[PATCH 1/9] suricata: Set most significant bit as repeat marker

[PATCH 1/9] suricata: Set most significant bit as repeat marker

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1138 bytes --]

I have no idea why some odd value was chosen here, but one bit should be
enough.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 config/suricata/suricata.yaml   | 4 ++--
 src/initscripts/system/suricata | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 4e9e39967..1ce013dc7 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -346,8 +346,8 @@ logging:
 
 nfq:
    mode: repeat
-   repeat-mark: 1879048192
-   repeat-mask: 1879048192
+   repeat-mark: 2147483648
+   repeat-mask: 2147483648
 #   bypass-mark: 1
 #   bypass-mask: 1
 #  route-queue: 2
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 33633ddf9..e327225d7 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -35,8 +35,8 @@ network_zones=( red green blue orange ovpn )
 enabled_ips_zones=()
 
 # Mark and Mask options.
-MARK="0x70000000"
-MASK="0x70000000"
+MARK="0x80000000"
+MASK="0x80000000"
 
 # PID file of suricata.
 PID_FILE="/var/run/suricata.pid"
-- 
2.20.1

[PATCH 2/9] suricata: Rename MARK/MASK to REPEAT_MARK/REPEAT_MASK

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 2501 bytes --]

This should avoid confusion when we add more marks

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/suricata | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index e327225d7..111bd9df3 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -35,8 +35,8 @@ network_zones=( red green blue orange ovpn )
 enabled_ips_zones=()
 
 # Mark and Mask options.
-MARK="0x80000000"
-MASK="0x80000000"
+REPEAT_MARK="0x80000000"
+REPEAT_MASK="0x80000000"
 
 # PID file of suricata.
 PID_FILE="/var/run/suricata.pid"
@@ -137,19 +137,19 @@ function generate_fw_rules {
 		# Loop through the array and create firewall rules.
 		for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
 			# Create rules queue input and output related traffic and pass it to the IPS.
-			iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
-			iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+			iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+			iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
 
 			# Create rules which are required to handle forwarded traffic.
 			for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
-				iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+				iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
 			done
 		done
 
 		# Clear repeat bit, so that it does not confuse IPsec or QoS
-		iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
-		iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
-		iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+		iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
+		iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
+		iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
 	fi
 }
 
-- 
2.20.1

[PATCH 3/9] suricata: Define bypass mark

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1060 bytes --]

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 config/suricata/suricata.yaml   | 4 ++--
 src/initscripts/system/suricata | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 1ce013dc7..f02b93d76 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -348,8 +348,8 @@ nfq:
    mode: repeat
    repeat-mark: 2147483648
    repeat-mask: 2147483648
-#   bypass-mark: 1
-#   bypass-mask: 1
+   bypass-mark: 1073741824
+   bypass-mask: 1073741824
 #  route-queue: 2
 #  batchcount: 20
    fail-open: yes
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 111bd9df3..981471c7c 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -37,6 +37,8 @@ enabled_ips_zones=()
 # Mark and Mask options.
 REPEAT_MARK="0x80000000"
 REPEAT_MASK="0x80000000"
+BYPASS_MARK="0x40000000"
+BYPASS_MASK="0x40000000"
 
 # PID file of suricata.
 PID_FILE="/var/run/suricata.pid"
-- 
2.20.1

[PATCH 4/9] suricata: Enable bypassing unhandled streams

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 2197 bytes --]

If a stream cannot be identified or if suricata has decided that it
cannot do anything useful any more (e.g. TLS sessions after the
handshake), we will allow suricata to bypass any following packets in
that flow

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 config/suricata/suricata.yaml | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index f02b93d76..6f37671c8 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -389,11 +389,19 @@ app-layer:
       # will be disabled by default, but enabled if rules require it.
       ja3-fingerprints: auto
 
