From: Michael Tremer
Date: Sun, 22 Sep 2024 15:06:21 +0000 (+0200)
Subject: suricata: Split marking packets off into a separate chain
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e0fb8f8da2419f84fecdfdfcde8a381cab43d938;p=people%2Fms%2Fipfire-2.x.git

suricata: Split marking packets off into a separate chain

This is required so that we can have different policies for incoming and outgoing packets.

Signed-off-by: Michael Tremer
---
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index be52ff88f..139d94aa0 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -378,6 +378,13 @@ iptables_init() {
 	# IPS (Suricata) chains
 	iptables -t mangle -N IPS
 	iptables -t mangle -N IPS_CLEAR
+	iptables -t mangle -N IPS_SCAN_IN
+	iptables -t mangle -N IPS_SCAN_OUT
+
+	iptables -t mangle -A INPUT -j IPS_SCAN_IN
+	iptables -t mangle -A FORWARD -j IPS_SCAN_IN
+	iptables -t mangle -A FORWARD -j IPS_SCAN_OUT
+	iptables -t mangle -A OUTPUT -j IPS_SCAN_OUT
 
 	for chain in INPUT FORWARD OUTPUT; do
 		iptables -t mangle -A "${chain}" -j IPS
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 4311c69fb..83d60db52 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -56,6 +56,8 @@ NFQ_OPTS=(
 flush_fw_chain() {
 	iptables -w -t mangle -F IPS
 	iptables -w -t mangle -F IPS_CLEAR
+	iptables -w -t mangle -F IPS_SCAN_IN
+	iptables -w -t mangle -F IPS_SCAN_OUT
 }
 
 # Function to create the firewall rules to pass the traffic to suricata.
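Review bot: The four new jump rules and their ordering relative to the `-j IPS` loop that follows are not explained; a comment above `iptables -t mangle -A INPUT -j IPS_SCAN_IN` would help, e.g. `# Mark packets to scan before they reach the IPS chain: packets arriving at the firewall (INPUT/FORWARD) pass IPS_SCAN_IN, packets leaving it (FORWARD/OUTPUT) pass IPS_SCAN_OUT`. Because FORWARD is hooked into both chains, a forwarded packet can be marked from its ingress and from its egress interface; that looks intended, but stating it keeps the next reader from treating the double hook as a mistake. iptables_init() continues outside the hunk.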
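Review bot: flush_fw_chain() now assumes IPS_SCAN_IN and IPS_SCAN_OUT exist, and the two new `-F` lines fail with iptables' "No chain/target/match by that name" on a system where the firewall initscript has not been reloaded since these chains were introduced (an update applied without re-running it, for instance). If the update path does not guarantee that reload, either a check that the chains are present before flushing them, or at least a comment such as `# IPS_SCAN_IN/IPS_SCAN_OUT are created by src/initscripts/system/firewall (iptables_init)`, would make the dependency explicit. Whether the script runs under set -e, and so whether a failing flush is fatal, is not visible in the hunk.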
@@ -93,7 +95,10 @@ generate_fw_rules() {
 		-j CONNMARK --set-mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))"
 
 	# Don't process packets that have already been seen by the IPS
-	iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN
+	for chain in IPS IPS_SCAN_IN IPS_SCAN_OUT; do
+		iptables -w -t mangle -A "${chain}" \
+			-m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN
+	done
 
 	local zone
 	local status
@@ -111,8 +116,10 @@ generate_fw_rules() {
 				continue
 			fi
 
-			iptables -w -t mangle -A IPS -i "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
-			iptables -w -t mangle -A IPS -o "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+			iptables -w -t mangle -A IPS_SCAN_IN \
+				-i "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+			iptables -w -t mangle -A IPS_SCAN_OUT \
+				-o "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
 		fi
 	done
 
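Review bot: `chain` is used as the loop variable without a `local` declaration, while the function declares `local zone` and `local status` directly below; without it the variable leaks into the caller's scope once generate_fw_rules() returns. Adding `local chain` before `for chain in IPS IPS_SCAN_IN IPS_SCAN_OUT; do` keeps the function consistent with its other declarations. generate_fw_rules() starts before and ends after the hunk.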
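Review bot: The split of the marking rules into IPS_SCAN_IN (matched on `-i`) and IPS_SCAN_OUT (matched on `-o`) is not documented where the rules are written, and the two chains carry identical rules so far, so the reason given in the commit message (different policies for incoming and outgoing traffic) is invisible here. A comment above the first rule, e.g. `# Mark packets for the IPS per direction: traffic entering on this interface in IPS_SCAN_IN, traffic leaving on it in IPS_SCAN_OUT (the firewall initscript hooks INPUT/FORWARD and FORWARD/OUTPUT into them respectively)`, would capture that. generate_fw_rules() starts before and ends after the hunk.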