Message ID | 20220406192332.4865-1-stefan.schantl@ipfire.org |
---|---|
State | Dropped |
Series | [PATCHv2] suricata: Do not create silly forward rules. |
Commit Message
Stefan Schantl
April 6, 2022, 7:23 p.m. UTC
Skip creating forward rules if the input and the output device are the
same.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
src/initscripts/system/suricata | 5 +++++
1 file changed, 5 insertions(+)
Comments
Why do you think these rules are not needed? > On 6 Apr 2022, at 20:23, Stefan Schantl <stefan.schantl@ipfire.org> wrote: > > Skip creating forward rules if the input and the output device are the > same. > > Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> > --- > src/initscripts/system/suricata | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata > index 5ede405ce..79c105c23 100644 > --- a/src/initscripts/system/suricata > +++ b/src/initscripts/system/suricata > @@ -171,6 +171,11 @@ function generate_fw_rules { > > # Create rules which are required to handle forwarded traffic. > for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do > + # Skip loop iteration if both zones are the same. > + if [ "$enabled_ips_zone" == "$enabled_ips_zone_forward" ]; then > + continue > + fi > + > # Check if the whetelist file is not empty. > if [ -s "$WHITELIST_FILE" ]; then > # Create rules to handle whitelisted hosts. > -- > 2.30.2 >
For the record, I had a short talk with Michael on the phone about that topic. My intention with the patch was: if there are no packets which have the same input and output device, these rules are not needed. He answered that there are some reasons why this could happen, in case you are using DNAT, SNAT or some kind of asynchronous routing etc. So the iptables rules are required to pass such traffic to the IDS/IPS and the patch can be ignored. Best regards, -Stefan
> Why do you think these rules are not needed? > > > On 6 Apr 2022, at 20:23, Stefan Schantl <stefan.schantl@ipfire.org> > > wrote: > > > > Skip creating forward rules if the input and the output device are > > the > > same. > > > > Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> > > --- > > src/initscripts/system/suricata | 5 +++++ > > 1 file changed, 5 insertions(+) > > > > diff --git a/src/initscripts/system/suricata > > b/src/initscripts/system/suricata > > index 5ede405ce..79c105c23 100644 > > --- a/src/initscripts/system/suricata > > +++ b/src/initscripts/system/suricata > > @@ -171,6 +171,11 @@ function generate_fw_rules { > > > > # Create rules which are required to handle > > forwarded traffic. > > for enabled_ips_zone_forward in > > "${enabled_ips_zones[@]}"; do > > + # Skip loop iteration if both zones > > are the same. > > + if [ "$enabled_ips_zone" == > > "$enabled_ips_zone_forward" ]; then > > + continue > > + fi > > + > > # Check if the whetelist file is > > not empty. > > if [ -s "$WHITELIST_FILE" ]; then > > # Create rules to handle > > whitelisted hosts. > > -- > > 2.30.2 > > >
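The point relayed in the reply above, as an added example that is not part of the thread or of IPFire's initscript: it models the zone-pair loop the patch changes and shows that the skipped pair is exactly the path a hairpin-NAT or asymmetrically routed packet takes, so such a packet would no longer be queued to the IDS/IPS. The rule text, the chain name and the zone names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the IPFire initscript: model the zone-pair loop the patch
# changes and check which (in, out) pairs still reach the IPS. The rule text
# "-i IN -o OUT -j NFQUEUE", the chain name and the zone names are assumptions
# made for illustration; the real script's rule lines are not shown on the page.

# Emit one FORWARD rule per (in, out) zone pair.
# $1 = "skip" reproduces the patch's "continue" when both zones are the same;
# any other value keeps every pair, as the unpatched script does.
generate_fw_rules() {
    mode=$1
    zones="green0 red0 blue0"   # constructed zone list
    for in_zone in $zones; do
        for out_zone in $zones; do
            if [ "$mode" = "skip" ] && [ "$in_zone" = "$out_zone" ]; then
                continue
            fi
            printf 'iptables -A IPS_FORWARD -i %s -o %s -j NFQUEUE\n' \
                "$in_zone" "$out_zone"
        done
    done
}

# Return 0 if a packet entering zone $2 and leaving zone $3 matches a rule in
# ruleset $1, i.e. is handed to the IDS/IPS queue.
packet_reaches_ips() {
    printf '%s\n' "$1" | grep -q -- "-i $2 -o $3 -j NFQUEUE"
}

# Hairpin DNAT or asymmetric routing: the packet enters and leaves green0.
rules_original=$(generate_fw_rules keep)
rules_patched=$(generate_fw_rules skip)
packet_reaches_ips "$rules_original" green0 green0 && echo "unpatched: inspected"
packet_reaches_ips "$rules_patched" green0 green0 || echo "patched: bypasses the IPS"
```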
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 5ede405ce..79c105c23 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -171,6 +171,11 @@ function generate_fw_rules { # Create rules which are required to handle forwarded traffic. for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do + # Skip loop iteration if both zones are the same. + if [ "$enabled_ips_zone" == "$enabled_ips_zone_forward" ]; then + continue + fi + # Check if the whetelist file is not empty. if [ -s "$WHITELIST_FILE" ]; then # Create rules to handle whitelisted hosts.
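Review bot: the new `continue` at the top of the inner loop drops the FORWARD rule for every pair where `$enabled_ips_zone` equals `$enabled_ips_zone_forward`, but as the thread itself points out, packets that enter and leave the same zone do occur with DNAT, SNAT or asymmetric routing, and with this change they would no longer be queued to the IDS/IPS at all, so the rules must stay (the Dropped state is the right outcome). Two smaller points if a variant is ever resubmitted: `$enabled_ips_zone` is not in the hunk's visible context, so the commit message should say which outer loop it belongs to, and `==` inside `[ ]` is a bash extension where `=` is the portable spelling.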