suricata: Add option to scan WireGuard

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-09 18:45:54 +02:00 · 2024-09-10 10:50:15 +02:00
parent 72d501f923
commit 1b7d1abdf0
5 changed files with 21 additions and 2 deletions
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -103,6 +103,7 @@
 < upload fcdsl.o
 < user management
 < vpn configuration main
+< wg
 < winbind daemon
 < wireguard
 < wlanap 802.11w disabled
@@ -156,6 +157,7 @@
 < timeformat
 < transport mode does not support vti
 < warning
+< wg
 < wireguard
 < wlanap
 < wlanap psk
@@ -185,6 +187,7 @@
 < timeformat
 < upload fcdsl.o
 < warning
+< wg
 < wireguard
 < wlanap psk
 < wlanap wireless mode
@@ -668,6 +671,7 @@
 < vulnerable
 < warning
 < Weekly
+< wg
 < whois results from
 < winbind daemon
 < wireguard
@@ -1229,6 +1233,7 @@
 < vulnerable
 < warning
 < Weekly
+< wg
 < whois results from
 < winbind daemon
 < wireguard
@@ -2205,6 +2210,7 @@
 < vulnerable
 < warning
 < Weekly
+< wg
 < whois results from
 < winbind daemon
 < wireguard
@@ -3218,6 +3224,7 @@
 < warning
 < week-graph
 < Weekly
+< wg
 < whois results from
 < winbind daemon
 < wireguard
@@ -3608,6 +3615,7 @@
 < vulnerable
 < warning
 < Weekly
+< wg
 < whois results from
 < winbind daemon
 < wireguard
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -53,6 +53,9 @@ my %ignored=();
 # the list of zones in an array.
 my @network_zones = &Network::get_available_network_zones();

+# Always show Wireguard
+push(@network_zones, "wg");
+
 # Check if openvpn is started and add it to the array of network zones.
 if ( -e "/var/run/openvpn.pid") {
 	push(@network_zones, "ovpn");
@@ -69,7 +72,8 @@ my %colourhash = (
 	'green' => $Header::colourgreen,
 	'blue' => $Header::colourblue,
 	'orange' => $Header::colourorange,
-	'ovpn' => $Header::colourovpn
+	'ovpn' => $Header::colourovpn,
+	'wg' => $Header::colourwg,
 );

 &Header::showhttpheaders();
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -3020,6 +3020,7 @@
 'week-graph' => 'Week',
 'weekly firewallhits' => 'weekly firewallhits',
 'weeks' => 'Weeks',
+'wg' => 'WireGuard',
 'whois results from' => 'WHOIS results from',
 'wildcards' => 'Wildcards',
 'winbind daemon' => 'Winbind Daemon',
--- a/src/initscripts/networking/functions.network
+++ b/src/initscripts/networking/functions.network
@@ -92,9 +92,15 @@ network_get_intf() {
 			fi
 			;;

+		WIREGUARD|WG)
+			echo "wg+"
+			return 0
+			;;
+
 		OPENVPN|OVPN)
 			# OpenVPN is using all tun devices
 			echo "tun+"
+			return 0
 			;;
 	esac

--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -41,7 +41,7 @@ IPS_SCAN_MARK="0x10000000"
 IPS_SCAN_MASK="0x10000000"

 # Supported network zones
-NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "OVPN" )
+NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "WG" "OVPN" )

 # Optional options for the Netfilter queue.
 NFQ_OPTS=(