[5/9] suricata: Always append rules instead of inserting them
Commit Message
This allows us to add rules in a consistent order, matching the order in which
they appear in the script.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
src/initscripts/system/suricata | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
Comments
Tested-by: Stefan Schantl <stefan.schantl@ipfire.org>
> This allows us to add rules in a consistent order like they are in
> the
> script.
>
> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ---
> src/initscripts/system/suricata | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/src/initscripts/system/suricata
> b/src/initscripts/system/suricata
> index 981471c7c..5ccea9391 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -139,12 +139,12 @@ function generate_fw_rules {
> # Loop through the array and create firewall rules.
> for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
> # Create rules queue input and output related
> traffic and pass it to the IPS.
> - iptables -w -I "$IPS_INPUT_CHAIN" -i
> "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}"
> -j NFQUEUE $NFQ_OPTIONS
> - iptables -w -I "$IPS_OUTPUT_CHAIN" -o
> "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}"
> -j NFQUEUE $NFQ_OPTIONS
> + iptables -w -A "$IPS_INPUT_CHAIN" -i
> "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}"
> -j NFQUEUE $NFQ_OPTIONS
> + iptables -w -A "$IPS_OUTPUT_CHAIN" -o
> "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}"
> -j NFQUEUE $NFQ_OPTIONS
>
> # Create rules which are required to handle
> forwarded traffic.
> for enabled_ips_zone_forward in
> "${enabled_ips_zones[@]}"; do
> - iptables -w -I "$IPS_FORWARD_CHAIN" -
> i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark
> "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
> + iptables -w -A "$IPS_FORWARD_CHAIN" -
> i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark
> "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
> done
> done
>
@@ -139,12 +139,12 @@ function generate_fw_rules {
# Loop through the array and create firewall rules.
for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
# Create rules queue input and output related traffic and pass it to the IPS.
- iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
- iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
# Create rules which are required to handle forwarded traffic.
for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
- iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
done
done
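Review bot: Switching the three calls from -I to -A makes the position of the NFQUEUE rules depend on whatever is already in IPS_INPUT_CHAIN, IPS_OUTPUT_CHAIN and IPS_FORWARD_CHAIN, so the new lines only place the queue rules first if those chains are flushed before generate_fw_rules runs; if a stale rule is already present (the flush, if any, is outside this hunk), it now matches before traffic is handed to the IPS, whereas the old -I form always put the queue rules at the top. The exit status of each `iptables -w -A` is still unchecked, so a failed append (e.g. a missing chain) silently leaves that zone's traffic unqueued; consider ending each of the three calls with `|| return 1`, or at least logging the failure, so the caller can notice. `$NFQ_OPTIONS` is left unquoted on all three new lines, presumably so it word-splits into several options; if that is intended, a `# shellcheck disable=SC2086 -- NFQ_OPTIONS holds several flags` above the loop would stop the next reader from quoting it. generate_fw_rules starts outside the hunk.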