Addressing #13764

Addressing #13764

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1872 bytes --]

this a patchset that addresses a bug reported by Dan as #13764.

Suricata and/or NFQUEUE end up in some undefined behaviour where packets
will be accepted when Suricata goes away (in this case it is being
killed by the OOM killer). This results in the firewall exposing all
ports on all interfaces which is a serious problem.

Although we actually configure the queue to simply bypass (as in no
longer enqueue) packets when Suricata dies, the kernel always seems to
end up in this scenario.

We cannot prevent that Suricata might die, but we will have to make sure
that the firewall does not change behaviour. This is now being done by
moving the IPS to the mangle table. The behaviour will be the same, but
an ACCEPT action on the mangle table will not accept the packet, it will
just terminate processing traffic in that table. We further ensure that
this is not going to be a problem by moving the NFQUEUE rule to the end.
If it is being skipped, this is not a problem as we will only stop
processing packets which won't be a problem as Suricata has gone away
anyways.

I believe that this is a better way to integrate Suricata, but it will
change the behaviour of the firewall in that sense that the IPS is now
the first thing that will see a packet. The location filter, IP
blocklists and so on will all come after. I personally do not consider
this a problem, but I wanted to make sure this is documented.

We now make more use of marking packets which might need to be
benchmarked in order to ensure that this is not introducing any
performance penalty.

Furthermore this patchset adds support for WireGuard and made some
improvements on the web UI which used some broken tables and a lot of
empty space on the screen.

Please test this and give me feedback if these changes introduce any
regressions. I believe we want to release this with c189.

Best,
-Michael

[PATCH 01/20] suricata: Move the IPS into the mangle table

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 7163 bytes --]

This should make the IPS more efficient, we should have fewer rules and
the IPS will now sit at the edge of the networking stack as it will see
packets immediately when they come and and just before they leave.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/firewall |  23 +------
 src/initscripts/system/suricata | 108 +++++++++++---------------------
 2 files changed, 39 insertions(+), 92 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 6727e4a20..39d9c0f23 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -39,11 +39,6 @@ fi
 
 NAT_MASK="0x0f000000"
 
-IPS_REPEAT_MARK="0x80000000"
-IPS_REPEAT_MASK="0x80000000"
-IPS_BYPASS_MARK="0x40000000"
-IPS_BYPASS_MASK="0x40000000"
-
 IPSET_DB_DIR="/var/lib/location/ipset"
 
 SYNPROXY_OPTIONS=(
@@ -84,16 +79,6 @@ iptables_init() {
 	modprobe nf_log_ipv4
 	sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4
 
-	# IPS Bypass Chain which stores the BYPASS bit in connection tracking
-	iptables -N IPSBYPASS
-	iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))"
-
-	# Jump into bypass chain when the BYPASS bit is set
-	for chain in INPUT FORWARD OUTPUT; do
-		iptables -A "${chain}" -m mark \
-			--mark "$(( IPS_REPEAT_MARK | IPS_BYPASS_MARK ))/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j IPSBYPASS
-	done
-
 	# Empty LOG_DROP and LOG_REJECT chains
 	iptables -N LOG_DROP
 	iptables -A LOG_DROP   -m limit --limit 10/second -j LOG
@@ -237,12 +222,10 @@ iptables_init() {
 	iptables -A FORWARD -o tun+ -j OVPNBLOCK
 
 	# IPS (Suricata) chains
-	iptables -N IPS_INPUT
-	iptables -N IPS_FORWARD
-	iptables -N IPS_OUTPUT
+	iptables -t mangle -N IPS
 
-	for chain in INPUT FORWARD OUTPUT; do
-		iptables -A "${chain}" -m mark --mark "0x0/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j "IPS_${chain}"
+	for chain in PREROUTING POSTROUTING; do
+		iptables -t mangle -A "${chain}" -j IPS
 	done
 
 	# OpenVPN transfer network translation
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 79f9478c3..253ece117 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -27,13 +27,20 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
 eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 
+IPS_REPEAT_MARK="0x80000000"
+IPS_REPEAT_MASK="0x80000000"
+IPS_BYPASS_MARK="0x40000000"
+IPS_BYPASS_MASK="0x40000000"
+
 # Name of the firewall chains.
 IPS_INPUT_CHAIN="IPS_INPUT"
 IPS_FORWARD_CHAIN="IPS_FORWARD"
 IPS_OUTPUT_CHAIN="IPS_OUTPUT"
 
 # Optional options for the Netfilter queue.
-NFQ_OPTS="--queue-bypass "
+NFQ_OPTS=(
+	"--queue-bypass"
+)
 
 # Array containing the 4 possible network zones.
 network_zones=( red green blue orange ovpn )
@@ -64,91 +71,48 @@ function get_cpu_count {
 
 # Function to flush the firewall chains.
 function flush_fw_chain {
-	# Call iptables and flush the chains
-	iptables -w -F "$IPS_INPUT_CHAIN"
-	iptables -w -F "$IPS_FORWARD_CHAIN"
-	iptables -w -F "$IPS_OUTPUT_CHAIN"
+	iptables -w -t mangle -F IPS
 }
 
 # Function to create the firewall rules to pass the traffic to suricata.
 function generate_fw_rules {
-	cpu_count=$(get_cpu_count)
-
-	# Loop through the array of network zones.
-	for zone in "${network_zones[@]}"; do
-		# Convert zone into upper case.
-		zone_upper=${zone^^}
-
-		# Generate variable name for checking if the IDS is
-		# enabled on the zone.
-		enable_ids_zone="ENABLE_IDS_$zone_upper"
-
-		# Check if the IDS is enabled for this network zone.
-		if [ "${!enable_ids_zone}" == "on" ]; then
-			# Check if the current processed zone is "red" and the configured type is PPPoE dialin.
-			if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ] && [ "$RED_DRIVER" != "qmi_wwan" ]; then
-				# Set device name to ppp0.
-				network_device="ppp0"
-			elif [ "$zone" == "ovpn" ]; then
-				# Get all virtual net devices because the RW server and each
-				# N2N connection creates it's own tun device.
-				for virt_dev in /sys/devices/virtual/net/*; do
-					# Cut-off the directory.
-					dev="${virt_dev##*/}"
-
-					# Only process tun devices.
-					if [[ $dev =~ "tun" ]]; then
-						# Add the network device to the array of enabled zones.
-						enabled_ips_zones+=( "$dev" )
-					fi
-				done
-
-				# Process next zone.
-				continue
-			else
-				# Generate variable name which contains the device name.
-				zone_name="$zone_upper"
-				zone_name+="_DEV"
-
-				# Grab device name.
-				network_device=${!zone_name}
-			fi
-
-			# Add the network device to the array of enabled zones.
-			enabled_ips_zones+=( "$network_device" )
-		fi
-	done
-
 	# Assign NFQ_OPTS
-	NFQ_OPTIONS=$NFQ_OPTS
+	local NFQ_OPTIONS=( "${NFQ_OPTS[@]}" )
+
+	local cpu_count="$(get_cpu_count)"
 
