From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 5/9] suricata: Always append rules instead of inserting them
Date: Mon, 18 Oct 2021 10:10:18 +0000
Message-ID: <20211018101022.15448-5-michael.tremer@ipfire.org>
In-Reply-To: <20211018101022.15448-1-michael.tremer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3351396929404087746=="
List-Id:
--===============3351396929404087746==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
This allows us to add rules in a consistent order like they are in the script.
Signed-off-by: Michael Tremer
---
src/initscripts/system/suricata | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 981471c7c..5ccea9391 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -139,12 +139,12 @@ function generate_fw_rules {
 # Loop through the array and create firewall rules.
 for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
 # Create rules queue input and output related traffic and pass it to the = IPS.
- iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark= "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
- iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mar= k "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark= "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mar= k "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
=20
 # Create rules which are required to handle forwarded traffic.
 for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
- iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_= ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE= $NFQ_OPTIONS
+ iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_= ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE= $NFQ_OPTIONS
 done
 done
=20
--=20
2.20.1
--===============3351396929404087746==--
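Review bot: The switch from -I to -A only produces the order the commit message promises if "$IPS_INPUT_CHAIN", "$IPS_OUTPUT_CHAIN" and "$IPS_FORWARD_CHAIN" are empty when this loop runs; any rule already present in those chains (left over from an earlier run, or added by another script) now sits ahead of the NFQUEUE rules, and a terminating rule there would bypass the IPS silently, whereas -I used to put the new rules first regardless. generate_fw_rules begins before this hunk, so I cannot see whether the chains are flushed first — please confirm, and document the dependency above the loop with something like `# Append (-A), not insert (-I): rules are evaluated in the order written here, so the IPS chains must be flushed before this loop.`. The unquoted $NFQ_OPTIONS on all three lines is pre-existing and relies on word-splitting; it is fine as long as that variable only ever holds option tokens, but a `# shellcheck disable=SC2086` with a reason would make that intent explicit.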