suricata: Use highest bit to mark packets

Message ID: 20190228193738.31905-1-michael.tremer@ipfire.org
State: Accepted
Commit: 5d04cfe7d582bc58a4e4f9995fe5f67fcc456456
Series: suricata: Use highest bit to mark packets

Commit Message

Michael Tremer March 1, 2019, 6:37 a.m. UTC
We are using the netfilter MARK in IPsec & QoS and this
is causing conflicts.

Therefore, we use the highest bit in the IPS chain now
and clear it afterwards because we do not really care about
this after the packets have been passed through suricata.

Then, no other application has to worry about suricata.

Fixes: #12010
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 config/suricata/suricata.yaml   | 4 ++--
 src/initscripts/system/suricata | 7 +++++--
 2 files changed, 7 insertions(+), 4 deletions(-)
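The mark-and-clear scheme the commit message describes, worked through as an added shell example that is not part of the patch or of IPFire's or Suricata's own code: it emulates the `-m mark --mark value/mask` test and the `-j MARK --set-xmark value/mask` update in shell arithmetic, walks a packet through the IPS chain in the order the init script builds it (NFQUEUE rule inserted first, clearing rule appended last, Suricata re-injecting with repeat-mark/repeat-mask set), and compares the pre-patch and post-patch mark/mask pairs. The QoS mark 0x2 and the bit-30 mark 0x40000000 are constructed inputs for the demo, not values IPFire assigns; the function names are mine.

```shell
#!/bin/bash
# Added illustration (not IPFire's or Suricata's code): emulate the netfilter
# mark arithmetic behind the IPS chain described in the commit message.
#
# Semantics used (iptables-extensions(8)):
#   -m mark --mark value/mask       matches when (mark & mask) == value
#   -j MARK --set-xmark value/mask  sets mark = (mark & ~mask) ^ value
#
# Values taken from the patch:
SURICATA_MARK=0x70000000   # MARK in the init script / repeat-mark in suricata.yaml (1879048192)
SURICATA_MASK=0x70000000   # MASK in the init script / repeat-mask in suricata.yaml

# Print a hex or decimal mark as decimal, the form suricata.yaml uses.
to_dec() { printf '%d\n' "$(( $1 ))"; }

# -j MARK --set-xmark value/mask
set_xmark() { # $1 current mark, $2 value, $3 mask
    printf '%d\n' "$(( ($1 & ~$3) ^ $2 ))"
}

# -m mark --mark value/mask ; returns 0 when the packet matches
mark_matches() { # $1 current mark, $2 value, $3 mask
    [ "$(( $1 & $3 ))" -eq "$(( $2 ))" ]
}

# Two mark allocations conflict when their masks share at least one bit.
masks_overlap() { [ "$(( $1 & $2 ))" -ne 0 ]; }

# Would a packet Suricata re-injected with yaml_mark/yaml_mask still hit the
# "-m mark ! --mark script_mark/script_mask -j NFQUEUE" rule?  0 = yes.
requeued() { # $1 yaml mark, $2 yaml mask, $3 script mark, $4 script mask
    local m
    m=$(set_xmark 0 "$1" "$2")
    ! mark_matches "$m" "$3" "$4"
}

# Walk one packet through the IPS chain as the init script builds it:
#   -I ... -m mark ! --mark MARK/MASK -j NFQUEUE   (queue once)
#   Suricata re-injects it with repeat-mark/repeat-mask set (nfq mode: repeat)
#   -A ... -j MARK --set-xmark 0x0/MASK            (clear afterwards)
# Prints "<times queued> <final mark>".
ips_chain() { # $1 mark the packet carries when it enters the chain
    local mark=$1 queued=0
    # first traversal: reserved bits not set, NFQUEUE rule fires
    if ! mark_matches "$mark" "$SURICATA_MARK" "$SURICATA_MASK"; then
        queued=$((queued + 1))
        mark=$(set_xmark "$mark" "$SURICATA_MARK" "$SURICATA_MASK")
    fi
    # repeat traversal: reserved bits set, NFQUEUE rule is skipped
    if ! mark_matches "$mark" "$SURICATA_MARK" "$SURICATA_MASK"; then
        queued=$((queued + 1))
    fi
    # last rule of the chain: clear only the reserved bits
    mark=$(set_xmark "$mark" 0 "$SURICATA_MASK")
    echo "$queued $mark"
}

# Demo with constructed marks: a low-bit (hypothetical QoS) mark 0x2 comes
# out unchanged; a mark that shares bit 30 with the reservation is wiped.
echo "0x70000000 = $(to_dec 0x70000000)"
echo "mark 0x2        -> $(ips_chain 0x2)"
echo "mark 0x40000000 -> $(ips_chain 0x40000000)"
```

`requeued 16 16 0x16 0x16` models the values the patch replaces: 0x16 is 22, not 16, so a packet Suricata had marked with 16/16 does not satisfy `--mark 0x16/0x16` and falls into the NFQUEUE rule again, whereas the new pair (1879048192 and 0x70000000 are the same number) is consistent. `masks_overlap` is the check to run against whatever masks IPsec and QoS use on a given system before reserving bits for the IPS chain.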
  

Comments

Stefan Schantl March 2, 2019, 4:10 a.m. UTC | #1
Merged.

Best regards,

-Stefan
> We are using the netfilter MARK in IPsec & QoS and this
> is causing conflicts.
> 
> Therefore, we use the highest bit in the IPS chain now
> and clear it afterwards because we do not really care about
> this after the packets have been passed through suricata.
> 
> Then, no other application has to worry about suricata.
> 
> Fixes: #12010
> Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ---
>  config/suricata/suricata.yaml   | 4 ++--
>  src/initscripts/system/suricata | 7 +++++--
>  2 files changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/config/suricata/suricata.yaml
> b/config/suricata/suricata.yaml
> index 12937ab22..7f651327e 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
> @@ -117,8 +117,8 @@ logging:
>  
>  nfq:
>     mode: repeat
> -   repeat-mark: 16
> -   repeat-mask: 16
> +   repeat-mark: 1879048192
> +   repeat-mask: 1879048192
>  #   bypass-mark: 1
>  #   bypass-mask: 1
>  #  route-queue: 2
> diff --git a/src/initscripts/system/suricata
> b/src/initscripts/system/suricata
> index d2c758660..e755dfaff 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -29,8 +29,8 @@ NFQ_OPTS="--queue-bypass "
>  network_zones=( red green blue orange )
>  
>  # Mark and Mask options.
> -MARK="0x16"
> -MASK="0x16"
> +MARK="0x70000000"
> +MASK="0x70000000"
>  
>  # PID file of suricata.
>  PID_FILE="/var/run/suricata.pid"
> @@ -88,6 +88,9 @@ function generate_fw_rules {
>  			iptables -I "$FW_CHAIN" -o "$network_device" -m
> mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
>  		fi
>  	done
> +
> +	# Clear repeat bit, so that it does not confuse IPsec or QoS
> +	iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
>  }
>  
>  # Function to flush the firewall chain.
  

Patch

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 12937ab22..7f651327e 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -117,8 +117,8 @@  logging:
 
 nfq:
    mode: repeat
-   repeat-mark: 16
-   repeat-mask: 16
+   repeat-mark: 1879048192
+   repeat-mask: 1879048192
 #   bypass-mark: 1
 #   bypass-mask: 1
 #  route-queue: 2
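Review bot: 1879048192 is 0x70000000, which reserves bits 28, 29 and 30, so the subject line's "highest bit" does not describe this value; the single highest bit of the 32-bit mark would be 0x80000000 (2147483648). Either the title should say that three high bits are reserved or the value should be narrowed to one bit, and a comment beside repeat-mark/repeat-mask giving the hex form and pointing at MARK/MASK in src/initscripts/system/suricata would spare the next reader the conversion.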
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index d2c758660..e755dfaff 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -29,8 +29,8 @@  NFQ_OPTS="--queue-bypass "
 network_zones=( red green blue orange )
 
 # Mark and Mask options.
-MARK="0x16"
-MASK="0x16"
+MARK="0x70000000"
+MASK="0x70000000"
 
 # PID file of suricata.
 PID_FILE="/var/run/suricata.pid"
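Review bot: MARK and MASK must stay identical to repeat-mark and repeat-mask in suricata.yaml, and the comment "# Mark and Mask options." should say so, because the values being replaced show the two files drifting apart: the init script had 0x16 (decimal 22) while suricata.yaml had decimal 16, so a packet Suricata re-injected with 16/16 set did not satisfy `--mark 0x16/0x16` and still matched the `! --mark` NFQUEUE rule. The new pair is consistent (0x70000000 is 1879048192), but nothing in either file enforces it.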
@@ -88,6 +88,9 @@  function generate_fw_rules {
 			iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
 		fi
 	done
+
+	# Clear repeat bit, so that it does not confuse IPsec or QoS
+	iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
 }
 
 # Function to flush the firewall chain.
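Review bot: the comment says "Clear repeat bit" but MASK is 0x70000000, so this rule zeroes bits 28 to 30 and any value IPsec or QoS had placed there before the IPS chain is lost; the comment should state that these three bits are reserved for the IPS chain and that the rule is appended with -A, unlike the -I used for the NFQUEUE rules above, so that it stays last and re-injected packets pass the `! --mark` rules before being cleaned. If generate_fw_rules can run without the flush function below running first, every call appends another copy of this rule; guarding it with `iptables -C "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"` would keep it single. Minor: `"${FW_CHAIN}"` differs from the `"$FW_CHAIN"` quoting used two lines up.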