From patchwork Mon Oct 18 10:10:19 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 4796 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4HXtB62k8sz3wcq for ; Mon, 18 Oct 2021 10:18:22 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4HXt9p6Q41z5NB; Mon, 18 Oct 2021 10:18:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4HXt9p31dcz3005; Mon, 18 Oct 2021 10:18:06 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4HXt9n0xkgz303m for ; Mon, 18 Oct 2021 10:18:05 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4HXt9m6zNPz1DR; Mon, 18 Oct 2021 10:18:04 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1634552285; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=O5mipGYXt7JUj690qHUzVUXeVh4qTZ0tIWsDZqy81Hk=; b=45O6r2sQ6PrGAiSnNY2XMRG7BjW00kJyh/O0vaGJ9cMe/Gd0oNRuPgAvqdUaPT8+9jr+5m +cWAPpAWiS+SqqCQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1634552285; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=O5mipGYXt7JUj690qHUzVUXeVh4qTZ0tIWsDZqy81Hk=; b=n2tsWfy8cdjnF2bevSDwLjK9jfNrNSdvDPzxo/lNWJodqVAsn+JGpgPcJEc3wMmd5fBgwM s0k9GIEAtEgoePrWtKQEgJ2HXiWyXNxjnci+R6NDvV0fiCSj8t3uNTgf9MS14eCmvtE2K+ rpaQLjpQWyfVInj+mNnU4aUMK+J6YLBt8YFkcSwAIlWGdqT5AMUgzf9nxCugMeGSLGoCq5 OfZiSAs1cEItj9pAvW32/l8ttMp81e4w6ktQNos60saYYbQTXMShCdSc0ecQwmkB+gckNv 991wA0tSup+6zmoA72bIHlnf4o2klTcJH7ddEtOaD8S0vUEzqziLXIBsHxnyJw== From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 6/9] suricata: Add rule to skip IPS if a packet has the bypass bit set Date: Mon, 18 Oct 2021 10:10:19 +0000 Message-Id: <20211018101022.15448-6-michael.tremer@ipfire.org> In-Reply-To: <20211018101022.15448-1-michael.tremer@ipfire.org> References: <20211018101022.15448-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Michael Tremer Tested-by: Stefan Schantl --- src/initscripts/system/suricata | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 5ccea9391..2577621b8 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -134,6 +134,12 @@ function generate_fw_rules { # Flush the firewall chains. flush_fw_chain + # Skip anything that has the bypass bit set + local chain + for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do + iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j RETURN + done + # Check if the array of enabled_ips_zones contains any elements. if [[ ${enabled_ips_zones[@]} ]]; then # Loop through the array and create firewall rules.