Tested-by: Stefan Schantl
> Signed-off-by: Michael Tremer
> ---
>  src/initscripts/system/suricata | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/src/initscripts/system/suricata
> b/src/initscripts/system/suricata
> index 5ccea9391..2577621b8 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -134,6 +134,12 @@ function generate_fw_rules {
>         # Flush the firewall chains.
>         flush_fw_chain
>  
> +       # Skip anything that has the bypass bit set
> +       local chain
> +       for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}"
> "${IPS_OUTPUT_CHAIN}"; do
> +               iptables -w -A "${chain}" -m mark --mark
> "${BYPASS_MARK}/${BYPASS_MASK}" -j RETURN
> +       done
> +
>         # Check if the array of enabled_ips_zones contains any
> elements.
>         if [[ ${enabled_ips_zones[@]} ]]; then
>                 # Loop through the array and create firewall rules.
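Review bot: The RETURN rule added in the loop over the three IPS chains turns `${BYPASS_MARK}/${BYPASS_MASK}` into an exemption from every rule generate_fw_rules appends afterwards, yet the one-line comment does not say which component is allowed to set that bit. Neither variable is defined in the hunk, and `-m mark` matches the packet mark, so the bit presumably has to be set or restored from the connection mark before these chains are traversed; that dependency is worth stating. I would expand the comment to something like `# Packets carrying the bypass bit (set by <component>, restored in <chain>) are not inspected; no other marking rule may use this bit`. The exit status of `iptables -w -A` is also unchecked, so an empty or malformed mark value would leave the chain without the rule and surface only as an error message at start-up. generate_fw_rules begins and ends outside the hunk.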