From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH] suricata: Explicitly ignore IPsec traffic unless enabled Date: Mon, 21 Oct 2024 17:03:06 +0000 Message-ID: <20241021170306.1266677-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2457356257144876829==" List-Id: --===============2457356257144876829== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Signed-off-by: Michael Tremer
--- src/initscripts/system/suricata | 12 ++++++++++++ 1 file changed, 12 insertions(+)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index a753e32e6..a0f607971 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -111,6 +111,18 @@ generate_fw_rules() {
 if [ "${!status}" =3D "on" ]; then
 # Handle IPsec packets
 case "${zone}" in
+ RED)
+ # If IPsec is not enabled, skip everything that is IPsec traffic
+ if [ "${ENABLE_IDS_IPSEC}" !=3D "on" ]; then
+ for intf in $(network_get_intfs "${zone}"); do
+ iptables -w -t mangle -A IPS_SCAN_IN \
+ -i "${intf}" -m policy --pol ipsec --dir in -j RETURN
+ iptables -w -t mangle -A IPS_SCAN_OUT \
+ -o "${intf}" -m policy --pol ipsec --dir out -j RETURN
+ done
+ fi
+ ;;
+
 IPSEC)
 iptables -w -t mangle -A IPS_SCAN_IN \
 -m policy --pol ipsec --dir in -j MARK --set-mark "$(( IPS_SCAN_MARK )= )/$(( IPS_SCAN_MASK ))"
--=20 2.39.5 --===============2457356257144876829==--
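Review bot: The new RED rules exempt only the decapsulated cleartext packets from scanning, because `-m policy --pol ipsec` matches packets that IPsec has already decapsulated (`--dir in`) or is about to encapsulate (`--dir out`), not the outer ESP, UDP/4500 or IKE datagrams themselves, so those still fall through to whatever follows in IPS_SCAN_IN/IPS_SCAN_OUT. The comment "skip everything that is IPsec traffic" reads broader than what the match does, and since this is a deliberate reduction of inspection coverage the exact scope should be stated; I would reword it to `# IDS scanning of IPsec is disabled: exempt the decrypted / pre-encryption IPsec packets on RED (-m policy does not match the outer ESP/IKE packets, which keep flowing through this chain)`. Separately, `--dir in` is only accepted in PREROUTING/INPUT/FORWARD and `--dir out` only in POSTROUTING/OUTPUT/FORWARD; the hunk does not show where IPS_SCAN_IN and IPS_SCAN_OUT are hooked, and because the `iptables` calls have no error handling, a rule rejected by the kernel would, as far as I can tell, just leave the exemption silently missing, so this is worth confirming against the chain setup. The body of generate_fw_rules both starts and ends outside this hunk.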