 	# Check if there are multiple cpu cores available.
 	if [ "$cpu_count" -gt "1" ]; then
-		# Balance beetween all queues.
-		NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))"
-		NFQ_OPTIONS+=" --queue-cpu-fanout"
+		# Balance beetween all queues
+		NFQ_OPTIONS+=(
+			"--queue-balance" "0:$(($cpu_count-1))"
+			"--queue-cpu-fanout"
+		)
 	else
-		# Send all packets to queue 0.
-		NFQ_OPTIONS+="--queue-num 0"
+		# Send all packets to queue 0
+		NFQ_OPTIONS+=(
+			"--queue-num" "0"
+		)
 	fi
 
 	# Flush the firewall chains.
 	flush_fw_chain
 
-	# Check if the array of enabled_ips_zones contains any elements.
-	if [[ ${enabled_ips_zones[@]} ]]; then
-		# Loop through the array and create firewall rules.
-		for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
-			# Create rules queue input and output related traffic and pass it to the IPS.
-			iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
-			iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
-
-			# Create rules which are required to handle forwarded traffic.
-			for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
-				iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -j NFQUEUE $NFQ_OPTIONS
-			done
-		done
-	fi
+	# Don't process packets where the IPS has requested to bypass the stream
+	iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" -j RETURN
+
+	# Don't process packets that have already been seen by the IPS
+	iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN
+
+	# Send packets to suricata
+	iptables -w -t mangle -A IPS -j NFQUEUE "${NFQ_OPTIONS[@]}"
+
+	# If suricata decided to bypass a stream, we will store the mark in the connection tracking table
+	iptables -w -t mangle -A IPS \
+		-m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" \
+		-j CONNMARK --save-mark --mask "$(( IPS_BYPASS_MASK ))"
+
+	return 0
 }
 
 case "$1" in
-- 
2.39.2

[PATCH 02/20] initscripts: Fix bash function definitions in suricata

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 985 bytes --]

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/suricata | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 253ece117..0c60c5119 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -52,7 +52,7 @@ enabled_ips_zones=()
 PID_FILE="/var/run/suricata.pid"
 
 # Function to get the amount of CPU cores of the system.
-function get_cpu_count {
+get_cpu_count() {
 	CPUCOUNT=0
 
 	# Loop through "/proc/cpuinfo" and count the amount of CPU cores.
@@ -70,12 +70,12 @@ function get_cpu_count {
 }
 
 # Function to flush the firewall chains.
-function flush_fw_chain {
+flush_fw_chain() {
 	iptables -w -t mangle -F IPS
 }
 
 # Function to create the firewall rules to pass the traffic to suricata.
-function generate_fw_rules {
+generate_fw_rules() {
 	# Assign NFQ_OPTS
 	local NFQ_OPTIONS=( "${NFQ_OPTS[@]}" )
 
-- 
2.39.2

[PATCH 03/20] suricata: Use getconf to determine the number of processors

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1366 bytes --]

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/suricata | 20 +-------------------
 1 file changed, 1 insertion(+), 19 deletions(-)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 0c60c5119..06ad21afa 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -51,24 +51,6 @@ enabled_ips_zones=()
 # PID file of suricata.
 PID_FILE="/var/run/suricata.pid"
 
-# Function to get the amount of CPU cores of the system.
-get_cpu_count() {
-	CPUCOUNT=0
-
-	# Loop through "/proc/cpuinfo" and count the amount of CPU cores.
-	while read line; do
-		[ "$line" ] && [ -z "${line%processor*}" ]  && ((CPUCOUNT++))
-	done </proc/cpuinfo
-
-	# Limit to a maximum of 16 cores, because suricata does not support more than
-	# 16 netfilter queues at the moment.
-	if [ $CPUCOUNT -gt "16" ]; then
-		echo "16"
-	else
-		echo $CPUCOUNT
-	fi
-}
-
 # Function to flush the firewall chains.
 flush_fw_chain() {
 	iptables -w -t mangle -F IPS
@@ -79,7 +61,7 @@ generate_fw_rules() {
 	# Assign NFQ_OPTS
 	local NFQ_OPTIONS=( "${NFQ_OPTS[@]}" )
 
-	local cpu_count="$(get_cpu_count)"
+	local cpu_count="$(getconf _NPROCESSORS_ONLN)"
 
 	# Check if there are multiple cpu cores available.
 	if [ "$cpu_count" -gt "1" ]; then
-- 
2.39.2

[PATCH 04/20] suricata: Remove some unused constants

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 919 bytes --]

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/suricata | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 06ad21afa..c307e358c 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -32,22 +32,11 @@ IPS_REPEAT_MASK="0x80000000"
 IPS_BYPASS_MARK="0x40000000"
 IPS_BYPASS_MASK="0x40000000"
 
-# Name of the firewall chains.
-IPS_INPUT_CHAIN="IPS_INPUT"
-IPS_FORWARD_CHAIN="IPS_FORWARD"
-IPS_OUTPUT_CHAIN="IPS_OUTPUT"
-
 # Optional options for the Netfilter queue.
 NFQ_OPTS=(
 	"--queue-bypass"
 )
 
-# Array containing the 4 possible network zones.
-network_zones=( red green blue orange ovpn )
-
-# Array to store the network zones weather the IPS is enabled for.
-enabled_ips_zones=()
-
 # PID file of suricata.
 PID_FILE="/var/run/suricata.pid"
 
-- 
2.39.2

[PATCH 05/20] suricata: Add whitelist to iptables

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1325 bytes --]

This allows us to workaround better against any problems in Suricata
because we never send any whitelisted packets to the IPS in the first
place.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/suricata | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index c307e358c..14b48b5bd 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -75,6 +75,21 @@ generate_fw_rules() {
 	# Don't process packets that have already been seen by the IPS
 	iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN
 
+	# Never send any whitelisted packets to the IPS
+	if [ -r "/var/ipfire/suricata/ignored" ]; then
+		local id network remark enabled rest
+
+		while IFS=',' read -r id network remark enabled rest; do
+			echo "$network"
+			echo "$remark"
+			# Skip disabled entries
+			[ "${enabled}" = "enabled" ] || continue
+
+			iptables -w -t mangle -A IPS -s "${network}" -j RETURN
+			iptables -w -t mangle -A IPS -d "${network}" -j RETURN
+		done < "/var/ipfire/suricata/ignored"
+	fi
+
 	# Send packets to suricata
 	iptables -w -t mangle -A IPS -j NFQUEUE "${NFQ_OPTIONS[@]}"
 
-- 
2.39.2

[PATCH 06/20] suricata: Replace removed CPU count function

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 607 bytes --]

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/suricata | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 14b48b5bd..30a81333f 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -103,8 +103,8 @@ generate_fw_rules() {
 
 case "$1" in
         start)
-		# Get amount of CPU cores.
-		cpu_count=$(get_cpu_count)
+		# Get amount of CPU cores
+		cpu_count="$(getconf _NPROCESSORS_ONLN)"
 
 		# Numer of NFQUES.
 		NFQUEUES="-q 0"
-- 
2.39.2

[PATCH 07/20] suricata: Be more efficient with marks

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 2972 bytes --]

This patch changes that we introduce a new mark which allows us to
identify any newly bypassed connections and permanently store the bypass
flag.

