Merge branch 'master' into next

2026-04-22 17:02:58 +02:00 · 2024-09-24 08:54:50 +00:00
parent 48cd259dd5 84b04cb6d3
commit 6ca5fb74ab
34 changed files with 626 additions and 236 deletions
--- a/config/cfgroot/graphs.pl
+++ b/config/cfgroot/graphs.pl
@@ -1189,3 +1189,90 @@ sub updateconntrackgraph {

 	return "Error in RRD::Graph for conntrack: " . $ERROR . "\n" if $ERROR;
 }
+
+sub updateipsthroughputgraph {
+	my $period = $_[0];
+
+	my @command = (
+		@GRAPH_ARGS,
+		"-",
+		"--start",
+		"-1" . $period,
+		"-r",
+		"--lower-limit","0",
+		"-v $Lang::tr{'bytes per second'}",
+		"--color=BACK" . $color{"color21"},
+
+		# Read bypassed packets
+		"DEF:bypassed_bytes=$mainsettings{'RRDLOG'}/collectd/localhost/iptables-mangle-IPS/ipt_bytes-BYPASSED.rrd:value:AVERAGE",
+		#"DEF:bypassed_packets=$mainsettings{'RRDLOG'}/collectd/localhost/iptables-mangle-IPS/ipt_packets-BYPASSED.rrd:value:AVERAGE",
+
+		"VDEF:bypassed_bytes_avg=bypassed_bytes,AVERAGE",
+		"VDEF:bypassed_bytes_min=bypassed_bytes,MINIMUM",
+		"VDEF:bypassed_bytes_max=bypassed_bytes,MAXIMUM",
+
+		# Read scanned packets
+		"DEF:scanned_bytes=$mainsettings{'RRDLOG'}/collectd/localhost/iptables-mangle-IPS/ipt_bytes-SCANNED.rrd:value:AVERAGE",
+		#"DEF:scanned_packets=$mainsettings{'RRDLOG'}/collectd/localhost/iptables-mangle-IPS/ipt_packets-SCANNED.rrd:value:AVERAGE",
+
+		"VDEF:scanned_bytes_avg=scanned_bytes,AVERAGE",
+		"VDEF:scanned_bytes_min=scanned_bytes,MINIMUM",
+		"VDEF:scanned_bytes_max=scanned_bytes,MAXIMUM",
+
+		# Read whitelisted packets
+		"DEF:whitelisted_bytes=$mainsettings{'RRDLOG'}/collectd/localhost/iptables-mangle-IPS/ipt_bytes-WHITELISTED.rrd:value:AVERAGE",
+		#"DEF:whitelisted_packets=$mainsettings{'RRDLOG'}/collectd/localhost/iptables-mangle-IPS/ipt_packets-WHITELISTED.rrd:value:AVERAGE",
+
+		"VDEF:whitelisted_bytes_avg=whitelisted_bytes,AVERAGE",
+		"VDEF:whitelisted_bytes_min=whitelisted_bytes,MINIMUM",
+		"VDEF:whitelisted_bytes_max=whitelisted_bytes,MAXIMUM",
+
+		# Total
+		"CDEF:total_bytes=bypassed_bytes,scanned_bytes,ADDNAN,whitelisted_bytes,ADDNAN",
+		#"CDEF:total_packets=bypassed_packets,scanned_packets,ADDNAN,whitelisted_packets,ADDNAN",
+
+		"VDEF:total_bytes_avg=total_bytes,AVERAGE",
+		"VDEF:total_bytes_min=total_bytes,MINIMUM",
+		"VDEF:total_bytes_max=total_bytes,MAXIMUM",
+
+		# Add some space below the graph
+		"COMMENT: \\n",
+
+		# Headline
+		"COMMENT:" . sprintf("%32s", ""),
+		"COMMENT:" . sprintf("%16s", $Lang::tr{'average'}),
+		"COMMENT:" . sprintf("%16s", $Lang::tr{'minimum'}),
+		"COMMENT:" . sprintf("%16s", $Lang::tr{'maximum'}) . "\\j",
+
+		# Whitelisted Packets
+		"AREA:whitelisted_bytes$color{'color12'}A0:" . sprintf("%-30s", $Lang::tr{'whitelisted'}),
+		"GPRINT:whitelisted_bytes_avg:%9.2lf %sbps",
+		"GPRINT:whitelisted_bytes_min:%9.2lf %sbps",
+		"GPRINT:whitelisted_bytes_max:%9.2lf %sbps\\j",
+
+		# Bypassed Packets
+		"STACK:bypassed_bytes$color{'color11'}A0:" . sprintf("%-30s", $Lang::tr{'bypassed'}),
+		"GPRINT:bypassed_bytes_avg:%9.2lf %sbps",
+		"GPRINT:bypassed_bytes_min:%9.2lf %sbps",
+		"GPRINT:bypassed_bytes_max:%9.2lf %sbps\\j",
+
+		# Scanned Packets
+		"STACK:scanned_bytes$color{'color13'}A0:" . sprintf("%-30s", $Lang::tr{'scanned'}),
+		"GPRINT:scanned_bytes_avg:%9.2lf %sbps",
+		"GPRINT:scanned_bytes_min:%9.2lf %sbps",
+		"GPRINT:scanned_bytes_max:%9.2lf %sbps\\j",
+
+		"COMMENT: \\n",
+
+		# Total Packets
+		"COMMENT:" . sprintf("%-32s", $Lang::tr{'total'}),
+		"GPRINT:total_bytes_avg:%9.2lf %sbps",
+		"GPRINT:total_bytes_min:%9.2lf %sbps",
+		"GPRINT:total_bytes_max:%9.2lf %sbps\\j",
+	);
+
+	RRDs::graph(@command);
+	$ERROR = RRDs::error;
+
+	return "Error in RRD::Graph for suricata: " . $ERROR . "\n" if $ERROR;
+}
--- a/config/collectd/collectd.conf
+++ b/config/collectd/collectd.conf
@@ -52,6 +52,11 @@ include "/etc/collectd.precache"
 	Chain filter SPOOFED_MARTIAN DROP_SPOOFED_MARTIAN
 	Chain filter HOSTILE_DROP_IN DROP_HOSTILE
 	Chain filter HOSTILE_DROP_OUT DROP_HOSTILE
+
+	# IPS
+	Chain mangle IPS BYPASSED
+	Chain mangle IPS SCANNED
+	Chain mangle IPS WHITELISTED
 </Plugin>