-      # Completely stop processing TLS/SSL session after the handshake
-      # completed. If bypass is enabled this will also trigger flow
-      # bypass. If disabled (the default), TLS/SSL session is still
-      # tracked for Heartbleed and other anomalies.
-      #no-reassemble: yes
+      # What to do when the encrypted communications start:
+      # - default: keep tracking TLS session, check for protocol anomalies,
+      #            inspect tls_* keywords. Disables inspection of unmodified
+      #            'content' signatures.
+      # - bypass:  stop processing this flow as much as possible. No further
+      #            TLS parsing and inspection. Offload flow bypass to kernel
+      #            or hardware if possible.
+      # - full:    keep tracking and inspection as normal. Unmodified content
+      #            keyword signatures are inspected as well.
+      #
+      # For best performance, select 'bypass'.
+      #
+      encryption-handling: bypass
     dcerpc:
       enabled: yes
     ftp:
@@ -810,6 +818,7 @@ stream:
   prealloc-sessions: 4096
   checksum-validation: yes      # reject wrong csums
   inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
+  bypass: yes                   # Bypass packets when stream.reassembly.depth is reached.
   reassembly:
     memcap: 256mb
     depth: 1mb                  # reassemble 1mb into a stream
-- 
2.20.1

[PATCH 5/9] suricata: Always append rules instead of inserting them

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1743 bytes --]

This allows us to add rules in a consistent order like they are in the
script.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/suricata | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 981471c7c..5ccea9391 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -139,12 +139,12 @@ function generate_fw_rules {
 		# Loop through the array and create firewall rules.
 		for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
 			# Create rules queue input and output related traffic and pass it to the IPS.
-			iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
-			iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+			iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+			iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
 
 			# Create rules which are required to handle forwarded traffic.
 			for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
-				iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+				iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
 			done
 		done
 
-- 
2.20.1

[PATCH 6/9] suricata: Add rule to skip IPS if a packet has the bypass bit set

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 871 bytes --]

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/suricata | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 5ccea9391..2577621b8 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -134,6 +134,12 @@ function generate_fw_rules {
 	# Flush the firewall chains.
 	flush_fw_chain
 
+	# Skip anything that has the bypass bit set
+	local chain
+	for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do
+		iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j RETURN
+	done
+
 	# Check if the array of enabled_ips_zones contains any elements.
 	if [[ ${enabled_ips_zones[@]} ]]; then
 		# Loop through the array and create firewall rules.
-- 
2.20.1

[PATCH 7/9] suricata: Store bypass flag in connmark and restore

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1156 bytes --]

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/suricata | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 2577621b8..72d01b91d 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -154,10 +154,14 @@ function generate_fw_rules {
 			done
 		done
 
-		# Clear repeat bit, so that it does not confuse IPsec or QoS
-		iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
-		iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
-		iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
+		# Add common rules at the end of the chain
+		for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do
+			# Clear repeat bit
+			iptables -w -A "${chain}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
+
+			# Store bypass bit in CONNMARK
+			iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j CONNMARK --save-mark
+		done
 	fi
 }
 
-- 
2.20.1

[PATCH 8/9] suricata: Introduce IPSBYPASS chain

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 5259 bytes --]

NFQUEUE does not let the packet continue where it was processed, but
inserts it back into iptables at the start. That is why we need an
extra IPSBYPASS chain which has the following tasks:

* Make the BYPASS bit permanent for the entire connection
* Clear the REPEAT bit

The latter is more of cosmetic nature so that we can identify packets
that have come from suricata again and those which have bypassed the IPS
straight away.

The IPS_* chain will now only be sent traffic to, when none of the two
relevant bits has been set. Otherwise the packet has already been
processed by suricata in the first pass or suricata has decided to
bypass the connection.

This massively reduces load on the IPS which allows many common
connections (TLS connections with downloads) to bypass the IPS bringing
us back to line speed.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/firewall | 23 ++++++++++++++++++++---
 src/initscripts/system/suricata | 27 +++------------------------
 2 files changed, 23 insertions(+), 27 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index ce428393d..530e8f1d6 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -17,6 +17,11 @@ NAT_MASK="0x0f000000"
 IPSEC_MARK="0x00800000"
 IPSEC_MASK="${IPSEC_MARK}"
 
+IPS_REPEAT_MARK="0x80000000"
+IPS_REPEAT_MASK="0x80000000"
+IPS_BYPASS_MARK="0x40000000"
+IPS_BYPASS_MASK="0x40000000"
+
 function iptables() {
 	/sbin/iptables --wait "$@"
 }
@@ -41,6 +46,17 @@ iptables_init() {
 	modprobe nf_log_ipv4
 	sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4
 
