]> git.ipfire.org Git - ipfire-2.x.git/commitdiff
projects / ipfire-2.x.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 09831e9)
suricata: Add support for zones having multiple interfaces
authorMichael Tremer <michael.tremer@ipfire.org>
Sun, 22 Sep 2024 15:08:03 +0000 (17:08 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 24 Sep 2024 08:45:31 +0000 (08:45 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/initscripts/networking/functions.network patch | blob | blame | history
src/initscripts/system/suricata patch | blob | blame | history

diff --git a/src/initscripts/networking/functions.network b/src/initscripts/networking/functions.network
index 02ac6b8fe695d7717457b09dba0961acd43af3ed..aff2f5675b375c7dcadf4f49f63e04da38c1fd87 100644 (file)
--- a/src/initscripts/networking/functions.network
+++ b/src/initscripts/networking/functions.network
@@ -54,7 +54,7 @@ bin2ip() {
        echo "${address[*]}"
 }
 
-network_get_intf() {
+network_get_intfs() {
        local zone="${1}"
 
        case "${zone}" in
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index e366375baba3ca8ba5efd428f5ed1d14bb2bb388..139f9ed1a78fc00296ab3708da8834c0f7f5a8eb 100644 (file)
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -109,17 +109,12 @@ generate_fw_rules() {
                status="ENABLE_IDS_${zone}"
 
                if [ "${!status}" = "on" ]; then
-                       intf="$(network_get_intf "${zone}")"
-
-                       # Skip if we could not determine an interface
-                       if [ -z "${intf}" ]; then
-                               continue
-                       fi
-
-                       iptables -w -t mangle -A IPS_SCAN_IN \
-                               -i "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
-                       iptables -w -t mangle -A IPS_SCAN_OUT \
-                               -o "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+                       for intf in $(network_get_intfs "${zone}"); do
+                               iptables -w -t mangle -A IPS_SCAN_IN \
+                                       -i "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+                               iptables -w -t mangle -A IPS_SCAN_OUT \
+                                       -o "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+                       done
                fi
        done
 
IPFire 2.x development tree