From patchwork Wed Apr 6 19:23:32 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Schantl X-Patchwork-Id: 5458 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4KYZF10Hk0z3x1b for ; Wed, 6 Apr 2022 19:23:49 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4KYZDz50tFz1ly; Wed, 6 Apr 2022 19:23:47 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4KYZDz4gkdz2yZf; Wed, 6 Apr 2022 19:23:47 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4KYZDx6sPlz2x9Y for ; Wed, 6 Apr 2022 19:23:45 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4KYZDw5DqFzQd; Wed, 6 Apr 2022 19:23:44 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1649273024; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=1ZrD4lqcmPPMw5W5zMkMVqQrPzkJgDYqbLkSkpj+7hM=; b=/Yh7Z6pI8trGCR6mienI8cznSYLasX5C7BYbyFvNI2wYIhAgU+fImVrkZHSLruHV561C2b oHUcEUiXIJF7I7DA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1649273024; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=1ZrD4lqcmPPMw5W5zMkMVqQrPzkJgDYqbLkSkpj+7hM=; b=DAl41fLTb5J2xGIwZrTvX34JPPebvRr2CgC9CXV2P6lOdkuoDqI6wAGgsVbhX/krFma06r sscVzK1y+e5udHKiC6ktx7QDI2BU0H7INGl4h6+Jdxd9Qut6NtpQPfnpQFAKnSbILTt2kq TtcqxC+fvpbiYnVEmojB9EkXhTj4ve541bs/drPVx0aey6QEUotsyCTrVkHI24mRoBPcy2 V10n7pdpN6VvCxDQYUk69hsVXfaONP6taUMFR+cWuI90ug66becM9uuTYUPtjm4znnpKAA unU/Hcld0MiTKvj62QMrMQoSLisCNOaOAFymYejCf6AxtNK5KIYn2FNDzphP5Q== From: Stefan Schantl To: development@lists.ipfire.org Subject: [PATCHv2] suricata: Do not create silly forward rules. Date: Wed, 6 Apr 2022 21:23:32 +0200 Message-Id: <20220406192332.4865-1-stefan.schantl@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Skip creating forward rules if the input and the output device are the same. Signed-off-by: Stefan Schantl --- src/initscripts/system/suricata | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 5ede405ce..79c105c23 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -171,6 +171,11 @@ function generate_fw_rules { # Create rules which are required to handle forwarded traffic. for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do + # Skip loop iteration if both zones are the same. + if [ "$enabled_ips_zone" == "$enabled_ips_zone_forward" ]; then + continue + fi + # Check if the whetelist file is not empty. if [ -s "$WHITELIST_FILE" ]; then # Create rules to handle whitelisted hosts.