+	# IPS Bypass Chain which stores the BYPASS bit in connection tracking
+	iptables -N IPSBYPASS
+	iptables -A IPSBYPASS -j MARK --set-xmark "0/$(( IPS_REPEAT_MASK ))"
+	iptables -A IPSBYPASS -j CONNMARK --save-mark
+
+	# Jump into bypass chain when the BYPASS bit is set
+	for chain in INPUT FORWARD OUTPUT; do
+		iptables -A "${chain}" -m mark \
+			--mark "$(( IPS_REPEAT_MARK | IPS_BYPASS_MARK ))/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j IPSBYPASS
+	done
+
 	# Empty LOG_DROP and LOG_REJECT chains
 	iptables -N LOG_DROP
 	iptables -A LOG_DROP   -m limit --limit 10/second -j LOG
@@ -147,9 +163,10 @@ iptables_init() {
 	iptables -N IPS_INPUT
 	iptables -N IPS_FORWARD
 	iptables -N IPS_OUTPUT
-	iptables -A INPUT -j IPS_INPUT
-	iptables -A FORWARD -j IPS_FORWARD
-	iptables -A OUTPUT -j IPS_OUTPUT
+
+	for chain in INPUT FORWARD OUTPUT; do
+		iptables -A "${chain}" -m mark --mark "0x0/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j "IPS_${chain}"
+	done
 
 	# OpenVPN transfer network translation
 	iptables -t nat -N OVPNNAT
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 72d01b91d..13fcc7f34 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -34,12 +34,6 @@ network_zones=( red green blue orange ovpn )
 # Array to store the network zones weather the IPS is enabled for.
 enabled_ips_zones=()
 
-# Mark and Mask options.
-REPEAT_MARK="0x80000000"
-REPEAT_MASK="0x80000000"
-BYPASS_MARK="0x40000000"
-BYPASS_MASK="0x40000000"
-
 # PID file of suricata.
 PID_FILE="/var/run/suricata.pid"
 
@@ -134,34 +128,19 @@ function generate_fw_rules {
 	# Flush the firewall chains.
 	flush_fw_chain
 
-	# Skip anything that has the bypass bit set
-	local chain
-	for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do
-		iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j RETURN
-	done
-
 	# Check if the array of enabled_ips_zones contains any elements.
 	if [[ ${enabled_ips_zones[@]} ]]; then
 		# Loop through the array and create firewall rules.
 		for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
 			# Create rules queue input and output related traffic and pass it to the IPS.
-			iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
-			iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+			iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
+			iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
 
 			# Create rules which are required to handle forwarded traffic.
 			for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
-				iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+				iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -j NFQUEUE $NFQ_OPTIONS
 			done
 		done
-
-		# Add common rules at the end of the chain
-		for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do
-			# Clear repeat bit
-			iptables -w -A "${chain}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
-
-			# Store bypass bit in CONNMARK
-			iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j CONNMARK --save-mark
-		done
 	fi
 }
 
-- 
2.20.1

[PATCH 9/9] firewall: Keep REPEAT bit when saving rest to CONNMARK

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 820 bytes --]

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/firewall | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 530e8f1d6..5fc63683c 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -48,8 +48,7 @@ iptables_init() {
 
 	# IPS Bypass Chain which stores the BYPASS bit in connection tracking
 	iptables -N IPSBYPASS
-	iptables -A IPSBYPASS -j MARK --set-xmark "0/$(( IPS_REPEAT_MASK ))"
-	iptables -A IPSBYPASS -j CONNMARK --save-mark
+	iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))"
 
 	# Jump into bypass chain when the BYPASS bit is set
 	for chain in INPUT FORWARD OUTPUT; do
-- 
2.20.1

Re: [PATCH 1/9] suricata: Set most significant bit as repeat marker

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1306 bytes --]

Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

> I have no idea why some odd value was chosen here, but one bit should be
> enough.
> 
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
>  config/suricata/suricata.yaml   | 4 ++--
>  src/initscripts/system/suricata | 4 ++--
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
> index 4e9e39967..1ce013dc7 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
> @@ -346,8 +346,8 @@ logging:
>  
>  nfq:
>     mode: repeat
> -   repeat-mark: 1879048192
> -   repeat-mask: 1879048192
> +   repeat-mark: 2147483648
> +   repeat-mask: 2147483648
>  #   bypass-mark: 1
>  #   bypass-mask: 1
>  #  route-queue: 2
> diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
> index 33633ddf9..e327225d7 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -35,8 +35,8 @@ network_zones=( red green blue orange ovpn )
>  enabled_ips_zones=()
>  
>  # Mark and Mask options.
> -MARK="0x70000000"
> -MASK="0x70000000"
> +MARK="0x80000000"
> +MASK="0x80000000"
>  
>  # PID file of suricata.
>  PID_FILE="/var/run/suricata.pid"
> 

