suricata: Explicitly ignore IPsec traffic unless enabled
authorMichael Tremer <michael.tremer@ipfire.org>
Mon, 21 Oct 2024 17:03:06 +0000 (17:03 +0000)
committerArne Fitzenreiter <arne_f@ipfire.org>
Tue, 5 Nov 2024 13:29:53 +0000 (14:29 +0100)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
src/initscripts/system/suricata

index a753e32e68a4e3a839d50b5fe111faa2e5e62968..a0f607971201a1fe705a7d437f980806b10add79 100644 (file)
@@ -111,6 +111,18 @@ generate_fw_rules() {
                if [ "${!status}" = "on" ]; then
                        # Handle IPsec packets
                        case "${zone}" in
+                               RED)
+                                       # If IPsec is not enabled, skip everything that is IPsec traffic
+                                       if [ "${ENABLE_IDS_IPSEC}" != "on" ]; then
+                                               for intf in $(network_get_intfs "${zone}"); do
+                                                       iptables -w -t mangle -A IPS_SCAN_IN \
+                                                               -i "${intf}" -m policy --pol ipsec --dir in -j RETURN
+                                                       iptables -w -t mangle -A IPS_SCAN_OUT \
+                                                               -o "${intf}" -m policy --pol ipsec --dir out -j RETURN
+                                               done
+                                       fi
+                                       ;;
+
                                IPSEC)
                                        iptables -w -t mangle -A IPS_SCAN_IN \
                                                -m policy --pol ipsec --dir in -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
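Review bot: The comment on the new RED arm says "If IPsec is not enabled", but the condition at the `if` line tests `ENABLE_IDS_IPSEC`, i.e. whether IDS scanning of the IPSEC zone is enabled, not whether IPsec itself is; it appears to be the same setting that `${!status}` resolves to for the IPSEC arm below, so the two arms are consistent but the comment misleads. I would reword it to `# If IDS scanning of the IPSEC zone is disabled, exclude policy-matched IPsec traffic seen on RED (decapsulated inbound, to-be-encapsulated outbound) so it is not scanned as RED traffic`, which also records that the RETURN is a deliberate exclusion of tunnelled traffic from the IDS rather than an oversight. Since the rules are appended with `-A`, the RETURN only shields RED's own MARK rules if those are appended after this `case`; that ordering, and the zone loop that selects `${zone}`, live in the rest of generate_fw_rules, which starts and continues outside the hunk.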