We also only restore marks from the connection tracking when a packet
has no marks, yet.

Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/firewall |  2 +-
 src/initscripts/system/suricata | 20 +++++++++++++-------
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 39d9c0f23..5d37cffd7 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -160,7 +160,7 @@ iptables_init() {
 	iptables -A CTOUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
 
 	# Restore any connection marks
-	iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
+	iptables -t mangle -A PREROUTING -m mark --mark 0 -j CONNMARK --restore-mark
 
 	# Fix for braindead ISPs
 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 30a81333f..20afab130 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -29,8 +29,14 @@ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 
 IPS_REPEAT_MARK="0x80000000"
 IPS_REPEAT_MASK="0x80000000"
-IPS_BYPASS_MARK="0x40000000"
-IPS_BYPASS_MASK="0x40000000"
+
+# The IPS requested that this connection is being bypassed
+IPS_BYPASS_REQUESTED_MARK="0x40000000"
+IPS_BYPASS_REQUESTED_MASK="0x40000000"
+
+# Marks a connection to be bypassed
+IPS_BYPASS_MARK="0x20000000"
+IPS_BYPASS_MASK="0x20000000"
 
 # Optional options for the Netfilter queue.
 NFQ_OPTS=(
@@ -72,6 +78,11 @@ generate_fw_rules() {
 	# Don't process packets where the IPS has requested to bypass the stream
 	iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" -j RETURN
 
+	# If suricata decided to bypass a stream, we will store the mark in the connection tracking table
+	iptables -w -t mangle -A IPS \
+		-m mark --mark "$(( IPS_BYPASS_REQUESTED_MARK ))/$(( IPS_BYPASS_REQUESTED_MASK ))" \
+		-j CONNMARK --set-mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))"
+
 	# Don't process packets that have already been seen by the IPS
 	iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN
 
@@ -93,11 +104,6 @@ generate_fw_rules() {
 	# Send packets to suricata
 	iptables -w -t mangle -A IPS -j NFQUEUE "${NFQ_OPTIONS[@]}"
 
-	# If suricata decided to bypass a stream, we will store the mark in the connection tracking table
-	iptables -w -t mangle -A IPS \
-		-m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" \
-		-j CONNMARK --save-mark --mask "$(( IPS_BYPASS_MASK ))"
-
 	return 0
 }
 
-- 
2.39.2

[PATCH 08/20] suricata: Add a watcher to restart on unexpected termination

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 5068 bytes --]

This patch adds a watcher process that will restart suricata when it is
being killed by SIGKILL (e.g. by the OOM killer) or after a SEGV.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 config/rootfiles/common/suricata |  1 +
 config/suricata/suricata-watcher | 55 ++++++++++++++++++++++++++++++++
 lfs/suricata                     |  3 ++
 src/initscripts/system/suricata  | 16 ++--------
 4 files changed, 61 insertions(+), 14 deletions(-)
 create mode 100644 config/suricata/suricata-watcher

diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata
index 53224d006..8fe53f7e6 100644
--- a/config/rootfiles/common/suricata
+++ b/config/rootfiles/common/suricata
@@ -1,6 +1,7 @@
 etc/suricata
 etc/suricata/suricata.yaml
 usr/bin/suricata
+usr/bin/suricata-watcher
 usr/sbin/convert-ids-backend-files
 #usr/share/doc/suricata
 #usr/share/doc/suricata/AUTHORS
diff --git a/config/suricata/suricata-watcher b/config/suricata/suricata-watcher
new file mode 100644
index 000000000..a1a13d40c
--- /dev/null
+++ b/config/suricata/suricata-watcher
@@ -0,0 +1,55 @@
+#!/bin/bash
+###############################################################################
+#                                                                             #
+# IPFire.org - A Linux-based Firewall                                         #
+# Copyright (C) 2024  IPFire Team  <info(a)ipfire.org>                          #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+PIDFILE="/var/run/suricata.pid"
+
+main() {
+	local ret
+
+	while :; do
+		# Launch suricata
+		/usr/bin/suricata "$@" &>/dev/null
+
+		# Wait until suricata is done
+		ret=$?
+
+		case "${ret}" in
+			# If suricata has been killed by SIGKILL (e.g. by
+			# the OOM killer, or if it ran into a SEGV, we will
+			# restart the process.
+			137|139)
+				# Remove the PID file
+				unlink "${PIDFILE}" 2>/dev/null
+
+				sleep 1
+				continue
+				;;
+
+			*)
+				break
+				;;
+		esac
+	done
+
+	return ${ret}
+}
+
+main "$@" || return $?
diff --git a/lfs/suricata b/lfs/suricata
index 88f3c4575..dcee61ea1 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -132,5 +132,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	# Install converter script needed for Core Update 167
 	install -m 0755 $(DIR_SRC)/config/suricata/convert-ids-backend-files /usr/sbin/convert-ids-backend-files
 
+	# Install the watcher
+	install -v -m 755 $(DIR_SRC)/config/suricata/suricata-watcher /usr/bin/suricata-watcher
+
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 20afab130..40bd69c87 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -123,12 +123,9 @@ case "$1" in
 		if [ "$ENABLE_IDS" == "on" ]; then
 			# Start the IDS.
 			boot_mesg "Starting Intrusion Detection System..."
-			/usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES >/dev/null 2>/dev/null
+			/usr/bin/suricata-watcher -c /etc/suricata/suricata.yaml $NFQUEUES
 			evaluate_retval
 
-			# Allow reading the pidfile.
-			chmod 644 $PID_FILE
-
 			# Flush the firewall chain
 			flush_fw_chain
 
@@ -139,20 +136,11 @@ case "$1" in
 
         stop)
 		boot_mesg "Stopping Intrusion Detection System..."
-		killproc -p $PID_FILE /var/run
+		killproc /usr/bin/suricata
 
 		# Flush firewall chain.
 		flush_fw_chain
 
-		# Sometimes suricata not correct shutdown. So killall.
-		killall -KILL /usr/bin/suricata 2>/dev/null
-
-		# Remove suricata control socket.
-		rm /var/run/suricata/* >/dev/null 2>/dev/null
-
-		# Trash remain pid file if still exists.
-		rm -f $PID_FILE >/dev/null 2>/dev/null
-
 		# Don't report returncode of rm if suricata was not started
 		exit 0
         ;;
-- 
2.39.2

[PATCH 09/20] suricata: Start the new watcher in the background

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 970 bytes --]

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/suricata | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 40bd69c87..455715d1b 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -43,9 +43,6 @@ NFQ_OPTS=(
 	"--queue-bypass"
 )
 