Re: [PATCH 2/9] suricata: Rename MARK/MASK to REPEAT_MARK/REPEAT_MASK

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 2645 bytes --]

Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

> This should avoid confusion when we add more marks
> 
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
>  src/initscripts/system/suricata | 16 ++++++++--------
>  1 file changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
> index e327225d7..111bd9df3 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -35,8 +35,8 @@ network_zones=( red green blue orange ovpn )
>  enabled_ips_zones=()
>  
>  # Mark and Mask options.
> -MARK="0x80000000"
> -MASK="0x80000000"
> +REPEAT_MARK="0x80000000"
> +REPEAT_MASK="0x80000000"
>  
>  # PID file of suricata.
>  PID_FILE="/var/run/suricata.pid"
> @@ -137,19 +137,19 @@ function generate_fw_rules {
>  		# Loop through the array and create firewall rules.
>  		for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
>  			# Create rules queue input and output related traffic and pass it to the IPS.
> -			iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
> -			iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
> +			iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
> +			iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
>  
>  			# Create rules which are required to handle forwarded traffic.
>  			for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
> -				iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
> +				iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
>  			done
>  		done
>  
>  		# Clear repeat bit, so that it does not confuse IPsec or QoS
> -		iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
> -		iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
> -		iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
> +		iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
> +		iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
> +		iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
>  	fi
>  }
>  
> 

Re: [PATCH 3/9] suricata: Define bypass mark

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1213 bytes --]

Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
>  config/suricata/suricata.yaml   | 4 ++--
>  src/initscripts/system/suricata | 2 ++
>  2 files changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
> index 1ce013dc7..f02b93d76 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
> @@ -348,8 +348,8 @@ nfq:
>     mode: repeat
>     repeat-mark: 2147483648
>     repeat-mask: 2147483648
> -#   bypass-mark: 1
> -#   bypass-mask: 1
> +   bypass-mark: 1073741824
> +   bypass-mask: 1073741824
>  #  route-queue: 2
>  #  batchcount: 20
>     fail-open: yes
> diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
> index 111bd9df3..981471c7c 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -37,6 +37,8 @@ enabled_ips_zones=()
>  # Mark and Mask options.
>  REPEAT_MARK="0x80000000"
>  REPEAT_MASK="0x80000000"
> +BYPASS_MARK="0x40000000"
> +BYPASS_MASK="0x40000000"
>  
>  # PID file of suricata.
>  PID_FILE="/var/run/suricata.pid"
> 

Re: [PATCH 1/9] suricata: Set most significant bit as repeat marker

[Stefan Schantl]

[-- Attachment #1: Type: text/plain, Size: 1300 bytes --]

Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> I have no idea why some odd value was chosen here, but one bit should
> be
> enough.
> 
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
>  config/suricata/suricata.yaml   | 4 ++--
>  src/initscripts/system/suricata | 4 ++--
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/config/suricata/suricata.yaml
> b/config/suricata/suricata.yaml
> index 4e9e39967..1ce013dc7 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
> @@ -346,8 +346,8 @@ logging:
>  
>  nfq:
>     mode: repeat
> -   repeat-mark: 1879048192
> -   repeat-mask: 1879048192
> +   repeat-mark: 2147483648
> +   repeat-mask: 2147483648
>  #   bypass-mark: 1
>  #   bypass-mask: 1
>  #  route-queue: 2
> diff --git a/src/initscripts/system/suricata
> b/src/initscripts/system/suricata
> index 33633ddf9..e327225d7 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -35,8 +35,8 @@ network_zones=( red green blue orange ovpn )
>  enabled_ips_zones=()
>  
>  # Mark and Mask options.
> -MARK="0x70000000"
> -MASK="0x70000000"
> +MARK="0x80000000"
> +MASK="0x80000000"
>  
>  # PID file of suricata.
>  PID_FILE="/var/run/suricata.pid"

Re: [PATCH 2/9] suricata: Rename MARK/MASK to REPEAT_MARK/REPEAT_MASK

[Stefan Schantl]

