This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  e850a61429b03cb77a9dc798e9f093500db09a87 (commit)
       via  ef7d9d7657a3062dbba694728c4c8c6b05caa4c7 (commit)
       via  d4ff0694c5fa0ec1798cbf849b896b3212a262f6 (commit)
       via  19357bc55e63cbde3bfae3f46bfaf5e655871763 (commit)
       via  3fa8300e706227db9f72b4b1349dde3e66399298 (commit)
       via  2469ca9fbab0a02502fc8086bc94517d7dcdcfaf (commit)
       via  49dd3e2946435b0f4dc77ca1a9d7b14d22edca8d (commit)
       via  855475580b153f05df8417d408193142a76950cf (commit)
       via  9deccd1cbab7e446a362b6410fb88b36b655a7cd (commit)
       via  11f7218f9cd16b32b2cb4477355e0e5057df6399 (commit)
       via  4f07c279a01d076d7f788ac8635194a8bb7c51cd (commit)
       via  761fadbdde805c8863a1f2a736408367a38f94da (commit)
       via  aaf266ac2b1c230eeb1ba897c9674aaf28cbcf53 (commit)
       via  ec18a1ecae60c6c3b6418e300aebd6a823844c8d (commit)
       via  56702858529ae1bf75e21da3ef00f136bacedfcd (commit)
       via  637eb94684cb0029ca76bb67dda8a8d2c15560ab (commit)
       via  0165dd40256fb1fe8474140cf54eb30cfb9fb7f3 (commit)
       via  a09578f4eb954ea982926daab53c34492df05b43 (commit)
      from  80909fb6da64a911c900df50805fd5866685faf0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit e850a61429b03cb77a9dc798e9f093500db09a87
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Tue Oct 19 18:27:49 2021 +0000

    firewall: replace mark with --pol ipsec to exclude ipsec traffic from masquerade
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit ef7d9d7657a3062dbba694728c4c8c6b05caa4c7
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Tue Oct 19 18:25:11 2021 +0000

    core161: add suricata changes
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit d4ff0694c5fa0ec1798cbf849b896b3212a262f6
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Mon Oct 18 22:36:02 2021 +0200

    squid-asnbl: update to 0.2.3
    
    Upstream commit 500b9137d0a9dd31e40f0d1effdba0aafeb94ca4 changes the
    behaviour of this script in case of invalid or unresolvable FQDNs,
    preventing Squid from eventually shutting down due to too many BH's per
    time.
    
    Since this allows (authenticated) users to run a DoS against the Squid
    instance, it is considered to be security relevant.
    
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 19357bc55e63cbde3bfae3f46bfaf5e655871763
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Oct 18 10:10:22 2021 +0000

    firewall: Keep REPEAT bit when saving rest to CONNMARK
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 3fa8300e706227db9f72b4b1349dde3e66399298
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Oct 18 10:10:21 2021 +0000

    suricata: Introduce IPSBYPASS chain
    
    NFQUEUE does not let the packet continue where it was processed, but
    inserts it back into iptables at the start. That is why we need an
    extra IPSBYPASS chain which has the following tasks:
    
    * Make the BYPASS bit permanent for the entire connection
    * Clear the REPEAT bit
    
    The latter is more of cosmetic nature so that we can identify packets
    that have come from suricata again and those which have bypassed the IPS
    straight away.
    
    The IPS_* chain will now only be sent traffic to, when none of the two
    relevant bits has been set. Otherwise the packet has already been
    processed by suricata in the first pass or suricata has decided to
    bypass the connection.
    
