* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 20c7552e0d1453e90cd069a83c712ff29fb1cbc7
@ 2019-04-26 17:40 Arne Fitzenreiter
From: Arne Fitzenreiter @ 2019-04-26 17:40 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  20c7552e0d1453e90cd069a83c712ff29fb1cbc7 (commit)
       via  9cf253e150078852877f5ee530aeb3408fa4216b (commit)
       via  5e3067cb52bdb613a193c2c0280e07d10c30f6de (commit)
       via  686c4b9f25d2c2edfc4fe851f84a78e04eaee330 (commit)
       via  31568a19824a5e0621cf6cb9297d2800e3b3f59e (commit)
       via  1f35114d7bc9e2941b15cb93bebc46f66a525e9f (commit)
       via  d4f315677777e4b819d82eadd14af6f4d20137e5 (commit)
       via  e8a28edbea9f2b6b8d0d2f47d56f548cc1e5e2d9 (commit)
       via  a86bc6dfc6f391ed4c91a9a0ecb503da2ee8a80d (commit)
       via  56f6d107ff152748a0330a99ab39ad66880ff64b (commit)
       via  7b0c8a80af716cb8ce1abfe990b149eb60ef0498 (commit)
      from  2cecfd0fdb1ab4b0b7c1b9468a61c8d1d7d06961 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 20c7552e0d1453e90cd069a83c712ff29fb1cbc7
Merge: 2cecfd0fd 9cf253e15
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Fri Apr 26 19:39:55 2019 +0200

    Merge branch 'master' into next
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/rootfiles/oldcore/131/filelists/files |  1 +
 html/cgi-bin/wlanap.cgi                      |  2 -
 lfs/hostapd                                  |  2 +-
 src/initscripts/system/firewall              | 10 ++--
 src/initscripts/system/suricata              | 82 ++++++++++++++++++----------
 5 files changed, 60 insertions(+), 37 deletions(-)

Difference in files:
diff --git a/config/rootfiles/oldcore/131/filelists/files b/config/rootfiles/oldcore/131/filelists/files
index 810c67b1e..aa842b73c 100644
--- a/config/rootfiles/oldcore/131/filelists/files
+++ b/config/rootfiles/oldcore/131/filelists/files
@@ -19,6 +19,7 @@ srv/web/ipfire/cgi-bin/logs.cgi/ids.dat
 srv/web/ipfire/cgi-bin/logs.cgi/log.dat
 srv/web/ipfire/cgi-bin/ovpnmain.cgi
 srv/web/ipfire/cgi-bin/remote.cgi
+srv/web/ipfire/cgi-bin/services.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
 usr/local/bin/ipsec-interfaces
 usr/local/bin/sshctrl
diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi
index 06ce05bfb..04b2a9491 100644
--- a/html/cgi-bin/wlanap.cgi
+++ b/html/cgi-bin/wlanap.cgi
@@ -388,8 +388,6 @@ print <<END
 <!--SSID Broadcast: on => HIDESSID: off -->
 <tr><td width='25%' class='base'>$Lang::tr{'wlanap broadcast ssid'}:&nbsp;</td><td class='base' colspan='3'>$Lang::tr{'on'} <input type='radio' name='HIDESSID' value='off' $checked{'HIDESSID'}{'off'} /> | <input type='radio' name='HIDESSID' value='on' $checked{'HIDESSID'}{'on'} /> $Lang::tr{'off'}</td></tr>
 <tr><td width='25%' class='base'>$Lang::tr{'wlanap client isolation'}:&nbsp;</td><td class='base' colspan='3'>$Lang::tr{'on'} <input type='radio' name='CLIENTISOLATION' value='on' $checked{'CLIENTISOLATION'}{'on'} /> | <input type='radio' name='CLIENTISOLATION' value='off' $checked{'CLIENTISOLATION'}{'off'} /> $Lang::tr{'off'}</td></tr>
-
-
 <tr><td width='25%' class='base'>$Lang::tr{'wlanap country'}:&nbsp;</td><td class='base' colspan='3'>
 	<select name='COUNTRY'>
 END
diff --git a/lfs/hostapd b/lfs/hostapd
index 14932cccb..ce399df75 100644
--- a/lfs/hostapd
+++ b/lfs/hostapd
@@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = hostapd
-PAK_VER    = 48
+PAK_VER    = 47
 
 DEPS       = ""
 
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index be6c9169f..da89857d8 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -186,10 +186,12 @@ iptables_init() {
 	iptables -A FORWARD -j GUARDIAN
 
 	# IPS (suricata) chains
-	iptables -N IPS
-	iptables -A INPUT -j IPS
-	iptables -A FORWARD -j IPS
-	iptables -A OUTPUT -j IPS
+	iptables -N IPS_INPUT
+	iptables -N IPS_FORWARD
+	iptables -N IPS_OUTPUT
+	iptables -A INPUT -j IPS_INPUT
+	iptables -A FORWARD -j IPS_FORWARD
+	iptables -A OUTPUT -j IPS_OUTPUT
 
 	# Block non-established IPsec networks
 	iptables -N IPSECBLOCK
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index ecd693054..c9f131fca 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -6,7 +6,7 @@
 #
 # Author      : Stefan Schantl <stefan.schantl(a)ipfire.org>
 #
-# Version     : 01.00
+# Version     : 01.01
 #
 # Notes       :
 #
@@ -20,8 +20,10 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
 eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 
-# Name of the firewall chain.
-FW_CHAIN="IPS"
+# Name of the firewall chains.
+IPS_INPUT_CHAIN="IPS_INPUT"
+IPS_FORWARD_CHAIN="IPS_FORWARD"
+IPS_OUTPUT_CHAIN="IPS_OUTPUT"
 
 # Optional options for the Netfilter queue.
 NFQ_OPTS="--queue-bypass "
@@ -29,6 +31,9 @@ NFQ_OPTS="--queue-bypass "
 # Array containing the 4 possible network zones.
 network_zones=( red green blue orange )
 
+# Array to store the network zones weather the IPS is enabled for.
+enabled_ips_zones=()
+
 # Mark and Mask options.
 MARK="0x70000000"
 MASK="0x70000000"
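Review bot: The comment on the new `enabled_ips_zones` array has a typo ("weather") and says it stores zones, while the code that fills it later in generate_fw_rules appends `$network_device`, so the array actually holds interface names. Suggest `# Array of the network devices (interfaces) of all zones for which the IPS is enabled; filled by generate_fw_rules.` so a reader does not expect zone names such as "red" in it.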
@@ -48,13 +53,18 @@ function get_cpu_count {
 	echo $CPUCOUNT
 }
 
+# Function to flush the firewall chains.
+function flush_fw_chain {
+	# Call iptables and flush the chains
+	iptables -F "$IPS_INPUT_CHAIN"
+	iptables -F "$IPS_FORWARD_CHAIN"
+	iptables -F "$IPS_OUTPUT_CHAIN"
+}
+
 # Function to create the firewall rules to pass the traffic to suricata.
 function generate_fw_rules {
 	cpu_count=$(get_cpu_count)
 
-	# Flush the firewall chain.
-	iptables -F "$FW_CHAIN"
-
 	# Loop through the array of network zones.
 	for zone in "${network_zones[@]}"; do
 		# Convert zone into upper case.
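Review bot: flush_fw_chain repeats the same `iptables -F` call once per chain, so adding a fourth IPS chain later means editing this function, generate_fw_rules and the firewall initscript in step; a loop over the chain names keeps the list in one place: `for chain in "$IPS_INPUT_CHAIN" "$IPS_FORWARD_CHAIN" "$IPS_OUTPUT_CHAIN"; do iptables -F "$chain"; done`. The header comment could also state the precondition that the chains must already exist (they are created by the firewall initscript, not here), since `iptables -F` on a missing chain fails. generate_fw_rules continues past the end of this hunk.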
@@ -79,34 +89,46 @@ function generate_fw_rules {
 				network_device=${!zone_name}
 			fi
 
-			# Assign NFQ_OPTS
-			NFQ_OPTIONS=$NFQ_OPTS
-
-			# Check if there are multiple cpu cores available.
-			if [ "$cpu_count" -gt "1" ]; then
-				# Balance beetween all queues.
-				NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))"
-				NFQ_OPTIONS+=" --queue-cpu-fanout"
-			else
-				# Send all packets to queue 0.
-				NFQ_OPTIONS+="--queue-num 0"
-			fi
-
-			# Create firewall rules to queue the traffic and pass to
-			# the IDS.
-			iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
-			iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+			# Add the network device to the array of enabled zones.
+			enabled_ips_zones+=( "$network_device" )
 		fi
 	done
 
-	# Clear repeat bit, so that it does not confuse IPsec or QoS
-	iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
-}
+	# Assign NFQ_OPTS
+	NFQ_OPTIONS=$NFQ_OPTS
+
+	# Check if there are multiple cpu cores available.
+	if [ "$cpu_count" -gt "1" ]; then
+		# Balance beetween all queues.
+		NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))"
+		NFQ_OPTIONS+=" --queue-cpu-fanout"
+	else
+		# Send all packets to queue 0.
+		NFQ_OPTIONS+="--queue-num 0"
+	fi
+
+	# Flush the firewall chains.
+	flush_fw_chain
+
+	# Check if the array of enabled_ips_zones contains any elements.
+	if [[ ${enabled_ips_zones[@]} ]]; then
+		# Loop through the array and create firewall rules.
+		for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
+			# Create rules queue input and output related traffic and pass it to the IPS.
+			iptables -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+			iptables -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+
+			# Create rules which are required to handle forwarded traffic.
+			for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
+				iptables -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+			done
+		done
 
-# Function to flush the firewall chain.
-function flush_fw_chain {
-	# Call iptables and flush the chain
-	iptables -F "$FW_CHAIN"
+		# Clear repeat bit, so that it does not confuse IPsec or QoS
+		iptables -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+		iptables -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+		iptables -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+	fi
 }
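Review bot: The new IPS_FORWARD rules only queue a forwarded packet when both its ingress and egress device are in enabled_ips_zones (the nested loop producing `-i "$enabled_ips_zone" -o "$enabled_ips_zone_forward"`), whereas the removed rules matched on `-i` or `-o` alone, so with the IPS enabled on a single zone, forwarded traffic between that zone and a non-enabled zone is no longer inspected. If that narrowing is intended it should be stated, e.g. `# Forwarded traffic is only inspected when BOTH the ingress and egress zone have the IPS enabled.` above the inner loop; if not, the per-direction `-i` and `-o` rules need to be restored in IPS_FORWARD. Separately, enabled_ips_zones is a script-global array that this function only ever appends to, so if generate_fw_rules runs more than once in one invocation (for example a restart handled in the case block below, which is not shown) the devices and hence the NFQUEUE rules are duplicated; resetting it with `enabled_ips_zones=()` at the top of the function avoids that. generate_fw_rules begins before this hunk.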
 
 case "$1" in


hooks/post-receive
--
IPFire 2.x development tree

