From patchwork Tue Dec 17 12:06:29 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stefan Schantl <stefan.schantl@ipfire.org>
X-Patchwork-Id: 2649
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
	 client-signature ECDSA (P-384) client-digest SHA384)
	(Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 47ccLj6gPGz43dc
	for <patchwork@web04.haj.ipfire.org>; Tue, 17 Dec 2019 12:06:37 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
	 client-signature ECDSA (P-384) client-digest SHA384)
	(Client CN "mail02.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 47ccLh2fCYz2jb;
	Tue, 17 Dec 2019 12:06:36 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 47ccLh1b5wz2yHm;
	Tue, 17 Dec 2019 12:06:36 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
 client-signature ECDSA (P-384) client-digest SHA384)
 (Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 47ccLf2XFFz2xZ8
 for <development@lists.ipfire.org>; Tue, 17 Dec 2019 12:06:34 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
 (Client did not present a certificate)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 47ccLb61mTz2jb;
 Tue, 17 Dec 2019 12:06:31 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=201909ed25519; t=1576584392;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding;
 bh=TLv4t9yKJbSN6Qy7pQAHufsEyp54whEab6Q3a766FoM=;
 b=3aAYiyMkxOEFc0i9SH+UeODP2sAMud83pFKVsNHXL58X3P1EcryPz1csqacKkTOkmcndvC
 mIzAAGRDqOllmrAQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=201909rsa;
 t=1576584392;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding;
 bh=TLv4t9yKJbSN6Qy7pQAHufsEyp54whEab6Q3a766FoM=;
 b=jpnu9FafJEXwLh5jkhrO3hRdZb87ct7Pk4MuaO19fFqmlPkdT6myZwO9pijNn02vI6KLkc
 +Wa2GOezHl7NkB4I4v8w/NqVhWin/BBcIcnIdWBp7l3QRPpTRWyZ7QdHcPtsnfPN0SyO0w
 IRwmoo9E8NcxFaVwTuCmmwBGa7ib7MQ00p8n9jPGs0jcC/qd300r7edvnLO6Crm6Iq7yxT
 qaF0IgqsOyK++5hCLFf/P1yXtbZH8vInEy1sxhQsuSUOmwthyMpojPPUjnB7qoXpZJhH2H
 ju4jhnBb+DdnixQXZVov6SADgTw6pCk+ZYU1UqtFTNvVXFNxu8GS0IyKR2Crtw==
From: Stefan Schantl <stefan.schantl@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] IDS: Allow to inspect traffic from or to OpenVPN
Date: Tue, 17 Dec 2019 13:06:29 +0100
Message-Id: <20191217120629.2679-1-stefan.schantl@ipfire.org>
MIME-Version: 1.0
Authentication-Results: mail01.ipfire.org;
 auth=pass smtp.auth=stevee smtp.mailfrom=stefan.schantl@ipfire.org
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

This commit allows to configure suricata to monitor traffic from or to
OpenVPN tunnels. This includes the RW server and all established N2N
connections.

Because the RW server and/or each N2N connection uses it's own tun?
device, it is only possible to enable monitoring all of them or to disable
monitoring entirely.

Fixes #12111.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
 html/cgi-bin/ids.cgi            | 10 ++++++++--
 src/initscripts/system/suricata | 18 +++++++++++++++++-
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index da009f891..2a8a7cb26 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -49,6 +49,11 @@ my %ignored=();
 # the list of zones in an array.
 my @network_zones = &IDS::get_available_network_zones();
 
+# Check if openvpn is started and add it to the array of network zones.
+if ( -e "/var/run/openvpn.pid") {
+	push(@network_zones, "ovpn");
+}
+
 my $errormessage;
 
 # Create files if they does not exist yet.
@@ -59,7 +64,8 @@ my %colourhash = (
 	'red' => $Header::colourred,
 	'green' => $Header::colourgreen,
 	'blue' => $Header::colourblue,
-	'orange' => $Header::colourorange
+	'orange' => $Header::colourorange,
+	'ovpn' => $Header::colourovpn
 );
 
 &Header::showhttpheaders();
@@ -839,7 +845,7 @@ END
 			$checked_input = "checked = 'checked'";
 		}
 
-		print "<td class='base' width='25%'>\n";
+		print "<td class='base' width='20%'>\n";
 		print "<input type='checkbox' name='ENABLE_IDS_$zone_upper' $checked_input>\n";
 		print "&nbsp;$Lang::tr{'enabled on'}<font color='$colourhash{$zone}'> $Lang::tr{$zone_name}</font>\n";
 		print "</td>\n";
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 27ab2e4e8..29e58a7e2 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -29,7 +29,7 @@ IPS_OUTPUT_CHAIN="IPS_OUTPUT"
 NFQ_OPTS="--queue-bypass "
 
 # Array containing the 4 possible network zones.
-network_zones=( red green blue orange )
+network_zones=( red green blue orange ovpn )
 
 # Array to store the network zones weather the IPS is enabled for.
 enabled_ips_zones=()
@@ -86,6 +86,22 @@ function generate_fw_rules {
 			if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then
 				# Set device name to ppp0.
 				network_device="ppp0"
+			elif [ "$zone" == "ovpn" ]; then
+				# Get all virtual net devices because the RW server and each
+				# N2N connection creates it's own tun device.
+				for virt_dev in /sys/devices/virtual/net/*; do
+					# Cut-off the directory.
+					dev="${virt_dev##*/}"
+
+					# Only process tun devices.
+					if [[ $dev =~ "tun" ]]; then
+						# Add the network device to the array of enabled zones.
+						enabled_ips_zones+=( "$dev" )
+					fi
+				done
+
+				# Process next zone.
+				continue
 			else
 				# Generate variable name which contains the device name.
 				zone_name="$zone_upper"