From db151ad716beefcb9ab9fadd2bb3ac9934748793 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sun, 22 Sep 2024 17:08:03 +0200
Subject: [PATCH] suricata: Add support for zones having multiple interfaces
Signed-off-by: Michael Tremer
---
 src/initscripts/networking/functions.network | 2 +-
 src/initscripts/system/suricata | 17 ++++++-----------
 2 files changed, 7 insertions(+), 12 deletions(-)
diff --git a/src/initscripts/networking/functions.network b/src/initscripts/networking/functions.network
index 02ac6b8fe..aff2f5675 100644
--- a/src/initscripts/networking/functions.network
+++ b/src/initscripts/networking/functions.network
@@ -54,7 +54,7 @@ bin2ip() {
 echo "${address[*]}"
 }
-network_get_intf() {
+network_get_intfs() {
 local zone="${1}"
 case "${zone}" in
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index e366375ba..139f9ed1a 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -109,17 +109,12 @@ generate_fw_rules() {
 status="ENABLE_IDS_${zone}"
 if [ "${!status}" = "on" ]; then
- intf="$(network_get_intf "${zone}")"
-
- # Skip if we could not determine an interface
- if [ -z "${intf}" ]; then
- continue
- fi
-
- iptables -w -t mangle -A IPS_SCAN_IN \ -i "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
- iptables -w -t mangle -A IPS_SCAN_OUT \ -o "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+ for intf in $(network_get_intfs "${zone}"); do
+ iptables -w -t mangle -A IPS_SCAN_IN \ -i "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+ iptables -w -t mangle -A IPS_SCAN_OUT \ -o "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+ done
 fi
 done
--
2.39.5
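Review bot: The new `for intf in $(network_get_intfs "${zone}"); do` loop keeps the old fail-open path silent: when `network_get_intfs` prints nothing for a zone whose `ENABLE_IDS_<zone>` is `on`, the body never runs, no IPS_SCAN mark is set, and that zone's traffic bypasses Suricata with no message — the removed `# Skip if we could not determine an interface` branch was equally quiet, but this commit drops even that acknowledgement. Because this is the decision that determines whether an IDS-enabled zone is inspected at all, I would capture the interface list first and warn to stderr when it is empty before skipping the zone, as sketched below. The unquoted `$(...)` in the `for` header is needed for word splitting but also glob-expands the output; a comment such as `# unquoted on purpose: one word per interface name` would make the intent explicit to the next reader. Note that `generate_fw_rules()` and the enclosing `for zone …; do` loop begin before this hunk, and the body of `network_get_intfs` is not shown, so the possibility of an empty result is inferred from the removed emptiness check rather than from that function's code.
```shell
if [ "${!status}" = "on" ]; then
	intfs="$(network_get_intfs "${zone}")"

	# Fail loudly: an IDS-enabled zone with no resolvable interface
	# would otherwise pass all of its traffic unscanned.
	if [ -z "${intfs}" ]; then
		echo "WARNING: IDS is enabled for zone ${zone}, but no interface could be determined; its traffic will not be scanned" >&2
		continue
	fi

	# unquoted on purpose: one word per interface name
	for intf in ${intfs}; do
		# … unchanged: iptables IPS_SCAN_IN / IPS_SCAN_OUT MARK rules …
	done
fi
```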