From 76b6bc3e9d4a40624c2bc80b5f408844359346ba Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 21 Oct 2024 17:03:06 +0000
Subject: [PATCH] suricata: Explicitly ignore IPsec traffic unless enabled

Signed-off-by: Michael Tremer
Signed-off-by: Arne Fitzenreiter
---
 src/initscripts/system/suricata | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index a753e32e68..a0f6079712 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -111,6 +111,18 @@ generate_fw_rules() {
 if [ "${!status}" = "on" ]; then
 # Handle IPsec packets
 case "${zone}" in
+ RED)
+ # If IPsec is not enabled, skip everything that is IPsec traffic
+ if [ "${ENABLE_IDS_IPSEC}" != "on" ]; then
+ for intf in $(network_get_intfs "${zone}"); do
+ iptables -w -t mangle -A IPS_SCAN_IN \ -i "${intf}" -m policy --pol ipsec --dir in -j RETURN
+ iptables -w -t mangle -A IPS_SCAN_OUT \ -o "${intf}" -m policy --pol ipsec --dir out -j RETURN
+ done
+ fi
+ ;;
+
 IPSEC)
 iptables -w -t mangle -A IPS_SCAN_IN \ -m policy --pol ipsec --dir in -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
--
2.39.5
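Review bot: The new RED arm exempts every packet matching an IPsec policy on a RED interface from the IDS whenever ENABLE_IDS_IPSEC is anything other than "on", which includes the variable being unset, and the comment above the `if` does not say that an unset value means "skip". A one-line addition such as `# Unset or any value other than "on" counts as disabled: IPsec traffic on RED then bypasses the IDS entirely` would make that default explicit for whoever maintains the settings file (not visible here). As far as I know the `-m policy --pol ipsec` match sees the decapsulated inner packets rather than the encrypted ESP/UDP 4500 carrier, so whether the carrier itself is still scanned depends on the rest of the IPS_SCAN_IN/IPS_SCAN_OUT chains, which are outside this hunk. The unquoted `$(network_get_intfs "${zone}")` relies on word-splitting for the interface list, presumably matching the file's existing convention. generate_fw_rules() starts before and ends after this hunk.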