From: Stefan Schantl
To: development@lists.ipfire.org
Subject: Re: [PATCH 6/9] suricata: Add rule to skip IPS if a packet has the bypass bit set
Date: Tue, 19 Oct 2021 06:04:10 +0200
In-Reply-To: <20211018101022.15448-6-michael.tremer@ipfire.org>

Tested-by: Stefan Schantl

> Signed-off-by: Michael Tremer > --- > =C2=A0src/initscripts/system/suricata | 6 ++++++ > =C2=A01 file changed, 6 insertions(+) >=20 > diff --git a/src/initscripts/system/suricata > b/src/initscripts/system/suricata > index 5ccea9391..2577621b8 100644 > --- a/src/initscripts/system/suricata > +++ b/src/initscripts/system/suricata
> @@ -134,6 +134,12 @@ function generate_fw_rules { > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0# Flush the firewall chains. > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0flush_fw_chain > =C2=A0 > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0# Skip anything that has the byp= ass bit set > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0local chain > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0for chain in "${IPS_INPUT_CHAIN}= " "${IPS_FORWARD_CHAIN}" > "${IPS_OUTPUT_CHAIN}"; do > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0iptables -w -A "${chain}" -m mark --mark > "${BYPASS_MARK}/${BYPASS_MASK}" -j RETURN > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0done > + > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0# Check if the array of ena= bled_ips_zones contains any > elements. > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0if [[ ${enabled_ips_zones[@= ]} ]]; then > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0# Loop through the array and create firewall rules.
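Review bot: the RETURN rules added in the for-loop of generate_fw_rules rely on BYPASS_MARK and BYPASS_MASK, which this hunk neither defines nor validates; if either variable is empty, `iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j RETURN` is run with a malformed --mark argument, iptables rejects the rule, and the loop moves on to the next chain without any error handling, so that chain silently loses its skip rule. Consider guarding the loop with a check that both variables are non-empty (or aborting generate_fw_rules when they are not), and extending the comment "# Skip anything that has the bypass bit set" to say where the mark is set, since a RETURN here means a marked packet never reaches the per-zone IPS rules that the following loop appends. The placement is correct: the rules are appended right after flush_fw_chain, ahead of anything the zone loop adds, which is what keeps the bypass effective. A failed rule is fail-closed (packets still go through the IPS), so the risk is the bypass not working rather than traffic evading inspection.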