From mboxrd@z Thu Jan 1 00:00:00 1970 From: Stefan Schantl To: development@lists.ipfire.org Subject: Re: [PATCH 7/9] suricata: Store bypass flag in connmark and restore Date: Tue, 19 Oct 2021 06:04:26 +0200 Message-ID: <357a81e67cebd832c95656e5460c2a7d7c2996c0.camel@ipfire.org> In-Reply-To: <20211018101022.15448-7-michael.tremer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5899745398937419393==" List-Id: --===============5899745398937419393== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Tested-by: Stefan Schantl > Signed-off-by: Michael Tremer > --- > =C2=A0src/initscripts/system/suricata | 12 ++++++++---- > =C2=A01 file changed, 8 insertions(+), 4 deletions(-) >=20 > diff --git a/src/initscripts/system/suricata > b/src/initscripts/system/suricata > index 2577621b8..72d01b91d 100644 > --- a/src/initscripts/system/suricata > +++ b/src/initscripts/system/suricata 
> @@ -154,10 +154,14 @@ function generate_fw_rules { > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0done > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0done > =C2=A0 > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0# Clear repeat bit, so that it does not confuse IPsec > or QoS > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set- > xmark "0x0/${REPEAT_MASK}" > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set- > xmark "0x0/${REPEAT_MASK}" > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set- > xmark "0x0/${REPEAT_MASK}" > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0# Add common rules at the end of the chain > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0for chain in "${IPS_INPUT_CHAIN}" > "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0# Clear rep= eat bit > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -w= -A "${chain}" -j MARK --set-xmark > "0x0/${REPEAT_MASK}" > + > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0# Store byp= ass bit in CONNMARK > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= 
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -w= -A "${chain}" -m mark --mark > "${BYPASS_MARK}/${BYPASS_MASK}" -j CONNMARK --save-mark > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0done > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0fi > =C2=A0} > =C2=A0 --===============5899745398937419393==--
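Review bot: The new `-j CONNMARK --save-mark` rule inside the loop copies the whole packet mark into the connmark rather than only the bypass bit, so any other mark bits already set on the packet (the removed comment suggests IPsec and QoS also use the mark) are written into the connection mark as well. Restricting the copy to the bypass bit keeps the connmark's other bits untouched: `iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j CONNMARK --save-mark --nfmask "${BYPASS_MASK}" --ctmask "${BYPASS_MASK}"`. The rewritten `# Clear repeat bit` comment also drops the reason the old one gave; keeping it as `# Clear repeat bit, so that it does not confuse IPsec or QoS` preserves why the rule is ordered last. The restore half named in the subject is not in this hunk, so whether the restored mark is masked the same way cannot be checked here; generate_fw_rules starts outside the hunk.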