git.ipfire.org Git - people/ms/ipfire-2.x.git/commit

author	Michael Tremer <michael.tremer@ipfire.org>
	Thu, 19 Aug 2021 11:06:27 +0000 (12:06 +0100)
committer	Michael Tremer <michael.tremer@ipfire.org>
	Thu, 19 Aug 2021 11:06:27 +0000 (12:06 +0100)
commit	6478d8206c00f95f2cab5b1a9fc3fe723bc97404
tree	b1cf8bf26ef783d8f8dbe5860f3b350cb5fc716a	tree
parent	e1f2493fffa082a1ffd1f89e9990bb4af5c258c2	commit \| diff

suricata: Introduce IPSBYPASS chain

NFQUEUE does not let the packet continue where it was processed, but
inserts it back into iptables at the start. That is why we need an
extra IPSBYPASS chain which has the following tasks:

* Make the BYPASS bit permanent for the entire connection
* Clear the REPEAT bit

The latter is more of cosmetic nature so that we can identify packets
that have come from suricata again and those which have bypassed the IPS
straight away.

The IPS_* chain will now only be sent traffic to, when none of the two
relevant bits has been set. Otherwise the packet has already been
processed by suricata in the first pass or suricata has decided to
bypass the connection.

This massively reduces load on the IPS which allows many common
connections (TLS connections with downloads) to bypass the IPS bringing
us back to line speed.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

src/initscripts/system/firewall		diff \| blob \| blame \| history
src/initscripts/system/suricata		diff \| blob \| blame \| history