From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject:
 [PATCH 6/9] suricata: Add rule to skip IPS if a packet has the bypass bit set
Date: Mon, 18 Oct 2021 10:10:19 +0000
Message-ID: <20211018101022.15448-6-michael.tremer@ipfire.org>
In-Reply-To: <20211018101022.15448-1-michael.tremer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0977470260237772507=="
List-Id: <development.lists.ipfire.org>

--===============0977470260237772507==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/suricata | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 5ccea9391..2577621b8 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -134,6 +134,12 @@ function generate_fw_rules {
 	# Flush the firewall chains.
 	flush_fw_chain
=20
+	# Skip anything that has the bypass bit set
+	local chain
+	for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAI=
N}"; do
+		iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -=
j RETURN
+	done
+
 	# Check if the array of enabled_ips_zones contains any elements.
 	if [[ ${enabled_ips_zones[@]} ]]; then
 		# Loop through the array and create firewall rules.
--=20
2.20.1


--===============0977470260237772507==--