suricata: Use highest bit to mark packets

We are using the netfilter MARK in IPsec & QoS and this
is causing conflicts.

Therefore, we use the highest bit in the IPS chain now
and clear it afterwards because we do not really care about
this after the packets have been passed through suricata.

Then, no other application has to worry about suricata.

Fixes: #12010
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer
2019-02-28 19:37:38 +00:00
committed by Stefan Schantl
parent c9ee3592f0
commit 5d04cfe7d5
2 changed files with 7 additions and 4 deletions


@@ -117,8 +117,8 @@ logging:
nfq:
mode: repeat
repeat-mark: 16
repeat-mask: 16
repeat-mark: 1879048192
repeat-mask: 1879048192
# bypass-mark: 1
# bypass-mask: 1
# route-queue: 2
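Review bot: the commit message says "highest bit", but 1879048192 is 0x70000000, that is bits 28, 29 and 30, while the actual highest bit (0x80000000) stays unused; either state in the message that a three-bit range is reserved for the repeat mark, or narrow repeat-mark and repeat-mask to a single bit so the description and the values agree. Since this file carries the values in decimal and the shell script in the second hunk carries them in hex, a trailing comment such as `repeat-mark: 1879048192  # 0x70000000, must equal MARK in the suricata start script` would make the coupling visible to whoever edits one file without the other.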


@@ -29,8 +29,8 @@ NFQ_OPTS="--queue-bypass "
network_zones=( red green blue orange )
# Mark and Mask options.
MARK="0x16"
MASK="0x16"
MARK="0x70000000"
MASK="0x70000000"
# PID file of suricata.
PID_FILE="/var/run/suricata.pid"
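Review bot: with the previous values the two files disagreed (0x16 here is decimal 22, while suricata.yaml carried 16), which the new 0x70000000 / 1879048192 pair fixes; to keep them in step, the "Mark and Mask options." comment should name the counterpart keys, e.g. `# Must match repeat-mark / repeat-mask in suricata.yaml (0x70000000 = 1879048192)`, and say which bits are reserved, since 0x70000000 covers bits 28-30 rather than a single bit.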
@@ -88,6 +88,9 @@ function generate_fw_rules {
iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
fi
done
# Clear repeat bit, so that it does not confuse IPsec or QoS
iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
}
# Function to flush the firewall chain.
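Review bot: the clear rule is unconditional, so every packet leaving "${FW_CHAIN}" gets bits 28-30 zeroed, including packets that never reached an NFQUEUE rule (for instance when no network_device matched in the loop); that is consistent with the stated goal, but it means those mark bits are effectively reserved for the IPS chain for everything traversing it, which the comment above the rule should say explicitly. Ordering is correct as written: the NFQUEUE rules are inserted with -I and this rule is appended with -A, so it always sits after them regardless of the order the commands run in. Minor style points: the comment says "repeat bit" (singular) while ${MASK} covers three bits, and the hunk mixes "$FW_CHAIN" on the NFQUEUE line with "${FW_CHAIN}" on the new line.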