From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCHv2] suricata: Do not create silly forward rules.
Date: Thu, 07 Apr 2022 09:55:40 +0100
Message-ID: <306198F4-002A-4741-9F0C-D6D719238321@ipfire.org>
In-Reply-To: <20220406192332.4865-1-stefan.schantl@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1051346890756604604=="
List-Id: <development.lists.ipfire.org>

--===============1051346890756604604==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Why do you think these rules are not needed?

> On 6 Apr 2022, at 20:23, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>=20
> Skip creating forward rules if the input and the output device are the
> same.
>=20
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> src/initscripts/system/suricata | 5 +++++
> 1 file changed, 5 insertions(+)
>=20
> diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suric=
ata
> index 5ede405ce..79c105c23 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -171,6 +171,11 @@ function generate_fw_rules {
>=20
> 			# Create rules which are required to handle forwarded traffic.
> 			for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
> +				# Skip loop iteration if both zones are the same.
> +				if [ "$enabled_ips_zone" =3D=3D "$enabled_ips_zone_forward" ]; then
> +					continue
> +				fi
> +			=09
> 				# Check if the whetelist file is not empty.
> 				if [ -s "$WHITELIST_FILE" ]; then
> 					# Create rules to handle whitelisted hosts.
> --=20
> 2.30.2
>=20


--===============1051346890756604604==--