Skip creating forward rules if the input and the output device are the same.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- src/initscripts/system/suricata | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 5ede405ce..79c105c23 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -171,6 +171,11 @@ function generate_fw_rules {
# Create rules which are required to handle forwarded traffic. for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do + # Skip loop iteration if both zones are the same. + if [ "$enabled_ips_zone" == "$enabled_ips_zone_forward" ]; then + continue + fi + # Check if the whetelist file is not empty. if [ -s "$WHITELIST_FILE" ]; then # Create rules to handle whitelisted hosts.
Why do you think these rules are not needed?
On 6 Apr 2022, at 20:23, Stefan Schantl stefan.schantl@ipfire.org wrote:
Skip creating forward rules if the input and the output device are the same.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
src/initscripts/system/suricata | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 5ede405ce..79c105c23 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -171,6 +171,11 @@ function generate_fw_rules {
# Create rules which are required to handle forwarded traffic. for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
# Skip loop iteration if both zones are the same.if [ "$enabled_ips_zone" == "$enabled_ips_zone_forward" ]; thencontinuefi# Check if the whetelist file is not empty. if [ -s "$WHITELIST_FILE" ]; then # Create rules to handle whitelisted hosts.-- 2.30.2
For the records,
I had a short talk with Michael on the phone about that topic.
My intension of the patch was, if there are no packets which have the same input and output device, these rules are not needed.
He answered that there are some reasons, why this could happened. In case you are using DNAT, SNAT or some kind of asynchronous routing etc.
So the iptables rules are required to pass such traffic to the IDS/IPS and the patch can be ignored.
Best regards,
-Stefan
Why do you think these rules are not needed?
On 6 Apr 2022, at 20:23, Stefan Schantl stefan.schantl@ipfire.org wrote:
Skip creating forward rules if the input and the output device are the same.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
src/initscripts/system/suricata | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 5ede405ce..79c105c23 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -171,6 +171,11 @@ function generate_fw_rules {
# Create rules which are required to handle forwarded traffic. for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do + # Skip loop iteration if both zones are the same. + if [ "$enabled_ips_zone" == "$enabled_ips_zone_forward" ]; then + continue + fi + # Check if the whetelist file is not empty. if [ -s "$WHITELIST_FILE" ]; then # Create rules to handle whitelisted hosts. -- 2.30.2
-
Michael Tremer -
Stefan Schantl