From: Stefan Schantl
Date: Fri, 17 Aug 2018 06:45:47 +0000 (+0200)
Subject: suricata: Fix detection of enabled IDS on zone in initscript
X-Git-Tag: suricata-beta3~33^2~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=55658ee381aeeac19c63a0da8822fc3f727b135b;p=people%2Fstevee%2Fipfire-2.x.git

suricata: Fix detection of enabled IDS on zone in initscript

I accidently commited the wrong file in the previous commit. This is the fixed and working version.

Signed-off-by: Stefan Schantl
---
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 45e04d4639..57eeec1575 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -51,8 +51,12 @@ case "$1" in
 # Convert zone into upper case.
 zone_upper=${zone^^}
 
+ # Generate variable name for checking if the IDS is
+ # enabled on the zone.
+ enable_ids_zone="ENABLE_IDS_$zone_upper"
+
 # Check if the IDS is enabled for this network zone.
- if [ "$ENABLE_IDS_$$zone_upper" == "on" ]; then
+ if [ "${!enable_ids_zone}" == "on" ]; then
 # Generate name of the network interface.
 network_device=$zone
 network_device+="0"
@@ -72,8 +76,8 @@ case "$1" in
 
 # Create firewall rules to queue the traffic and pass to
 # the IDS.
- iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE "$NFQ_OPTIONS"
- iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE "$NFQ_OPTIONS"
+ iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
 fi
 done
 
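Review bot: `${!enable_ids_zone}` expands a variable whose name is assembled from `$zone`, so a zone value containing any character that is not legal in a shell identifier makes bash reject the expansion with `invalid variable name` instead of yielding a usable value, and the IDS check for that zone fails with only a stderr message. Since `$zone` appears to come from configuration (the `for` loop header is outside the hunk), validate it before building the name, e.g. `[[ "$zone" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || continue`, and consider logging the rejected value. The indirect expansion itself is the correct replacement for the removed `"$ENABLE_IDS_$$zone_upper"`, in which `$$` expanded to the shell's PID, and it relies on bash, which the file already does via `${zone^^}` and `+=`.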
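Review bot: Dropping the quotes around `$NFQ_OPTIONS` in the two iptables lines is plainly deliberate (the value must word-split into several iptables arguments), but nothing in the hunk records that, so a later ShellCheck pass (SC2086) or reviewer is likely to re-quote it and reintroduce the breakage this hunk fixes. Add `# Intentionally unquoted: NFQ_OPTIONS holds several iptables flags that must word-split.` together with `# shellcheck disable=SC2086` above the two lines, or, if NFQ_OPTIONS is assigned in this script (its definition is outside the hunk), make it an array and pass `"${NFQ_OPTIONS[@]}"`, which also avoids the globbing an unquoted expansion performs. Neither iptables call has its exit status checked, so a failed insert leaves traffic on that zone unqueued with nothing reported; capturing the status and reporting it would make that failure visible. The `for` loop and `case` arm enclosing these lines begin outside the hunk.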