We are using the netfilter MARK in IPsec & QoS and this is causing conflicts.
Therefore, we use the highest bit in the IPS chain now and clear it afterwards because we do not really care about this after the packets have been passed through suricata.
Then, no other application has to worry about suricata.
Fixes: #12010
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 config/suricata/suricata.yaml   | 4 ++--
 src/initscripts/system/suricata | 7 +++++--
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 12937ab22..7f651327e 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -117,8 +117,8 @@ logging:
nfq: mode: repeat - repeat-mark: 16 - repeat-mask: 16 + repeat-mark: 1879048192 + repeat-mask: 1879048192 # bypass-mark: 1 # bypass-mask: 1 # route-queue: 2 diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index d2c758660..e755dfaff 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -29,8 +29,8 @@ NFQ_OPTS="--queue-bypass " network_zones=( red green blue orange )
# Mark and Mask options. -MARK="0x16" -MASK="0x16" +MARK="0x70000000" +MASK="0x70000000"
# PID file of suricata. PID_FILE="/var/run/suricata.pid" @@ -88,6 +88,9 @@ function generate_fw_rules { iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS fi done + + # Clear repeat bit, so that it does not confuse IPsec or QoS + iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" }
# Function to flush the firewall chain.
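Review bot: in the suricata.yaml hunk the new repeat-mark/repeat-mask value 1879048192 is written in decimal while the initscript hunk writes the same value as 0x70000000, which makes the two hard to keep in sync by eye; a comment next to the yaml keys such as `# 0x70000000, must match MARK/MASK in src/initscripts/system/suricata` would help. The commit message also says "the highest bit", but 0x70000000 covers bits 28 to 30, not bit 31, so the message should say which bits are reserved.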
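Review bot: the MARK/MASK hunk silently fixes a pre-existing mismatch worth calling out in the commit message: iptables reads `0x16` as hex (22) because of the 0x prefix, while the yaml had the decimal 16, so the two sides did not agree on the same bit before this change; with 0x70000000 and 1879048192 they now do.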
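Review bot: the generate_fw_rules hunk's NFQUEUE context line expands `$NFQ_OPTIONS`, whereas the variable visible in the earlier hunk's context is `NFQ_OPTS="--queue-bypass "`; please confirm NFQ_OPTIONS is defined elsewhere, otherwise the queue rules run without `--queue-bypass`. The added clear rule itself looks right: `--set-xmark "0x0/${MASK}"` only zeroes the reserved bits, and appending it with `-A` while the NFQUEUE rules are inserted with `-I` guarantees it stays the last rule in the chain. Note that it also wipes bits 28 to 30 for every packet leaving the chain, so the range needs to be documented as reserved for the IPS so that IPsec and QoS never mark there.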
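To show why the mark and mask have to agree between iptables and suricata.yaml, and why the trailing clear rule protects other mark users, here is an added model of the chain (example code, not part of the IPFire patch or of Suricata). The mark/mask constants are the values from the patch; the chain traversal, the NF_REPEAT loop and the sample marks are a constructed simplification.

```python
# Added example, not from the IPFire patch or Suricata: a model of how the
# netfilter mark moves through the IPS chain the patch generates.

MARK_BITS = 0xFFFFFFFF  # skb->mark is 32 bits wide

# Values from the patch: MARK/MASK in the initscript, repeat-mark/-mask in the yaml
NEW_IPT = (0x70000000, 0x70000000)  # iptables: -m mark ! --mark MARK/MASK
NEW_SUR = (1879048192, 1879048192)  # suricata.yaml: repeat-mark / repeat-mask
# Pre-patch values: iptables reads "0x16" as hex (22), the yaml had decimal 16
OLD_IPT = (0x16, 0x16)
OLD_SUR = (16, 16)


def set_xmark(mark, value, mask):
    """`-j MARK --set-xmark value/mask`: mark = (mark & ~mask) ^ value."""
    return ((mark & ~mask) ^ value) & MARK_BITS


def mark_matches(mark, value, mask):
    """`-m mark --mark value/mask`: (mark & mask) == value."""
    return (mark & mask) == value


def repeat_verdict(mark, repeat_mark, repeat_mask):
    """Suricata nfq 'repeat' mode: re-inject with repeat-mark set under repeat-mask."""
    return ((mark & ~repeat_mask) | repeat_mark) & MARK_BITS


def traverse_ips_chain(mark, ipt=NEW_IPT, sur=NEW_SUR, max_passes=4):
    """One packet through the modelled chain; returns (final_mark, times_queued).

    Rule 1: -m mark ! --mark MARK/MASK -j NFQUEUE  -> Suricata, NF_REPEAT restarts chain
    Rule 2: -j MARK --set-xmark 0x0/MASK            -> reserved bits cleared on the way out
    Raises RuntimeError if the mark Suricata sets never satisfies the iptables match.
    """
    queued = 0
    for _ in range(max_passes):
        if not mark_matches(mark, *ipt):
            queued += 1
            mark = repeat_verdict(mark, *sur)
            continue
        # Reserved bits present (set by Suricata, or already on arrival): not queued.
        return set_xmark(mark, 0x0, ipt[1]), queued
    raise RuntimeError("packet re-queued on every pass: mark/mask mismatch")


def mismatch_loops(ipt, sur):
    """True when the model never gets a packet past the NFQUEUE rule."""
    try:
        traverse_ips_chain(0, ipt, sur)
    except RuntimeError:
        return True
    return False
```

With the patched values a constructed QoS mark such as 0x0A comes out of the chain unchanged after one trip through Suricata, while the pre-patch pair (0x16 in iptables, 16 in the yaml) never lets the packet past the NFQUEUE rule in this model.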
Merged.
Best regards,
-Stefan