    This massively reduces load on the IPS which allows many common
    connections (TLS connections with downloads) to bypass the IPS bringing
    us back to line speed.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 2469ca9fbab0a02502fc8086bc94517d7dcdcfaf
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Oct 18 10:10:20 2021 +0000

    suricata: Store bypass flag in connmark and restore
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 49dd3e2946435b0f4dc77ca1a9d7b14d22edca8d
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Oct 18 10:10:19 2021 +0000

    suricata: Add rule to skip IPS if a packet has the bypass bit set
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 855475580b153f05df8417d408193142a76950cf
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Oct 18 10:10:18 2021 +0000

    suricata: Always append rules instead of inserting them
    
    This allows us to add rules in a consistent order like they are in the
    script.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 9deccd1cbab7e446a362b6410fb88b36b655a7cd
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Oct 18 10:10:17 2021 +0000

    suricata: Enable bypassing unhandled streams
    
    If a stream cannot be identified or if suricata has decided that it
    cannot do anything useful any more (e.g. TLS sessions after the
    handshake), we will allow suricata to bypass any following packets in
    that flow
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 11f7218f9cd16b32b2cb4477355e0e5057df6399
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Oct 18 10:10:16 2021 +0000

    suricata: Define bypass mark
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 4f07c279a01d076d7f788ac8635194a8bb7c51cd
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Oct 18 10:10:15 2021 +0000

    suricata: Rename MARK/MASK to REPEAT_MARK/REPEAT_MASK
    
    This should avoid confusion when we add more marks
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 761fadbdde805c8863a1f2a736408367a38f94da
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Oct 18 10:10:14 2021 +0000

    suricata: Set most significant bit as repeat marker
    
    I have no idea why some odd value was chosen here, but one bit should be
    enough.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit aaf266ac2b1c230eeb1ba897c9674aaf28cbcf53
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Tue Oct 19 11:32:00 2021 +0000

    core161: add pakfire.conf and pakfire/lib/functions.pl
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit ec18a1ecae60c6c3b6418e300aebd6a823844c8d
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Oct 14 19:01:49 2021 +0000

    pakfire: Allow pinning Pakfire to one mirror server
    
    This patch adds a new $mirror option to the configuration file which
    will cause Pakfire to only use this one to download any files.
    
    This feature is disabled by default but useful for development.
    
    Fixes: #12706
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 56702858529ae1bf75e21da3ef00f136bacedfcd
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Tue Oct 19 11:27:58 2021 +0000

    core161: add index.cgi and general-functions.pl
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 637eb94684cb0029ca76bb67dda8a8d2c15560ab
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Oct 14 13:26:30 2021 +0000

    index.cgi: Remove left-over DNSSEC status warning
    
    An error message is still shown although there is no option to disable
    DNSSEC at the moment. The old marker file could still be present on
    older machines.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 0165dd40256fb1fe8474140cf54eb30cfb9fb7f3
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Tue Oct 19 11:23:12 2021 +0000

    core161: add partresize
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit a09578f4eb954ea982926daab53c34492df05b43
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Oct 14 12:00:31 2021 +0000

    OCI: Enable serial console by default
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/cfgroot/general-functions.pl       | 11 -----------
 config/grub2/00_cloud                     |  8 ++++++++
 config/rootfiles/core/161/filelists/files |  7 +++++++
 config/suricata/suricata.yaml             | 27 ++++++++++++++++++---------
 html/cgi-bin/index.cgi                    |  5 -----
 lfs/squid-asnbl                           |  4 ++--
 src/initscripts/system/firewall           | 25 +++++++++++++++++++------
 src/initscripts/system/partresize         |  6 +++---
 src/initscripts/system/suricata           | 15 +++------------
 src/pakfire/lib/functions.pl              | 12 ++++++++++++
 src/pakfire/pakfire.conf                  |  3 +++
 11 files changed, 75 insertions(+), 48 deletions(-)

Difference in files:
diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl
index de608e38b..f72d6588c 100644
--- a/config/cfgroot/general-functions.pl
+++ b/config/cfgroot/general-functions.pl
@@ -1238,17 +1238,6 @@ sub get_red_interface() {
 	return $interface;
 }
 
