Chain filter SPOOFED_MARTIAN DROP_SPOOFED_MARTIAN
Chain filter HOSTILE_DROP_IN DROP_HOSTILE
Chain filter HOSTILE_DROP_OUT DROP_HOSTILE
+
+ # IPS
+ Chain mangle IPS BYPASSED
+ Chain mangle IPS SCANNED
</Plugin>
#<Plugin logfile>
flush_fw_chain
# Don't process packets where the IPS has requested to bypass the stream
- iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" -j RETURN
+ iptables -w -t mangle -A IPS \
+ -m comment --comment "BYPASSED" \
+ -m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" -j RETURN
# If suricata decided to bypass a stream, we will store the mark in the connection tracking table
iptables -w -t mangle -A IPS \
fi
# Send packets to suricata
- iptables -w -t mangle -A IPS -j NFQUEUE "${NFQ_OPTIONS[@]}"
+ iptables -w -t mangle -A IPS -m comment --comment "SCANNED" -j NFQUEUE "${NFQ_OPTIONS[@]}"
return 0
}
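Review bot: The `-m comment` matches on the two rewritten rules make each append depend on the xt_comment match, and because the function still ends with an unconditional `return 0` a failed append goes unreported; if the NFQUEUE rule in particular is not installed, packets traverse the IPS chain without ever being queued to suricata, so the failure mode is fail-open. Checking the status of at least the NFQUEUE append, `iptables -w -t mangle -A IPS -m comment --comment "SCANNED" -j NFQUEUE "${NFQ_OPTIONS[@]}" || return 1`, would let a caller notice (whether callers inspect the return value is not visible here). The literal comments `"BYPASSED"` and `"SCANNED"` have to match the `Chain mangle IPS …` entries in the collectd plugin configuration in the other hunk byte for byte, since the comment match is case-sensitive, so a short comment above the rules such as `# The comment text is the counter name read by collectd's iptables plugin — keep it in sync with the Chain entries there` would help the next maintainer. The enclosing function starts outside the hunk.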