From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 9/9] firewall: Keep REPEAT bit when saving rest to CONNMARK
Date: Mon, 18 Oct 2021 10:10:22 +0000
Message-ID: <20211018101022.15448-9-michael.tremer@ipfire.org>
In-Reply-To: <20211018101022.15448-1-michael.tremer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7843002969794023456=="
List-Id:
--===============7843002969794023456==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Signed-off-by: Michael Tremer
---
 src/initscripts/system/firewall | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 530e8f1d6..5fc63683c 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -48,8 +48,7 @@ iptables_init() {
=20
 # IPS Bypass Chain which stores the BYPASS bit in connection tracking
 iptables -N IPSBYPASS
- iptables -A IPSBYPASS -j MARK --set-xmark "0/$(( IPS_REPEAT_MASK ))"
- iptables -A IPSBYPASS -j CONNMARK --save-mark
+ iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK = & 0xffffffff ))"
=20
 # Jump into bypass chain when the BYPASS bit is set
 for chain in INPUT FORWARD OUTPUT; do
--=20
2.20.1
--===============7843002969794023456==--
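Review bot: The comment above the rewritten rule still says the chain "stores the BYPASS bit", but the new `--save-mark --mask` rule copies every packet-mark bit except REPEAT into the connection mark and leaves any REPEAT bit already in the connmark untouched; a comment such as `# Save every mark bit except REPEAT; the packet itself keeps its REPEAT bit` would say so. The mask is derived from `IPS_REPEAT_MASK`, which is defined outside this hunk: shell arithmetic evaluates an unset or empty name as 0, so the mask would silently become 0xffffffff and REPEAT would be saved with the rest, and a check that the variable is set and non-zero before any rule is added would catch that. The `=` inside the arithmetic on the `+` line appears to be a quoted-printable soft line break from the mail encoding rather than part of the script. iptables_init continues outside the hunk.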