suricata: Do not create silly forward rules. ids-whitelist-ipset
authorStefan Schantl <stefan.schantl@ipfire.org>
Wed, 6 Apr 2022 19:15:52 +0000 (21:15 +0200)
committerStefan Schantl <stefan.schantl@ipfire.org>
Wed, 6 Apr 2022 19:15:52 +0000 (21:15 +0200)
Skip creating forward rules if the input and the output device are the
same.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
src/initscripts/system/suricata

index 5ede405ce14659b6d80ca3e7dc5a64ce3036c661..a40e02c83d51bcfd6f24dd791d2818e92b9a1a2c 100644 (file)
@@ -171,6 +171,11 @@ function generate_fw_rules {
 
                        # Create rules which are required to handle forwarded traffic.
                        for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
+                               # Skip loop iteration if both zones are the same.
+                               if [ "$enabled_ips_zone" -eq "$enabled_ips_zone_forward" ]; then
+                                       continue
+                               fi
+                               
                                # Check if the whetelist file is not empty.
                                if [ -s "$WHITELIST_FILE" ]; then
                                        # Create rules to handle whitelisted hosts.
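Review bot: The new `if` compares the two zone entries with `-eq`, which is an integer test; if the elements of `enabled_ips_zones` are zone or interface names rather than plain numbers (the array is filled outside this hunk, so this is inferred from the names), `[` prints "integer expression expected" to stderr and returns 2, so `continue` never fires and the same-zone forward rules are still created despite the commit's intent. A string comparison gives the documented behaviour: `if [ "$enabled_ips_zone" = "$enabled_ips_zone_forward" ]; then`. The added blank line after `fi` also carries trailing whitespace. The enclosing function `generate_fw_rules` starts before this hunk and continues past it.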