git.ipfire.org Git - people/pmueller/ipfire-2.x.git/commitdiff
suricata: Use highest bit to mark packets
author Michael Tremer <michael.tremer@ipfire.org>
Thu, 28 Feb 2019 19:37:38 +0000 (19:37 +0000)
committer Stefan Schantl <stefan.schantl@ipfire.org>
Fri, 1 Mar 2019 16:56:48 +0000 (17:56 +0100)
We are using the netfilter MARK in IPsec & QoS and this
is causing conflicts.

Therefore, we use the highest bit in the IPS chain now
and clear it afterwards because we do not really care about
this after the packets have been passed through suricata.

Then, no other application has to worry about suricata.

Fixes: #12010
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
config/suricata/suricata.yaml
src/initscripts/system/suricata

index 9e2221b034fcfeffb7a2bd6a873c9392a50d9fb4..d3ebbcfe438092493d32c2874502718a7da43bf7 100644 (file)
@@ -117,8 +117,8 @@ logging:
 
 nfq:
    mode: repeat
-   repeat-mark: 16
-   repeat-mask: 16
+   repeat-mark: 1879048192
+   repeat-mask: 1879048192
 #   bypass-mark: 1
 #   bypass-mask: 1
 #  route-queue: 2
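Review bot: the new repeat-mark/repeat-mask value 1879048192 is 0x70000000, which is bits 28, 29 and 30, so this hunk reserves three mark bits rather than the single "highest bit" (bit 31, 0x80000000) the commit message describes; either correct the message or add a comment next to `repeat-mark:` stating which bits suricata owns, so that anyone adding MARK rules for IPsec or QoS knows which bits to leave alone. A comment would also help because YAML takes this value as decimal, and the old `repeat-mark: 16` (decimal, 0x10) silently disagreed with the initscript's old `MARK="0x16"` (decimal 22); the new value does match the initscript's 0x70000000.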
index d2c758660ce3b2071479f2515df818d21c60699d..e755dfaff22bb54c6ff11adac354ef1d9c7ca2c9 100644 (file)
@@ -29,8 +29,8 @@ NFQ_OPTS="--queue-bypass "
 network_zones=( red green blue orange )
 
 # Mark and Mask options.
-MARK="0x16"
-MASK="0x16"
+MARK="0x70000000"
+MASK="0x70000000"
 
 # PID file of suricata.
 PID_FILE="/var/run/suricata.pid"
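Review bot: MARK and MASK are the same value here (0x70000000), so the `! --mark "$MARK"/"$MASK"` match in generate_fw_rules only skips packets that have all three bits set; that is the intended behaviour if suricata sets exactly this value, but the comment "Mark and Mask options." should say so, since this file and the YAML are the only places the bit assignment is documented and the commit message speaks of one bit. The old `MARK="0x16"` (decimal 22) also never matched the YAML's decimal 16, so this hunk quietly fixes an existing mismatch that is worth mentioning in the message.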
@@ -88,6 +88,9 @@ function generate_fw_rules {
                        iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
                fi
        done
+
+       # Clear repeat bit, so that it does not confuse IPsec or QoS
+       iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
 }
 
 # Function to flush the firewall chain.
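Review bot: the clearing rule is appended with `-A` while the NFQUEUE rules above are inserted with `-I`, so its position relative to any other rules already in "$FW_CHAIN" depends on how the chain is built; if the chain is always flushed before generate_fw_rules runs (the flush function follows) that is fine, but the comment should say the rule must stay last in the chain. The comment also says "repeat bit" while `--set-xmark "0x0/${MASK}"` clears three bits, so "repeat bits" or "suricata mark bits" would be accurate. Style nits: the line mixes `"${FW_CHAIN}"` with the `"$FW_CHAIN"` used two lines above, and, unrelated to this change, the hunk header shows `NFQ_OPTS` while the NFQUEUE rule passes `$NFQ_OPTIONS`; worth confirming the latter is the variable that is actually defined.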