[PATCH] IDS: Allow to inspect traffic from or to OpenVPN

[Stefan Schantl <stefan.schantl@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3054 bytes --]

This commit allows to configure suricata to monitor traffic from or to
OpenVPN tunnels. This includes the RW server and all established N2N
connections.

Because the RW server and/or each N2N connection uses it's own tun?
device, it is only possible to enable monitoring all of them or to disable
monitoring entirely.

Fixes #12111.

Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
 html/cgi-bin/ids.cgi            | 10 ++++++++--
 src/initscripts/system/suricata | 18 +++++++++++++++++-
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index da009f891..2a8a7cb26 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -49,6 +49,11 @@ my %ignored=();
 # the list of zones in an array.
 my @network_zones = &IDS::get_available_network_zones();
 
+# Check if openvpn is started and add it to the array of network zones.
+if ( -e "/var/run/openvpn.pid") {
+	push(@network_zones, "ovpn");
+}
+
 my $errormessage;
 
 # Create files if they does not exist yet.
@@ -59,7 +64,8 @@ my %colourhash = (
 	'red' => $Header::colourred,
 	'green' => $Header::colourgreen,
 	'blue' => $Header::colourblue,
-	'orange' => $Header::colourorange
+	'orange' => $Header::colourorange,
+	'ovpn' => $Header::colourovpn
 );
 
 &Header::showhttpheaders();
@@ -839,7 +845,7 @@ END
 			$checked_input = "checked = 'checked'";
 		}
 
-		print "<td class='base' width='25%'>\n";
+		print "<td class='base' width='20%'>\n";
 		print "<input type='checkbox' name='ENABLE_IDS_$zone_upper' $checked_input>\n";
 		print "&nbsp;$Lang::tr{'enabled on'}<font color='$colourhash{$zone}'> $Lang::tr{$zone_name}</font>\n";
 		print "</td>\n";
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 27ab2e4e8..29e58a7e2 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -29,7 +29,7 @@ IPS_OUTPUT_CHAIN="IPS_OUTPUT"
 NFQ_OPTS="--queue-bypass "
 
 # Array containing the 4 possible network zones.
-network_zones=( red green blue orange )
+network_zones=( red green blue orange ovpn )
 
 # Array to store the network zones weather the IPS is enabled for.
 enabled_ips_zones=()
@@ -86,6 +86,22 @@ function generate_fw_rules {
 			if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then
 				# Set device name to ppp0.
 				network_device="ppp0"
+			elif [ "$zone" == "ovpn" ]; then
+				# Get all virtual net devices because the RW server and each
+				# N2N connection creates it's own tun device.
+				for virt_dev in /sys/devices/virtual/net/*; do
+					# Cut-off the directory.
+					dev="${virt_dev##*/}"
+
+					# Only process tun devices.
+					if [[ $dev =~ "tun" ]]; then
+						# Add the network device to the array of enabled zones.
+						enabled_ips_zones+=( "$dev" )
+					fi
+				done
+
+				# Process next zone.
+				continue
 			else
 				# Generate variable name which contains the device name.
 				zone_name="$zone_upper"
-- 
2.24.0