From: Michael Tremer Date: Mon, 21 Oct 2024 17:01:07 +0000 (+0100) Subject: suricata: Explicitly ignore IPsec traffic unless enabled X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fheads%2Fsuricata-ipsec-fixes;p=people%2Fms%2Fipfire-2.x.git suricata: Explicitly ignore IPsec traffic unless enabled Signed-off-by: Michael Tremer
---
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index a753e32e6..a0f607971 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -111,6 +111,18 @@ generate_fw_rules() {
 if [ "${!status}" = "on" ]; then
 # Handle IPsec packets
 case "${zone}" in
+ RED)
+ # If IPsec is not enabled, skip everything that is IPsec traffic
+ if [ "${ENABLE_IDS_IPSEC}" != "on" ]; then
+ for intf in $(network_get_intfs "${zone}"); do
+ iptables -w -t mangle -A IPS_SCAN_IN \
+ -i "${intf}" -m policy --pol ipsec --dir in -j RETURN
+ iptables -w -t mangle -A IPS_SCAN_OUT \
+ -o "${intf}" -m policy --pol ipsec --dir out -j RETURN
+ done
+ fi
+ ;;
+
 IPSEC)
 iptables -w -t mangle -A IPS_SCAN_IN \
 -m policy --pol ipsec --dir in -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
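Review bot: The new RETURN rules in the RED arm are appended with -A, so they only short-circuit MARK rules that are appended to IPS_SCAN_IN/IPS_SCAN_OUT after them; if generate_fw_rules() has already added the zone's general per-interface MARK rules for RED before reaching this case statement, the policy match is never evaluated and IPsec traffic keeps being queued to Suricata. generate_fw_rules() starts before this hunk and continues after it, so that ordering cannot be confirmed here and should be checked. The inline comment restates the condition rather than the effect; something like `# IDS is not enabled for IPsec: leave the chain before any MARK rule so this traffic is never queued to Suricata` would tell the reader why a RETURN rather than a DROP or MARK is used. It is also worth noting in that comment that an unset ENABLE_IDS_IPSEC lands in this branch, which is the conservative default. The unquoted `$(network_get_intfs "${zone}")` relies on word splitting, which is fine for interface names but deserves a `# shellcheck disable=SC2046` marker if the project lints its initscripts.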