From: Michael Tremer Date: Mon, 9 Sep 2024 10:46:23 +0000 (+0200) Subject: suricata: Add whitelist to iptables X-Git-Tag: v2.29-core189~49 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=84a73d5f3997be2f1907c5eb4ad7a7069611ab4a;p=ipfire-2.x.git suricata: Add whitelist to iptables This allows us to workaround better against any problems in Suricata because we never send any whitelisted packets to the IPS in the first place. Signed-off-by: Michael Tremer
---
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index c307e358c2..14b48b5bdb 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -75,6 +75,21 @@ generate_fw_rules() {
 # Don't process packets that have already been seen by the IPS
 iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN
+ # Never send any whitelisted packets to the IPS
+ if [ -r "/var/ipfire/suricata/ignored" ]; then
+ local id network remark enabled rest
+
+ while IFS=',' read -r id network remark enabled rest; do
+ echo "$network"
+ echo "$remark"
+ # Skip disabled entries
+ [ "${enabled}" = "enabled" ] || continue
+
+ iptables -w -t mangle -A IPS -s "${network}" -j RETURN
+ iptables -w -t mangle -A IPS -d "${network}" -j RETURN
+ done < "/var/ipfire/suricata/ignored"
+ fi
+ + # Send packets to suricata iptables -w -t mangle -A IPS -j NFQUEUE "${NFQ_OPTIONS[@]}"
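Review bot: The two `echo "$network"` / `echo "$remark"` lines at the top of the new `while` loop print every whitelist entry to stdout each time the rules are generated and look like leftover debugging output; drop them. The `network` field is also handed straight to `iptables -s`/`-d` without any check, so an empty or malformed field in `/var/ipfire/suricata/ignored` makes both iptables calls fail mid-chain (whether that aborts `generate_fw_rules` depends on the script's error handling, which is outside the hunk); add `[ -n "${network}" ] || continue` next to the `enabled` check so blank entries are skipped explicitly instead of reaching iptables. Note too that `read -r` with `IFS=','` splits a remark containing a comma across `remark` and `enabled`, which would silently skip that entry — presumably the file is written by the web UI with no commas in remarks, but that is worth confirming. `generate_fw_rules` continues past the end of this hunk.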