-# PID file of suricata.
-PID_FILE="/var/run/suricata.pid"
-
 # Function to flush the firewall chains.
 flush_fw_chain() {
 	iptables -w -t mangle -F IPS
@@ -123,8 +120,7 @@ case "$1" in
 		if [ "$ENABLE_IDS" == "on" ]; then
 			# Start the IDS.
 			boot_mesg "Starting Intrusion Detection System..."
-			/usr/bin/suricata-watcher -c /etc/suricata/suricata.yaml $NFQUEUES
-			evaluate_retval
+			loadproc -b /usr/bin/suricata-watcher -c /etc/suricata/suricata.yaml $NFQUEUES
 
 			# Flush the firewall chain
 			flush_fw_chain
-- 
2.39.2

[PATCH 10/20] suricata: Restore the interface selection

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 3367 bytes --]

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/networking/functions.network | 48 ++++++++++++++++++++
 src/initscripts/system/suricata              | 32 +++++++++++++
 2 files changed, 80 insertions(+)

diff --git a/src/initscripts/networking/functions.network b/src/initscripts/networking/functions.network
index e134d0cce..c189c2fbc 100644
--- a/src/initscripts/networking/functions.network
+++ b/src/initscripts/networking/functions.network
@@ -54,6 +54,54 @@ bin2ip() {
 	echo "${address[*]}"
 }
 
+network_get_intf() {
+	local zone="${1}"
+
+	case "${zone}" in
+		RED)
+			# For PPPoE, the RED interface is called ppp0 (unless we use QMI)
+			if [ "${RED_TYPE}" = "PPPOE" ] && [ "${RED_DRIVER}" != "qmi_wwan" ]; then
+				echo "ppp0"
+				return 0
+
+			# Otherwise we return RED_DEV
+			elif [ -n "${RED_DEV}" ]; then
+				echo "${RED_DEV}"
+				return 0
+			fi
+			;;
+
+		GREEN)
+			if [ -n "${GREEN_DEV}" ]; then
+				echo "${GREEN_DEV}"
+				return 0
+			fi
+			;;
+
+		ORANGE)
+			if [ -n "${ORANGE_DEV}" ]; then
+				echo "${ORANGE_DEV}"
+				return 0
+			fi
+			;;
+
+		BLUE)
+			if [ -n "${BLUE_DEV}" ]; then
+				echo "${BLUE_DEV}"
+				return 0
+			fi
+			;;
+
+		OPENVPN|OVPN)
+			# OpenVPN is using all tun devices
+			echo "tun+"
+			;;
+	esac
+
+	# Not found
+	return 1
+}
+
 network_get_address() {
 	local network="${1}"
 
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 455715d1b..8a1740528 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -21,6 +21,7 @@
 
 . /etc/sysconfig/rc
 . ${rc_functions}
+. /etc/init.d/networking/functions.network
 
 PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
 
@@ -38,6 +39,13 @@ IPS_BYPASS_REQUESTED_MASK="0x40000000"
 IPS_BYPASS_MARK="0x20000000"
 IPS_BYPASS_MASK="0x20000000"
 
+# Set if we request to scan this packet
+IPS_SCAN_MARK="0x10000000"
+IPS_SCAN_MASK="0x10000000"
+
+# Supported network zones
+NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "OVPN" )
+
 # Optional options for the Netfilter queue.
 NFQ_OPTS=(
 	"--queue-bypass"
@@ -83,6 +91,30 @@ generate_fw_rules() {
 	# Don't process packets that have already been seen by the IPS
 	iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN
 
+	local zone
+	local status
+	local intf
+
+	# Mark packets for all zones that we want to scan
+	for zone in "${NETWORK_ZONES[@]}"; do
+		status="ENABLE_IDS_${zone}"
+
+		if [ "${!status}" = "on" ]; then
+			intf="$(network_get_intf "${zone}")"
+
+			# Skip if we could not determine an interface
+			if [ -z "${intf}" ]; then
+				continue
+			fi
+
+			iptables -w -t mangle -A IPS -i "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+			iptables -w -t mangle -A IPS -o "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+		fi
+	done
+
+	# Don't keep processing packets we don't want to scan
+	iptables -w -t mangle -A IPS -m mark ! --mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))" -j RETURN
+
 	# Never send any whitelisted packets to the IPS
 	if [ -r "/var/ipfire/suricata/ignored" ]; then
 		local id network remark enabled rest
-- 
2.39.2

[PATCH 11/20] suricata: Remove superfluous bits from the initscript

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 830 bytes --]

I don't know why these hacks are here.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/suricata | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 8a1740528..73b4fb523 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -23,8 +23,6 @@
 . ${rc_functions}
 . /etc/init.d/networking/functions.network
 
-PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
-
 eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 
@@ -198,5 +196,3 @@ case "$1" in
                 exit 1
                 ;;
 esac
-
-chmod 644 /var/log/suricata/* 2>/dev/null
-- 
2.39.2

[PATCH 12/20] suricata: Don't load /var/ipfire/ethernet/settings

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 674 bytes --]

We no longer need this directly as it is being pulled in from the
network functions.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/suricata | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 73b4fb523..0447b7e8c 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -24,7 +24,6 @@
 . /etc/init.d/networking/functions.network
 
 eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
-eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 
 IPS_REPEAT_MARK="0x80000000"
 IPS_REPEAT_MASK="0x80000000"
-- 
2.39.2

[PATCH 13/20] suricata: Add option to scan WireGuard

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 3746 bytes --]

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 doc/language_missings                        | 8 ++++++++
 html/cgi-bin/ids.cgi                         | 6 +++++-
 langs/en/cgi-bin/en.pl                       | 1 +
 src/initscripts/networking/functions.network | 6 ++++++
 src/initscripts/system/suricata              | 2 +-
 5 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/doc/language_missings b/doc/language_missings
index 98856b0e8..94adb28d8 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -103,6 +103,7 @@
 < upload fcdsl.o
 < user management
 < vpn configuration main
+< wg
 < winbind daemon
 < wireguard
 < wlanap 802.11w disabled
@@ -156,6 +157,7 @@
 < timeformat
 < transport mode does not support vti
 < warning
+< wg
 < wireguard
 < wlanap
 < wlanap psk
@@ -185,6 +187,7 @@
 < timeformat
 < upload fcdsl.o
 < warning
+< wg
 < wireguard
 < wlanap psk
 < wlanap wireless mode
@@ -668,6 +671,7 @@
 < vulnerable
 < warning
 < Weekly
+< wg
 < whois results from
 < winbind daemon
 < wireguard
@@ -1229,6 +1233,7 @@
 < vulnerable
 < warning
 < Weekly
+< wg
 < whois results from
 < winbind daemon
 < wireguard
@@ -2205,6 +2210,7 @@
 < vulnerable
 < warning
 < Weekly
+< wg
 < whois results from
 < winbind daemon
 < wireguard
@@ -3218,6 +3224,7 @@
 < warning
 < week-graph
 < Weekly
+< wg
 < whois results from
 < winbind daemon
 < wireguard
@@ -3608,6 +3615,7 @@
 < vulnerable
 < warning
 < Weekly
+< wg
 < whois results from
 < winbind daemon
 < wireguard
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index 502e2a125..00cc502f1 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -53,6 +53,9 @@ my %ignored=();
 # the list of zones in an array.
 my @network_zones = &Network::get_available_network_zones();
 
