Bypass-mark/bypass-mask not working in NFQ mode

I’m trying to use the Suricata bypass-mark feature when running in inline NFQ mode.
I’ve configured the bypass mark settings in suricata.yaml:

    bypass-mark: 0x1000
    bypass-mask: 0xf000

I have the following bypass rule I use for testing:
pass ip any -> any any (msg:"BYPASS"; sid:1000001; rev:1;)

And I have the following iptables rules:
(nat table)
-A POSTROUTING -m mark --mark 0x1000/0xf000 -j LOG --log-prefix "BYPASS_SET " --log-level 6

(filter table)
-A FORWARD -j NFQUEUE --queue-balance 1000:1003 --queue-bypass --queue-cpu-fanout

And I run suricata in a docker container with:
suricata -q 1000 -q 1001 -q 1002 -q 1003 -c /etc/suricata/suricata.yaml

I’m running a simple curl from one server to another, with the packets being routed via the machine where suricata is running (which is why the NFQUEUE rule is in the FORWARD chain and not INPUT/OUTPUT).
The bypass is working (I’m not triggering later signatures that do trigger without the bypass rule), but I don’t get the LOG message from the POSTROUTING chain, meaning that the packet is not being marked as expected.

What am I doing wrong here?
EDIT: Solved, see my next reply. But I still have a follow-up question for TLS bypass.

Follow-up question - is this feature (bypass mark) expected to work with TLS bypass as well? Or is it just for bypass signatures? I read the very little documentation on the subject, including the external links, and from my understanding it should work, but it’s not quite clear.

Thank you.

Ok, so I realized that I needed the bypass keyword in the signature definition, i.e.:
pass ip any -> any any (msg:"BYPASS"; bypass; sid:1000001; rev:1;)

So this brings me to the follow-up question - TLS bypass does not seem to work.
I’ve followed the advice on this thread: Bypassing encrypted traffic does not seem to work - Help - Suricata
And enabled stream.bypass and set app-layer.tls.encrypt-handling to bypass, but still no mark.
I even tried a super explicit signature:
alert tls any -> any any (msg:"TLS_BYPASS"; bypass; nfq_set_mark:0x1000/0xf000; sid:1000001; rev:1;)
And I do get the alert, but not the mark, which now makes me question my sanity.
BTW, forgot to mention, I’m running Suricata 6.0.1.

OK I figured it out.
The setting name is encryption-handling and not encrypt-handling: Next/20190314/v3 by victorjulien · Pull Request #3735 · OISF/suricata
I was using an older config template with the wrong documentation.

Issue can be closed.
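Pulling the thread's fixes together, as an added example that is not from the thread or from Suricata's shipped config: the suricata.yaml fragment with the correct key names, using the mark and mask values from the question. The key paths assume the Suricata 6 suricata.yaml layout; the signature and iptables lines in the comments are the ones posted above.

```yaml
# Added example, not part of the original thread.
# Mark/mask values are the ones used in the question; key paths follow the
# Suricata 6 suricata.yaml layout.

nfq:
  # Flows handed to the capture bypass get this mark on their packets, so the
  # nat POSTROUTING rule "-m mark --mark 0x1000/0xf000" from the thread matches.
  # The -q queues given to suricata must match --queue-balance 1000:1003.
  bypass-mark: 0x1000
  bypass-mask: 0xf000

stream:
  # Needed so that a bypassed flow is actually handed to the capture method
  # (here NFQ, which sets the mark) instead of only being skipped by the engine.
  bypass: yes

app-layer:
  protocols:
    tls:
      enabled: yes
      # The key is "encryption-handling"; the older template's
      # "encrypt-handling" is not a recognised setting, so no bypass (and no
      # mark) happened with it.
      encryption-handling: bypass

# Rule-based bypass still needs the "bypass" keyword in the signature, e.g.:
#   pass ip any -> any any (msg:"BYPASS"; bypass; sid:1000001; rev:1;)
```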