diff mbox series

[7/9] suricata: Store bypass flag in connmark and restore

Message ID	20211018101022.15448-7-michael.tremer@ipfire.org
State	Accepted
Commit	2469ca9fbab0a02502fc8086bc94517d7dcdcfaf
Headers	From: Michael Tremer <michael.tremer@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH 7/9] suricata: Store bypass flag in connmark and restore Date: Mon, 18 Oct 2021 10:10:20 +0000 Message-Id: <20211018101022.15448-7-michael.tremer@ipfire.org> In-Reply-To: <20211018101022.15448-1-michael.tremer@ipfire.org> References: <20211018101022.15448-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Cc: Michael Tremer <michael.tremer@ipfire.org> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org>
Series	[1/9] suricata: Set most significant bit as repeat marker \| [1/9] suricata: Set most significant bit as repeat marker [2/9] suricata: Rename MARK/MASK to REPEAT_MARK/REPEAT_MASK [3/9] suricata: Define bypass mark [4/9] suricata: Enable bypassing unhandled streams [5/9] suricata: Always append rules instead of inserting them [6/9] suricata: Add rule to skip IPS if a packet has the bypass bit set [7/9] suricata: Store bypass flag in connmark and restore [8/9] suricata: Introduce IPSBYPASS chain [9/9] firewall: Keep REPEAT bit when saving rest to CONNMARK

Commit Message

Michael Tremer Oct. 18, 2021, 10:10 a.m. UTC

  Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/initscripts/system/suricata | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

Comments

Stefan Schantl Oct. 19, 2021, 4:04 a.m. UTC | #1

Tested-by: Stefan Schantl <stefan.schantl@ipfire.org>
> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ---
>  src/initscripts/system/suricata | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/src/initscripts/system/suricata
> b/src/initscripts/system/suricata
> index 2577621b8..72d01b91d 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata
> @@ -154,10 +154,14 @@ function generate_fw_rules {
>                         done
>                 done
>  
> -               # Clear repeat bit, so that it does not confuse IPsec
> or QoS
> -               iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-
> xmark "0x0/${REPEAT_MASK}"
> -               iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-
> xmark "0x0/${REPEAT_MASK}"
> -               iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-
> xmark "0x0/${REPEAT_MASK}"
> +               # Add common rules at the end of the chain
> +               for chain in "${IPS_INPUT_CHAIN}"
> "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do
> +                       # Clear repeat bit
> +                       iptables -w -A "${chain}" -j MARK --set-xmark
> "0x0/${REPEAT_MASK}"
> +
> +                       # Store bypass bit in CONNMARK
> +                       iptables -w -A "${chain}" -m mark --mark
> "${BYPASS_MARK}/${BYPASS_MASK}" -j CONNMARK --save-mark
> +               done
>         fi
>  }
>

diff mbox series

Patch

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 2577621b8..72d01b91d 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -154,10 +154,14 @@  function generate_fw_rules {
 			done
 		done
 
-		# Clear repeat bit, so that it does not confuse IPsec or QoS
-		iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
-		iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
-		iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
+		# Add common rules at the end of the chain
+		for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do
+			# Clear repeat bit
+			iptables -w -A "${chain}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
+
+			# Store bypass bit in CONNMARK
+			iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j CONNMARK --save-mark
+		done
 	fi
 }