This allows us to workaround better against any problems in Suricata because we never send any whitelisted packets to the IPS in the first place.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/suricata | 15 +++++++++++++++ 1 file changed, 15 insertions(+)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index c307e358c..14b48b5bd 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -75,6 +75,21 @@ generate_fw_rules() { # Don't process packets that have already been seen by the IPS iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN
+ # Never send any whitelisted packets to the IPS + if [ -r "/var/ipfire/suricata/ignored" ]; then + local id network remark enabled rest + + while IFS=',' read -r id network remark enabled rest; do + echo "$network" + echo "$remark" + # Skip disabled entries + [ "${enabled}" = "enabled" ] || continue + + iptables -w -t mangle -A IPS -s "${network}" -j RETURN + iptables -w -t mangle -A IPS -d "${network}" -j RETURN + done < "/var/ipfire/suricata/ignored" + fi + # Send packets to suricata iptables -w -t mangle -A IPS -j NFQUEUE "${NFQ_OPTIONS[@]}"