-sub dnssec_status() {
-	my $path = "${General::swroot}/red/dnssec-status";
-
-	open(STATUS, $path) or return 0;
-	my $status = <STATUS>;
-	close(STATUS);
-
-	chomp($status);
-
-	return $status;
-}
 sub number_cpu_cores() {
 	open my $cpuinfo, "/proc/cpuinfo" or die "Can't open cpuinfo: $!\n";
 	my $cores = scalar (map /^processor/, <$cpuinfo>);
diff --git a/config/grub2/00_cloud b/config/grub2/00_cloud
index 121cb2fbd..1ef5053e5 100644
--- a/config/grub2/00_cloud
+++ b/config/grub2/00_cloud
@@ -23,8 +23,16 @@ cat <<EOF
 # Read the system manufacturer string from the BIOS
 smbios --type 1 --get-string 4 --set system_manufacturer
 
+# Read the chassis asset tag
+smbios --type 3 --get-string 8 --set chassis_asset_tag
+
 # Are we on Amazon EC2?
 if [ "\$system_manufacturer" = "Amazon EC2" ]; then
 	next_entry=gnulinux-${KERNEL_RELEASE}-serial-${boot_device_id}
 fi
+
+# Are we on Oracle Cloud?
+if [ "\$chassis_asset_tag" = "OracleCloud.com" ]; then
+	next_entry=gnulinux-${KERNEL_RELEASE}-serial-${boot_device_id}
+fi
 EOF
diff --git a/config/rootfiles/core/161/filelists/files b/config/rootfiles/core/161/filelists/files
index adab4730d..b6a7fff92 100644
--- a/config/rootfiles/core/161/filelists/files
+++ b/config/rootfiles/core/161/filelists/files
@@ -1,4 +1,10 @@
 etc/rc.d/init.d/firewall
+etc/rc.d/init.d/partresize
+etc/rc.d/init.d/suricata
+etc/suricata/suricata.yaml
+opt/pakfire/etc/pakfire.conf
+opt/pakfire/lib/functions.pl
+srv/web/ipfire/cgi-bin/index.cgi
 srv/web/ipfire/cgi-bin/proxy.cgi
 srv/web/ipfire/cgi-bin/qos.cgi
 usr/bin/2to3
@@ -7,4 +13,5 @@ usr/lib/firewall/rules.pl
 usr/libexec/ipsec/_updown
 usr/local/bin/hddshutdown
 usr/local/bin/makegraphs
+var/ipfire/general-functions.pl
 var/ipfire/qos/bin/makeqosscripts.pl
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 4e9e39967..6f37671c8 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -346,10 +346,10 @@ logging:
 
 nfq:
    mode: repeat
-   repeat-mark: 1879048192
-   repeat-mask: 1879048192
-#   bypass-mark: 1
-#   bypass-mask: 1
+   repeat-mark: 2147483648
+   repeat-mask: 2147483648
+   bypass-mark: 1073741824
+   bypass-mask: 1073741824
 #  route-queue: 2
 #  batchcount: 20
    fail-open: yes
@@ -389,11 +389,19 @@ app-layer:
       # will be disabled by default, but enabled if rules require it.
       ja3-fingerprints: auto
 
