From 75a89ddf4aaccaf397e320a98bf1ecf65c78cff4 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sat, 21 Sep 2024 17:55:09 +0200
Subject: [PATCH] suricata: Clear IPS bits after use

Signed-off-by: Michael Tremer
---
 src/initscripts/system/firewall | 2 ++
 src/initscripts/system/suricata | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index ab4833a7f1..be52ff88f0 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -377,9 +377,11 @@ iptables_init() {
  # IPS (Suricata) chains
  iptables -t mangle -N IPS
+ iptables -t mangle -N IPS_CLEAR
  for chain in INPUT FORWARD OUTPUT; do
   iptables -t mangle -A "${chain}" -j IPS
+  iptables -t mangle -A "${chain}" -j IPS_CLEAR
  done
  # RED chain, used for the red interface
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 86836ee8c2..2cfdc8ae4e 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -55,6 +55,7 @@ NFQ_OPTS=(
 # Function to flush the firewall chains.
 flush_fw_chain() {
  iptables -w -t mangle -F IPS
+ iptables -w -t mangle -F IPS_CLEAR
 }
 # Function to create the firewall rules to pass the traffic to suricata.
@@ -139,6 +140,11 @@ generate_fw_rules() {
  # Send packets to suricata
  iptables -w -t mangle -A IPS -m comment --comment "SCANNED" -j NFQUEUE "${NFQ_OPTIONS[@]}"
+ # Clear all bits again after packets have been sent to the IPS
+ # This is required so that encapsulated packets can't inherit any set bits here and won't be scanned.
+ iptables -w -t mangle -A IPS_CLEAR \
+  -j MARK --set-mark "0/$(( IPS_BYPASS_MASK | IPS_BYPASS_REQUESTED_MASK | IPS_REPEAT_MASK | IPS_SCAN_MASK ))"
  return 0
 }
-- 
2.39.5
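Review bot: The new `-j IPS_CLEAR` jump appended after `-j IPS` in each built-in chain is only reached if traversal of the mangle hook continues after the IPS chain, so for packets that IPS hands to NFQUEUE the clearing depends on Suricata's verdict mode: with NF_REPEAT the packet re-enters the hook and reaches IPS_CLEAR on the second pass (the IPS_REPEAT_MASK referenced in the suricata hunk suggests this is the mode in use), whereas a plain NF_ACCEPT verdict leaves the hook and the mark bits would remain set. That ordering contract is not written down anywhere in the hunk; a comment next to the new chain such as `# IPS_CLEAR must stay directly after IPS: it strips the IPS mark bits once the repeated pass returns from the IPS chain` would keep a later rule insertion from breaking it. iptables_init() begins outside the hunk.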
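Review bot: The MARK rule added to IPS_CLEAR also strips IPS_BYPASS_MASK, so if the bypass bit Suricata sets on a packet is meant to be persisted to the flow via CONNMARK, that save has to happen inside IPS (which the firewall hunk places ahead of IPS_CLEAR) or bypass is silently lost after this change; the earlier rules of generate_fw_rules() are outside the hunk, so I cannot confirm it here, but the comment should state which bits are expected to have been saved before this rule runs. The second comment line also runs well past the width of the surrounding lines; wrap it as `# This is required so that encapsulated packets can't inherit any set` / `# bits here and won't be scanned.`. Note that the rule applies to every packet passing the built-in chains, not only those that went through IPS, which the comment's "after packets have been sent to the IPS" wording does not make clear.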