 #<Plugin logfile>
--- a/config/rootfiles/common/dtc
+++ b/config/rootfiles/common/dtc
@@ -10,5 +10,5 @@
 #usr/include/libfdt_env.h
 #usr/lib/libfdt.a
 #usr/lib/libfdt.so
-#usr/lib/libfdt.so.1
-#usr/lib/libfdt.so.1.7.1
+usr/lib/libfdt.so.1
+usr/lib/libfdt.so.1.7.1
--- a/config/rootfiles/common/suricata
+++ b/config/rootfiles/common/suricata
@@ -1,6 +1,7 @@
 etc/suricata
 etc/suricata/suricata.yaml
 usr/bin/suricata
+usr/bin/suricata-watcher
 usr/sbin/convert-ids-backend-files
 #usr/share/doc/suricata
 #usr/share/doc/suricata/AUTHORS
--- a/config/rootfiles/oldcore/188/filelists/aarch64/u-boot
+++ b/config/rootfiles/oldcore/188/filelists/aarch64/u-boot
@@ -0,0 +1 @@
+../../../../common/aarch64/u-boot
--- a/config/rootfiles/oldcore/188/filelists/files
+++ b/config/rootfiles/oldcore/188/filelists/files
@@ -13,5 +13,6 @@ var/ipfire/backup/bin/backup.pl
 var/ipfire/general-functions.pl
 var/ipfire/graphs.pl
 var/ipfire/header.pl
+var/ipfire/ids-functions.pl
 var/ipfire/lang.pl
 var/ipfire/network-functions.pl
--- a/config/rootfiles/oldcore/188/update.sh
+++ b/config/rootfiles/oldcore/188/update.sh
@@ -121,12 +121,16 @@ ldconfig
 /etc/init.d/apache restart
 /etc/init.d/unbound restart

