From patchwork Mon Oct 18 10:10:14 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 4789 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4HXt9p4RZfz3wcq for ; Mon, 18 Oct 2021 10:18:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4HXt9n19zSz1Ts; Mon, 18 Oct 2021 10:18:05 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4HXt9n00C7z2yWh; Mon, 18 Oct 2021 10:18:04 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4HXt9m4ZRrz2xPS for ; Mon, 18 Oct 2021 10:18:04 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4HXt9l61N3zld; Mon, 18 Oct 2021 10:18:03 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; 
t=1634552283; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=2MWCP/AyVx87HXytX08N/SmFLvXSjRxqHXp3oB7ncT8=; b=aPwoQ+5q6qOzhcOR5McBP1ie4uj/ecdp71d+S8c548DOiwy3H2UH3TRYNydQc3HQ9JQ2ao WkIlwwKmALDfKNBA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1634552283; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=2MWCP/AyVx87HXytX08N/SmFLvXSjRxqHXp3oB7ncT8=; b=mgkw6vyKkS78rvDiUsNbzCI1cdioPDoc8oA6bO1cXvdw02ZwckJ+6jY4Tj41TC6ko5aFQu Yr6KihoSbe8ovqhQoSqTk9oTFzbT0FqvHjash0RncCURtTZaeHzJjOTBdGjJM/MK9t+xgD QsFhtdNn686YdEdYbdzEWUHbzggl/uxgKtohSuM+cLfqRwOaklrobxSWdpi3oeglOevLb6 KAF0sRVNRA09WW9g9IlvqjuzyhCSWDGQ2IjNYsORpDuAdxto6ACMJ+rDGwGFYgrIqJ4LYD p2jnT2N1YcsNJAroag7vwqdBmbM7KcFdF6G0dH163ZTFXIriAUh/6feIsD3Fig== From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 1/9] suricata: Set most significant bit as repeat marker Date: Mon, 18 Oct 2021 10:10:14 +0000 Message-Id: <20211018101022.15448-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" I have no idea why some odd value was chosen here, but one bit should be enough. Signed-off-by: Michael Tremer Reviewed-by: Peter Müller Tested-by: Stefan Schantl --- config/suricata/suricata.yaml | 4 ++-- src/initscripts/system/suricata | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 4e9e39967..1ce013dc7 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml 
@@ -346,8 +346,8 @@ logging: nfq: mode: repeat - repeat-mark: 1879048192 - repeat-mask: 1879048192 + repeat-mark: 2147483648 + repeat-mask: 2147483648 # bypass-mark: 1 # bypass-mask: 1 # route-queue: 2 diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 33633ddf9..e327225d7 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata 
@@ -35,8 +35,8 @@ network_zones=( red green blue orange ovpn ) enabled_ips_zones=() # Mark and Mask options. -MARK="0x70000000" -MASK="0x70000000" +MARK="0x80000000" +MASK="0x80000000" # PID file of suricata. PID_FILE="/var/run/suricata.pid" From patchwork Mon Oct 18 10:10:15 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 4790 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4HXt9s32h2z3wcq for ; Mon, 18 Oct 2021 10:18:09 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4HXt9n2xgZz28v; Mon, 18 Oct 2021 10:18:05 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4HXt9n0dTVz300q; Mon, 18 Oct 2021 10:18:05 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4HXt9m4zxfz2yVc for ; Mon, 18 Oct 2021 10:18:04 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate 
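Review bot: the repeat mark is now carried twice, as decimal 2147483648 in config/suricata/suricata.yaml and as hex 0x80000000 in src/initscripts/system/suricata, and nothing in either hunk ties the two together. If one is changed without the other, the `-m mark ! --mark` exclusion in the initscript and the mark Suricata sets on re-injected packets disagree, and re-injected packets are queued to the IPS a second time. A comment next to `repeat-mark:` stating that it must equal `MARK`/`MASK` in the initscript would help, and it is worth confirming that Suricata's nfq config parser accepts a value above 2^31-1, since 2147483648 is bit 31 and a signed 32-bit parse would reject or wrap it.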
requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4HXt9m3tVxz17l; Mon, 18 Oct 2021 10:18:04 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1634552284; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=iT775pskl+ZqQ7XIEfOsMmQArvkp77xWrg11+t4cyQw=; b=ffemvaePJbG87dsX0j0xLKLczQWLkznRskZ1QOZpCoTHp5jUmJ8oOhUUYUxzoP39MRzfZ1 v1E4cSwFzE0D8BCQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1634552284; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=iT775pskl+ZqQ7XIEfOsMmQArvkp77xWrg11+t4cyQw=; b=v0H1VOJ4SFzFVx7APVFyIpKlbVBIBapBs7Z/5a/zfAJO6GHe9LHhvFk90kjPmBRVBVBTan 6+CfH94XCRuWjbn++xQz09BNtEUNBtQUV50+d5HzY3ny7f4VjZHATT40ihk8rpNa/wDRCk XX26F6KiTJWSCjmE8Km1HAFPMAUNoqVKUB3lC2q44MvDl33D3OlVuz2JAmoIGIK15tOu2o z6zEGhvO96UU9Zft4PraP1AXHYwYT0npgsrIvnK28x24N511hWUfbgWoA+sZj5+eNCTcc+ KltVt/JM0wt7qhDwnRRh1yz7C6gNaUssZCvu9+JBFZ7TD0eHWzKr3PiJKlHmSA== From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 2/9] suricata: Rename MARK/MASK to REPEAT_MARK/REPEAT_MASK Date: Mon, 18 Oct 2021 10:10:15 +0000 Message-Id: <20211018101022.15448-2-michael.tremer@ipfire.org> In-Reply-To: <20211018101022.15448-1-michael.tremer@ipfire.org> References: <20211018101022.15448-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" This should avoid confusion when we add more marks 
Signed-off-by: Michael Tremer Reviewed-by: Peter Müller Tested-by: Stefan Schantl --- src/initscripts/system/suricata | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index e327225d7..111bd9df3 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -35,8 +35,8 @@ network_zones=( red green blue orange ovpn ) enabled_ips_zones=() # Mark and Mask options. -MARK="0x80000000" -MASK="0x80000000" +REPEAT_MARK="0x80000000" +REPEAT_MASK="0x80000000" # PID file of suricata. PID_FILE="/var/run/suricata.pid" 
@@ -137,19 +137,19 @@ function generate_fw_rules { # Loop through the array and create firewall rules. for enabled_ips_zone in "${enabled_ips_zones[@]}"; do # Create rules queue input and output related traffic and pass it to the IPS. - iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS - iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS + iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS # Create rules which are required to handle forwarded traffic. for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do - iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! 
--mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS done done # Clear repeat bit, so that it does not confuse IPsec or QoS - iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" - iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" - iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" + iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}" + iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}" + iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}" fi } From patchwork Mon Oct 18 10:10:16 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 4791 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4HXt9t0JnHz3wcr for ; Mon, 18 Oct 2021 10:18:10 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4HXt9p1nthz17l; Mon, 18 Oct 2021 10:18:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4HXt9p1D8Kz309W; Mon, 18 Oct 2021 10:18:06 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN 
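Review bot: the comment `# Mark and Mask options.` above the renamed variables in the first hunk is now too generic; since the rename exists to make room for further marks, the comment should say what this one is for, e.g. `# Repeat mark: set by suricata on re-injected packets so they are not queued again.`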
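Review bot: the rename in the second hunk is mechanical and also tidies the quoting from `"$MARK"/"$MASK"` to `"${REPEAT_MARK}/${REPEAT_MASK}"`, which is fine. `$NFQ_OPTIONS` stays unquoted on the same lines, presumably so it word-splits into several iptables arguments; next to the now-quoted mark argument that looks like an oversight, so a short comment saying it is intentional would save the next reader a question. The three `--set-xmark "0x0/${REPEAT_MASK}"` lines keep clearing exactly the masked bit, so there is no behaviour change.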
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 3/9] suricata: Define bypass mark Date: Mon, 18 Oct 2021 10:10:16 +0000 Message-Id: <20211018101022.15448-3-michael.tremer@ipfire.org> In-Reply-To: <20211018101022.15448-1-michael.tremer@ipfire.org> References: <20211018101022.15448-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Michael Tremer Reviewed-by: Peter Müller Tested-by: Stefan Schantl --- config/suricata/suricata.yaml | 4 ++-- src/initscripts/system/suricata | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 1ce013dc7..f02b93d76 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -348,8 +348,8 @@ nfq: mode: repeat repeat-mark: 2147483648 repeat-mask: 2147483648 -# bypass-mark: 1 -# bypass-mask: 1 + bypass-mark: 1073741824 + bypass-mask: 1073741824 # route-queue: 2 # batchcount: 20 fail-open: yes diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 111bd9df3..981471c7c 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata 
@@ -37,6 +37,8 @@ enabled_ips_zones=() # Mark and Mask options. REPEAT_MARK="0x80000000" REPEAT_MASK="0x80000000" +BYPASS_MARK="0x40000000" +BYPASS_MASK="0x40000000" # PID file of suricata. PID_FILE="/var/run/suricata.pid" From patchwork Mon Oct 18 10:10:17 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 4792 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4HXt9y0xJrz3wcq for ; Mon, 18 Oct 2021 10:18:14 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4HXt9p2mnKz4S8; Mon, 18 Oct 2021 10:18:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4HXt9p1mfkz30bD; Mon, 18 Oct 2021 10:18:06 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4HXt9m6VFHz2yVc for ; Mon, 18 Oct 2021 10:18:04 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by 
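Review bot: the commit message is empty apart from the trailers; it should record that bit 30 (0x40000000) is reserved for the bypass flag, that the decimal 1073741824 in suricata.yaml and `BYPASS_MARK`/`BYPASS_MASK` in the initscript must stay equal, and that neither bit 30 nor bit 31 may be used by other mark consumers on the system (the initscript already clears the repeat bit "so that it does not confuse IPsec or QoS", so such consumers exist). At this point in the series the mark is defined but no iptables rule honours it, so flows Suricata marks for bypass keep being queued until 6/9; that is fine for bisecting but worth a sentence.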
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 4/9] suricata: Enable bypassing unhandled streams Date: Mon, 18 Oct 2021 10:10:17 +0000 Message-Id: <20211018101022.15448-4-michael.tremer@ipfire.org> In-Reply-To: <20211018101022.15448-1-michael.tremer@ipfire.org> References: <20211018101022.15448-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" If a stream cannot be identified or if suricata has decided that it cannot do anything useful any more (e.g. TLS sessions after the handshake), we will allow suricata to bypass any following packets in that flow Signed-off-by: Michael Tremer Tested-by: Stefan Schantl --- config/suricata/suricata.yaml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index f02b93d76..6f37671c8 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml 
@@ -389,11 +389,19 @@ app-layer: # will be disabled by default, but enabled if rules require it. ja3-fingerprints: auto - # Completely stop processing TLS/SSL session after the handshake - # completed. If bypass is enabled this will also trigger flow - # bypass. If disabled (the default), TLS/SSL session is still - # tracked for Heartbleed and other anomalies. - #no-reassemble: yes + # What to do when the encrypted communications start: + # - default: keep tracking TLS session, check for protocol anomalies, + # inspect tls_* keywords. Disables inspection of unmodified + # 'content' signatures. + # - bypass: stop processing this flow as much as possible. No further + # TLS parsing and inspection. Offload flow bypass to kernel + # or hardware if possible. + # - full: keep tracking and inspection as normal. Unmodified content + # keyword signatures are inspected as well. + # + # For best performance, select 'bypass'. + # + encryption-handling: bypass dcerpc: enabled: yes ftp: 
@@ -810,6 +818,7 @@ stream: prealloc-sessions: 4096 checksum-validation: yes # reject wrong csums inline: auto # auto will use inline mode in IPS mode, yes or no set it statically + bypass: yes # Bypass packets when stream.reassembly.depth is reached. reassembly: memcap: 256mb depth: 1mb # reassemble 1mb into a stream From patchwork Mon Oct 18 10:10:18 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 4793 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4HXtB21FrKz3wcq for ; Mon, 18 Oct 2021 10:18:18 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4HXt9p5Z3qz5FZ; Mon, 18 Oct 2021 10:18:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4HXt9p2MJxz2ylk; Mon, 18 Oct 2021 10:18:06 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4HXt9n0M8Fz2yyx for ; Mon, 18 Oct 2021 10:18:05 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 
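Review bot: `encryption-handling: bypass` in the first hunk trades inspection for throughput and the commit message should say so explicitly: after the TLS handshake the flow is no longer parsed, so the anomaly tracking the removed comment block describes ("tracked for Heartbleed and other anomalies") no longer applies to post-handshake data, and the flow bypass is handed to the kernel. The replacement comment block is the upstream suricata.yaml text for this option; keeping "For best performance, select 'bypass'" is fine, but a one-line IPFire-specific note on why that trade-off is acceptable here (the post-handshake traffic is opaque ciphertext to the IPS) would help the next reader.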
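Review bot: `bypass: yes` under `stream:` in the second hunk is gated on `reassembly.depth: 1mb` shown two lines below it, so every flow stops being inspected once 1 MB has been reassembled; that is a detection-coverage limit (a long transfer is inspected only for its first megabyte) and belongs in the commit message next to the TLS case. The inline comment on the new line states the trigger, which is good; consider also stating whether 1mb is still the intended depth now that reaching it has the additional effect of a kernel-level bypass rather than just the end of reassembly.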
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 5/9] suricata: Always append rules instead of inserting them Date: Mon, 18 Oct 2021 10:10:18 +0000 Message-Id: <20211018101022.15448-5-michael.tremer@ipfire.org> In-Reply-To: <20211018101022.15448-1-michael.tremer@ipfire.org> References: <20211018101022.15448-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" This allows us to add rules in a consistent order like they are in the script. Signed-off-by: Michael Tremer Tested-by: Stefan Schantl --- src/initscripts/system/suricata | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 981471c7c..5ccea9391 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata 
@@ -139,12 +139,12 @@ function generate_fw_rules { # Loop through the array and create firewall rules. for enabled_ips_zone in "${enabled_ips_zones[@]}"; do # Create rules queue input and output related traffic and pass it to the IPS. - iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS - iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS + iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS + iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS # Create rules which are required to handle forwarded traffic. for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do - iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS + iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! 
--mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS done done From patchwork Mon Oct 18 10:10:19 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 4796 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4HXtB62k8sz3wcq for ; Mon, 18 Oct 2021 10:18:22 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4HXt9p6Q41z5NB; Mon, 18 Oct 2021 10:18:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4HXt9p31dcz3005; Mon, 18 Oct 2021 10:18:06 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4HXt9n0xkgz303m for ; Mon, 18 Oct 2021 10:18:05 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4HXt9m6zNPz1DR; Mon, 18 Oct 2021 10:18:04 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; 
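Review bot: switching `-I` to `-A` in both hunks changes rule ordering, not just style: with `-I` each new rule went to the top of the chain, so the rules ended up in reverse script order and ahead of anything already present; with `-A` they follow script order and land after whatever was appended before them. That is safe only because the function flushes the chains first (the `flush_fw_chain` call visible in the 6/9 context), so a sentence in the commit message should record that the `--set-xmark "0x0/${REPEAT_MASK}"` clearing rules at the end of the function, which already use `-A`, must keep coming after these NFQUEUE rules, which the new ordering now guarantees instead of relying on the old insert-at-top behaviour.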
d=ipfire.org; s=202003ed25519; t=1634552285; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=O5mipGYXt7JUj690qHUzVUXeVh4qTZ0tIWsDZqy81Hk=; b=45O6r2sQ6PrGAiSnNY2XMRG7BjW00kJyh/O0vaGJ9cMe/Gd0oNRuPgAvqdUaPT8+9jr+5m +cWAPpAWiS+SqqCQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1634552285; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=O5mipGYXt7JUj690qHUzVUXeVh4qTZ0tIWsDZqy81Hk=; b=n2tsWfy8cdjnF2bevSDwLjK9jfNrNSdvDPzxo/lNWJodqVAsn+JGpgPcJEc3wMmd5fBgwM s0k9GIEAtEgoePrWtKQEgJ2HXiWyXNxjnci+R6NDvV0fiCSj8t3uNTgf9MS14eCmvtE2K+ rpaQLjpQWyfVInj+mNnU4aUMK+J6YLBt8YFkcSwAIlWGdqT5AMUgzf9nxCugMeGSLGoCq5 OfZiSAs1cEItj9pAvW32/l8ttMp81e4w6ktQNos60saYYbQTXMShCdSc0ecQwmkB+gckNv 991wA0tSup+6zmoA72bIHlnf4o2klTcJH7ddEtOaD8S0vUEzqziLXIBsHxnyJw== From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 6/9] suricata: Add rule to skip IPS if a packet has the bypass bit set Date: Mon, 18 Oct 2021 10:10:19 +0000 Message-Id: <20211018101022.15448-6-michael.tremer@ipfire.org> In-Reply-To: <20211018101022.15448-1-michael.tremer@ipfire.org> References: <20211018101022.15448-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Michael Tremer Tested-by: Stefan Schantl --- src/initscripts/system/suricata | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 5ccea9391..2577621b8 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata 
@@ -134,6 +134,12 @@ function generate_fw_rules { # Flush the firewall chains. flush_fw_chain + # Skip anything that has the bypass bit set + local chain + for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do + iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j RETURN + done + # Check if the array of enabled_ips_zones contains any elements. if [[ ${enabled_ips_zones[@]} ]]; then # Loop through the array and create firewall rules. From patchwork Mon Oct 18 10:10:20 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 4794 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4HXtB24k9hz3wcr for ; Mon, 18 Oct 2021 10:18:18 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4HXt9q0DHbz5Q7; Mon, 18 Oct 2021 10:18:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4HXt9p3jxcz31LK; Mon, 18 Oct 2021 10:18:06 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4HXt9n2287z2ylk for ; Mon, 18 
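Review bot: the new RETURN rule matches the per-packet mark only, and a packet that takes the RETURN path leaves the chain with bit 30 still set, unlike the repeat bit, which the same function clears with `--set-xmark "0x0/${REPEAT_MASK}"` "so that it does not confuse IPsec or QoS". The commit message, which is empty apart from the trailers, should state whether those later mark consumers are guaranteed to ignore bit 30, and that this rule only skips whole flows once the mark is saved to and restored from the connmark in 7/9; on its own it skips only the individual packet Suricata already marked. The `local chain` declaration and the loop over the three chains are fine as written.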
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 7/9] suricata: Store bypass flag in connmark and restore Date: Mon, 18 Oct 2021 10:10:20 +0000 Message-Id: <20211018101022.15448-7-michael.tremer@ipfire.org> In-Reply-To: <20211018101022.15448-1-michael.tremer@ipfire.org> References: <20211018101022.15448-1-michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer Tested-by: Stefan Schantl --- src/initscripts/system/suricata | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 2577621b8..72d01b91d 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata
@@ -154,10 +154,14 @@ function generate_fw_rules { done done - # Clear repeat bit, so that it does not confuse IPsec or QoS - iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}" - iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}" - iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}" + # Add common rules at the end of the chain + for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do + # Clear repeat bit + iptables -w -A "${chain}" -j MARK --set-xmark "0x0/${REPEAT_MASK}" + + # Store bypass bit in CONNMARK + iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j CONNMARK --save-mark + done fi }
From patchwork Mon Oct 18 10:10:21 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 4795
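Review bot: the subject of 7/9 promises "and restore", but the `@@ -154,10 +154,14 @@` hunk only adds `-j CONNMARK --save-mark`; the `--restore-mark` that would copy the saved BYPASS bit back into the packet mark for later packets of the connection is not in this hunk, so either it already exists earlier in the chain (say so in the commit message) or the restore half is missing. Separately, `--save-mark` without `--mask` copies the whole packet mark into the connmark rather than only the bypass bit the comment describes; `-j CONNMARK --save-mark --mask "${BYPASS_MASK}"` would persist just that bit and leave the other mark bits in the connmark untouched.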
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 8/9] suricata: Introduce IPSBYPASS chain Date: Mon, 18 Oct 2021 10:10:21 +0000 Message-Id: <20211018101022.15448-8-michael.tremer@ipfire.org> In-Reply-To: <20211018101022.15448-1-michael.tremer@ipfire.org> References: <20211018101022.15448-1-michael.tremer@ipfire.org>
NFQUEUE does not let the packet continue where it was processed, but inserts it back into iptables at the start. That is why we need an extra IPSBYPASS chain which has the following tasks:
* Make the BYPASS bit permanent for the entire connection
* Clear the REPEAT bit
The latter is more of cosmetic nature so that we can identify packets that have come from suricata again and those which have bypassed the IPS straight away. The IPS_* chain will now only be sent traffic to, when none of the two relevant bits has been set. Otherwise the packet has already been processed by suricata in the first pass or suricata has decided to bypass the connection. This massively reduces load on the IPS which allows many common connections (TLS connections with downloads) to bypass the IPS bringing us back to line speed.
Signed-off-by: Michael Tremer Tested-by: Stefan Schantl --- src/initscripts/system/firewall | 23 ++++++++++++++++++++--- src/initscripts/system/suricata | 27 +++------------------------ 2 files changed, 23 insertions(+), 27 deletions(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index ce428393d..530e8f1d6 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall
@@ -17,6 +17,11 @@ NAT_MASK="0x0f000000" IPSEC_MARK="0x00800000" IPSEC_MASK="${IPSEC_MARK}" +IPS_REPEAT_MARK="0x80000000" +IPS_REPEAT_MASK="0x80000000" +IPS_BYPASS_MARK="0x40000000" +IPS_BYPASS_MASK="0x40000000" + function iptables() { /sbin/iptables --wait "$@" } @@ -41,6 +46,17 @@ iptables_init() { modprobe nf_log_ipv4 sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4 + # IPS Bypass Chain which stores the BYPASS bit in connection tracking + iptables -N IPSBYPASS + iptables -A IPSBYPASS -j MARK --set-xmark "0/$(( IPS_REPEAT_MASK ))" + iptables -A IPSBYPASS -j CONNMARK --save-mark + + # Jump into bypass chain when the BYPASS bit is set + for chain in INPUT FORWARD OUTPUT; do + iptables -A "${chain}" -m mark \ + --mark "$(( IPS_REPEAT_MARK | IPS_BYPASS_MARK ))/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j IPSBYPASS + done + # Empty LOG_DROP and LOG_REJECT chains iptables -N LOG_DROP iptables -A LOG_DROP -m limit --limit 10/second -j LOG @@ -147,9 +163,10 @@ iptables_init() { iptables -N IPS_INPUT iptables -N IPS_FORWARD iptables -N IPS_OUTPUT - iptables -A INPUT -j IPS_INPUT - iptables -A FORWARD -j IPS_FORWARD - iptables -A OUTPUT -j IPS_OUTPUT + + for chain in INPUT FORWARD OUTPUT; do + iptables -A "${chain}" -m mark --mark "0x0/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j "IPS_${chain}" + done # OpenVPN transfer network translation iptables -t nat -N OVPNNAT diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 72d01b91d..13fcc7f34 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -34,12 +34,6 @@ network_zones=( red green blue orange ovpn ) # Array to store the network zones weather the IPS is enabled for. enabled_ips_zones=() -# Mark and Mask options. -REPEAT_MARK="0x80000000" -REPEAT_MASK="0x80000000" -BYPASS_MARK="0x40000000" -BYPASS_MASK="0x40000000" - # PID file of suricata. PID_FILE="/var/run/suricata.pid" 
@@ -134,34 +128,19 @@ function generate_fw_rules { # Flush the firewall chains. flush_fw_chain - # Skip anything that has the bypass bit set - local chain - for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do - iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j RETURN - done - # Check if the array of enabled_ips_zones contains any elements. if [[ ${enabled_ips_zones[@]} ]]; then # Loop through the array and create firewall rules. for enabled_ips_zone in "${enabled_ips_zones[@]}"; do # Create rules queue input and output related traffic and pass it to the IPS. - iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS - iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS + iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS + iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS # Create rules which are required to handle forwarded traffic. for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do - iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! 
--mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS + iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -j NFQUEUE $NFQ_OPTIONS done done - - # Add common rules at the end of the chain - for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do - # Clear repeat bit - iptables -w -A "${chain}" -j MARK --set-xmark "0x0/${REPEAT_MASK}" - - # Store bypass bit in CONNMARK - iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j CONNMARK --save-mark - done fi }
From patchwork Mon Oct 18 10:10:22 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 4797
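Review bot: in the firewall `@@ -17,6 +17,11 @@` hunk, `IPS_REPEAT_MASK="0x80000000"` and `IPS_BYPASS_MASK="0x40000000"` repeat the mark values by hand, so a later change to one of the marks silently leaves its mask pointing at a different bit; the file's own convention two lines above is `IPSEC_MASK="${IPSEC_MARK}"`, and `IPS_REPEAT_MASK="${IPS_REPEAT_MARK}"` / `IPS_BYPASS_MASK="${IPS_BYPASS_MARK}"` would keep the pairs tied together.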
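Review bot: in the firewall `@@ -41,6 +46,17 @@` hunk, the comment says "Jump into bypass chain when the BYPASS bit is set", but `--mark "$(( IPS_REPEAT_MARK | IPS_BYPASS_MARK ))/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))"` is a value/mask match and therefore only fires when both REPEAT and BYPASS are set, i.e. for the verdict packet coming back from suricata, not for later packets that merely have BYPASS restored from the connmark. That looks intended (the `--save-mark` then runs once per connection rather than on every packet), but the comment should say "when suricata has returned the packet with the BYPASS bit set", and `-j CONNMARK --save-mark` without a mask also copies the IPsec and NAT bits defined at the top of the file into the connmark, which is wider than "stores the BYPASS bit in connection tracking" claims.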
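Review bot: in the firewall `@@ -147,9 +163,10 @@` hunk, the `-m mark --mark "0x0/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j "IPS_${chain}"` gate only keeps bypassed connections out of the IPS if the connmark has already been restored into the packet mark before this point; no `CONNMARK --restore-mark` appears in the hunk, so the correctness of the gate depends on rule ordering elsewhere in `iptables_init()`, which deserves a comment next to the loop. Also, `chain` is reused as a loop variable in two places in this function without `local`, so it ends up as a global after the script has run.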
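Review bot: in the suricata `@@ -134,34 +128,19 @@` hunk, the NFQUEUE rules lose their `-m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}"` guard, so this script no longer protects itself against re-queuing a packet that NFQUEUE has already reinserted; it now relies entirely on the firewall script's gate in front of `IPS_*`. Given the commit message's own observation that NFQUEUE reinserts the packet at the start of iptables, a one-line comment above the `for enabled_ips_zone` loop stating that the REPEAT/BYPASS filtering happens in the firewall initscript would stop someone from re-adding a direct jump into these chains and creating a queue loop.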
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 9/9] firewall: Keep REPEAT bit when saving rest to CONNMARK Date: Mon, 18 Oct 2021 10:10:22 +0000 Message-Id: <20211018101022.15448-9-michael.tremer@ipfire.org> In-Reply-To: <20211018101022.15448-1-michael.tremer@ipfire.org> References: <20211018101022.15448-1-michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer Tested-by: Stefan Schantl --- src/initscripts/system/firewall | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 530e8f1d6..5fc63683c 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -48,8 +48,7 @@ iptables_init() { # IPS Bypass Chain which stores the BYPASS bit in connection tracking iptables -N IPSBYPASS - iptables -A IPSBYPASS -j MARK --set-xmark "0/$(( IPS_REPEAT_MASK ))" - iptables -A IPSBYPASS -j CONNMARK --save-mark + iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))" # Jump into bypass chain when the BYPASS bit is set for chain in INPUT FORWARD OUTPUT; do
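Review bot: in the `@@ -48,8 +48,7 @@` hunk, `--save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))"` copies every packet-mark bit except REPEAT into the connmark, which includes the IPsec and NAT bits declared at the top of this file, not just the BYPASS bit that the surrounding comment says the chain stores; if the intent is only to persist the bypass decision, `--mask "$(( IPS_BYPASS_MASK ))"` is the narrower choice and cannot clobber connmark bits other rules may rely on. Since the `MARK --set-xmark "0/..."` line is dropped, the 8/9 commit message's claim that IPSBYPASS clears the REPEAT bit is also no longer true and should be revised in the series.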