[SOLVED] NFQUEUE bypassing UFW rules

Managed to solve this by adjusting the nfq section in suricata.yaml and adjusting UFW's before.rules:

In /etc/suricata/suricata.yaml, change the nfq section to:

nfq:
  mode: repeat
  repeat-mark: 1
  repeat-mask: 1

In /etc/ufw/before.rules, insert this section:

### SURICATA ###
# SSH traffic: --queue-bypass accepts the packet if nothing is listening on the queue (Suricata down)
-I INPUT 1 -p tcp --dport 12345 -j NFQUEUE --queue-bypass
-I OUTPUT 1 -p tcp --sport 12345 -j NFQUEUE --queue-bypass
# Everything else: queue only packets whose mark bit 1 is not set; Suricata sets it on re-injection (repeat mode)
-I INPUT 2 -m mark ! --mark 1/1 -j NFQUEUE
-I FORWARD 1 -m mark ! --mark 1/1 -j NFQUEUE
-I OUTPUT 2 -m mark ! --mark 1/1 -j NFQUEUE
### END SURICATA ###

(where 12345 is the SSH port you want to bypass, so you keep access in case Suricata goes down. If you do not need this, you can skip the first two lines.)

Restart UFW and Suricata:

systemctl restart ufw.service
systemctl restart suricata.service

Explanation of Suricata repeat and route mode here:
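To make the interaction between the mark/mask rules and Suricata's repeat mode concrete, here is a small simulation of the netfilter behaviour the setup above depends on. It is an added example, not code from the post, UFW or Suricata. It models three things: NFQUEUE hands a packet to userspace and --queue-bypass turns that into an accept when nobody is listening on the queue; Suricata in repeat mode sets mark = (mark & ~mask) | value and returns NF_REPEAT, which re-runs the chain from the top; and `-m mark ! --mark 1/1` skips packets whose masked mark is already 1. The chain, packets and function names are constructed for the demo (the SSH rule here carries the mark match on purpose), and the last case generalizes the point by showing what happens to an NFQUEUE rule that has no mark match at all.

```python
"""Simulation of NFQUEUE + mark/mask handling with Suricata's repeat mode.

Added example, not from the forum post. Rule, packet and chain definitions are
constructed assumptions; the mark arithmetic mirrors what repeat mode does.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

REPEAT_MARK = 1   # repeat-mark in suricata.yaml
REPEAT_MASK = 1   # repeat-mask in suricata.yaml


@dataclass
class Packet:
    proto: str
    dport: int
    mark: int = 0
    queued: int = 0          # how many times Suricata saw this packet


@dataclass
class Rule:
    target: str                                   # "NFQUEUE", "ACCEPT" or "DROP"
    proto: Optional[str] = None                   # -p tcp
    dport: Optional[int] = None                   # --dport N
    mark: Optional[Tuple[int, int, bool]] = None  # -m mark [!] --mark value/mask
    bypass: bool = False                          # --queue-bypass

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.mark is not None:
            value, mask, negate = self.mark
            hit = (pkt.mark & mask) == (value & mask)   # iptables mark match
            if hit == negate:                           # "!" inverts the result
                return False
        return True


def suricata_repeat_verdict(pkt: Packet) -> str:
    """Suricata in repeat mode: set the mark bits, then ask the kernel to re-run the hook."""
    pkt.queued += 1
    pkt.mark = (pkt.mark & ~REPEAT_MASK) | REPEAT_MARK
    return "NF_REPEAT"


def traverse(chain: List[Rule], pkt: Packet, suricata_up: bool = True,
             max_passes: int = 8) -> str:
    """Walk the chain the way the kernel does; returns ACCEPT, DROP or LOOP."""
    for _ in range(max_passes):
        verdict = "ACCEPT"                # chain policy when no rule terminates the pass
        for rule in chain:
            if not rule.matches(pkt):
                continue
            if rule.target == "NFQUEUE":
                if suricata_up:
                    verdict = suricata_repeat_verdict(pkt)
                else:
                    # No listener on the queue: bypass accepts, otherwise the packet is dropped
                    verdict = "ACCEPT" if rule.bypass else "DROP"
            else:
                verdict = rule.target
            break                         # NFQUEUE/ACCEPT/DROP all end this pass
        if verdict != "NF_REPEAT":
            return verdict
    return "LOOP"                         # re-queued on every pass: no mark match stopped it


NOT_MARKED = (REPEAT_MARK, REPEAT_MASK, True)   # -m mark ! --mark 1/1

# Constructed INPUT chain: SSH with bypass first, then the catch-all queue rule.
INPUT_CHAIN = [
    Rule("NFQUEUE", proto="tcp", dport=12345, mark=NOT_MARKED, bypass=True),
    Rule("NFQUEUE", mark=NOT_MARKED),
]


def demo() -> dict:
    results = {}
    # 1. Suricata running: the packet is inspected once, comes back marked, then passes.
    p = Packet("tcp", 443)
    results["web"] = (traverse(INPUT_CHAIN, p), p.queued, p.mark)
    # 2. Suricata down, SSH: --queue-bypass keeps the session alive.
    p = Packet("tcp", 12345)
    results["ssh_down"] = (traverse(INPUT_CHAIN, p, suricata_up=False), p.queued)
    # 3. Suricata down, other traffic: no bypass, so it is dropped (fail-closed).
    p = Packet("tcp", 443)
    results["web_down"] = (traverse(INPUT_CHAIN, p, suricata_up=False), p.queued)
    # 4. An NFQUEUE rule with no mark match is re-entered on every NF_REPEAT.
    p = Packet("tcp", 80)
    results["no_mark_match"] = (traverse([Rule("NFQUEUE")], p), p.queued)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Run it with `python3 nfq_repeat_demo.py`: the first case shows the packet queued exactly once with mark 1, the two "down" cases show why the bypass is only on the SSH rules, and the last case shows why every rule that sends traffic to Suricata in repeat mode needs the `! --mark 1/1` match.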