[3/6] firewall: Always restore all connection marks

Message ID 20211004175222.9208-3-michael.tremer@ipfire.org
State Accepted
Commit c825fcef40f63c8ce39a50b7285dbca98e2db60b
Series [1/6] firewall: Only check relevant bits for NAT fix rules |

Commit Message

Michael Tremer Oct. 4, 2021, 5:52 p.m. UTC
  Previously, this was done by tc, and only when QoS was enabled.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 config/qos/makeqosscripts.pl    | 1 -
 src/initscripts/system/firewall | 3 +++
 2 files changed, 3 insertions(+), 1 deletion(-)
  

Patch

diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index 3af046ac3..5bdd5b811 100644
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -370,7 +370,6 @@  print <<END
 	ip link set $qossettings{'IMQ_DEV'} up
 
 	tc filter add dev $qossettings{'RED_DEV'} parent ffff: protocol all u32 match u32 0 0 \\
-		action connmark \\
 		action mirred egress redirect dev $qossettings{'IMQ_DEV'}
 
 	### ADD HTB QDISC FOR $qossettings{'IMQ_DEV'}
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 9d023a349..7a7d52d57 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -100,6 +100,9 @@  iptables_init() {
 	iptables -t raw -N CONNTRACK
 	iptables -t raw -A PREROUTING -j CONNTRACK
 
+	# Restore any connection marks
+	iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
+
 	# Fix for braindead ISPs
 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
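Review bot: The comment on the new `CONNMARK --restore-mark` rule in iptables_init does not say why the restore lives here or what it depends on, and two things look worth recording. The rule is appended with `-A` and has no `--mask`, so it copies the whole connection mark into the packet mark and only helps rules that run after it; any mangle PREROUTING rule added earlier would still see an unmarked packet, which cannot be checked from this hunk because iptables_init starts and ends outside it. It also runs in netfilter, which comes after the tc ingress filter in makeqosscripts.pl that used to carry `action connmark`, so if the classes on the IMQ device match on the firewall mark, redirected ingress packets may now arrive there unmarked; that is worth confirming with QoS enabled. I would expand the comment to something like `# Restore the connection mark into the packet mark before any mark-matching rule (previously done by tc, and only with QoS enabled)`.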