From patchwork Wed Apr 6 19:17:10 2022
X-Patchwork-Submitter: Stefan Schantl
X-Patchwork-Id: 5457
From: Stefan Schantl
To: development@lists.ipfire.org
Subject: [PATCH] suricata: Do not create silly forward rules.
Date: Wed, 6 Apr 2022 21:17:10 +0200
Message-Id: <20220406191710.4424-1-stefan.schantl@ipfire.org>
List-Id: IPFire development talk

Skip creating forward rules if the input and the output device are the same.

Signed-off-by: Stefan Schantl
---
 src/initscripts/system/suricata | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 5ede405ce..a40e02c83 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -171,6 +171,11 @@ function generate_fw_rules { # Create rules which are required to handle forwarded traffic. for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do + # Skip loop iteration if both zones are the same. + if [ "$enabled_ips_zone" -eq "$enabled_ips_zone_forward" ]; then + continue + fi + # Check if the whetelist file is not empty. if [ -s "$WHITELIST_FILE" ]; then # Create rules to handle whitelisted hosts.
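Review bot: the new `if [ "$enabled_ips_zone" -eq "$enabled_ips_zone_forward" ]` uses `-eq`, which is test's integer comparison; if the entries of enabled_ips_zones are interface or zone names rather than numbers, test prints "integer expression expected" and returns non-zero, so the `continue` is never taken, the same forward rules are generated as before, and an error is logged on every iteration. Use the string operator instead: `if [ "$enabled_ips_zone" = "$enabled_ips_zone_forward" ]; then`. Unrelated but visible in the trailing context, "whetelist" in the comment is a typo for "whitelist" and could be cleaned up in a separate patch.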