suricata: Store bypass flag in connmark and restore

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This commit is contained in:
Michael Tremer
2021-10-18 10:10:20 +00:00
committed by Arne Fitzenreiter
parent 49dd3e2946
commit 2469ca9fba


@@ -154,10 +154,14 @@ function generate_fw_rules {
done
done
# Clear repeat bit, so that it does not confuse IPsec or QoS
iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
# Add common rules at the end of the chain
for chain in "${IPS_INPUT_CHAIN}" "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do
# Clear repeat bit
iptables -w -A "${chain}" -j MARK --set-xmark "0x0/${REPEAT_MASK}"
# Store bypass bit in CONNMARK
iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j CONNMARK --save-mark
done
fi
}
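Review bot: The CONNMARK rule added inside the loop uses a bare `--save-mark`, which copies the whole packet mark into the connection mark rather than only the bypass bit the comment above it promises; any other mark bits still set on the packet at that point (the preceding comment names IPsec and QoS as users of the mark) would be written into the connmark as well. Limiting the copy to the bypass bit keeps those unrelated bits out of the connection mark: `iptables -w -A "${chain}" -m mark --mark "${BYPASS_MARK}/${BYPASS_MASK}" -j CONNMARK --save-mark --nfmask "${BYPASS_MASK}" --ctmask "${BYPASS_MASK}"`. The restore side named in the commit title is not in this hunk, so whether it applies the same mask cannot be checked here; presumably it should, otherwise the restore would clobber the packet mark in the same way. The enclosing function generate_fw_rules starts before the hunk, and BYPASS_MARK/BYPASS_MASK are defined outside it.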