Tested-by: Stefan Schantl
> This should avoid confusion when we add more marks
>
> Signed-off-by: Michael Tremer
> ---
>  src/initscripts/system/suricata | 16 ++++++++--------
>  1 file changed, 8 insertions(+), 8 deletions(-)
>
> diff --git a/src/initscripts/system/suricata > b/src/initscripts/system/suricata
> index e327225d7..111bd9df3 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -35,8 +35,8 @@ network_zones=( red green blue orange ovpn )
>  enabled_ips_zones=()
>  
>  # Mark and Mask options.
> -MARK="0x80000000"
> -MASK="0x80000000"
> +REPEAT_MARK="0x80000000"
> +REPEAT_MASK="0x80000000"
>  
>  # PID file of suricata.
>  PID_FILE="/var/run/suricata.pid"
> @@ -137,19 +137,19 @@ function generate_fw_rules { >                 # Loop through the array and create firewall rules. >                 for enabled_ips_zone in "${enabled_ips_zones[@]}"; do >                         # Create rules queue input and output related > traffic and pass it to the IPS. > -                       iptables -w -I "$IPS_INPUT_CHAIN" -i > "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE > $NFQ_OPTIONS > -                       iptables -w -I "$IPS_OUTPUT_CHAIN" -o > "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE > $NFQ_OPTIONS > +                       iptables -w -I "$IPS_INPUT_CHAIN" -i > "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" > -j NFQUEUE $NFQ_OPTIONS > +                       iptables -w -I "$IPS_OUTPUT_CHAIN" -o > "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" > -j NFQUEUE $NFQ_OPTIONS >   >                         # Create rules which are required to handle > forwarded traffic. >                         for enabled_ips_zone_forward in > "${enabled_ips_zones[@]}"; do > -                               iptables -w -I "$IPS_FORWARD_CHAIN" - > i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark > "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS > +                               iptables -w -I "$IPS_FORWARD_CHAIN" - > i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! 
--mark > "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
>                         done
>                 done
>  
>                 # Clear repeat bit, so that it does not confuse IPsec > or QoS
> -               iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set- > xmark "0x0/${MASK}"
> -               iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set- > xmark "0x0/${MASK}"
> -               iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set- > xmark "0x0/${MASK}"
> +               iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set- > xmark "0x0/${REPEAT_MASK}"
> +               iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set- > xmark "0x0/${REPEAT_MASK}"
> +               iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set- > xmark "0x0/${REPEAT_MASK}"
>         fi
>  }
>
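Review bot: The `! --mark "${REPEAT_MARK}/${REPEAT_MASK}"` match on the three NFQUEUE rules means any packet that already carries bit 0x80000000 in its fwmark when it reaches the IPS chains skips Suricata entirely, and the rename in the first hunk leaves the comment above the new variables as the generic `# Mark and Mask options.`, which does not say that this bit is therefore reserved. I would replace that comment with something like `# Bit reserved for the IPS "repeat" mark: packets carrying it skip the NFQUEUE rules and the bit is cleared again at the end of each IPS chain, so no other mark user (IPsec, QoS, ...) may set it before these chains run.` Where the bit is actually set is not visible in either hunk (presumably through the queue verdict configured in $NFQ_OPTIONS), so that part of the wording should be checked against the definition of NFQ_OPTIONS. As a point of style, every new rule line still expands `$NFQ_OPTIONS` unquoted to obtain word-splitting; holding the options in an array and passing `"${NFQ_OPTIONS[@]}"` would make that intent explicit, although it is outside this change. generate_fw_rules starts before the hunk; only its closing brace is visible here.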