]> git.ipfire.org Git - people/ms/ipfire-2.x.git/commitdiff
projects / people / ms / ipfire-2.x.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e0fb8f8)
suricata: Add support for zones having multiple interfaces
authorMichael Tremer <michael.tremer@ipfire.org>
Sun, 22 Sep 2024 15:08:03 +0000 (17:08 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Sun, 22 Sep 2024 15:08:03 +0000 (17:08 +0200)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/initscripts/networking/functions.network patch | blob | blame | history
src/initscripts/system/suricata patch | blob | blame | history

diff --git a/src/initscripts/networking/functions.network b/src/initscripts/networking/functions.network
index 02ac6b8fe695d7717457b09dba0961acd43af3ed..aff2f5675b375c7dcadf4f49f63e04da38c1fd87 100644 (file)
--- a/src/initscripts/networking/functions.network
+++ b/src/initscripts/networking/functions.network
@@ -54,7 +54,7 @@ bin2ip() {
        echo "${address[*]}"
 }
 
-network_get_intf() {
+network_get_intfs() {
        local zone="${1}"
 
        case "${zone}" in
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 83d60db52a54c8c4717650cf8d33939d38126df6..e0fe1cc3c6da867591f33d2b88a754a84fba81e0 100644 (file)
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -109,17 +109,12 @@ generate_fw_rules() {
                status="ENABLE_IDS_${zone}"
 
                if [ "${!status}" = "on" ]; then
-                       intf="$(network_get_intf "${zone}")"
-
-                       # Skip if we could not determine an interface
-                       if [ -z "${intf}" ]; then
-                               continue
-                       fi
-
-                       iptables -w -t mangle -A IPS_SCAN_IN \
-                               -i "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
-                       iptables -w -t mangle -A IPS_SCAN_OUT \
-                               -o "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+                       for intf in $(network_get_intfs "${zone}"); do
+                               iptables -w -t mangle -A IPS_SCAN_IN \
+                                       -i "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+                               iptables -w -t mangle -A IPS_SCAN_OUT \
+                                       -o "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+                       done
                fi
        done
 
Michael's tree of IPFire 2.x.