[05/20] suricata: Add whitelist to iptables

Message ID 20240910143748.3469271-6-michael.tremer@ipfire.org
State Accepted
Commit 84a73d5f3997be2f1907c5eb4ad7a7069611ab4a
Series [01/20] suricata: Move the IPS into the mangle table

Commit Message

Michael Tremer Sept. 10, 2024, 2:37 p.m. UTC
This allows us to better work around any problems in Suricata
because we never send any whitelisted packets to the IPS in the first
place.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/initscripts/system/suricata | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

Patch

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index c307e358c..14b48b5bd 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -75,6 +75,21 @@  generate_fw_rules() {
 	# Don't process packets that have already been seen by the IPS
 	iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN
 
+	# Never send any whitelisted packets to the IPS
+	if [ -r "/var/ipfire/suricata/ignored" ]; then
+		local id network remark enabled rest
+
+		while IFS=',' read -r id network remark enabled rest; do
+			echo "$network"
+			echo "$remark"
+			# Skip disabled entries
+			[ "${enabled}" = "enabled" ] || continue
+
+			iptables -w -t mangle -A IPS -s "${network}" -j RETURN
+			iptables -w -t mangle -A IPS -d "${network}" -j RETURN
+		done < "/var/ipfire/suricata/ignored"
+	fi
+
 	# Send packets to suricata
 	iptables -w -t mangle -A IPS -j NFQUEUE "${NFQ_OPTIONS[@]}"
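Review bot: the two `echo "$network"` / `echo "$remark"` lines inside the `while` loop look like leftover debugging output; they will print every whitelist entry to the initscript's stdout on each run of `generate_fw_rules()` and should be dropped. While touching the loop, consider skipping entries with an empty `network` field (e.g. `[ -n "${network}" ] || continue`) before the `iptables` calls, so a blank or malformed line in `/var/ipfire/suricata/ignored` does not abort rule generation with an iptables error. Note also that the `-s` and `-d` RETURN rules together mean any traffic to or from a whitelisted network bypasses the IPS in both directions, which matches the commit message but is worth stating in the comment above the `if` block.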