This is a patchset that addresses a bug reported by Dan as #13764.
Suricata and/or NFQUEUE end up in some undefined behaviour where packets will be accepted when Suricata goes away (in this case it is being killed by the OOM killer). This results in the firewall exposing all ports on all interfaces, which is a serious problem.
Although we actually configure the queue to simply bypass (as in no longer enqueue) packets when Suricata dies, the kernel always seems to end up in this scenario.
We cannot prevent Suricata from dying, but we will have to make sure that the firewall does not change behaviour. This is now being done by moving the IPS to the mangle table. The behaviour will be the same, but an ACCEPT action in the mangle table will not accept the packet; it will just terminate processing of the traffic in that table. We further ensure that this is not going to be a problem by moving the NFQUEUE rule to the end. If it is skipped, this is not a problem, as we will only stop processing packets, which won't be a problem as Suricata has gone away anyway.
I believe that this is a better way to integrate Suricata, but it will change the behaviour of the firewall in the sense that the IPS is now the first thing that will see a packet. The location filter, IP blocklists and so on will all come after. I personally do not consider this a problem, but I wanted to make sure this is documented.
We now make more use of marking packets which might need to be benchmarked in order to ensure that this is not introducing any performance penalty.
Furthermore, this patchset adds support for WireGuard and makes some improvements to the web UI, which used some broken tables and a lot of empty space on the screen.
Please test this and give me feedback if these changes introduce any regressions. I believe we want to release this with c189.
Best, -Michael
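The rule layout the patchset describes (IPS chain in the mangle table, NFQUEUE as the final rule with queue bypass, the filter table still deciding afterwards), as an added sketch that is not IPFire's own firewall script. The chain name, queue numbers, the mark bit used to skip already-bypassed flows and the filter rules are assumptions.

```shell
#!/bin/sh
# Added example (not IPFire's firewall code): IPS chain in the mangle table,
# NFQUEUE as the last rule. Chain/queue names, mark bit and filter rules are
# assumptions chosen for illustration.
set -eu

# Print an iptables-restore ruleset. In the mangle table an ACCEPT verdict
# from the queue only ends mangle processing; the filter table still decides.
build_ruleset() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:IPS - [0:0]
-A PREROUTING -j IPS
# flows already marked as bypassed skip the queue (assumed mark bit 0x1)
-A IPS -m mark --mark 0x1/0x1 -j RETURN
# last rule: if Suricata is gone, --queue-bypass just falls off the chain end
-A IPS -j NFQUEUE --queue-balance 0:3 --queue-bypass
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Verify the invariant the design relies on: NFQUEUE appears only in the
# mangle table and is the final rule of the IPS chain. Returns 0 when it holds.
check_ruleset() {
    build_ruleset | awk '
        /^\*/        { table = substr($0, 2) }
        /-j NFQUEUE/ { if (table != "mangle") bad = 1; queued = 1; next }
        /^-A IPS /   { if (queued) bad = 1 }
        END          { exit ((bad || !queued) ? 1 : 0) }'
}

# Usage: ./ips-mangle.sh        (print and verify)
#        ./ips-mangle.sh apply  (load with iptables-restore, needs root)
case "${1:-check}" in
    apply) check_ruleset && build_ruleset | iptables-restore ;;
    *)     build_ruleset; check_ruleset && echo "ok: NFQUEUE is last in mangle/IPS" ;;
esac
```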