+# Always show Wireguard
+push(@network_zones, "wg");
+
 # Check if openvpn is started and add it to the array of network zones.
 if ( -e "/var/run/openvpn.pid") {
 	push(@network_zones, "ovpn");
@@ -69,7 +72,8 @@ my %colourhash = (
 	'green' => $Header::colourgreen,
 	'blue' => $Header::colourblue,
 	'orange' => $Header::colourorange,
-	'ovpn' => $Header::colourovpn
+	'ovpn' => $Header::colourovpn,
+	'wg' => $Header::colourwg,
 );
 
 &Header::showhttpheaders();
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index dca9f1645..6a455ab6d 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -3020,6 +3020,7 @@
 'week-graph' => 'Week',
 'weekly firewallhits' => 'weekly firewallhits',
 'weeks' => 'Weeks',
+'wg' => 'WireGuard',
 'whois results from' => 'WHOIS results from',
 'wildcards' => 'Wildcards',
 'winbind daemon' => 'Winbind Daemon',
diff --git a/src/initscripts/networking/functions.network b/src/initscripts/networking/functions.network
index c189c2fbc..02ac6b8fe 100644
--- a/src/initscripts/networking/functions.network
+++ b/src/initscripts/networking/functions.network
@@ -92,9 +92,15 @@ network_get_intf() {
 			fi
 			;;
 
+		WIREGUARD|WG)
+			echo "wg+"
+			return 0
+			;;
+
 		OPENVPN|OVPN)
 			# OpenVPN is using all tun devices
 			echo "tun+"
+			return 0
 			;;
 	esac
 
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 0447b7e8c..6990b79ca 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -41,7 +41,7 @@ IPS_SCAN_MARK="0x10000000"
 IPS_SCAN_MASK="0x10000000"
 
 # Supported network zones
-NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "OVPN" )
+NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "WG" "OVPN" )
 
 # Optional options for the Netfilter queue.
 NFQ_OPTS=(
-- 
2.39.2

[PATCH 14/20] suricata: Fix broken spacing in the settings section

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 2471 bytes --]

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/ids.cgi | 45 +++++++++++++++++++++++++-------------------
 1 file changed, 26 insertions(+), 19 deletions(-)

diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index 00cc502f1..deebb3ad3 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -1017,30 +1017,29 @@ sub show_mainpage() {
 
 	# Only show this area, if at least one ruleset provider is configured.
 	if (%used_providers) {
+		my $num_zones = scalar @network_zones;
 
 print <<END
-
-		<br><br><h2>$Lang::tr{'settings'}</h2>
+		<br>
 
 		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
 			<table width='100%' border='0'>
 				<tr>
-					<td class='base' colspan='2'>
+					<td colspan='$num_zones'>
 						<input type='checkbox' name='ENABLE_IDS' $checked{'ENABLE_IDS'}{'on'}>&nbsp;$Lang::tr{'ids enable'}
 					</td>
-
-				</td>
 				</tr>
 
-				<tr>
-					<td><br><br></td>
-					<td><br><br></td>
-					<td><br><br></td>
-					<td><br><br></td>
+				<tr> <!-- empty row for spacing -->
+					<td colspan='$num_zones'>
+						&nbsp;
+					</td>
 				</tr>
 
 				<tr>
-					<td colspan='4'><b>$Lang::tr{'ids monitored interfaces'}</b><br></td>
+					<td colspan='$num_zones'>
+						<b>$Lang::tr{'ids monitored interfaces'}</b>
+					</td>
 				</tr>
 
 				<tr>
@@ -1068,21 +1067,29 @@ END
 				$checked_input = "checked = 'checked'";
 			}
 
-			print "<td class='base' width='20%'>\n";
-			print "<input type='checkbox' name='ENABLE_IDS_$zone_upper' $checked_input>\n";
-			print "&nbsp;$Lang::tr{'enabled on'}<font color='$colourhash{$zone}'> $Lang::tr{$zone_name}</font>\n";
-			print "</td>\n";
+			print <<END;
+				<td>
+					<label>
+						<input type='checkbox' name='ENABLE_IDS_$zone_upper' $checked_input>
+						&nbsp; $Lang::tr{'enabled on'}<font color='$colourhash{$zone}'> $Lang::tr{$zone_name}</font>
+					</label>
+				</td>
+END
 		}
 
 print <<END
 				</tr>
-			</table>
 
-			<br><br>
+				<tr> <!-- empty row for spacing -->
+					<td colspan='$num_zones'>
+						&nbsp;
+					</td>
+				</tr>
 
-			<table width='100%'>
 				<tr>
-					<td align='right'><input type='submit' name='IDS' value='$Lang::tr{'save'}' /></td>
+					<td colspan='$num_zones' align='right'>
+						<input type='submit' name='IDS' value='$Lang::tr{'save'}' />
+					</td>
 				</tr>
 			</table>
 		</form>
-- 
2.39.2

[PATCH 15/20] ids.cgi: Use new style tables for rulesets

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 20111 bytes --]

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 doc/language_issues.de |  1 +
 doc/language_issues.en |  3 ++-
 doc/language_issues.es |  3 +++
 doc/language_issues.fr |  3 +++
 doc/language_issues.it |  3 ++-
 doc/language_issues.nl |  3 ++-
 doc/language_issues.pl |  3 ++-
 doc/language_issues.ru |  3 ++-
 doc/language_issues.tr |  3 ++-
 doc/language_missings  | 14 ++++++++++++++
 html/cgi-bin/ids.cgi   | 26 ++++++++------------------
 langs/de/cgi-bin/de.pl |  2 ++
 langs/en/cgi-bin/en.pl |  2 ++
 13 files changed, 45 insertions(+), 24 deletions(-)

