#
# Author : Stefan Schantl <stefan.schantl@ipfire.org>
#
-# Version : 01.01
+# Version : 01.02
#
# Notes :
#
NFQ_OPTS="--queue-bypass "
# Array containing the 4 possible network zones.
-network_zones=( red green blue orange )
+network_zones=( red green blue orange ovpn )
# Array to store the network zones weather the IPS is enabled for.
enabled_ips_zones=()
[ "$line" ] && [ -z "${line%processor*}" ] && ((CPUCOUNT++))
done </proc/cpuinfo
- echo $CPUCOUNT
+ # Limit to a maximum of 16 cores, because suricata does not support more than
+ # 16 netfilter queues at the moment.
+ if [ $CPUCOUNT -gt "16" ]; then
+ echo "16"
+ else
+ echo $CPUCOUNT
+ fi
}
# Function to flush the firewall chains.
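Review bot: The new comparison `if [ $CPUCOUNT -gt "16" ]; then` leaves `$CPUCOUNT` unquoted, so if the counter ends up empty (e.g. /proc/cpuinfo unreadable or the initialisation above the hunk is missing) `[` fails with "unary operator expected" and the function echoes nothing instead of a number; the number is also a magic value repeated on two lines. Quote the variable and hoist the limit into a named constant, e.g. `if [ "$CPUCOUNT" -gt 16 ]; then`, with the `16` on the echo line and in the test replaced by a read-only variable defined next to `NFQ_OPTS` (constructed name: `MAX_NFQUEUES=16`). Also quote the fallback, `echo "$CPUCOUNT"`. The enclosing function starts above this hunk, so the initialisation of `CPUCOUNT` is not visible here.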
if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then
# Set device name to ppp0.
network_device="ppp0"
+ elif [ "$zone" == "ovpn" ]; then
+ # Get all virtual net devices because the RW server and each
+ # N2N connection creates it's own tun device.
+ for virt_dev in /sys/devices/virtual/net/*; do
+ # Cut-off the directory.
+ dev="${virt_dev##*/}"
+
+ # Only process tun devices.
+ if [[ $dev =~ "tun" ]]; then
+ # Add the network device to the array of enabled zones.
+ enabled_ips_zones+=( "$dev" )
+ fi
+ done
+
+ # Process next zone.
+ continue
else
# Generate variable name which contains the device name.
zone_name="$zone_upper"
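Review bot: `if [[ $dev =~ "tun" ]]; then` quotes the right-hand side, which bash treats as a literal substring match, so any virtual device whose name merely contains "tun" is enrolled as an OpenVPN interface — on a box with the ipip module loaded that would presumably include `tunl0`, which is not an OpenVPN device but would still be pushed into the IPS zone list. Anchor the match to the OpenVPN naming, `if [[ $dev == tun[0-9]* ]]; then`, or equivalently `[[ $dev =~ ^tun[0-9]+$ ]]` without quotes. The comment on the preceding lines could also be tightened to `# Every RW server and N2N connection creates its own tun device, so collect all of them.`, and a note that the glob leaves `dev="*"` when /sys/devices/virtual/net is empty (harmless, because it cannot match) would help the next reader.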
# Remove suricata control socket.
rm /var/run/suricata/* >/dev/null 2>/dev/null
+ # Trash remain pid file if still exists.
+ rm -f $PID_FILE >/dev/null 2>/dev/null
+
# Don't report returncode of rm if suricata was not started
exit 0
;;
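Review bot: `rm -f $PID_FILE >/dev/null 2>/dev/null` leaves `$PID_FILE` unquoted, so a value with spaces or an empty value is word-split or silently dropped; write `rm -f -- "$PID_FILE" 2>/dev/null` (stdout redirection is unnecessary for rm). `PID_FILE` is defined outside this hunk, so whether it is guaranteed non-empty on the stop path cannot be confirmed here. The new comment would read better as `# Remove a stale pid file if one is still present.`.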