suricata: Always count the whitelisted packets
authorMichael Tremer <michael.tremer@ipfire.org>
Sat, 21 Sep 2024 10:39:32 +0000 (12:39 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 24 Sep 2024 08:44:48 +0000 (08:44 +0000)
Even if there are no rules, if this one does not exist, collectd will be
unhappy and we cannot generate the graph.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/initscripts/system/suricata

index a80a32f782ef6244e598d6541797b935e0fe632c..86836ee8c2c6015c9a2015c0ae33420a2195c47a 100644 (file)
@@ -129,13 +129,13 @@ generate_fw_rules() {
                        iptables -w -t mangle -A IPS -s "${network}" -j MARK --set-mark "$(( IPS_WHITELISTED_MARK ))/$(( IPS_WHITELISTED_MASK ))"
                        iptables -w -t mangle -A IPS -d "${network}" -j MARK --set-mark "$(( IPS_WHITELISTED_MARK ))/$(( IPS_WHITELISTED_MASK ))"
                done < "/var/ipfire/suricata/ignored"
-
-               # Count and skip the whitelisted packets
-               iptables -w -t mangle -A IPS \
-                       -m comment --comment "WHITELISTED" \
-                       -m mark --mark "$(( IPS_WHITELISTED_MARK ))/$(( IPS_WHITELISTED_MASK ))" -j RETURN
        fi
 
+       # Count and skip the whitelisted packets
+       iptables -w -t mangle -A IPS \
+               -m comment --comment "WHITELISTED" \
+               -m mark --mark "$(( IPS_WHITELISTED_MARK ))/$(( IPS_WHITELISTED_MASK ))" -j RETURN
+
        # Send packets to suricata
        iptables -w -t mangle -A IPS -m comment --comment "SCANNED" -j NFQUEUE "${NFQ_OPTIONS[@]}"
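Review bot: The moved comment `# Count and skip the whitelisted packets` should record why the rule is now created unconditionally; the commit message carries the reason but the script does not, so a later cleanup could move it back under the `fi` above and silently break the graph again. Suggested wording: `# Count and skip the whitelisted packets. Always create this rule, even with no ignored networks: collectd reads its counter for the graph.` Note that the RETURN now matches the IPS_WHITELISTED_MARK/IPS_WHITELISTED_MASK bits whether or not the loop above set them, so it presumably relies on nothing else in the mangle table using those mark bits — worth confirming. generate_fw_rules starts before and continues after the hunk.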