X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=src%2Finitscripts%2Fsystem%2Fsuricata;h=ecd6930541f03bfd3a8b1c9faad0392ea5e3b07a;hb=e8a28edbea9f2b6b8d0d2f47d56f548cc1e5e2d9;hp=b406b920ab5af20c4b13eec92c9e7084d5692b5e;hpb=c9b07d6a0cdb54c71d5aef4a75c40d505585a0fe;p=ipfire-2.x.git
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index b406b920ab..ecd6930541 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -18,6 +18,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
 
 
 eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
+eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 
 # Name of the firewall chain.
 FW_CHAIN="IPS"
@@ -29,8 +30,8 @@ NFQ_OPTS="--queue-bypass "
 network_zones=( red green blue orange )
 
 # Mark and Mask options.
-MARK="0x2"
-MASK="0x2"
+MARK="0x70000000"
+MASK="0x70000000"
 
 # PID file of suricata.
 PID_FILE="/var/run/suricata.pid"
@@ -65,9 +66,18 @@ function generate_fw_rules {
 
 # Check if the IDS is enabled for this network zone.
 if [ "${!enable_ids_zone}" == "on" ]; then
- # Generate name of the network interface.
- network_device=$zone
- network_device+="0"
+ # Check if the current processed zone is "red" and the configured type is PPPoE dialin.
+ if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then
+ # Set device name to ppp0.
+ network_device="ppp0"
+ else
+ # Generate variable name which contains the device name.
+ zone_name="$zone_upper"
+ zone_name+="_DEV"
+
+ # Grab device name.
+ network_device=${!zone_name}
+ fi
 
 # Assign NFQ_OPTS
 NFQ_OPTIONS=$NFQ_OPTS
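Review bot: The added `eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)` executes whatever readhash prints as shell code, so the ethernet settings file (and anything able to write it) joins the suricata settings file inside the trust boundary of this script, which invokes iptables and so presumably runs as root. That is the pattern the file already uses one line above, so the point is documentation rather than a change: the line should say which variables it exists to provide, because `$RED_TYPE` and the `<ZONE>_DEV` names are consumed later in generate_fw_rules and nothing near the eval explains that dependency. Proposed comment above the new line: `# Load the network configuration; provides RED_TYPE and the <ZONE>_DEV device names used by generate_fw_rules.`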
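Review bot: The new `MARK`/`MASK` values only work if they equal the nfq mark/mask that suricata applies to re-injected packets, and that half of the contract (presumably in suricata.yaml) is not part of this diff; a mismatch makes the `! --mark "$MARK"/"$MASK"` test in the NFQUEUE rules either always or never match, i.e. packets are re-queued in a loop or bypass the IPS entirely. The later hunk that clears these bits "so that it does not confuse IPsec or QoS" indicates the mark space is shared with other subsystems, which is a second constraint a maintainer changing the constant must know. Both belong on the definition, e.g. `# Must match the nfq mark/mask configured for suricata, and must not overlap mark bits used by IPsec or QoS.`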
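Review bot: `network_device=${!zone_name}` can leave `network_device` empty when a zone has `ENABLE_IDS_<ZONE>=on` but no `<ZONE>_DEV` is set in the ethernet settings (the replaced code always produced a name such as `green0`), and the function then proceeds to the `iptables -I "$FW_CHAIN" -i "$network_device" ...` calls with an empty interface name, which at best is an iptables error during boot. The `RED_TYPE` test only special-cases PPPoE, so any other red type that does not populate `RED_DEV` hits the same path. A one-line guard after the new `fi` makes the skip explicit: `[ -n "$network_device" ] || continue` (optionally preceded by a `boot_mesg` naming the zone). generate_fw_rules starts before this hunk and continues after it.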
@@ -75,8 +85,8 @@ function generate_fw_rules {
 # Check if there are multiple cpu cores available.
 if [ "$cpu_count" -gt "1" ]; then
 # Balance beetween all queues.
- NFQ_OPTIONS+="--queue-balance 0:"
- NFQ_OPTIONS+=$(($cpu_count-1))
+ NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))"
+ NFQ_OPTIONS+=" --queue-cpu-fanout"
 else
 # Send all packets to queue 0.
 NFQ_OPTIONS+="--queue-num 0"
@@ -88,6 +98,9 @@ function generate_fw_rules {
 iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
 fi
 done
+
+ # Clear repeat bit, so that it does not confuse IPsec or QoS
+ iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
 }
 
 # Function to flush the firewall chain.
@@ -104,7 +117,7 @@ case "$1" in
 
 # Numer of NFQUES.
 NFQUEUES=
- for i in $(seq 0 $cpu_count); do
+ for i in $(seq 0 $((cpu_count-1)) ); do
 NFQUEUES+="-q $i "
 done
 
@@ -112,7 +125,7 @@ case "$1" in
 if [ "$ENABLE_IDS" == "on" ]; then
 # Start the IDS.
 boot_mesg "Starting Intrusion Detection System..."
- /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES
+ /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES >/dev/null 2>/dev/null
 evaluate_retval
 
 # Allow reading the pidfile.
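Review bot: The queue range `0:$(($cpu_count-1))` built here and the `-q` list built from `seq 0 $((cpu_count-1))` in the `start)` hunk further down are two independent encodings of the same queue count; they agree today, but nothing ties them together, and if they drift apart the NFQUEUE rules send packets to queues suricata never bound, which with the `--queue-bypass` in NFQ_OPTS means those packets are accepted unscanned rather than dropped. Computing `last_queue=$((cpu_count - 1))` once where `cpu_count` is determined and using it in both places removes the duplication. Inside `$(( ))` the `$` on `cpu_count` is unnecessary; `$((cpu_count - 1))` reads cleaner. The enclosing if/else closes outside the hunk.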
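Review bot: The appended `-j MARK --set-xmark "0x0/${MASK}"` rule carries no match, so it clears the mask bits on every packet that reaches the end of the IPS chain, not only on packets suricata re-injected; if IPsec or QoS set bits inside `${MASK}` earlier in the path, this rule wipes them, which reads as the opposite of what the comment intends, so worth confirming. If suricata always sets the full `${MARK}` value, restricting the rule to marked packets keeps the intent explicit: `iptables -A "${FW_CHAIN}" -m mark --mark "${MARK}/${MASK}" -j MARK --set-xmark "0x0/${MASK}"`. The comment says "repeat bit" while the mask now covers three bits; `# Clear the IPS mark bits again ...` would be accurate.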
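Review bot: `$(seq 0 $((cpu_count-1)) )` forks an external process for a range that bash arithmetic expresses natively, and the stray space before the closing `)` reads like a typo; `for ((i = 0; i < cpu_count; i++)); do` yields the same `0 .. cpu_count-1` sequence. Building `NFQUEUES` as a space-joined string that is later expanded unquoted works only because the values are plain integers; an array (`NFQUEUES+=(-q "$i")`, expanded as `"${NFQUEUES[@]}"`) would make that explicit. `cpu_count` is set before this hunk.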
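Review bot: `>/dev/null 2>/dev/null` discards suricata's stderr, so when it fails to start (unparsable suricata.yaml, rule load error, unable to bind a queue) the only trace left is the `evaluate_retval` failure mark with no reason attached, and since `-D` daemonises, the exit status may not reflect every post-fork failure either. Keeping stderr on the console, `/usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES >/dev/null`, or redirecting it to the IDS log file rather than `/dev/null`, preserves the diagnostic at negligible cost. If the intent is purely cosmetic, `>/dev/null 2>&1` is the idiomatic spelling of what is written here.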