suricata: Add whitelist to iptables
authorMichael Tremer <michael.tremer@ipfire.org>
Mon, 9 Sep 2024 10:46:23 +0000 (12:46 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 24 Sep 2024 08:42:13 +0000 (08:42 +0000)
This allows us to work around any problems in Suricata better, because
we never send any whitelisted packets to the IPS in the first place.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/initscripts/system/suricata

index c307e358c26d7248a55f4052bf3cd1a4b5df2756..14b48b5bdbb1d91f8b18c43afd58b96dcd3831e1 100644 (file)
@@ -75,6 +75,21 @@ generate_fw_rules() {
        # Don't process packets that have already been seen by the IPS
        iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN
 
+       # Never send any whitelisted packets to the IPS
+       if [ -r "/var/ipfire/suricata/ignored" ]; then
+               local id network remark enabled rest
+
+               while IFS=',' read -r id network remark enabled rest; do
+                       echo "$network"
+                       echo "$remark"
+                       # Skip disabled entries
+                       [ "${enabled}" = "enabled" ] || continue
+
+                       iptables -w -t mangle -A IPS -s "${network}" -j RETURN
+                       iptables -w -t mangle -A IPS -d "${network}" -j RETURN
+               done < "/var/ipfire/suricata/ignored"
+       fi
+
        # Send packets to suricata
        iptables -w -t mangle -A IPS -j NFQUEUE "${NFQ_OPTIONS[@]}"
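Review bot: The two `echo "$network"` and `echo "$remark"` lines at the top of the new while loop look like leftover debugging output; they print every whitelist entry to the initscript's stdout each time the rules are generated and contribute nothing to the rules, so they should be dropped. The `network` field is also handed to iptables without any check, so an empty or malformed field makes that iptables call fail and leaves the remaining entries of the whitelist unapplied while the script carries on; a cheap guard before the two iptables lines, `[ -n "${network}" ] || continue`, would at least skip blank fields, and the loop could log (rather than silently ignore) an iptables failure. Since `remark` is a free-text field, the `rest` variable correctly absorbs extra commas, but a remark containing a comma will still shift `enabled` into the wrong column and silently disable that entry; that is worth a comment on the `read` line if the file format permits it. generate_fw_rules continues outside the hunk.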