# IPS (Suricata) chains
iptables -t mangle -N IPS
+ iptables -t mangle -N IPS_CLEAR
for chain in INPUT FORWARD OUTPUT; do
iptables -t mangle -A "${chain}" -j IPS
+ iptables -t mangle -A "${chain}" -j IPS_CLEAR
done
# RED chain, used for the red interface
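Review bot: The new `iptables -t mangle -N IPS_CLEAR` and the `-j IPS_CLEAR` jump inside the loop are invoked without `-w`, while every other iptables call visible in this change (`-F IPS_CLEAR`, the NFQUEUE rule, the MARK rule) waits for the xtables lock; if another firewall script holds the lock at startup these two calls fail with "another app is currently holding the xtables lock" and the clear chain is never created or never reached, silently leaving marks on packets. I would make them consistent: `iptables -w -t mangle -N IPS_CLEAR` and `iptables -w -t mangle -A "${chain}" -j IPS_CLEAR`. The correctness of the clear also depends on IPS_CLEAR being appended strictly after IPS in each parent chain, which the loop guarantees only by statement order; a one-line comment such as `# IPS_CLEAR must follow IPS: it strips the scan/bypass bits after the verdict` would make that ordering constraint explicit. The enclosing script body starts before this hunk, so I cannot see whether the chains already exist (a `-N` on an existing chain also fails) or are flushed first.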
# Function to flush the firewall chains.
flush_fw_chain() {
iptables -w -t mangle -F IPS
+ iptables -w -t mangle -F IPS_CLEAR
}
# Function to create the firewall rules to pass the traffic to suricata.
# Send packets to suricata
iptables -w -t mangle -A IPS -m comment --comment "SCANNED" -j NFQUEUE "${NFQ_OPTIONS[@]}"
+ # Clear all bits again after packets have been sent to the IPS
+ # This is required so that encapsulated packets can't inherit any set bits here and won't be scanned.
+ iptables -w -t mangle -A IPS_CLEAR \
+ -j MARK --set-mark "0/$(( IPS_BYPASS_MASK | IPS_BYPASS_REQUESTED_MASK | IPS_REPEAT_MASK | IPS_SCAN_MASK ))"
+
return 0
}
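Review bot: The MARK rule in IPS_CLEAR clears IPS_BYPASS_MASK together with the scan and repeat bits, and IPS_CLEAR runs in INPUT/FORWARD/OUTPUT right after the IPS chain returns from NFQUEUE; if the bypass verdict that Suricata sets on the packet mark is persisted to conntrack by a CONNMARK rule that does not sit inside the IPS chain before this point, that rule will now see a zeroed mark and bypass will be silently disabled. I cannot see the CONNMARK side in this hunk, so this is worth confirming rather than a certain defect; a comment on the rule stating the invariant, e.g. `# Any CONNMARK --save-mark of the bypass verdict must happen inside IPS, before this clear`, would protect against a later reordering. Separately, the mask in `--set-mark "0/$(( IPS_BYPASS_MASK | ... ))"` is built by shell arithmetic, which treats an unset or mistyped variable name as 0 without error, so a typo would quietly stop clearing that bit; a guard such as `for v in IPS_BYPASS_MASK IPS_BYPASS_REQUESTED_MASK IPS_REPEAT_MASK IPS_SCAN_MASK; do : "${!v:?$v is unset}"; done` before the rule would fail loudly instead. The enclosing function starts before this hunk, so its name and any earlier rules in the IPS chain are not visible here.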