git.ipfire.org Git - ipfire-2.x.git/commit - src/initscripts/system/firewall

author	Michael Tremer <michael.tremer@ipfire.org>
	Mon, 18 Oct 2021 10:10:21 +0000 (10:10 +0000)
committer	Arne Fitzenreiter <arne_f@ipfire.org>
	Tue, 19 Oct 2021 11:35:04 +0000 (11:35 +0000)
commit	3fa8300e706227db9f72b4b1349dde3e66399298
tree	a36d83b115a9259fce17f9b07d7f4c4fe1e882d9	tree \| snapshot
parent	2469ca9fbab0a02502fc8086bc94517d7dcdcfaf	commit \| diff

suricata: Introduce IPSBYPASS chain

NFQUEUE does not let the packet continue where it was processed, but
inserts it back into iptables at the start. That is why we need an
extra IPSBYPASS chain which has the following tasks:

* Make the BYPASS bit permanent for the entire connection
* Clear the REPEAT bit

The latter is more of cosmetic nature so that we can identify packets
that have come from suricata again and those which have bypassed the IPS
straight away.

The IPS_* chain will now only be sent traffic to, when none of the two
relevant bits has been set. Otherwise the packet has already been
processed by suricata in the first pass or suricata has decided to
bypass the connection.

This massively reduces load on the IPS which allows many common
connections (TLS connections with downloads) to bypass the IPS bringing
us back to line speed.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

src/initscripts/system/firewall		diff \| blob \| blame \| history
src/initscripts/system/suricata		diff \| blob \| blame \| history