From mboxrd@z Thu Jan 1 00:00:00 1970 From: Stefan Schantl To: development@lists.ipfire.org Subject: Re: [PATCH] suricata: Use highest bit to mark packets Date: Fri, 01 Mar 2019 18:10:50 +0100 Message-ID: In-Reply-To: <20190228193738.31905-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1733252850970573521==" List-Id: --===============1733252850970573521== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Merged. Best regards, -Stefan
> We are using the netfilter MARK in IPsec & QoS and this
> is causing conflicts.
> 
> Therefore, we use the highest bit in the IPS chain now
> and clear it afterwards because we do not really care about
> this after the packets have been passed through suricata.
> 
> Then, no other application has to worry about suricata.
> 
> Fixes: #12010
> Signed-off-by: Arne Fitzenreiter
> Signed-off-by: Michael Tremer
> ---
> config/suricata/suricata.yaml | 4 ++--
> src/initscripts/system/suricata | 7 +++++--
> 2 files changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/config/suricata/suricata.yaml
> b/config/suricata/suricata.yaml
> index 12937ab22..7f651327e 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
> @@ -117,8 +117,8 @@ logging:
> 
> nfq:
> mode: repeat
> - repeat-mark: 16
> - repeat-mask: 16
> + repeat-mark: 1879048192
> + repeat-mask: 1879048192
> # bypass-mark: 1
> # bypass-mask: 1
> # route-queue: 2
> diff --git a/src/initscripts/system/suricata
> b/src/initscripts/system/suricata
> index d2c758660..e755dfaff 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -29,8 +29,8 @@ NFQ_OPTS="--queue-bypass "
> network_zones=( red green blue orange )
> 
> # Mark and Mask options.
> -MARK="0x16"
> -MASK="0x16"
> +MARK="0x70000000"
> +MASK="0x70000000"
> 
> # PID file of suricata.
> PID_FILE="/var/run/suricata.pid"
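Review bot: The new repeat-mark/repeat-mask value 1879048192 is 0x70000000, which sets bits 28–30 rather than the single highest bit (0x80000000) that the subject and commit message describe, so either the value or the description is off; the same value is duplicated as MARK/MASK in the src/initscripts/system/suricata hunk (@@ -29,8 +29,8) and the two copies have to be kept in sync by hand. Because the yaml is written in decimal and the initscript in hex, the link is not obvious to the next reader; I would annotate the yaml lines with `# 0x70000000 -- must match MARK/MASK in src/initscripts/system/suricata` and change the initscript comment to `# Mark and Mask options (must match repeat-mark/repeat-mask in config/suricata/suricata.yaml).`. Whether bits 28–30 are actually unused by IPsec and QoS is not visible in this patch and is the assumption the change rests on, so recording which mark bits are reserved for suricata next to the value would make future conflicts easier to avoid.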
> @@ -88,6 +88,9 @@ function generate_fw_rules {
> iptables -I "$FW_CHAIN" -o "$network_device" -m
> mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
> fi
> done
> +
> + # Clear repeat bit, so that it does not confuse IPsec or QoS
> + iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
> }
> 
> # Function to flush the firewall chain.
--===============1733252850970573521== Content-Type: application/pgp-signature Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="signature.asc" MIME-Version: 1.0 LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUFCQ2dBZEZpRUVXTzBOWHRTcnZo YXN5dERuVHRkT0ZZK1RzdDRGQWx4NVo1b0FDZ2tRVHRkT0ZZK1QKc3Q0dGxBLy9hSWxXTEQxbXR4 VllmVGV6THJPRjNQM3piSDFnSjRQLzkrNG9scUthdi9xSVJINENYYUtQWExoMAo4Um9oM3ZoSnBV UzhlcEVwUVFvazZoV3cxUmVRTDdUdmxTVDNsU1NkbDVRTU43amlqL2MreGlqanJ1MlV4eFRICnBN M1lXSFM2eGhKN1dvZ3l6RmpBMG4rYnZGSXhla2xNTlVqSHJaY3BZSmp3dGJocW1UVXBsR1NlNk1z azNCN1kKay9JVkVNcDFZdmVROFNtT1FWdkkrYnhIcVJYV3ZMbWVsMm5VeW9nQkVkZVRQTVZjdlVL T0VLSys4YVZncmdMLwovRGdPNWVQeVpsd2M2WXhNb3RqZWUyLzYzMVd3K1h1N1FzNlFZSFM5M1F3 UWFBdWlDSWwwZkpKZVJLWFVlQmJBCjQ2VUJnMXlDdUR4S0ZCejk3WklEK00xWUdqRUVyOXlFUkhS RzhVNzlQbHVrRzVDUTU3SW4razZhblZ2NytSU2YKdk1EUlZudDhvb3djdWsyemhXbjJsSWtlK1Vo ZTl2em9CRVQxM0RGSm83bmhpWFdoQkxHVDFpY0VoUWV6bUFvSgo4STRKM0l3SU9pbnB6N1IzOU8r Qzlrck1lMDBBUG5oSENIVmprMEtYeUI0eFY3UWVML0JWSE5INmlEVHhoUnhkCkpXaHcxeGFaNjZM YTdraDlab1VVVk52K2txejdGSmNVVy9adnVIRUlwOFo4TG1kN2tnT21zaW9LeGIxdnA3Y2YKUDRz ZWwxNjM2OWZpTXRCd2h4ZU1MWjR1enltMmRKSGVEek93ZXJ2ZXRHd3FRNGNKN2gzUDRRV0l6ekRj YkY3egp3Y05pQ1FMdHBUSlhZcTcvS3FhMlpMWWZnN0FqelBvem9PbUkwRVdwbU54QlFORTkwR2s9 Cj1ESTZkCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo= --===============1733252850970573521==--
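Review bot: The new rule `iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"` zeroes every bit covered by MASK (0x70000000, i.e. bits 28–30) on every packet that reaches the end of the chain, not only on packets that were re-injected by suricata, so any other subsystem that happens to use those three bits would have its mark wiped here; the added comment says "repeat bit" in the singular, which no longer matches a three-bit mask, and I would reword it to `# Clear the suricata mark bits (MASK) so that they do not confuse IPsec or QoS`. Because the rule is appended with -A, each run of generate_fw_rules adds another copy unless the chain is flushed first; the flush function is outside this hunk, so I cannot confirm that every caller flushes. Unrelated to this change but visible in the context line: the NFQUEUE rule expands `$NFQ_OPTIONS` while the earlier hunk header shows the variable defined as `NFQ_OPTS="--queue-bypass "`; if nothing else sets NFQ_OPTIONS, --queue-bypass is never applied and queued packets are dropped whenever suricata is not listening, which is worth confirming is the intended failure mode. generate_fw_rules begins before this hunk.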