+# Function to get the amount of CPU cores of the system.
+function get_cpu_count {
+ CPUCOUNT=0
+
+ # Loop through "/proc/cpuinfo" and count the amount of CPU cores.
+ while read line; do
+ [ "$line" ] && [ -z "${line%processor*}" ] && ((CPUCOUNT++))
+ done </proc/cpuinfo
+
+ echo $CPUCOUNT
+}
+
+# Function to create the firewall rules to pass the traffic to suricata.
+function generate_fw_rules {
+ cpu_count=$(get_cpu_count)
+
+ # Flush the firewall chain.
+ iptables -F "$FW_CHAIN"
+
+ # Loop through the array of network zones.
+ for zone in "${network_zones[@]}"; do
+ # Convert zone into upper case.
+ zone_upper=${zone^^}
+
+ # Generate variable name for checking if the IDS is
+ # enabled on the zone.
+ enable_ids_zone="ENABLE_IDS_$zone_upper"
+
+ # Check if the IDS is enabled for this network zone.
+ if [ "${!enable_ids_zone}" == "on" ]; then
+ # Generate name of the network interface.
+ network_device=$zone
+ network_device+="0"
+
+ # Assign NFQ_OPTS
+ NFQ_OPTIONS=$NFQ_OPTS
+
+ # Check if there are multiple cpu cores available.
+ if [ "$cpu_count" -gt "1" ]; then
+ # Balance beetween all queues.
+ NFQ_OPTIONS+="--queue-balance 0:"
+ NFQ_OPTIONS+=$(($cpu_count-1))
+ else
+ # Send all packets to queue 0.
+ NFQ_OPTIONS+="--queue-num 0"
+ fi
+
+ # Create firewall rules to queue the traffic and pass to
+ # the IDS.
+ iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ fi
+ done
+}
+
+# Function to flush the firewall chain.
+function flush_fw_chain {
+ # Call iptables and flush the chain
+ iptables -F "$FW_CHAIN"
+}
+