From patchwork Fri Mar 1 06:37:38 2019
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 2121
From: Michael Tremer
To: development@lists.ipfire.org
Cc: Michael Tremer
Subject: [PATCH] suricata: Use highest bit to mark packets
Date: Thu, 28 Feb 2019 19:37:38 +0000
Message-Id: <20190228193738.31905-1-michael.tremer@ipfire.org>
X-Mailer: git-send-email 2.12.2
List-Id: IPFire development talk

We are using the netfilter MARK in IPsec & QoS and this is causing conflicts.

Therefore, we use the highest bit in the IPS chain now and clear it afterwards
because we do not really care about this after the packets have been passed
through suricata.

Then, no other application has to worry about suricata.

Fixes: #12010
Signed-off-by: Arne Fitzenreiter
Signed-off-by: Michael Tremer --- config/suricata/suricata.yaml | 4 ++-- src/initscripts/system/suricata | 7 +++++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 12937ab22..7f651327e 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -117,8 +117,8 @@ logging: nfq: mode: repeat - repeat-mark: 16 - repeat-mask: 16 + repeat-mark: 1879048192 + repeat-mask: 1879048192 # bypass-mark: 1 # bypass-mask: 1 # route-queue: 2 diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index d2c758660..e755dfaff 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -29,8 +29,8 @@ NFQ_OPTS="--queue-bypass " network_zones=( red green blue orange ) # Mark and Mask options. -MARK="0x16" -MASK="0x16" +MARK="0x70000000" +MASK="0x70000000" # PID file of suricata. PID_FILE="/var/run/suricata.pid" @@ -88,6 +88,9 @@ function generate_fw_rules { iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS fi done + + # Clear repeat bit, so that it does not confuse IPsec or QoS + iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" } # Function to flush the firewall chain.
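Review bot: In the config/suricata/suricata.yaml hunk, 1879048192 is 0x70000000, which sets bits 28, 29 and 30, not "the highest bit" that the subject line and commit message describe (bit 31 would be 0x80000000, i.e. 2147483648); either the description or the value should be brought in line. A comment next to `repeat-mark:` giving the hex value and stating that it must equal `MARK`/`MASK` in src/initscripts/system/suricata would also help, because the two files disagreed before this change (`16` here, which is 0x10, versus `0x16`, which is 22, in the initscript) and nothing enforces that they stay in sync.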
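Review bot: In the first src/initscripts/system/suricata hunk, setting both `MARK` and `MASK` to `0x70000000` means the existing `-m mark ! --mark "$MARK"/"$MASK"` match now skips NFQUEUE for any packet that already carries all three of bits 28-30, so those bits are effectively reserved for the IPS and must never be set by the IPsec or QoS marking code before the packet reaches `$FW_CHAIN`, or the packet silently goes uninspected; the bare comment "# Mark and Mask options." should say which bits are reserved and why, and that the value has to match repeat-mark/repeat-mask in suricata.yaml.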
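Review bot: In the second src/initscripts/system/suricata hunk, `--set-xmark "0x0/${MASK}"` clears exactly the masked bits (the target computes mark = (mark AND NOT mask) XOR value) and leaves the IPsec and QoS bits untouched, so the logic is right, but three details are worth tightening: the rule is appended with `-A` while the NFQUEUE rules above are inserted with `-I`, so it only runs after them as long as nothing else is appended to the chain later, and since it is appended unconditionally on every call, the function must always follow the chain flush mentioned just below or duplicate clear rules accumulate; the comment says "repeat bit" although `${MASK}` now covers three bits; and `"${FW_CHAIN}"` differs from the `"$FW_CHAIN"` style on the NFQUEUE line. Unrelated to this change but visible in the same context: the NFQUEUE rule expands `$NFQ_OPTIONS`, while the variable shown at the top of the file is `NFQ_OPTS="--queue-bypass "`, so it is worth checking that `--queue-bypass` actually reaches the rule.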