]> git.ipfire.org Git - ipfire-2.x.git/commit
projects / ipfire-2.x.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: bb46f3b) | patch
suricata: Disable fail-open on NFQUEUE
authorMichael Tremer <michael.tremer@ipfire.org>
Wed, 3 Apr 2024 20:42:13 +0000 (21:42 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 5 Apr 2024 11:48:16 +0000 (12:48 +0100)
commit69031f7674295d6d95219a97063c718beecc1052
treef8a5be15acbbe67dfefde92ce5ad43564d029a10tree | snapshot
parentbb46f3bef8445a0dba2e92bbb614113a9a4adcafcommit | diff
suricata: Disable fail-open on NFQUEUE

This change causes that if suricata crashes, the NFQUEUE will no longer
fall into a mode where ALL packets are being accepted. This used the be
the case before which opened the entire firewall.

If suricata randomly crashes, we will fall back to the "bypass" mode
where packets will bypass suricata, but nothing else.

Fixes: #13642
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/suricata/suricata.yaml diff | blob | blame | history
IPFire 2.x development tree