-      # Completely stop processing TLS/SSL session after the handshake
-      # completed. If bypass is enabled this will also trigger flow
-      # bypass. If disabled (the default), TLS/SSL session is still
-      # tracked for Heartbleed and other anomalies.
-      #no-reassemble: yes
+      # What to do when the encrypted communications start:
+      # - default: keep tracking TLS session, check for protocol anomalies,
+      #            inspect tls_* keywords. Disables inspection of unmodified
+      #            'content' signatures.
+      # - bypass:  stop processing this flow as much as possible. No further
+      #            TLS parsing and inspection. Offload flow bypass to kernel
+      #            or hardware if possible.
+      # - full:    keep tracking and inspection as normal. Unmodified content
+      #            keyword signatures are inspected as well.
+      #
+      # For best performance, select 'bypass'.
+      #
+      encryption-handling: bypass
     dcerpc:
       enabled: yes
     ftp:
@@ -810,6 +818,7 @@ stream:
   prealloc-sessions: 4096
   checksum-validation: yes      # reject wrong csums
   inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
+  bypass: yes                   # Bypass packets when stream.reassembly.depth is reached.
   reassembly:
     memcap: 256mb
     depth: 1mb                  # reassemble 1mb into a stream
diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi
index fafbe0aa1..948fdde55 100644
--- a/html/cgi-bin/index.cgi
+++ b/html/cgi-bin/index.cgi
@@ -536,11 +536,6 @@ END
 &Header::closebox();
 }
 
-my $dnssec_status = &General::dnssec_status();
-if ($dnssec_status eq "off") {
-	$warnmessage .= "<li>$Lang::tr{'dnssec disabled warning'}</li>";
-}
-
 # Fireinfo
 if ( ! -e "/var/ipfire/main/send_profile") {
 	$warnmessage .= "<li><a style='color: white;' href='fireinfo.cgi'>$Lang::tr{'fireinfo please enable'}</a></li>";
diff --git a/lfs/squid-asnbl b/lfs/squid-asnbl
index 3fc001768..9bb7ef198 100644
--- a/lfs/squid-asnbl
+++ b/lfs/squid-asnbl
@@ -25,7 +25,7 @@
 
 include Config
 
-VER        = 0.2.2
+VER        = 0.2.3
 
 THISAPP    = squid-asnbl-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -45,7 +45,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = d62be77baa30b16d1c2362460123d6c0
+$(DL_FILE)_MD5 = cf0a269215f06f487d1ed488ea463d6b
 
 install : $(TARGET)
 
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index ce428393d..776e70d6e 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -14,8 +14,10 @@ fi
 
 NAT_MASK="0x0f000000"
 
-IPSEC_MARK="0x00800000"
-IPSEC_MASK="${IPSEC_MARK}"
+IPS_REPEAT_MARK="0x80000000"
+IPS_REPEAT_MASK="0x80000000"
+IPS_BYPASS_MARK="0x40000000"
+IPS_BYPASS_MASK="0x40000000"
 
 function iptables() {
 	/sbin/iptables --wait "$@"
@@ -41,6 +43,16 @@ iptables_init() {
 	modprobe nf_log_ipv4
 	sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4
 
+	# IPS Bypass Chain which stores the BYPASS bit in connection tracking
+	iptables -N IPSBYPASS
+	iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))"
+
+	# Jump into bypass chain when the BYPASS bit is set
+	for chain in INPUT FORWARD OUTPUT; do
+		iptables -A "${chain}" -m mark \
+			--mark "$(( IPS_REPEAT_MARK | IPS_BYPASS_MARK ))/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j IPSBYPASS
+	done
+
 	# Empty LOG_DROP and LOG_REJECT chains
 	iptables -N LOG_DROP
 	iptables -A LOG_DROP   -m limit --limit 10/second -j LOG
@@ -147,9 +159,10 @@ iptables_init() {
 	iptables -N IPS_INPUT
 	iptables -N IPS_FORWARD
 	iptables -N IPS_OUTPUT
-	iptables -A INPUT -j IPS_INPUT
-	iptables -A FORWARD -j IPS_FORWARD
-	iptables -A OUTPUT -j IPS_OUTPUT
+
+	for chain in INPUT FORWARD OUTPUT; do
+		iptables -A "${chain}" -m mark --mark "0x0/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j "IPS_${chain}"
+	done
 
