From mboxrd@z Thu Jan 1 00:00:00 1970
From: Stefan Schantl
To: development@lists.ipfire.org
Subject: Re: [PATCH 9/9] firewall: Keep REPEAT bit when saving rest to CONNMARK
Date: Tue, 19 Oct 2021 06:05:04 +0200
Message-ID:
In-Reply-To: <20211018101022.15448-9-michael.tremer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6392684690423233932=="
List-Id:
--===============6392684690423233932==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Tested-by: Stefan Schantl
> Signed-off-by: Michael Tremer
> ---
>  src/initscripts/system/firewall | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/src/initscripts/system/firewall > b/src/initscripts/system/firewall
> index 530e8f1d6..5fc63683c 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -48,8 +48,7 @@ iptables_init() {
>  
>         # IPS Bypass Chain which stores the BYPASS bit in connection > tracking
>         iptables -N IPSBYPASS
> -       iptables -A IPSBYPASS -j MARK --set-xmark "0/$(( > IPS_REPEAT_MASK ))"
> -       iptables -A IPSBYPASS -j CONNMARK --save-mark
> +       iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( > ~IPS_REPEAT_MASK & 0xffffffff ))"
>  
>         # Jump into bypass chain when the BYPASS bit is set
>         for chain in INPUT FORWARD OUTPUT; do
--===============6392684690423233932==--
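Review bot: The comment above the IPSBYPASS rule still says the chain stores the BYPASS bit, but the new `CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))"` copies every packet-mark bit except REPEAT into the connection mark and leaves the packet's own REPEAT bit set, so the comment no longer describes what ends up in conntrack. I would add a line such as `# Save all mark bits except REPEAT; the REPEAT bit already held in the connection mark is left untouched` directly above the rule. If only the BYPASS bit is meant to persist, masking with that bit alone would keep unrelated mark bits out of the connection mark; whether other bits of the mark are in use is not visible from this hunk. IPS_REPEAT_MASK is defined outside the hunk, and if it were ever empty the arithmetic would presumably evaluate to 0xffffffff and save the whole mark without any error, so a guard or a note at its definition would be worth having. iptables_init() starts before the hunk and the `for chain` loop continues past it.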