From f78eb45c09100b45e6b4c1297a8caa26785679a0 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Fri, 2 Apr 2021 15:33:42 +0000
Subject: [PATCH] suricata: Use iptables lock to ensure rules are being inserted

Signed-off-by: Michael Tremer
---
 config/rootfiles/core/156/filelists/files | 1 +
 src/initscripts/system/suricata | 18 +++++++++---------
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/config/rootfiles/core/156/filelists/files b/config/rootfiles/core/156/filelists/files
index 940d3ebe60..0e40822919 100644
--- a/config/rootfiles/core/156/filelists/files
+++ b/config/rootfiles/core/156/filelists/files
@@ -1,3 +1,4 @@
+etc/rc.d/init.d/suricata
 srv/web/ipfire/cgi-bin/firewall.cgi
 srv/web/ipfire/cgi-bin/zoneconf.cgi
 var/ipfire/header.pl
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index f0d4b88d1f..33633ddf94 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -62,9 +62,9 @@ function get_cpu_count {
 # Function to flush the firewall chains.
 function flush_fw_chain {
 # Call iptables and flush the chains
- iptables -F "$IPS_INPUT_CHAIN"
- iptables -F "$IPS_FORWARD_CHAIN"
- iptables -F "$IPS_OUTPUT_CHAIN"
+ iptables -w -F "$IPS_INPUT_CHAIN"
+ iptables -w -F "$IPS_FORWARD_CHAIN"
+ iptables -w -F "$IPS_OUTPUT_CHAIN"
 }

 # Function to create the firewall rules to pass the traffic to suricata.
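Review bot: The exit status of the three iptables calls in flush_fw_chain is still not checked, so a flush that fails (chain absent, or the lock wait returning an error) leaves stale rules in the IPS chains while the script carries on; the same holds for every iptables call in the generate_fw_rules hunk below, where an unnoticed failure means traffic is simply not queued to suricata. Each line could propagate failure, e.g. `iptables -w -F "$IPS_INPUT_CHAIN" || return 1`, with the caller acting on the return status. A bare `-w` also waits for the xtables lock without bound, so a stuck iptables elsewhere stalls the init script indefinitely; giving it a limit, `iptables -w 10 -F "$IPS_INPUT_CHAIN"`, turns that into a reportable error instead. Whether the script runs under `set -e` is not visible in this hunk, so the check is better stated explicitly.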
@@ -137,19 +137,19 @@ function generate_fw_rules {
 # Loop through the array and create firewall rules.
 for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
 # Create rules queue input and output related traffic and pass it to the IPS.
- iptables -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
- iptables -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS

 # Create rules which are required to handle forwarded traffic.
 for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
- iptables -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
 done
 done

 # Clear repeat bit, so that it does not confuse IPsec or QoS
- iptables -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
- iptables -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
- iptables -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+ iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+ iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+ iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"

 fi
 }
-- 
2.39.5
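Review bot: Between the flush performed by flush_fw_chain and the last insert of this loop the IPS chains hold no NFQUEUE rule, so packets traversing them in that window are not handed to suricata; `-w` makes each individual insert reliable but does not shrink the window, and an iptables failure part-way (no status is checked) leaves it open until the next restart. Building the rule set as one block and loading it with `iptables-restore --noflush` would replace it atomically; that is a larger rewrite, so it is noted rather than proposed here. Separately, `$NFQ_OPTIONS` appears to be left unquoted on purpose so that it word-splits into several options, and a comment saying so, `# NFQ_OPTIONS holds several words and must stay unquoted` together with `# shellcheck disable=SC2086`, would keep a later cleanup from quoting it and silently breaking the rule. How flush_fw_chain and generate_fw_rules are sequenced is outside this hunk, as is the start of generate_fw_rules.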