[6/9] suricata: Add rule to skip IPS if a packet has the bypass bit set
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
src/initscripts/system/suricata | 6 ++++++
1 file changed, 6 insertions(+)
Tested-by: Stefan Schantl <stefan.schantl@ipfire.org>
> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ---
> src/initscripts/system/suricata | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/src/initscripts/system/suricata
> b/src/initscripts/system/suricata
> index 5ccea9391..2577621b8 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -134,6 +134,12 @@ function generate_fw_rules {
> # Flush the firewall chains.
> flush_fw_chain
>
> + # Skip anything that has the bypass bit set
> + local chain
> + for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}"
> "${IPS_OUTPUT_CHAIN}"; do
> + iptables -w -A "${chain}" -m mark --mark
> "${BYPASS_MARK}/${BYPASS_MASK}" -j RETURN
> + done
> +
> # Check if the array of enabled_ips_zones contains any
> elements.
> if [[ ${enabled_ips_zones[@]} ]]; then
> # Loop through the array and create firewall rules.
@@ -134,6 +134,12 @@ function generate_fw_rules {
# Flush the firewall chains.
flush_fw_chain
+ # Skip anything that has the bypass bit set
+ local chain
+ for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do
+ iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j RETURN
+ done
+
# Check if the array of enabled_ips_zones contains any elements.
if [[ ${enabled_ips_zones[@]} ]]; then
# Loop through the array and create firewall rules.
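Review bot: The RETURN rule on the `iptables -w -A` line is appended to all three IPS chains without checking the command's exit status or that `BYPASS_MARK` and `BYPASS_MASK` are non-empty (both are defined outside this hunk), so a missing or misspelled definition yields a malformed `--mark /` argument that iptables rejects while the loop carries on silently; `iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j RETURN || return 1` would surface that. Failing closed is the safe outcome here, since unmarked packets still reach the IPS rules, but a silent failure hides the misconfiguration. A comment above the loop should also state that these values must match Suricata's nfq `bypass-mark`/`bypass-mask` settings and that no other firewall rule may set those mark bits, because any packet carrying the bit skips inspection in every chain: `# Must match suricata.yaml nfq bypass-mark/bypass-mask; any rule setting these bits exempts the packet from the IPS`. If the bit is set per packet by Suricata's verdict only, later packets of the same flow need a CONNMARK restore before this chain for the bypass to take effect — presumably handled elsewhere in the series, worth confirming. generate_fw_rules starts before this hunk.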