]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/commitdiff
projects / people / pmueller / ipfire-2.x.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9deccd1)
suricata: Always append rules instead of inserting them
authorMichael Tremer <michael.tremer@ipfire.org>
Mon, 18 Oct 2021 10:10:18 +0000 (10:10 +0000)
committerArne Fitzenreiter <arne_f@ipfire.org>
Tue, 19 Oct 2021 11:34:32 +0000 (11:34 +0000)
This allows us to add rules in a consistent order like they are in the
script.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
src/initscripts/system/suricata patch | blob | blame | history

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 981471c7ca572cfe6973ec2329a4082bc7a3d5d5..5ccea9391443a3e92abb85254189189ed14310de 100644 (file)
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -139,12 +139,12 @@ function generate_fw_rules {
                # Loop through the array and create firewall rules.
                for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
                        # Create rules queue input and output related traffic and pass it to the IPS.
-                       iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
-                       iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+                       iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+                       iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
 
                        # Create rules which are required to handle forwarded traffic.
                        for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
-                               iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
+                               iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
                        done
                done
 
Peter's tree of IPFire 2.x