[-- Attachment #1: Type: text/plain, Size: 3492 bytes --]

Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> This should avoid confusion when we add more marks
> 
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
>  src/initscripts/system/suricata | 16 ++++++++--------
>  1 file changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/src/initscripts/system/suricata
> b/src/initscripts/system/suricata
> index e327225d7..111bd9df3 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -35,8 +35,8 @@ network_zones=( red green blue orange ovpn )
>  enabled_ips_zones=()
>  
>  # Mark and Mask options.
> -MARK="0x80000000"
> -MASK="0x80000000"
> +REPEAT_MARK="0x80000000"
> +REPEAT_MASK="0x80000000"
>  
>  # PID file of suricata.
>  PID_FILE="/var/run/suricata.pid"
> @@ -137,19 +137,19 @@ function generate_fw_rules {
>                 # Loop through the array and create firewall rules.
>                 for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
>                         # Create rules queue input and output related
> traffic and pass it to the IPS.
> -                       iptables -w -I "$IPS_INPUT_CHAIN" -i
> "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE
> $NFQ_OPTIONS
> -                       iptables -w -I "$IPS_OUTPUT_CHAIN" -o
> "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE
> $NFQ_OPTIONS
> +                       iptables -w -I "$IPS_INPUT_CHAIN" -i
> "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}"
> -j NFQUEUE $NFQ_OPTIONS
> +                       iptables -w -I "$IPS_OUTPUT_CHAIN" -o
> "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}"
> -j NFQUEUE $NFQ_OPTIONS
>  
>                         # Create rules which are required to handle
> forwarded traffic.
>                         for enabled_ips_zone_forward in
> "${enabled_ips_zones[@]}"; do
> -                               iptables -w -I "$IPS_FORWARD_CHAIN" -
> i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark
> "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
> +                               iptables -w -I "$IPS_FORWARD_CHAIN" -
> i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark
> "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
>                         done
>                 done
>  
>                 # Clear repeat bit, so that it does not confuse IPsec
> or QoS
> -               iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-
> xmark "0x0/${MASK}"
> -               iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-
> xmark "0x0/${MASK}"
> -               iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-
> xmark "0x0/${MASK}"
> +               iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-
> xmark "0x0/${REPEAT_MASK}"
> +               iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-
> xmark "0x0/${REPEAT_MASK}"
> +               iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-
> xmark "0x0/${REPEAT_MASK}"
>         fi
>  }
>  

Re: [PATCH 3/9] suricata: Define bypass mark

[Stefan Schantl]

[-- Attachment #1: Type: text/plain, Size: 1213 bytes --]

Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
>  config/suricata/suricata.yaml   | 4 ++--
>  src/initscripts/system/suricata | 2 ++
>  2 files changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/config/suricata/suricata.yaml
> b/config/suricata/suricata.yaml
> index 1ce013dc7..f02b93d76 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
> @@ -348,8 +348,8 @@ nfq:
>     mode: repeat
>     repeat-mark: 2147483648
>     repeat-mask: 2147483648
> -#   bypass-mark: 1
> -#   bypass-mask: 1
> +   bypass-mark: 1073741824
> +   bypass-mask: 1073741824
>  #  route-queue: 2
>  #  batchcount: 20
>     fail-open: yes
> diff --git a/src/initscripts/system/suricata
> b/src/initscripts/system/suricata
> index 111bd9df3..981471c7c 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -37,6 +37,8 @@ enabled_ips_zones=()
>  # Mark and Mask options.
>  REPEAT_MARK="0x80000000"
>  REPEAT_MASK="0x80000000"
> +BYPASS_MARK="0x40000000"
> +BYPASS_MASK="0x40000000"
>  
>  # PID file of suricata.
>  PID_FILE="/var/run/suricata.pid"

Re: [PATCH 4/9] suricata: Enable bypassing unhandled streams

[Stefan Schantl]

[-- Attachment #1: Type: text/plain, Size: 2617 bytes --]

Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> If a stream cannot be identified or if suricata has decided that it
> cannot do anything useful any more (e.g. TLS sessions after the
> handshake), we will allow suricata to bypass any following packets in
> that flow
> 
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
>  config/suricata/suricata.yaml | 19 ++++++++++++++-----
>  1 file changed, 14 insertions(+), 5 deletions(-)
> 
> diff --git a/config/suricata/suricata.yaml
> b/config/suricata/suricata.yaml
> index f02b93d76..6f37671c8 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
> @@ -389,11 +389,19 @@ app-layer:
>        # will be disabled by default, but enabled if rules require
> it.
>        ja3-fingerprints: auto
>  
> -      # Completely stop processing TLS/SSL session after the
> handshake
> -      # completed. If bypass is enabled this will also trigger flow
> -      # bypass. If disabled (the default), TLS/SSL session is still
> -      # tracked for Heartbleed and other anomalies.
> -      #no-reassemble: yes
> +      # What to do when the encrypted communications start:
> +      # - default: keep tracking TLS session, check for protocol
> anomalies,
> +      #            inspect tls_* keywords. Disables inspection of
> unmodified
> +      #            'content' signatures.
> +      # - bypass:  stop processing this flow as much as possible. No
> further
> +      #            TLS parsing and inspection. Offload flow bypass
> to kernel
> +      #            or hardware if possible.
> +      # - full:    keep tracking and inspection as normal.
> Unmodified content
> +      #            keyword signatures are inspected as well.
> +      #
> +      # For best performance, select 'bypass'.
> +      #
> +      encryption-handling: bypass
>      dcerpc:
>        enabled: yes
>      ftp:
> @@ -810,6 +818,7 @@ stream:
>    prealloc-sessions: 4096
>    checksum-validation: yes      # reject wrong csums
>    inline: auto                  # auto will use inline mode in IPS
> mode, yes or no set it statically
> +  bypass: yes                   # Bypass packets when
> stream.reassembly.depth is reached.
>    reassembly:
>      memcap: 256mb
>      depth: 1mb                  # reassemble 1mb into a stream

Re: [PATCH 5/9] suricata: Always append rules instead of inserting them

[Stefan Schantl]

[-- Attachment #1: Type: text/plain, Size: 2451 bytes --]

Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> This allows us to add rules in a consistent order like they are in
> the
> script.
> 
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
>  src/initscripts/system/suricata | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/src/initscripts/system/suricata
> b/src/initscripts/system/suricata
> index 981471c7c..5ccea9391 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -139,12 +139,12 @@ function generate_fw_rules {
>                 # Loop through the array and create firewall rules.
>                 for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
>                         # Create rules queue input and output related
> traffic and pass it to the IPS.
> -                       iptables -w -I "$IPS_INPUT_CHAIN" -i
> "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}"
> -j NFQUEUE $NFQ_OPTIONS
> -                       iptables -w -I "$IPS_OUTPUT_CHAIN" -o
> "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}"
> -j NFQUEUE $NFQ_OPTIONS
> +                       iptables -w -A "$IPS_INPUT_CHAIN" -i
> "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}"
> -j NFQUEUE $NFQ_OPTIONS
> +                       iptables -w -A "$IPS_OUTPUT_CHAIN" -o
> "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}"
> -j NFQUEUE $NFQ_OPTIONS
>  
>                         # Create rules which are required to handle
> forwarded traffic.
>                         for enabled_ips_zone_forward in
> "${enabled_ips_zones[@]}"; do
> -                               iptables -w -I "$IPS_FORWARD_CHAIN" -
> i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark
> "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
> +                               iptables -w -A "$IPS_FORWARD_CHAIN" -
> i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark
> "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
>                         done
>                 done
>  

Re: [PATCH 6/9] suricata: Add rule to skip IPS if a packet has the bypass bit set

[Stefan Schantl]

[-- Attachment #1: Type: text/plain, Size: 1139 bytes --]

Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
>  src/initscripts/system/suricata | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/src/initscripts/system/suricata
> b/src/initscripts/system/suricata
> index 5ccea9391..2577621b8 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -134,6 +134,12 @@ function generate_fw_rules {
>         # Flush the firewall chains.
>         flush_fw_chain
>  
> +       # Skip anything that has the bypass bit set
> +       local chain
> +       for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}"
> "${IPS_OUTPUT_CHAIN}"; do
> +               iptables -w -A "${chain}" -m mark --mark
> "${BYPASS_MARK}/${BYPASS_MASK}" -j RETURN
> +       done
> +
>         # Check if the array of enabled_ips_zones contains any
> elements.
>         if [[ ${enabled_ips_zones[@]} ]]; then
>                 # Loop through the array and create firewall rules.