diff --git a/doc/language_issues.de b/doc/language_issues.de
index b3d7082df..bd335de41 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -400,6 +400,7 @@ WARNING: translation string unused: icmp type
 WARNING: translation string unused: id
 WARNING: translation string unused: ids oinkcode required
 WARNING: translation string unused: ids rules update
+WARNING: translation string unused: ids ruleset settings
 WARNING: translation string unused: ids unsupported provider
 WARNING: translation string unused: ike encryption
 WARNING: translation string unused: ike grouptype
diff --git a/doc/language_issues.en b/doc/language_issues.en
index 3aa4e9bd8..5063749c4 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -1070,7 +1070,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc
 WARNING: untranslated string: ids reset provider = Reset provider
 WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully...
 WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date.
-WARNING: untranslated string: ids ruleset settings = Ruleset Settings
+WARNING: untranslated string: ids rulesets = Rulesets
 WARNING: untranslated string: ids show = Show
 WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code
 WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use.
@@ -1217,6 +1217,7 @@ WARNING: untranslated string: lan = LAN
 WARNING: untranslated string: languagepurpose = Select the language you wish IPFire to display in:
 WARNING: untranslated string: last = Last
 WARNING: untranslated string: last activity = Last Activity
+WARNING: untranslated string: last updated = Last Updated
 WARNING: untranslated string: lease expires = Lease expires
 WARNING: untranslated string: least preferred = least preferred
 WARNING: untranslated string: legend = Legend
diff --git a/doc/language_issues.es b/doc/language_issues.es
index fbbcd1e74..7e76d5dcf 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -444,6 +444,7 @@ WARNING: translation string unused: ids rules license1
 WARNING: translation string unused: ids rules license2
 WARNING: translation string unused: ids rules license3
 WARNING: translation string unused: ids rules update
+WARNING: translation string unused: ids ruleset settings
 WARNING: translation string unused: ike encryption
 WARNING: translation string unused: ike grouptype
 WARNING: translation string unused: ike integrity
@@ -1028,8 +1029,10 @@ WARNING: untranslated string: hostile networks in = >From Hostile Networks
 WARNING: untranslated string: hostile networks out = To Hostile Networks
 WARNING: untranslated string: hostile networks total = Total Hostile Networks
 WARNING: untranslated string: ids provider eol = (EOL)
+WARNING: untranslated string: ids rulesets = Rulesets
 WARNING: untranslated string: info messages = unknown string
 WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
+WARNING: untranslated string: last updated = Last Updated
 WARNING: untranslated string: load average = Load Average
 WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
 WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index 25193da6a..ab6eb0478 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -428,6 +428,7 @@ WARNING: translation string unused: id
 WARNING: translation string unused: ids automatic rules update
 WARNING: translation string unused: ids oinkcode required
 WARNING: translation string unused: ids rules update
+WARNING: translation string unused: ids ruleset settings
 WARNING: translation string unused: ike encryption
 WARNING: translation string unused: ike grouptype
 WARNING: translation string unused: ike integrity
@@ -981,6 +982,8 @@ WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
 WARNING: untranslated string: hostile networks total = Total Hostile Networks
 WARNING: untranslated string: ids provider eol = (EOL)
+WARNING: untranslated string: ids rulesets = Rulesets
+WARNING: untranslated string: last updated = Last Updated
 WARNING: untranslated string: load average = Load Average
 WARNING: untranslated string: oops something went wrong = Oops, something went wrong...
 WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server
diff --git a/doc/language_issues.it b/doc/language_issues.it
index f00d959d5..ab6c95d68 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1132,7 +1132,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc
 WARNING: untranslated string: ids reset provider = Reset provider
 WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully...
 WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date.
-WARNING: untranslated string: ids ruleset settings = Ruleset Settings
+WARNING: untranslated string: ids rulesets = Rulesets
 WARNING: untranslated string: ids show = Show
 WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code
 WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use.
@@ -1185,6 +1185,7 @@ WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries
 WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: itlb multihit = iTLB MultiHit
+WARNING: untranslated string: last updated = Last Updated
 WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation
 WARNING: untranslated string: load average = Load Average
 WARNING: untranslated string: local ip address = Local IP Address
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 9607f98af..7f6c04e23 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1138,7 +1138,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc
 WARNING: untranslated string: ids reset provider = Reset provider
 WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully...
 WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date.
-WARNING: untranslated string: ids ruleset settings = Ruleset Settings
+WARNING: untranslated string: ids rulesets = Rulesets
 WARNING: untranslated string: ids show = Show
 WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code
 WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use.
@@ -1193,6 +1193,7 @@ WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries
 WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: itlb multihit = iTLB MultiHit
+WARNING: untranslated string: last updated = Last Updated
 WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation
 WARNING: untranslated string: load average = Load Average
 WARNING: untranslated string: local ip address = Local IP Address
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 92ad3b7be..d073e30b1 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1276,7 +1276,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc
 WARNING: untranslated string: ids reset provider = Reset provider
 WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully...
 WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date.
-WARNING: untranslated string: ids ruleset settings = Ruleset Settings
+WARNING: untranslated string: ids rulesets = Rulesets
 WARNING: untranslated string: ids show = Show
 WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code
 WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use.
@@ -1338,6 +1338,7 @@ WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table
 WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: itlb multihit = iTLB MultiHit
 WARNING: untranslated string: last = Last
+WARNING: untranslated string: last updated = Last Updated
 WARNING: untranslated string: least preferred = least preferred
 WARNING: untranslated string: lifetime = Lifetime:
 WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 35a590b6b..651f5266a 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1271,7 +1271,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc
 WARNING: untranslated string: ids reset provider = Reset provider
 WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully...
 WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date.
-WARNING: untranslated string: ids ruleset settings = Ruleset Settings
+WARNING: untranslated string: ids rulesets = Rulesets
 WARNING: untranslated string: ids show = Show
 WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code
 WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use.
@@ -1334,6 +1334,7 @@ WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table
 WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: itlb multihit = iTLB MultiHit
 WARNING: untranslated string: last = Last
+WARNING: untranslated string: last updated = Last Updated
 WARNING: untranslated string: least preferred = least preferred
 WARNING: untranslated string: lifetime = Lifetime:
 WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index 3bf595efe..6c22f6d76 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -1074,7 +1074,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc
 WARNING: untranslated string: ids reset provider = Reset provider
 WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully...
 WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date.
-WARNING: untranslated string: ids ruleset settings = Ruleset Settings
+WARNING: untranslated string: ids rulesets = Rulesets
 WARNING: untranslated string: ids show = Show
 WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code
 WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use.
@@ -1122,6 +1122,7 @@ WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries
 WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: itlb multihit = iTLB MultiHit
+WARNING: untranslated string: last updated = Last Updated
 WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation
 WARNING: untranslated string: load average = Load Average
 WARNING: untranslated string: local ip address = Local IP Address
diff --git a/doc/language_missings b/doc/language_missings
index 94adb28d8..7e3357df0 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -137,8 +137,10 @@
 < hostile networks out
 < hostile networks total
 < ids provider eol
+< ids rulesets
 < ids unsupported provider
 < invalid ip or hostname
+< last updated
 < load average
 < log drop hostile in
 < log drop hostile out
@@ -177,7 +179,9 @@
 < g.lite
 < hostile networks total
 < ids provider eol
+< ids rulesets
 < ids unsupported provider
+< last updated
 < load average
 < oops something went wrong
 < ovpn roadwarrior server
@@ -447,6 +451,7 @@
 < ids reset provider
 < ids ruleset autoupdate in progress
 < ids ruleset is up to date
+< ids rulesets
 < ids ruleset settings
 < ids show
 < ids subscription code required
@@ -507,6 +512,7 @@
 < ipsec routing table entries
 < ipsec settings
 < itlb multihit
+< last updated
 < legacy architecture warning
 < link-layer encapsulation
 < load average
@@ -988,6 +994,7 @@
 < ids reset provider
 < ids ruleset autoupdate in progress
 < ids ruleset is up to date
+< ids rulesets
 < ids ruleset settings
 < ids show
 < ids subscription code required
@@ -1050,6 +1057,7 @@
 < ipsec routing table entries
 < ipsec settings
 < itlb multihit
+< last updated
 < legacy architecture warning
 < link-layer encapsulation
 < load average
@@ -1834,6 +1842,7 @@
 < ids reset provider
 < ids ruleset autoupdate in progress
 < ids ruleset is up to date
+< ids rulesets
 < ids ruleset settings
 < ids show
 < ids subscription code required
@@ -1904,6 +1913,7 @@
 < ipsec settings
 < itlb multihit
 < last
+< last updated
 < least preferred
 < legacy architecture warning
 < lifetime
@@ -2848,6 +2858,7 @@
 < ids reset provider
 < ids ruleset autoupdate in progress
 < ids ruleset is up to date
+< ids rulesets
 < ids ruleset settings
 < ids show
 < ids subscription code required
@@ -2919,6 +2930,7 @@
 < ipsec settings
 < itlb multihit
 < last
+< last updated
 < least preferred
 < legacy architecture warning
 < lifetime
@@ -3454,6 +3466,7 @@
 < ids reset provider
 < ids ruleset autoupdate in progress
 < ids ruleset is up to date
+< ids rulesets
 < ids ruleset settings
 < ids show
 < ids subscription code required
@@ -3509,6 +3522,7 @@
 < ipsec routing table entries
 < ipsec settings
 < itlb multihit
+< last updated
 < legacy architecture warning
 < link-layer encapsulation
 < load average
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index deebb3ad3..737826580 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -1103,16 +1103,15 @@ END
 	#
 	# Used Ruleset Providers section.
 	#
-	&Header::openbox('100%', 'center', $Lang::tr{'ids ruleset settings'});
+	&Header::openbox('100%', 'center', $Lang::tr{'ids rulesets'});
 
