From: Arne Fitzenreiter <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, core131, updated. 9cf253e150078852877f5ee530aeb3408fa4216b
Date: Fri, 26 Apr 2019 06:47:19 +0100
Message-ID: <20190426054720.4CB3184FDC5@people01.i.ipfire.org>
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, core131 has been updated
via 9cf253e150078852877f5ee530aeb3408fa4216b (commit)
via 5e3067cb52bdb613a193c2c0280e07d10c30f6de (commit)
via 686c4b9f25d2c2edfc4fe851f84a78e04eaee330 (commit)
via 31568a19824a5e0621cf6cb9297d2800e3b3f59e (commit)
via 1f35114d7bc9e2941b15cb93bebc46f66a525e9f (commit)
from d4f315677777e4b819d82eadd14af6f4d20137e5 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 9cf253e150078852877f5ee530aeb3408fa4216b
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Apr 25 19:31:48 2019 +0200
initscripts/suricata: Rework creation of firewall rules.
The script will now use the previously introduced separate firewall chains called
IPS_INPUT, IPS_FORWARD and IPS_OUTPUT.
The commit also creates an AND connection between the chosen network zones in the UI and
the final firewall rules.
Fixes #12062.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit 5e3067cb52bdb613a193c2c0280e07d10c30f6de
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Apr 25 19:31:47 2019 +0200
initscripts/suricata: Move functions order and always use flush_fw_chain function
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit 686c4b9f25d2c2edfc4fe851f84a78e04eaee330
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Apr 25 19:31:46 2019 +0200
firewall: Use separate firewall chains for passing traffic to the IPS
Create and use separate iptables chains called IPS_INPUT, IPS_FORWARD and IPS_OUTPUT
to be more flexible about which kind of traffic should be passed to suricata.
Reference #12062
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit 31568a19824a5e0621cf6cb9297d2800e3b3f59e
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Fri Apr 26 07:43:21 2019 +0200
hostapd: bump package version
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit 1f35114d7bc9e2941b15cb93bebc46f66a525e9f
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Apr 24 11:24:33 2019 +0100
hostap: Fix wiring of checkboxes for client isolation
The checkboxes were swapped, which led to client isolation
being enabled when the UI said disabled and vice versa.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
html/cgi-bin/wlanap.cgi | 2 +-
lfs/hostapd | 2 +-
src/initscripts/system/firewall | 10 +++--
src/initscripts/system/suricata | 82 ++++++++++++++++++++++++++---------------
4 files changed, 60 insertions(+), 36 deletions(-)
Difference in files:
diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi
index 44b0b4053..abee0c3cb 100644
--- a/html/cgi-bin/wlanap.cgi
+++ b/html/cgi-bin/wlanap.cgi
@@ -382,7 +382,7 @@ print <<END
<tr><td width='25%' class='base'>SSID: </td><td class='base' colspan='3'><input type='text' name='SSID' size='30' value='$wlanapsettings{'SSID'}' /></td></tr>
<!--SSID Broadcast: on => HIDESSID: off -->
<tr><td width='25%' class='base'>SSID Broadcast: </td><td class='base' colspan='3'>on <input type='radio' name='HIDESSID' value='off' $checked{'HIDESSID'}{'off'} /> | <input type='radio' name='HIDESSID' value='on' $checked{'HIDESSID'}{'on'} /> off</td></tr>
-<tr><td width='25%' class='base'>Client Isolation: </td><td class='base' colspan='3'>on <input type='radio' name='CLIENTISOLATION' value='off' $checked{'CLIENTISOLATION'}{'off'} /> | <input type='radio' name='CLIENTISOLATION' value='on' $checked{'CLIENTISOLATION'}{'on'} /> off</td></tr>
+<tr><td width='25%' class='base'>Client Isolation: </td><td class='base' colspan='3'>on <input type='radio' name='CLIENTISOLATION' value='on' $checked{'CLIENTISOLATION'}{'on'} /> | <input type='radio' name='CLIENTISOLATION' value='off' $checked{'CLIENTISOLATION'}{'off'} /> off</td></tr>
<tr><td width='25%' class='base'>$Lang::tr{'wlanap country'}: </td><td class='base' colspan='3'>
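Review bot: the HIDESSID row two lines above intentionally puts the "on" label next to value='off' and documents that inversion with an HTML comment, while the corrected CLIENTISOLATION row uses the direct mapping (label "on" next to value='on') with no comment at all, which is exactly how the original swap slipped in. Add a matching comment above the row, e.g. `<!--Client Isolation: on => CLIENTISOLATION: on -->`, so the two rows' different conventions are explicit to the next person editing this template.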
diff --git a/lfs/hostapd b/lfs/hostapd
index 64ff28e4b..c2830b88a 100644
--- a/lfs/hostapd
+++ b/lfs/hostapd
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = hostapd
-PAK_VER = 45
+PAK_VER = 46
DEPS = ""
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index be6c9169f..da89857d8 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -186,10 +186,12 @@ iptables_init() {
iptables -A FORWARD -j GUARDIAN
# IPS (suricata) chains
- iptables -N IPS
- iptables -A INPUT -j IPS
- iptables -A FORWARD -j IPS
- iptables -A OUTPUT -j IPS
+ iptables -N IPS_INPUT
+ iptables -N IPS_FORWARD
+ iptables -N IPS_OUTPUT
+ iptables -A INPUT -j IPS_INPUT
+ iptables -A FORWARD -j IPS_FORWARD
+ iptables -A OUTPUT -j IPS_OUTPUT
# Block non-established IPsec networks
iptables -N IPSECBLOCK
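Review bot: this hunk stops creating the `IPS` chain, but the suricata initscript keeps `FW_CHAIN="IPS"` and runs `iptables -F "$FW_CHAIN"` until the later commit 9cf253e in this same push, so at commit 686c4b9 on its own the IPS script fails with a missing-chain error and bisecting through the series lands on a broken state. Either squash the chain rename in both scripts into one commit or land the suricata change first so each commit is self-consistent. A minor point: the three `iptables -N` calls print "Chain already exists" and return non-zero if iptables_init is ever run against a table that was not flushed first; that is fine if the function always starts from a clean slate, otherwise guard the creation.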
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index ecd693054..c9f131fca 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -6,7 +6,7 @@
#
# Author : Stefan Schantl <stefan.schantl(a)ipfire.org>
#
-# Version : 01.00
+# Version : 01.01
#
# Notes :
#
@@ -20,8 +20,10 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-# Name of the firewall chain.
-FW_CHAIN="IPS"
+# Name of the firewall chains.
+IPS_INPUT_CHAIN="IPS_INPUT"
+IPS_FORWARD_CHAIN="IPS_FORWARD"
+IPS_OUTPUT_CHAIN="IPS_OUTPUT"
# Optional options for the Netfilter queue.
NFQ_OPTS="--queue-bypass "
@@ -29,6 +31,9 @@ NFQ_OPTS="--queue-bypass "
# Array containing the 4 possible network zones.
network_zones=( red green blue orange )
+# Array to store the network zones weather the IPS is enabled for.
+enabled_ips_zones=()
+
# Mark and Mask options.
MARK="0x70000000"
MASK="0x70000000"
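Review bot: the new comment has a typo and a misnomer: "weather" should be "whether", and the array does not hold zone names but interface names (it is filled later with `enabled_ips_zones+=( "$network_device" )`), so a comment such as "Interfaces of the network zones for which the IPS is enabled" describes it accurately; renaming the variable to something like `enabled_ips_devices` would match the comment to the code.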
@@ -48,13 +53,18 @@ function get_cpu_count {
echo $CPUCOUNT
}
+# Function to flush the firewall chains.
+function flush_fw_chain {
+ # Call iptables and flush the chains
+ iptables -F "$IPS_INPUT_CHAIN"
+ iptables -F "$IPS_FORWARD_CHAIN"
+ iptables -F "$IPS_OUTPUT_CHAIN"
+}
+
# Function to create the firewall rules to pass the traffic to suricata.
function generate_fw_rules {
cpu_count=$(get_cpu_count)
- # Flush the firewall chain.
- iptables -F "$FW_CHAIN"
-
# Loop through the array of network zones.
for zone in "${network_zones[@]}"; do
# Convert zone into upper case.
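Review bot: `flush_fw_chain` now flushes three chains, so the singular function name and the plural comment disagree; rename it to `flush_fw_chains`. The three `iptables -F` calls also ignore their return codes, so when a chain is missing (a system whose firewall initscript has not been restarted since the rename, for instance) the error is printed and the script carries on and later tries to insert NFQUEUE rules into the absent chain. Checking for the chain first, e.g. `iptables -n -L "$IPS_INPUT_CHAIN" >/dev/null 2>&1 || exit 1`, or testing each `-F` result, turns a silently half-applied policy into a visible failure.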
@@ -79,34 +89,46 @@ function generate_fw_rules {
network_device=${!zone_name}
fi
- # Assign NFQ_OPTS
- NFQ_OPTIONS=$NFQ_OPTS
-
- # Check if there are multiple cpu cores available.
- if [ "$cpu_count" -gt "1" ]; then
- # Balance beetween all queues.
- NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))"
- NFQ_OPTIONS+=" --queue-cpu-fanout"
- else
- # Send all packets to queue 0.
- NFQ_OPTIONS+="--queue-num 0"
- fi
-
- # Create firewall rules to queue the traffic and pass to
- # the IDS.
- iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
- iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ # Add the network device to the array of enabled zones.
+ enabled_ips_zones+=( "$network_device" )
fi
done
- # Clear repeat bit, so that it does not confuse IPsec or QoS
- iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
-}
+ # Assign NFQ_OPTS
+ NFQ_OPTIONS=$NFQ_OPTS
+
+ # Check if there are multiple cpu cores available.
+ if [ "$cpu_count" -gt "1" ]; then
+ # Balance beetween all queues.
+ NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))"
+ NFQ_OPTIONS+=" --queue-cpu-fanout"
+ else
+ # Send all packets to queue 0.
+ NFQ_OPTIONS+="--queue-num 0"
+ fi
+
+ # Flush the firewall chains.
+ flush_fw_chain
+
+ # Check if the array of enabled_ips_zones contains any elements.
+ if [[ ${enabled_ips_zones[@]} ]]; then
+ # Loop through the array and create firewall rules.
+ for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
+ # Create rules queue input and output related traffic and pass it to the IPS.
+ iptables -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ iptables -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+
+ # Create rules which are required to handle forwarded traffic.
+ for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
+ iptables -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ done
+ done
-# Function to flush the firewall chain.
-function flush_fw_chain {
- # Call iptables and flush the chain
- iptables -F "$FW_CHAIN"
+ # Clear repeat bit, so that it does not confuse IPsec or QoS
+ iptables -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+ iptables -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+ iptables -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+ fi
}
case "$1" in
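Review bot: `enabled_ips_zones` is a global that is only ever appended to, so calling `generate_fw_rules` twice within the same shell (for example a restart path that runs the start logic twice) inserts every rule a second time; reset it with `enabled_ips_zones=()` at the top of the function. On the forward rules, the nested loop creates a rule for every interface pair, including each interface with itself, and forwarded traffic between an enabled interface and any interface not in the list is no longer queued to suricata at all; that matches the "AND connection" described in the commit message, but it is a behaviour change from the previous `-i`/`-o` rules and deserves a sentence in the IPS page help text. Finally, `if [[ ${enabled_ips_zones[@]} ]]` depends on an unquoted array expansion and breaks under `set -u` when the array is empty; `if [ "${#enabled_ips_zones[@]}" -gt 0 ]` states the intent directly.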
hooks/post-receive
--
IPFire 2.x development tree