[2/9] suricata: Rename MARK/MASK to REPEAT_MARK/REPEAT_MASK

Message ID 20211018101022.15448-2-michael.tremer@ipfire.org
State Accepted
Commit 4f07c279a01d076d7f788ac8635194a8bb7c51cd
Series [1/9] suricata: Set most significant bit as repeat marker |

Commit Message

Michael Tremer Oct. 18, 2021, 10:10 a.m. UTC
  This should avoid confusion when we add more marks

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/initscripts/system/suricata | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
  

Comments

Peter Müller Oct. 18, 2021, 8:42 p.m. UTC | #1
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>

> This should avoid confusion when we add more marks
> 
> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ---
>  src/initscripts/system/suricata | 16 ++++++++--------
>  1 file changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
> index e327225d7..111bd9df3 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -35,8 +35,8 @@ network_zones=( red green blue orange ovpn )
>  enabled_ips_zones=()
>  
>  # Mark and Mask options.
> -MARK="0x80000000"
> -MASK="0x80000000"
> +REPEAT_MARK="0x80000000"
> +REPEAT_MASK="0x80000000"
>  
>  # PID file of suricata.
>  PID_FILE="/var/run/suricata.pid"
> @@ -137,19 +137,19 @@ function generate_fw_rules {
>  		# Loop through the array and create firewall rules.
>  		for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
>  			# Create rules queue input and output related traffic and pass it to the IPS.
> -			iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
> -			iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
> +			iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
> +			iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
>  
>  			# Create rules which are required to handle forwarded traffic.
>  			for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
> -				iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
> +				iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
>  			done
>  		done
>  
>  		# Clear repeat bit, so that it does not confuse IPsec or QoS
> -		iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
> -		iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
> -		iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
> +		iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
> +		iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
> +		iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
>  	fi
>  }
>  
>
  
Stefan Schantl Oct. 19, 2021, 4:02 a.m. UTC | #2
Tested-by: Stefan Schantl <stefan.schantl@ipfire.org>
> This should avoid confusion when we add more marks
> 
> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ---
>  src/initscripts/system/suricata | 16 ++++++++--------
>  1 file changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/src/initscripts/system/suricata
> b/src/initscripts/system/suricata
> index e327225d7..111bd9df3 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -35,8 +35,8 @@ network_zones=( red green blue orange ovpn )
>  enabled_ips_zones=()
>  
>  # Mark and Mask options.
> -MARK="0x80000000"
> -MASK="0x80000000"
> +REPEAT_MARK="0x80000000"
> +REPEAT_MASK="0x80000000"
>  
>  # PID file of suricata.
>  PID_FILE="/var/run/suricata.pid"
> @@ -137,19 +137,19 @@ function generate_fw_rules {
>                 # Loop through the array and create firewall rules.
>                 for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
>                         # Create rules queue input and output related
> traffic and pass it to the IPS.
> -                       iptables -w -I "$IPS_INPUT_CHAIN" -i
> "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE
> $NFQ_OPTIONS
> -                       iptables -w -I "$IPS_OUTPUT_CHAIN" -o
> "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE
> $NFQ_OPTIONS
> +                       iptables -w -I "$IPS_INPUT_CHAIN" -i
> "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}"
> -j NFQUEUE $NFQ_OPTIONS
> +                       iptables -w -I "$IPS_OUTPUT_CHAIN" -o
> "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}"
> -j NFQUEUE $NFQ_OPTIONS
>  
>                         # Create rules which are required to handle
> forwarded traffic.
>                         for enabled_ips_zone_forward in
> "${enabled_ips_zones[@]}"; do
> -                               iptables -w -I "$IPS_FORWARD_CHAIN" -
> i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark
> "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
> +                               iptables -w -I "$IPS_FORWARD_CHAIN" -
> i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark
> "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
>                         done
>                 done
>  
>                 # Clear repeat bit, so that it does not confuse IPsec
> or QoS
> -               iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-
> xmark "0x0/${MASK}"
> -               iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-
> xmark "0x0/${MASK}"
> -               iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-
> xmark "0x0/${MASK}"
> +               iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-
> xmark "0x0/${REPEAT_MASK}"
> +               iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-
> xmark "0x0/${REPEAT_MASK}"
> +               iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-
> xmark "0x0/${REPEAT_MASK}"
>         fi
>  }
>
  

Patch

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index e327225d7..111bd9df3 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -35,8 +35,8 @@  network_zones=( red green blue orange ovpn )
 enabled_ips_zones=()
 
 # Mark and Mask options.
-MARK="0x80000000"
-MASK="0x80000000"
+REPEAT_MARK="0x80000000"
+REPEAT_MASK="0x80000000"
 
 # PID file of suricata.
 PID_FILE="/var/run/suricata.pid"
@@ -137,19 +137,19 @@  function generate_fw_rules {
 		# Loop through the array and create firewall rules.
 		for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
 			# Create rules queue input and output related traffic and pass it to the IPS.
-			iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
-			iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+			iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+			iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
 
 			# Create rules which are required to handle forwarded traffic.
 			for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
-				iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+				iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
 			done
 		done
 
 		# Clear repeat bit, so that it does not confuse IPsec or QoS
-		iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
-		iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
-		iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+		iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
+		iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
+		iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
 	fi
 }