 print <<END;
-	<table width='100%' border='0'>
+	<table width='100%' border='0' class='tbl'>
 		<tr>
-			<td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'ids provider'}</b></td>
-			<td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'date'}</b></td>
-			<td class='base' bgcolor='$color{'color20'}' align='center'><b>$Lang::tr{'ids autoupdates'}</b></td>
-			<td class='base' bgcolor='$color{'color20'}' align='center'><b>$Lang::tr{'action'}</b></td>
-			<td class='base' colspan='3' bgcolor='$color{'color20'}'></td>
+			<th>$Lang::tr{'ids provider'}</td>
+			<th>$Lang::tr{'last updated'}</td>
+			<th align='center'>$Lang::tr{'ids autoupdates'}</td>
+			<th align='center' colspan='3'>$Lang::tr{'action'}</td>
 		</tr>
 END
 		my $line = 1;
@@ -1133,13 +1132,6 @@ END
 				my $status  = $used_providers{$id}[3];
 				my $unsupported;
 
-				# Check if the item number is even or not.
-				if ($line % 2) {
-					$col="bgcolor='$color{'color22'}'";
-				} else {
-					$col="bgcolor='$color{'color20'}'";
-				}
-
 				# Handle providers which are not longer supported.
 				unless ($IDS::Ruleset::Providers{$provider}{'dl_url'}) {
 					$col = "bgcolor='$Header::colouryellow'";
@@ -1172,8 +1164,8 @@ END
 
 print <<END;
 				<tr>
-					<td width='33%' class='base' $col>$provider_name $unsupported</td>
-					<td width='30%' class='base' $col>$rulesetdate</td>
+					<th scope='row' width='33%' $col>$provider_name $unsupported</th>
+					<td width='30%' $col align='center'>$rulesetdate</td>
 
 					<td align='center' $col>
 						<form method='post' action='$ENV{'SCRIPT_NAME'}'>
@@ -1225,8 +1217,6 @@ END
 	# Section to add new elements or edit existing ones.
 	print <<END;
 	<br>
-	<hr>
-	<br>
 
 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
 		<div align='right'>
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index a718228bc..b06ba6e91 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1413,6 +1413,7 @@
 'ids ruleset autoupdate in progress' => 'Der Regelsatz wird gerade aktualisiert. Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde...',
 'ids ruleset is up to date' => 'Regelset ist aktuell - Keine Aktualisierung notwendig.',
 'ids ruleset settings' => 'Regelsatzeinstellungen',
+'ids rulesets' => 'Regelsätze',
 'ids show' => 'Anzeigen',
 'ids the choosen provider is already in use' => 'Der gewhählte Provider wird bereits verwendet.',
 'ids unable to download the ruleset' => 'Das Regelset konnte nicht heruntergeladen werden.',
@@ -1603,6 +1604,7 @@
 'languagepurpose' => 'Wählen Sie eine Sprache, in der IPFire angezeigt werden soll:',
 'last' => 'Letzte',
 'last activity' => 'Letzte Aktivität',
+'last updated' => 'Zuletzt Aktualisiert',
 'lateprompting' => 'Late prompting',
 'lease expires' => 'Zuordnung verfällt',
 'least preferred' => 'weniger präferiert',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 6a455ab6d..59da23c3a 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1466,6 +1466,7 @@
 'ids ruleset autoupdate in progress' => 'Ruleset update in progress. Please wait until all operations have completed successfully...',
 'ids ruleset is up to date' => 'No update required - The ruleset is up to date.',
 'ids ruleset settings' => 'Ruleset Settings',
+'ids rulesets' => 'Rulesets',
 'ids show' => 'Show',
 'ids subscription code required' => 'The selected ruleset requires a subscription code',
 'ids the choosen provider is already in use' => 'The choosen provider is already in use.',
@@ -1660,6 +1661,7 @@
 'languagepurpose' => 'Select the language you wish IPFire to display in:',
 'last' => 'Last',
 'last activity' => 'Last Activity',
+'last updated' => 'Last Updated',
 'lateprompting' => 'Lateprompting',
 'lease expires' => 'Lease expires',
 'least preferred' => 'least preferred',
-- 
2.39.2

[PATCH 16/20] ids.cgi: Use new-style table for whitelist entries

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 3928 bytes --]