 	# OpenVPN transfer network translation
 	iptables -t nat -N OVPNNAT
@@ -380,7 +393,7 @@ iptables_red_up() {
 		fi
 
 		# Outgoing masquerading (don't masqerade IPsec)
-		iptables -t nat -A REDNAT -m mark --mark "${IPSEC_MARK}/${IPSEC_MASK}" -o "${IFACE}" -j RETURN
+		iptables -t nat -A REDNAT -m policy --pol ipsec --dir=out -o "${IFACE}" -j RETURN
 
 		if [ "${IFACE}" = "${GREEN_DEV}" ]; then
 			iptables -t nat -A REDNAT -i "${GREEN_DEV}" -o "${IFACE}" -j RETURN
diff --git a/src/initscripts/system/partresize b/src/initscripts/system/partresize
index 4fa1906d0..2206ca451 100644
--- a/src/initscripts/system/partresize
+++ b/src/initscripts/system/partresize
@@ -45,9 +45,9 @@ case "${1}" in
 				esac
 			fi
 
-			# Enable the serial console on all systems on AWS EC2, Azure
-			# and Google Compute Platform
-			if running_on_ec2 || running_on_azure || running_on_gcp; then
+			# Enable the serial console on all systems on AWS EC2, Oracle Cloud,
+			# Azure and Google Compute Platform
+			if running_on_ec2 || running_on_oci || running_on_azure || running_on_gcp; then
 				scon="on"
 			fi
 
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 33633ddf9..13fcc7f34 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -34,10 +34,6 @@ network_zones=( red green blue orange ovpn )
 # Array to store the network zones weather the IPS is enabled for.
 enabled_ips_zones=()
 
-# Mark and Mask options.
-MARK="0x70000000"
-MASK="0x70000000"
-
 # PID file of suricata.
 PID_FILE="/var/run/suricata.pid"
 
@@ -137,19 +133,14 @@ function generate_fw_rules {
 		# Loop through the array and create firewall rules.
 		for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
 			# Create rules queue input and output related traffic and pass it to the IPS.
-			iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
-			iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+			iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
+			iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
 
 			# Create rules which are required to handle forwarded traffic.
 			for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
-				iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+				iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -j NFQUEUE $NFQ_OPTIONS
 			done
 		done
-
-		# Clear repeat bit, so that it does not confuse IPsec or QoS
-		iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
-		iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
-		iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
 	fi
 }
 
diff --git a/src/pakfire/lib/functions.pl b/src/pakfire/lib/functions.pl
index f46c9acc1..4d9854a6f 100644
--- a/src/pakfire/lib/functions.pl
+++ b/src/pakfire/lib/functions.pl
@@ -30,6 +30,7 @@ use HTTP::Headers;
 use HTTP::Message;
 use HTTP::Request;
 use Net::Ping;
+use URI;
 
 use Switch;
 
@@ -297,6 +298,17 @@ sub valid_signature($) {
 }
 
 sub selectmirror {
+	if (defined ${Conf::mirror}) {
+		my $uri = URI->new("${Conf::mirror}");
+
+		# Only accept HTTPS mirrors
+		if ($uri->scheme eq "https") {
+			return ("HTTPS", $uri->host, $uri->path . "/" . ${Conf::version});
+		} else {
+			message("MIRROR ERROR: Unsupported mirror: " . ${Conf::mirror});
+		}
+	}
+
 	### Check if there is a current server list and read it.
 	#   If there is no list try to get one.
 	my $count = 0;
diff --git a/src/pakfire/pakfire.conf b/src/pakfire/pakfire.conf
index 9930f3771..bc54dcff4 100644
--- a/src/pakfire/pakfire.conf
+++ b/src/pakfire/pakfire.conf
@@ -23,6 +23,9 @@ package Conf;
 
 $mainserver = "pakfire.ipfire.org";
 
+# Only use this mirror
+#$mirror = "https://mirror1.ipfire.org/pakfire2";
+
 $cachedir = "/opt/pakfire/cache";
 $dbdir = "/opt/pakfire/db";
 $coredir = "/opt/pakfire/db/core";


hooks/post-receive
--
IPFire 2.x development tree