+# Regenerate Suricata rule files
+perl -e "require '/var/ipfire/ids-functions.pl'; &IDS::write_used_rulefiles_file(&IDS::get_enabled_providers());"
+/etc/init.d/suricata reload
+
 # Build initial ramdisks
 dracut --regenerate-all --force
 KVER="xxxKVERxxx"
 case "$(uname -m)" in
 	aarch64)
-		mkimage -A arm64 -T ramdisk -C lzma -d /boot/initramfs-${KVER}-ipfire.img /boot/uInit-${KVER}-ipfire
+		mkimage -A arm64 -T ramdisk -C lzma -d /boot/initramfs-${KVER}.img /boot/uInit-${KVER}
 		# dont remove initramfs because grub need this to boot.
 		;;
 esac
--- a/config/rootfiles/oldcore/189/filelists/curl
+++ b/config/rootfiles/oldcore/189/filelists/curl
@@ -0,0 +1 @@
+../../../common/curl
--- a/config/rootfiles/oldcore/189/filelists/dtc
+++ b/config/rootfiles/oldcore/189/filelists/dtc
@@ -0,0 +1 @@
+../../../common/dtc
--- a/config/rootfiles/oldcore/189/filelists/files
+++ b/config/rootfiles/oldcore/189/filelists/files
@@ -1,2 +1,12 @@
+etc/collectd.conf
+etc/rc.d/init.d/firewall
 etc/rc.d/init.d/functions
+etc/rc.d/init.d/networking/functions.network
+etc/rc.d/init.d/suricata
+srv/web/ipfire/cgi-bin/getrrdimage.cgi
+srv/web/ipfire/cgi-bin/ids.cgi
+srv/web/ipfire/html/include/rrdimage.js
+usr/bin/suricata-watcher
+var/ipfire/graphs.pl
 var/ipfire/header.pl
+var/ipfire/ids-functions.pl
--- a/config/rootfiles/oldcore/189/filelists/ntp
+++ b/config/rootfiles/oldcore/189/filelists/ntp
@@ -0,0 +1 @@
+../../../common/ntp
--- a/config/rootfiles/oldcore/189/update.sh
+++ b/config/rootfiles/oldcore/189/update.sh
@@ -349,9 +349,14 @@ ldconfig
 telinit u

 # Start services
+/etc/init.d/collectd restart
 /usr/local/bin/openvpnctrl -s
 /usr/local/bin/openvpnctrl -sn2n

+# Regenerate Suricata rule files
+perl -e "require '/var/ipfire/ids-functions.pl'; &IDS::write_used_rulefiles_file(&IDS::get_enabled_providers());"
+/etc/init.d/suricata reload
+
 # Build initial ramdisks
 dracut --regenerate-all --force
 KVER="xxxKVERxxx"
--- a/config/suricata/suricata-watcher
+++ b/config/suricata/suricata-watcher
@@ -0,0 +1,58 @@
+#!/bin/bash
+###############################################################################
+#                                                                             #
+# IPFire.org - A Linux-based Firewall                                         #
+# Copyright (C) 2024  IPFire Team  <info@ipfire.org>                          #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+PIDFILE="/var/run/suricata.pid"
+
+main() {
+	local ret
+
+	# Suricata becomes unhappy if the PID file exists
+	unlink "${PIDFILE}" &>/dev/null
+
+	while :; do
+		# Launch suricata
+		/usr/bin/suricata --pidfile "${PIDFILE}" "$@" &>/dev/null
+
+		# Wait until suricata is done
+		ret=$?
+
+		case "${ret}" in
+			# If suricata has been killed by SIGKILL (e.g. by
+			# the OOM killer, or if it ran into a SEGV, we will
+			# restart the process.
+			137|139)
+				# Remove the PID file
+				unlink "${PIDFILE}" 2>/dev/null
+
+				sleep 1
+				continue
+				;;
+
+			*)
+				break
+				;;
+		esac
+	done
+
+	return ${ret}
+}
+
+main "$@" || exit $?
--- a/config/u-boot/boot.cmd
+++ b/config/u-boot/boot.cmd
@@ -77,8 +77,8 @@ else
 fi;

