Merged. Best regards, -Stefan
> We are using the netfilter MARK in IPsec & QoS and this
> is causing conflicts.
> 
> Therefore, we use the highest bit in the IPS chain now
> and clear it afterwards because we do not really care about
> this after the packets have been passed through suricata.
> 
> Then, no other application has to worry about suricata.
> 
> Fixes: #12010
> Signed-off-by: Arne Fitzenreiter
> Signed-off-by: Michael Tremer
> ---
> config/suricata/suricata.yaml | 4 ++--
> src/initscripts/system/suricata | 7 +++++--
> 2 files changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/config/suricata/suricata.yaml
> b/config/suricata/suricata.yaml
> index 12937ab22..7f651327e 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
> @@ -117,8 +117,8 @@ logging:
> 
> nfq:
> mode: repeat
> - repeat-mark: 16
> - repeat-mask: 16
> + repeat-mark: 1879048192
> + repeat-mask: 1879048192
> # bypass-mark: 1
> # bypass-mask: 1
> # route-queue: 2
> diff --git a/src/initscripts/system/suricata
> b/src/initscripts/system/suricata
> index d2c758660..e755dfaff 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -29,8 +29,8 @@ NFQ_OPTS="--queue-bypass "
> network_zones=( red green blue orange )
> 
> # Mark and Mask options.
> -MARK="0x16"
> -MASK="0x16"
> +MARK="0x70000000"
> +MASK="0x70000000"
> 
> # PID file of suricata.
> PID_FILE="/var/run/suricata.pid"
> @@ -88,6 +88,9 @@ function generate_fw_rules {
> iptables -I "$FW_CHAIN" -o "$network_device" -m
> mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
> fi
> done
> +
> + # Clear repeat bit, so that it does not confuse IPsec or QoS
> + iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
> }
> 
> # Function to flush the firewall chain.
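Review bot: The new repeat-mark/repeat-mask value 1879048192 is 0x70000000 and has to stay identical to MARK/MASK in src/initscripts/system/suricata (hunk @@ -29,8), but neither file says so; the old pair (decimal 16 in the yaml versus hex 0x16 in the initscript) shows how easily the two drift apart. Add a comment above repeat-mark such as `# 0x70000000 (bits 28-30); must match MARK/MASK in src/initscripts/system/suricata`, and the mirror comment next to MARK in the initscript. The description speaks of "the highest bit", but 0x70000000 covers three bits and not bit 31, so stating the reserved range explicitly would tell IPsec and QoS mark users which bits to keep clear.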
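Review bot: The new clearing rule is appended with `-A` while the NFQUEUE rules above it are inserted with `-I`, and the comment does not say that this ordering is load-bearing: with `mode: repeat` suricata re-injects the packet carrying the mark, so it must pass the `-m mark ! --mark "$MARK"/"$MASK"` rules before the bits are cleared, and a later change that put the clear first would presumably re-queue the packet or never clear it. Suggest `# Appended last on purpose: packets re-injected by suricata (repeat mode) must skip the NFQUEUE rules above before the bits are cleared`. Packets that matched no zone device, or that skipped the queue via --queue-bypass, also hit this rule; harmless, but worth a sentence in the comment. generate_fw_rules starts outside the hunk.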