From 629fa3034587ef8010e4f559ffa03dcfaa4b626d Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 25 Oct 2016 14:25:55 +0200
Subject: [PATCH] nfq_set_mask: set mark on root pkt for tunnels

---
 src/detect-mark.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/src/detect-mark.c b/src/detect-mark.c
index b298ccfe7f..b2326f98dc 100644
--- a/src/detect-mark.c
+++ b/src/detect-mark.c
@@ -222,9 +222,23 @@ int DetectMarkPacket(ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, S
 #ifdef NFQ
 const DetectMarkData *nf_data = (const DetectMarkData *)ctx;
 if (nf_data->mask) {
- p->nfq_v.mark = (nf_data->mark & nf_data->mask)
- | (p->nfq_v.mark & ~(nf_data->mask));
- p->flags |= PKT_MARK_MODIFIED;
+ if (!(IS_TUNNEL_PKT(p))) {
+ p->nfq_v.mark = (nf_data->mark & nf_data->mask)
+ | (p->nfq_v.mark & ~(nf_data->mask));
+ p->flags |= PKT_MARK_MODIFIED;
+ } else {
+ /* real tunnels may have multiple flows inside them, so marking
+ * might 'mark' too much. Rebuilt packets from IP fragments
+ * are fine. */
+ if (p->flags & PKT_REBUILT_FRAGMENT) {
+ Packet *tp = p->root ? p->root : p;
+ SCMutexLock(&tp->tunnel_mutex);
+ tp->nfq_v.mark = (nf_data->mark & nf_data->mask)
+ | (tp->nfq_v.mark & ~(nf_data->mask));
+ tp->flags |= PKT_MARK_MODIFIED;
+ SCMutexUnlock(&tp->tunnel_mutex);
+ }
+ }
 }
 #endif
 return 1;
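Review bot: For a tunnel packet that is not a rebuilt fragment the new else branch does nothing at all, so the rule's mark is silently not applied and nothing records that it was skipped; since the mark is what downstream netfilter policy acts on, the skip should be visible, e.g. an `else { SCLogDebug("mark not applied to tunnel packet %p", p); }` after the PKT_REBUILT_FRAGMENT check, and the keyword documentation should state that mark is not applied inside real tunnels. The `tp->flags |= PKT_MARK_MODIFIED;` read-modify-write is protected by tp->tunnel_mutex here, but whether the other writers of the root packet's flags take that same mutex is not visible in this hunk; if they do not, the lock does not make this update safe against them, which is worth confirming before relying on it. The masked-mark expression is now duplicated for p and tp; a small static helper taking the Packet and nf_data would keep the two in step. DetectMarkPacket's body begins before the hunk.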