]> git.ipfire.org Git - ipfire-2.x.git/commit
projects / ipfire-2.x.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 2438c6c) | patch
firewall: Move the IPS after the NAT marking
authorMichael Tremer <michael.tremer@ipfire.org>
Tue, 10 Sep 2024 09:37:38 +0000 (11:37 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 24 Sep 2024 08:43:41 +0000 (08:43 +0000)
commit525ff6d74dac833854dde69a152e98f1b5fd14d2
tree483363ebe61718092bbc4a1d36815b624de42086tree
parent2438c6c2497015e92e823ecd2fbe9071a2cda575commit | diff
firewall: Move the IPS after the NAT marking

This is because we might still land in the scenario where Suricata
crashes and NFQUEUE will simply ACCEPT all packets which will terminate
the processing of the mangle table.

Therefore the NFQUEUE rule should be the last one so that we never skip
any of the other processing.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/initscripts/system/firewall diff | blob | blame | history
IPFire 2.x development tree