[9/9] firewall: Keep REPEAT bit when saving rest to CONNMARK
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
src/initscripts/system/firewall | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
Tested-by: Stefan Schantl <stefan.schantl@ipfire.org>
> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ---
> src/initscripts/system/firewall | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/src/initscripts/system/firewall
> b/src/initscripts/system/firewall
> index 530e8f1d6..5fc63683c 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -48,8 +48,7 @@ iptables_init() {
>
> # IPS Bypass Chain which stores the BYPASS bit in connection
> tracking
> iptables -N IPSBYPASS
> - iptables -A IPSBYPASS -j MARK --set-xmark "0/$((
> IPS_REPEAT_MASK ))"
> - iptables -A IPSBYPASS -j CONNMARK --save-mark
> + iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$((
> ~IPS_REPEAT_MASK & 0xffffffff ))"
>
> # Jump into bypass chain when the BYPASS bit is set
> for chain in INPUT FORWARD OUTPUT; do
@@ -48,8 +48,7 @@ iptables_init() {
# IPS Bypass Chain which stores the BYPASS bit in connection tracking
iptables -N IPSBYPASS
- iptables -A IPSBYPASS -j MARK --set-xmark "0/$(( IPS_REPEAT_MASK ))"
- iptables -A IPSBYPASS -j CONNMARK --save-mark
+ iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))"
# Jump into bypass chain when the BYPASS bit is set
for chain in INPUT FORWARD OUTPUT; do
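Review bot: The new CONNMARK rule relies on the non-obvious semantics of `--save-mark --mask`, which only writes the masked bits of the packet mark into the conntrack mark and leaves the others as they were, and the chain comment above it still only says the chain "stores the BYPASS bit"; a reader will not see from the line itself why the inverted mask preserves REPEAT rather than clearing it as the removed MARK rule did. I would add `# Copy the packet mark into the connection mark, but leave the REPEAT bit in conntrack untouched (--mask limits which bits --save-mark writes)` directly above the new rule. The `& 0xffffffff` is needed because shell arithmetic is wider than 32 bits, so the inversion would otherwise produce a value iptables rejects; that is worth a short trailing comment too. The rule also now depends on IPS_REPEAT_MASK being set when this runs, as the old code did, which I cannot confirm from the hunk. iptables_init() begins and ends outside the hunk.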