suricata: Use iptables lock to ensure rules are being inserted
authorMichael Tremer <michael.tremer@ipfire.org>
Fri, 2 Apr 2021 15:33:42 +0000 (15:33 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 2 Apr 2021 15:33:42 +0000 (15:33 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/rootfiles/core/156/filelists/files
src/initscripts/system/suricata

index 940d3ebe604674e5061c951cd28c230aea7b716e..0e40822919b9533cc6ec7e7cfa56298b64e88da4 100644 (file)
@@ -1,3 +1,4 @@
+etc/rc.d/init.d/suricata
 srv/web/ipfire/cgi-bin/firewall.cgi
 srv/web/ipfire/cgi-bin/zoneconf.cgi
 var/ipfire/header.pl
index f0d4b88d1fe96de251be8cac957d5e856b8036c0..33633ddf943cd8af0aa42484310352674f834ac0 100644 (file)
@@ -62,9 +62,9 @@ function get_cpu_count {
 # Function to flush the firewall chains.
 function flush_fw_chain {
        # Call iptables and flush the chains
-       iptables -F "$IPS_INPUT_CHAIN"
-       iptables -F "$IPS_FORWARD_CHAIN"
-       iptables -F "$IPS_OUTPUT_CHAIN"
+       iptables -w -F "$IPS_INPUT_CHAIN"
+       iptables -w -F "$IPS_FORWARD_CHAIN"
+       iptables -w -F "$IPS_OUTPUT_CHAIN"
 }
 
 # Function to create the firewall rules to pass the traffic to suricata.
@@ -137,19 +137,19 @@ function generate_fw_rules {
                # Loop through the array and create firewall rules.
                for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
                        # Create rules queue input and output related traffic and pass it to the IPS.
-                       iptables -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
-                       iptables -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+                       iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+                       iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
 
                        # Create rules which are required to handle forwarded traffic.
                        for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
-                               iptables -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+                               iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
                        done
                done
 
                # Clear repeat bit, so that it does not confuse IPsec or QoS
-               iptables -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
-               iptables -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
-               iptables -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+               iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+               iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+               iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
        fi
 }
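Review bot: Adding `-w` only waits for the xtables lock; nothing in the hunk checks that the `iptables -w -I` / `-w -A` calls actually succeeded, so a call that fails for any other reason (wrong chain name, missing NFQUEUE or mark support, an interrupted wait) is ignored and the function's exit status is just that of the last `-A` call, leaving the IPS chains silently empty — fail-open for an inspection path. Since the commit title promises the rules are inserted, I would append `|| return 1` to each iptables line in this hunk so the initscript can refuse to start or report the failure, and use a bounded wait such as `iptables -w 5 ...` if the shipped iptables accepts the optional seconds argument, so a stuck lock holder cannot hang `suricata start` forever. `$NFQ_OPTIONS` appears to be deliberately unquoted for word-splitting; a comment like `# NFQ_OPTIONS is intentionally unquoted: it carries several options` would stop the next reader from "fixing" it. The enclosing generate_fw_rules and the `if` closed by `fi` begin before this hunk.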