[13/20] suricata: Add option to scan WireGuard

Message ID 20240910143748.3469271-14-michael.tremer@ipfire.org
Series [01/20] suricata: Move the IPS into the mangle table |

Commit Message

Michael Tremer Sept. 10, 2024, 2:37 p.m. UTC
  Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 doc/language_missings                        | 8 ++++++++
 html/cgi-bin/ids.cgi                         | 6 +++++-
 langs/en/cgi-bin/en.pl                       | 1 +
 src/initscripts/networking/functions.network | 6 ++++++
 src/initscripts/system/suricata              | 2 +-
 5 files changed, 21 insertions(+), 2 deletions(-)
  

Patch

diff --git a/doc/language_missings b/doc/language_missings
index 98856b0e8..94adb28d8 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -103,6 +103,7 @@ 
 < upload fcdsl.o
 < user management
 < vpn configuration main
+< wg
 < winbind daemon
 < wireguard
 < wlanap 802.11w disabled
@@ -156,6 +157,7 @@ 
 < timeformat
 < transport mode does not support vti
 < warning
+< wg
 < wireguard
 < wlanap
 < wlanap psk
@@ -185,6 +187,7 @@ 
 < timeformat
 < upload fcdsl.o
 < warning
+< wg
 < wireguard
 < wlanap psk
 < wlanap wireless mode
@@ -668,6 +671,7 @@ 
 < vulnerable
 < warning
 < Weekly
+< wg
 < whois results from
 < winbind daemon
 < wireguard
@@ -1229,6 +1233,7 @@ 
 < vulnerable
 < warning
 < Weekly
+< wg
 < whois results from
 < winbind daemon
 < wireguard
@@ -2205,6 +2210,7 @@ 
 < vulnerable
 < warning
 < Weekly
+< wg
 < whois results from
 < winbind daemon
 < wireguard
@@ -3218,6 +3224,7 @@ 
 < warning
 < week-graph
 < Weekly
+< wg
 < whois results from
 < winbind daemon
 < wireguard
@@ -3608,6 +3615,7 @@ 
 < vulnerable
 < warning
 < Weekly
+< wg
 < whois results from
 < winbind daemon
 < wireguard
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index 502e2a125..00cc502f1 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -53,6 +53,9 @@  my %ignored=();
 # the list of zones in an array.
 my @network_zones = &Network::get_available_network_zones();
 
+# Always show Wireguard
+push(@network_zones, "wg");
+
 # Check if openvpn is started and add it to the array of network zones.
 if ( -e "/var/run/openvpn.pid") {
 	push(@network_zones, "ovpn");
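Review bot: The WireGuard zone is pushed unconditionally at `push(@network_zones, "wg");`, whereas the OpenVPN zone directly below is only added when `/var/run/openvpn.pid` exists, so a box with no WireGuard configured will still be offered a `wg` zone to scan. If that asymmetry is deliberate, the comment should say why, e.g. `# Always show WireGuard: unlike OpenVPN there is no running daemon/pid to test for`; if not, gate it on whatever indicates WireGuard is enabled, the same way OpenVPN is gated. The `if` block that begins at the end of this hunk continues outside it.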
@@ -69,7 +72,8 @@  my %colourhash = (
 	'green' => $Header::colourgreen,
 	'blue' => $Header::colourblue,
 	'orange' => $Header::colourorange,
-	'ovpn' => $Header::colourovpn
+	'ovpn' => $Header::colourovpn,
+	'wg' => $Header::colourwg,
 );
 
 &Header::showhttpheaders();
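Review bot: `'wg' => $Header::colourwg,` references a package variable that nothing in this patch defines; a fully qualified name passes `use strict`, so if Header.pm lacks it the failure would only show up as an undef colour (and an "uninitialized" warning) when the page is rendered, not as a compile error. If the variable is added elsewhere in this series, naming that patch in the commit message would make the dependency explicit; otherwise it needs to be defined alongside `$Header::colourovpn`.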
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index dca9f1645..6a455ab6d 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -3020,6 +3020,7 @@ 
 'week-graph' => 'Week',
 'weekly firewallhits' => 'weekly firewallhits',
 'weeks' => 'Weeks',
+'wg' => 'WireGuard',
 'whois results from' => 'WHOIS results from',
 'wildcards' => 'Wildcards',
 'winbind daemon' => 'Winbind Daemon',
diff --git a/src/initscripts/networking/functions.network b/src/initscripts/networking/functions.network
index c189c2fbc..02ac6b8fe 100644
--- a/src/initscripts/networking/functions.network
+++ b/src/initscripts/networking/functions.network
@@ -92,9 +92,15 @@  network_get_intf() {
 			fi
 			;;
 
+		WIREGUARD|WG)
+			echo "wg+"
+			return 0
+			;;
+
 		OPENVPN|OVPN)
 			# OpenVPN is using all tun devices
 			echo "tun+"
+			return 0
 			;;
 	esac
 
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 0447b7e8c..6990b79ca 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -41,7 +41,7 @@  IPS_SCAN_MARK="0x10000000"
 IPS_SCAN_MASK="0x10000000"
 
 # Supported network zones
-NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "OVPN" )
+NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "WG" "OVPN" )
 
 # Optional options for the Netfilter queue.
 NFQ_OPTS=(
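Review bot: The `# Supported network zones` comment does not state that every entry in `NETWORK_ZONES` has to be recognised by `network_get_intf()` in functions.network (this patch adds the `WIREGUARD|WG` case there), so the next zone added here could silently get no interface. Suggest `# Supported network zones; each name needs a matching case in network_get_intf() (functions.network)`. Whether the position of `"WG"` before `"OVPN"` matters is not visible from this hunk.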