From: Stefan Schantl Date: Tue, 17 Dec 2019 12:06:29 +0000 (+0100) Subject: IDS: Allow to inspect traffic from or to OpenVPN X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=51b63b4186e9a5521437ba65b072e9a0522f1105;p=people%2Fpmueller%2Fipfire-2.x.git IDS: Allow to inspect traffic from or to OpenVPN This commit allows to configure suricata to monitor traffic from or to OpenVPN tunnels. This includes the RW server and all established N2N connections. Because the RW server and/or each N2N connection uses it's own tun? device, it is only possible to enable monitoring all of them or to disable monitoring entirely. Fixes #12111. Signed-off-by: Stefan Schantl Signed-off-by: Arne Fitzenreiter --- diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index da009f8918..2a8a7cb261 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -49,6 +49,11 @@ my %ignored=(); # the list of zones in an array. my @network_zones = &IDS::get_available_network_zones(); +# Check if openvpn is started and add it to the array of network zones. +if ( -e "/var/run/openvpn.pid") { + push(@network_zones, "ovpn"); +} + my $errormessage; # Create files if they does not exist yet. @@ -59,7 +64,8 @@ my %colourhash = ( 'red' => $Header::colourred, 'green' => $Header::colourgreen, 'blue' => $Header::colourblue, - 'orange' => $Header::colourorange + 'orange' => $Header::colourorange, + 'ovpn' => $Header::colourovpn ); &Header::showhttpheaders(); @@ -839,7 +845,7 @@ END $checked_input = "checked = 'checked'"; } - print "\n"; + print "\n"; print "\n"; print " $Lang::tr{'enabled on'} $Lang::tr{$zone_name}\n"; print "\n"; diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 5a567f2d7f..5dc4082623 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata 
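Review bot: The `-e "/var/run/openvpn.pid"` test in the first ids.cgi hunk is a liveness heuristic rather than a check that OpenVPN is running: a pid file left behind by an unclean shutdown still offers the `ovpn` zone, and conversely the zone disappears from the page (and can no longer be unticked there) whenever the service happens to be stopped, while the stored setting presumably persists in the IDS settings file. The initscript half of this commit enumerates every `tun*` device from sysfs independently of this file, so the two sides do not agree on what `ovpn` means. At minimum document the assumption, e.g. `# OpenVPN writes this pid file on start; a stale file after a crash still offers the zone.`, and consider verifying the pid (`-d "/proc/$pid"`) or reading OpenVPN's own enabled flag instead.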
@@ -29,7 +29,7 @@ IPS_OUTPUT_CHAIN="IPS_OUTPUT"
 NFQ_OPTS="--queue-bypass "
 # Array containing the 4 possible network zones.
-network_zones=( red green blue orange )
+network_zones=( red green blue orange ovpn )
 # Array to store the network zones weather the IPS is enabled for.
 enabled_ips_zones=()
@@ -86,6 +86,22 @@ function generate_fw_rules {
 if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then
 # Set device name to ppp0.
 network_device="ppp0"
+ elif [ "$zone" == "ovpn" ]; then
+ # Get all virtual net devices because the RW server and each
+ # N2N connection creates it's own tun device.
+ for virt_dev in /sys/devices/virtual/net/*; do
+ # Cut-off the directory.
+ dev="${virt_dev##*/}"
+
+ # Only process tun devices.
+ if [[ $dev =~ "tun" ]]; then
+ # Add the network device to the array of enabled zones.
+ enabled_ips_zones+=( "$dev" )
+ fi
+ done
+
+ # Process next zone.
+ continue
 else
 # Generate variable name which contains the device name.
 zone_name="$zone_upper"
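Review bot: The comment `# Array containing the 4 possible network zones.` above the changed line is now wrong: the array has five entries, and `ovpn` is not a zone like the other four but a placeholder that generate_fw_rules expands to tun devices. Suggest `# Array containing the possible network zones; "ovpn" stands for all OpenVPN tun devices.` so the next reader does not look for an OVPN_DEV variable.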
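Review bot: `[[ $dev =~ "tun" ]]` quotes the pattern, which turns `=~` into a literal, unanchored substring test: any virtual interface whose name merely contains `tun` is added to the IPS, and nothing ties the match to OpenVPN, so other software creating tun devices (or a renamed interface) is silently pulled into inspection while a device like `vpn0` would be missed. Use an anchored prefix match, `if [[ "$dev" == tun* ]]; then`, and state in the comment that every tun device, not only OpenVPN's, is covered. The device list is also a snapshot taken when the firewall rules are generated; a tun device that appears later (a new N2N connection, the RW server restarting on another device number) is not inspected until this function runs again, which is worth saying in the comment and, if not already the case, hooking into the OpenVPN start/stop path. generate_fw_rules starts before this hunk and continues past it.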