From 84a73d5f3997be2f1907c5eb4ad7a7069611ab4a Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 9 Sep 2024 12:46:23 +0200
Subject: [PATCH] suricata: Add whitelist to iptables

This allows us to workaround better against any problems in Suricata because we never send any whitelisted packets to the IPS in the first place.

Signed-off-by: Michael Tremer
---
 src/initscripts/system/suricata | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index c307e358c2..14b48b5bdb 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -75,6 +75,21 @@ generate_fw_rules() {
 # Don't process packets that have already been seen by the IPS
 iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN
 
+ # Never send any whitelisted packets to the IPS
+ if [ -r "/var/ipfire/suricata/ignored" ]; then
+ local id network remark enabled rest
+
+ while IFS=',' read -r id network remark enabled rest; do
+ echo "$network"
+ echo "$remark"
+ # Skip disabled entries
+ [ "${enabled}" = "enabled" ] || continue
+
+ iptables -w -t mangle -A IPS -s "${network}" -j RETURN
+ iptables -w -t mangle -A IPS -d "${network}" -j RETURN
+ done < "/var/ipfire/suricata/ignored"
+ fi
+
 # Send packets to suricata
 iptables -w -t mangle -A IPS -j NFQUEUE "${NFQ_OPTIONS[@]}"
-- 
2.39.5
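Review bot: The two `echo "$network"` / `echo "$remark"` lines at the top of the while loop look like leftover debugging and print every whitelist entry (including disabled ones, since they run before the `enabled` check) to the initscript's stdout on each start; they should be dropped. The `network` field is taken straight from `/var/ipfire/suricata/ignored` and handed to `iptables -s`/`-d` without any check, so an empty or malformed field makes iptables fail and, because the call's status is not examined, the loop carries on while the intended RETURN rule is silently missing; a guard such as `[ -n "${network}" ] || continue` before the two iptables calls, plus a log line on iptables failure, would make that visible. Note also that a comma inside `remark` shifts the remaining fields, so `enabled` would then hold part of the remark and the entry is skipped without any message — worth a comment on the expected file format. The enclosing generate_fw_rules() starts and ends outside the hunk.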