suricata: Enable scanning IPsec packets
authorMichael Tremer <michael.tremer@ipfire.org>
Tue, 24 Sep 2024 08:33:22 +0000 (10:33 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 24 Sep 2024 08:45:41 +0000 (08:45 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/initscripts/networking/functions.network
src/initscripts/system/suricata

index aff2f5675b375c7dcadf4f49f63e04da38c1fd87..eb83b183daa0df72340474176ce5e79713304eb5 100644 (file)
@@ -57,7 +57,7 @@ bin2ip() {
 network_get_intfs() {
        local zone="${1}"
 
-       case "${zone}" in
+       case "${zone^^}" in
                RED)
                        # For PPPoE, the RED interface is called ppp0 (unless we use QMI)
                        if [ "${RED_TYPE}" = "PPPOE" ] && [ "${RED_DRIVER}" != "qmi_wwan" ]; then
@@ -92,6 +92,32 @@ network_get_intfs() {
                        fi
                        ;;
 
+               IPSEC)
+                       local VARS=(
+                               id status x1 x2 type x3 x4 x5 x6 x7 x8 x9 x10
+                               x11 x12 x13 x14 x15 x16 x17 x18 x19 x20
+                               x21 x22 x23 x24 x25 x26 x27 x28 x29 x30
+                               x31 x32 x33 x34 interface_mode rest
+                       )
+
+                       while IFS="," read -r "${VARS[@]}"; do
+                               # Check if the connection is enabled
+                               [ "${status}" = "on" ] || continue
+
+                               # Check if this a net-to-net connection
+                               [ "${type}" = "net" ] || continue
+
+                               # Determine the interface name
+                               case "${interface_mode}" in
+                                       gre|vti)
+                                               echo "${interface_mode}${id}"
+                                               ;;
+                               esac
+                       done < /var/ipfire/vpn/config
+
+                       return 0
+                       ;;
+
                WIREGUARD|WG)
                        echo "wg+"
                        return 0
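Review bot: The interface name echoed at `echo "${interface_mode}${id}"` is built from the `id` field of /var/ipfire/vpn/config without any check, and the suricata initscript in this same commit consumes it unquoted via `$(network_get_intfs "${zone}")` and passes it to `iptables -i`; a malformed or empty id would be word-split or yield a broken rule. A one-line guard before the `case` keeps the derived name sane, e.g. `[[ "${id}" =~ ^[0-9]+$ ]] || continue`. Separately, `while IFS="," read -r "${VARS[@]}"; do` silently drops the last line of the file if it lacks a trailing newline, which `while IFS="," read -r "${VARS[@]}" || [ -n "${id}" ]; do` would tolerate. The positional field list is opaque; a short comment stating which column of vpn/config holds `interface_mode` (presumably the gre/vti/none selector written by the VPN CGI, to be confirmed) would help the next maintainer. network_get_intfs() begins before this hunk and the remaining zones follow after it.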
index 139f9ed1a78fc00296ab3708da8834c0f7f5a8eb..a753e32e68a4e3a839d50b5fe111faa2e5e62968 100644 (file)
@@ -45,7 +45,7 @@ IPS_WHITELISTED_MARK="0x08000000"
 IPS_WHITELISTED_MASK="0x08000000"
 
 # Supported network zones
-NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "WG" "OVPN" )
+NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "IPSEC" "WG" "OVPN" )
 
 # Optional options for the Netfilter queue.
 NFQ_OPTS=(
@@ -109,6 +109,17 @@ generate_fw_rules() {
                status="ENABLE_IDS_${zone}"
 
                if [ "${!status}" = "on" ]; then
+                       # Handle IPsec packets
+                       case "${zone}" in
+                               IPSEC)
+                                       iptables -w -t mangle -A IPS_SCAN_IN \
+                                               -m policy --pol ipsec --dir in -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+                                       iptables -w -t mangle -A IPS_SCAN_OUT \
+                                               -m policy --pol ipsec --dir out -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+                                       ;;
+                       esac
+
+                       # Add interfaces
                        for intf in $(network_get_intfs "${zone}"); do
                                iptables -w -t mangle -A IPS_SCAN_IN \
                                        -i "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
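Review bot: The two `-m policy --pol ipsec` rules under `IPSEC)` are not explained, and the reason is not obvious from the code: the interface loop below only sees gre/vti devices (the IPSEC case of network_get_intfs returns nothing for policy-based tunnels), so the xfrm policy match is what covers tunnels that have no interface. A comment above the `case` such as `# Policy-based IPsec tunnels have no interface; match on the xfrm policy so decapsulated traffic is still marked. Route-based tunnels (gre/vti) are covered by the interface rules below.` would make that intent explicit. Note that `--pol ipsec --dir in/out` marks every IPsec-protected flow on the box, including host-to-net and transport-mode traffic, not only net-to-net connections the `type = net` filter selects in network_get_intfs; if that broader scope is intended it is worth stating. The policy match is also only valid in certain hook points (--dir in for PREROUTING/INPUT/FORWARD, --dir out for OUTPUT/POSTROUTING/FORWARD); where IPS_SCAN_IN and IPS_SCAN_OUT are jumped from is outside this hunk, so please confirm both chains are reached from a compatible hook. generate_fw_rules() starts before this hunk and the `for intf` loop continues after it.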