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/ids.cgi | 52 ++++++++++++++++++++++----------------------
 1 file changed, 26 insertions(+), 26 deletions(-)

diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index 737826580..08db95595 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -1241,11 +1241,11 @@ END
 	&Header::openbox('100%', 'center', $Lang::tr{'ids ignored hosts'});
 
 	print <<END;
-	<table width='100%'>
+	<table class='tbl'>
 		<tr>
-			<td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'ip address'}</b></td>
-			<td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'remark'}</b></td>
-			<td class='base' colspan='3' bgcolor='$color{'color20'}'></td>
+			<th>$Lang::tr{'ip address'}</td>
+			<th>$Lang::tr{'remark'}</td>
+			<th colspan='3'></td>
 		</tr>
 END
 		# Check if some hosts have been added to be ignored.
@@ -1262,10 +1262,6 @@ END
 				# Check if the key (id) number is even or not.
 				if ($cgiparams{'ID'} eq $key) {
 					$col="bgcolor='${Header::colouryellow}'";
-				} elsif ($key % 2) {
-					$col="bgcolor='$color{'color22'}'";
-				} else {
-					$col="bgcolor='$color{'color20'}'";
 				}
 
 				# Choose icon for the checkbox.
@@ -1283,8 +1279,8 @@ END
 
 print <<END;
 				<tr>
-					<td width='20%' class='base' $col>$address</td>
-					<td width='65%' class='base' $col>$remark</td>
+					<td width='20%' $col>$address</td>
+					<td width='65%' $col>$remark</td>
 
 					<td align='center' $col>
 						<form method='post' action='$ENV{'SCRIPT_NAME'}'>
@@ -1323,12 +1319,10 @@ END
 
 		# Section to add new elements or edit existing ones.
 print <<END;
-		<br>
-		<hr>
-		<br>
+		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
+			<input type='hidden' name='ID' value='$cgiparams{'ID'}'>
 
-		<div align='center'>
-			<table width='100%'>
+			<table class='form'>
 END
 
 		# Assign correct headline and button text.
@@ -1339,30 +1333,36 @@ END
 		# Check if an ID (key) has been given, in this case an existing entry should be edited.
 		if ($cgiparams{'ID'} ne '') {
 			$buttontext = $Lang::tr{'update'};
-				print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'update'}</b></td></tr>\n";
+				print "<tr><td colspan='2'><h6>$Lang::tr{'update'}</h6></td></tr>\n";
 
 				# Grab address and remark for the given key.
 				$entry_address = $ignored{$cgiparams{'ID'}}[0];
 				$entry_remark = $ignored{$cgiparams{'ID'}}[1];
 			} else {
 				$buttontext = $Lang::tr{'add'};
-				print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'dnsforward add a new entry'}</b></td></tr>\n";
+				print "<tr><td colspan='2'><h6>$Lang::tr{'dnsforward add a new entry'}</h6></td></tr>\n";
 			}
 
 print <<END;
-				<form method='post' action='$ENV{'SCRIPT_NAME'}'>
-				<input type='hidden' name='ID' value='$cgiparams{'ID'}'>
 				<tr>
-					<td width='30%'>$Lang::tr{'ip address'}: </td>
-					<td width='50%'><input type='text' name='IGNORE_ENTRY_ADDRESS' value='$entry_address' size='24' /></td>
+					<td>$Lang::tr{'ip address'}</td>
+					<td>
+						<input type='text' name='IGNORE_ENTRY_ADDRESS' value='$entry_address' size='24' />
+					</td>
+				</tr>
+
+				<tr>
+					<td>$Lang::tr{'remark'}</td>
+					<td>
+						<input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' />
+					</td>
+				</tr>
 
-					<td width='30%'>$Lang::tr{'remark'}: </td>
-					<td wicth='50%'><input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' /></td>
-					<td align='center' width='20%'><input type='submit' name='WHITELIST' value='$buttontext' /></td>
+				<tr class='action'>
+					<td colspan='2'><input type='submit' name='WHITELIST' value='$buttontext' /></td>
 				</tr>
-				</form>
 			</table>
-		</div>
+		</form>
 END
 
 	&Header::closebox();
-- 
2.39.2

[PATCH 17/20] ids.cgi: Sort whitelist entries

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 673 bytes --]

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/ids.cgi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index 08db95595..b18f239e6 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -1253,7 +1253,7 @@ END
 			my $col = "";
 
 			# Loop through all entries of the hash.
-			while( (my $key) = each %ignored)  {
+			foreach my $key (sort { $ignored{$a}[0] <=> $ignored{$b}[0] } keys %ignored)  {
 				# Assign data array positions to some nice variable names.
 				my $address = $ignored{$key}[0];
 				my $remark = $ignored{$key}[1];
-- 
2.39.2

[PATCH 18/20] ids.cgi: Remove box from the top section

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 765 bytes --]

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/ids.cgi | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index b18f239e6..db05df98a 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -1007,7 +1007,7 @@ sub show_mainpage() {
 	$checked{'ENABLE_IDS'}{$idssettings{'ENABLE_IDS'}} = "checked='checked'";
 
 	# Draw current state of the IDS
-	&Header::openbox('100%', 'left', $Lang::tr{'intrusion detection system'});
+	&Header::opensection();
 
 	&Header::ServiceStatus({
 		$Lang::tr{'intrusion prevention system'} => {
@@ -1098,7 +1098,7 @@ END
 
 	}
 
-	&Header::closebox();
+	&Header::closesection();
 
 	#
 	# Used Ruleset Providers section.
-- 
2.39.2

[PATCH 19/20] ids.cgi: Fix detection for the Suricata process

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 554 bytes --]

We don't seem to have a PID file any more.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/ids.cgi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index db05df98a..34e6bf233 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -1011,7 +1011,7 @@ sub show_mainpage() {
 
 	&Header::ServiceStatus({
 		$Lang::tr{'intrusion prevention system'} => {
-			"pidfile" => "/var/run/suricata.pid",
+			"process" => "Suricata-Main",
 		},
 	});
 
-- 
2.39.2

[PATCH 20/20] firewall: Move the IPS after the NAT marking

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1461 bytes --]

This is because we might still land in the scenario where Suricata
crashes and NFQUEUE will simply ACCEPT all packets which will terminate
the processing of the mangle table.

Therefore the NFQUEUE rule should be the last one so that we never skip
any of the other processing.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/firewall | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 5d37cffd7..7dbbe38cb 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -221,13 +221,6 @@ iptables_init() {
 	iptables -A FORWARD -i tun+ -j OVPNBLOCK
 	iptables -A FORWARD -o tun+ -j OVPNBLOCK
 
-	# IPS (Suricata) chains
-	iptables -t mangle -N IPS
-
-	for chain in PREROUTING POSTROUTING; do
-		iptables -t mangle -A "${chain}" -j IPS
-	done
-
 	# OpenVPN transfer network translation
 	iptables -t nat -N OVPNNAT
 	iptables -t nat -A POSTROUTING -j OVPNNAT
@@ -382,6 +375,13 @@ iptables_init() {
 			-m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}"
 	fi
 
+	# IPS (Suricata) chains
+	iptables -t mangle -N IPS
+
+	for chain in PREROUTING POSTROUTING; do
+		iptables -t mangle -A "${chain}" -j IPS
+	done
+
 	# RED chain, used for the red interface
 	iptables -N REDINPUT
 	iptables -A INPUT -j REDINPUT
-- 
2.39.2