suricata: Clear IPS bits after use

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer
2024-09-21 17:55:09 +02:00
parent 6826eed0a4
commit 75a89ddf4a
2 changed files with 8 additions and 0 deletions


@@ -377,9 +377,11 @@ iptables_init() {
# IPS (Suricata) chains
iptables -t mangle -N IPS
iptables -t mangle -N IPS_CLEAR
for chain in INPUT FORWARD OUTPUT; do
iptables -t mangle -A "${chain}" -j IPS
iptables -t mangle -A "${chain}" -j IPS_CLEAR
done
# RED chain, used for the red interface
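Review bot: The new chain pair depends on IPS_CLEAR being appended directly after IPS in each of INPUT, FORWARD and OUTPUT, but the header comment above the `-N` lines does not say so, and a later rule inserted between the two `-j` lines (or a reordering) would silently defeat the clearing. I would extend the comment to `# IPS (Suricata) chains: IPS_CLEAR must directly follow IPS, it wipes the IPS mark bits once a packet has been through (or bypassed) the IPS`. The new `-N IPS_CLEAR` and `-j IPS_CLEAR` lines omit `-w` like the existing `-N IPS` line next to them, so that is consistent with this file rather than a new issue. iptables_init() continues outside this hunk.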


@@ -55,6 +55,7 @@ NFQ_OPTS=(
# Function to flush the firewall chains.
flush_fw_chain() {
iptables -w -t mangle -F IPS
iptables -w -t mangle -F IPS_CLEAR
}
# Function to create the firewall rules to pass the traffic to suricata.
@@ -139,6 +140,11 @@ generate_fw_rules() {
# Send packets to suricata
iptables -w -t mangle -A IPS -m comment --comment "SCANNED" -j NFQUEUE "${NFQ_OPTIONS[@]}"
# Clear all bits again after packets have been sent to the IPS
# This is required so that encapsulated packets can't inherit any set bits here and won't be scanned.
iptables -w -t mangle -A IPS_CLEAR \
-j MARK --set-mark "0/$(( IPS_BYPASS_MASK | IPS_BYPASS_REQUESTED_MASK | IPS_REPEAT_MASK | IPS_SCAN_MASK ))"
return 0
}
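Review bot: The IPS_CLEAR rule added at the end of the second hunk carries no `-m comment`, while the sibling NFQUEUE rule in IPS just above it is tagged "SCANNED"; for parity and for readable `iptables -L` output I would write the first line as `iptables -w -t mangle -A IPS_CLEAR -m comment --comment "CLEARED" \`. Worth confirming as well: since IPS_CLEAR runs in mangle INPUT/FORWARD/OUTPUT, the bypass, bypass-requested, repeat and scan bits are already zero when the packet reaches any later table in the same hook, so a filter-table rule or a CONNMARK --save-mark that still reads those bits (none is visible in this diff) would now see a cleared mark. The flush addition in the first hunk needs nothing further. generate_fw_rules() starts outside the hunk.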