Re: [PATCH 7/9] suricata: Store bypass flag in connmark and restore

[Stefan Schantl]

[-- Attachment #1: Type: text/plain, Size: 1743 bytes --]

Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
>  src/initscripts/system/suricata | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/src/initscripts/system/suricata
> b/src/initscripts/system/suricata
> index 2577621b8..72d01b91d 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -154,10 +154,14 @@ function generate_fw_rules {
>                         done
>                 done
>  
> -               # Clear repeat bit, so that it does not confuse IPsec
> or QoS
> -               iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-
> xmark "0x0/${REPEAT_MASK}"
> -               iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-
> xmark "0x0/${REPEAT_MASK}"
> -               iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-
> xmark "0x0/${REPEAT_MASK}"
> +               # Add common rules at the end of the chain
> +               for chain in "${IPS_INPUT_CHAIN}"
> "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do
> +                       # Clear repeat bit
> +                       iptables -w -A "${chain}" -j MARK --set-xmark
> "0x0/${REPEAT_MASK}"
> +
> +                       # Store bypass bit in CONNMARK
> +                       iptables -w -A "${chain}" -m mark --mark
> "${BYPASS_MARK}/${BYPASS_MASK}" -j CONNMARK --save-mark
> +               done
>         fi
>  }
>  

Re: [PATCH 8/9] suricata: Introduce IPSBYPASS chain

[Stefan Schantl]

[-- Attachment #1: Type: text/plain, Size: 7035 bytes --]

Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> NFQUEUE does not let the packet continue where it was processed, but
> inserts it back into iptables at the start. That is why we need an
> extra IPSBYPASS chain which has the following tasks:
> 
> * Make the BYPASS bit permanent for the entire connection
> * Clear the REPEAT bit
> 
> The latter is more of cosmetic nature so that we can identify packets
> that have come from suricata again and those which have bypassed the
> IPS
> straight away.
> 
> The IPS_* chain will now only be sent traffic to, when none of the
> two
> relevant bits has been set. Otherwise the packet has already been
> processed by suricata in the first pass or suricata has decided to
> bypass the connection.
> 
> This massively reduces load on the IPS which allows many common
> connections (TLS connections with downloads) to bypass the IPS
> bringing
> us back to line speed.
> 
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
>  src/initscripts/system/firewall | 23 ++++++++++++++++++++---
>  src/initscripts/system/suricata | 27 +++------------------------
>  2 files changed, 23 insertions(+), 27 deletions(-)
> 
> diff --git a/src/initscripts/system/firewall
> b/src/initscripts/system/firewall
> index ce428393d..530e8f1d6 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -17,6 +17,11 @@ NAT_MASK="0x0f000000"
>  IPSEC_MARK="0x00800000"
>  IPSEC_MASK="${IPSEC_MARK}"
>  
> +IPS_REPEAT_MARK="0x80000000"
> +IPS_REPEAT_MASK="0x80000000"
> +IPS_BYPASS_MARK="0x40000000"
> +IPS_BYPASS_MASK="0x40000000"
> +
>  function iptables() {
>         /sbin/iptables --wait "$@"
>  }
> @@ -41,6 +46,17 @@ iptables_init() {
>         modprobe nf_log_ipv4
>         sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4
>  
> +       # IPS Bypass Chain which stores the BYPASS bit in connection
> tracking
> +       iptables -N IPSBYPASS
> +       iptables -A IPSBYPASS -j MARK --set-xmark "0/$((
> IPS_REPEAT_MASK ))"
> +       iptables -A IPSBYPASS -j CONNMARK --save-mark
> +
> +       # Jump into bypass chain when the BYPASS bit is set
> +       for chain in INPUT FORWARD OUTPUT; do
> +               iptables -A "${chain}" -m mark \
> +                       --mark "$(( IPS_REPEAT_MARK | IPS_BYPASS_MARK
> ))/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j IPSBYPASS
> +       done
> +
>         # Empty LOG_DROP and LOG_REJECT chains
>         iptables -N LOG_DROP
>         iptables -A LOG_DROP   -m limit --limit 10/second -j LOG
> @@ -147,9 +163,10 @@ iptables_init() {
>         iptables -N IPS_INPUT
>         iptables -N IPS_FORWARD
>         iptables -N IPS_OUTPUT
> -       iptables -A INPUT -j IPS_INPUT
> -       iptables -A FORWARD -j IPS_FORWARD
> -       iptables -A OUTPUT -j IPS_OUTPUT
> +
> +       for chain in INPUT FORWARD OUTPUT; do
> +               iptables -A "${chain}" -m mark --mark "0x0/$((
> IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j "IPS_${chain}"
> +       done
>  
>         # OpenVPN transfer network translation
>         iptables -t nat -N OVPNNAT
> diff --git a/src/initscripts/system/suricata
> b/src/initscripts/system/suricata
> index 72d01b91d..13fcc7f34 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -34,12 +34,6 @@ network_zones=( red green blue orange ovpn )
>  # Array to store the network zones weather the IPS is enabled for.
>  enabled_ips_zones=()
>  
> -# Mark and Mask options.
> -REPEAT_MARK="0x80000000"
> -REPEAT_MASK="0x80000000"
> -BYPASS_MARK="0x40000000"
> -BYPASS_MASK="0x40000000"
> -
>  # PID file of suricata.
>  PID_FILE="/var/run/suricata.pid"
>  
> @@ -134,34 +128,19 @@ function generate_fw_rules {
>         # Flush the firewall chains.
>         flush_fw_chain
>  
> -       # Skip anything that has the bypass bit set
> -       local chain
> -       for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}"
> "${IPS_OUTPUT_CHAIN}"; do
> -               iptables -w -A "${chain}" -m mark --mark
> "${BYPASS_MARK}/${BYPASS_MASK}" -j RETURN
> -       done
> -
>         # Check if the array of enabled_ips_zones contains any
> elements.
>         if [[ ${enabled_ips_zones[@]} ]]; then
>                 # Loop through the array and create firewall rules.
>                 for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
>                         # Create rules queue input and output related
> traffic and pass it to the IPS.
> -                       iptables -w -A "$IPS_INPUT_CHAIN" -i
> "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}"
> -j NFQUEUE $NFQ_OPTIONS
> -                       iptables -w -A "$IPS_OUTPUT_CHAIN" -o
> "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}"
> -j NFQUEUE $NFQ_OPTIONS
> +                       iptables -w -A "$IPS_INPUT_CHAIN" -i
> "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
> +                       iptables -w -A "$IPS_OUTPUT_CHAIN" -o
> "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
>  
>                         # Create rules which are required to handle
> forwarded traffic.
>                         for enabled_ips_zone_forward in
> "${enabled_ips_zones[@]}"; do
> -                               iptables -w -A "$IPS_FORWARD_CHAIN" -
> i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark
> "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
> +                               iptables -w -A "$IPS_FORWARD_CHAIN" -
> i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -j NFQUEUE
> $NFQ_OPTIONS
>                         done
>                 done
> -
> -               # Add common rules at the end of the chain
> -               for chain in "${IPS_INPUT_CHAIN}"
> "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do
> -                       # Clear repeat bit
> -                       iptables -w -A "${chain}" -j MARK --set-xmark
> "0x0/${REPEAT_MASK}"
> -
> -                       # Store bypass bit in CONNMARK
> -                       iptables -w -A "${chain}" -m mark --mark
> "${BYPASS_MARK}/${BYPASS_MASK}" -j CONNMARK --save-mark
> -               done
>         fi
>  }
>  

Re: [PATCH 9/9] firewall: Keep REPEAT bit when saving rest to CONNMARK

[Stefan Schantl]

[-- Attachment #1: Type: text/plain, Size: 989 bytes --]

Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
>  src/initscripts/system/firewall | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/src/initscripts/system/firewall
> b/src/initscripts/system/firewall
> index 530e8f1d6..5fc63683c 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -48,8 +48,7 @@ iptables_init() {
>  
>         # IPS Bypass Chain which stores the BYPASS bit in connection
> tracking
>         iptables -N IPSBYPASS
> -       iptables -A IPSBYPASS -j MARK --set-xmark "0/$((
> IPS_REPEAT_MASK ))"
> -       iptables -A IPSBYPASS -j CONNMARK --save-mark
> +       iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$((
> ~IPS_REPEAT_MASK & 0xffffffff ))"
>  
>         # Jump into bypass chain when the BYPASS bit is set
>         for chain in INPUT FORWARD OUTPUT; do