From: Michael Tremer
Date: Sat, 21 Sep 2024 15:55:09 +0000 (+0200)
Subject: suricata: Clear IPS bits after use
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=75a89ddf4aaccaf397e320a98bf1ecf65c78cff4;p=people%2Fms%2Fipfire-2.x.git
suricata: Clear IPS bits after use
Signed-off-by: Michael Tremer
---
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index ab4833a7f..be52ff88f 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -377,9 +377,11 @@ iptables_init() {
 # IPS (Suricata) chains
 iptables -t mangle -N IPS
+ iptables -t mangle -N IPS_CLEAR
 for chain in INPUT FORWARD OUTPUT; do
 iptables -t mangle -A "${chain}" -j IPS
+ iptables -t mangle -A "${chain}" -j IPS_CLEAR
 done
 # RED chain, used for the red interface
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 86836ee8c..2cfdc8ae4 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -55,6 +55,7 @@ NFQ_OPTS=(
 # Function to flush the firewall chains.
 flush_fw_chain() {
 iptables -w -t mangle -F IPS
+ iptables -w -t mangle -F IPS_CLEAR
 }
 # Function to create the firewall rules to pass the traffic to suricata.
@@ -139,6 +140,11 @@ generate_fw_rules() {
 # Send packets to suricata
 iptables -w -t mangle -A IPS -m comment --comment "SCANNED" -j NFQUEUE "${NFQ_OPTIONS[@]}"
+ # Clear all bits again after packets have been sent to the IPS
+ # This is required so that encapsulated packets can't inherit any set bits here and won't be scanned.
+ iptables -w -t mangle -A IPS_CLEAR \
+ -j MARK --set-mark "0/$(( IPS_BYPASS_MASK | IPS_BYPASS_REQUESTED_MASK | IPS_REPEAT_MASK | IPS_SCAN_MASK ))"
+
 return 0
 }
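Review bot: The jump to IPS_CLEAR is appended directly after the jump to IPS in each of INPUT, FORWARD and OUTPUT, and that adjacency is the entire contract — a packet coming back from the NFQUEUE verdict in IPS must hit the clearing rule next — yet nothing in the loop records it, so a rule later inserted between the two jumps would silently reintroduce the inherited-mark problem this commit fixes. I would put a comment on the loop: `# IPS_CLEAR must directly follow IPS: it wipes the IPS mark bits once the packet returns from the IPS chain`. The new `-N`/`-A` lines omit `-w` like their neighbours, so presumably iptables_init runs without concurrent iptables callers; the suricata initscript does use `-w` on the same chains, which matters if these rules are ever moved there. iptables_init itself starts before the hunk.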
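Review bot: The `-j MARK --set-mark "0/$(( … ))"` rule in IPS_CLEAR zeroes the bypass, bypass-requested, repeat and scan bits of the packet mark on every packet leaving the IPS chain, so any later rule in the same traversal that matches on those bits now sees zeros; that is only safe if the IPS chain persists whatever must survive (for example a `CONNMARK --save-mark` of the bypass decision before returning), which is not visible in this hunk and should be confirmed against the rest of generate_fw_rules. I would say so in the added comment: `# Anything that has to outlive this packet (e.g. the bypass decision) must already be saved to the connection mark inside IPS`. The arithmetic expansion also treats an unset IPS_*_MASK as 0 without complaint, which would leave those bits uncleared rather than fail; computing the mask once, `IPS_CLEAR_MASK=$(( IPS_BYPASS_MASK | IPS_BYPASS_REQUESTED_MASK | IPS_REPEAT_MASK | IPS_SCAN_MASK ))`, and refusing to install the rule when it is zero makes that explicit. The first hunk's `-F IPS_CLEAR` in flush_fw_chain and this `-A IPS_CLEAR` both assume the chain already exists, so on a running system the updated firewall initscript has to be re-run before suricata is restarted or both calls fail on a missing chain. generate_fw_rules starts outside the hunk.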