 setenv fdt_high ffffffff;
-fatload ${boot_dev} ${boot_part} ${kernel_addr_r} vmlinuz-${KVER}-ipfire${kernel_type};
-fatload ${boot_dev} ${boot_part} ${fdt_addr_r} dtb-${KVER}-ipfire${kernel_type}/${fdtfile};
+fatload ${boot_dev} ${boot_part} ${kernel_addr_r} vmlinuz-${KVER};
+fatload ${boot_dev} ${boot_part} ${fdt_addr_r} dtb-${KVER}/${fdtfile};

 if test "${FDTCMDS}" = ""; then
 	echo ;
@@ -88,7 +88,7 @@ else
 fi;

 setenv ramdisk_addr ${ramdisk_addr_r}
-if fatload ${boot_dev} ${boot_part} ${ramdisk_addr} uInit-${KVER}-ipfire${kernel_type}; then
+if fatload ${boot_dev} ${boot_part} ${ramdisk_addr} uInit-${KVER}; then
 	echo Ramdisk loaded...;
 else
 	echo Ramdisk not loaded...;
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -400,6 +400,7 @@ WARNING: translation string unused: icmp type
 WARNING: translation string unused: id
 WARNING: translation string unused: ids oinkcode required
 WARNING: translation string unused: ids rules update
+WARNING: translation string unused: ids ruleset settings
 WARNING: translation string unused: ids unsupported provider
 WARNING: translation string unused: ike encryption
 WARNING: translation string unused: ike grouptype
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -361,6 +361,7 @@ WARNING: untranslated string: broken = Broken
 WARNING: untranslated string: broken pipe = Broken pipe
 WARNING: untranslated string: buffered memory = Buffered Memory
 WARNING: untranslated string: buffers = buffers
+WARNING: untranslated string: bypassed = Bypassed
 WARNING: untranslated string: bytes per second = Bytes per Second
 WARNING: untranslated string: bytes received = Bytes Received
 WARNING: untranslated string: bytes sent = Bytes Sent
@@ -1070,7 +1071,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc
 WARNING: untranslated string: ids reset provider = Reset provider
 WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully...
 WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date.
-WARNING: untranslated string: ids ruleset settings = Ruleset Settings
+WARNING: untranslated string: ids rulesets = Rulesets
 WARNING: untranslated string: ids show = Show
 WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code
 WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use.
@@ -1191,6 +1192,7 @@ WARNING: untranslated string: ipfire has now shutdown = IPFire is shutting down
 WARNING: untranslated string: ipfire side is invalid = IPFire side is invalid.
 WARNING: untranslated string: ipfires hostname = IPFire's Hostname
 WARNING: untranslated string: ipinfo = IP info
+WARNING: untranslated string: ips throughput = Throughput
 WARNING: untranslated string: ipsec = IPsec
 WARNING: untranslated string: ipsec connection = IPsec Connection
 WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
@@ -1217,6 +1219,7 @@ WARNING: untranslated string: lan = LAN
 WARNING: untranslated string: languagepurpose = Select the language you wish IPFire to display in:
 WARNING: untranslated string: last = Last
 WARNING: untranslated string: last activity = Last Activity
+WARNING: untranslated string: last updated = Last Updated
 WARNING: untranslated string: lease expires = Lease expires
 WARNING: untranslated string: least preferred = least preferred
 WARNING: untranslated string: legend = Legend
@@ -1612,6 +1615,7 @@ WARNING: untranslated string: samba server role standalone = Standalone
 WARNING: untranslated string: saturday = Saturday
 WARNING: untranslated string: save = Save
 WARNING: untranslated string: save-adv-options = Save advanced options
+WARNING: untranslated string: scanned = Scanned
 WARNING: untranslated string: script name = Script name:
 WARNING: untranslated string: search = Search
 WARNING: untranslated string: secondary dns = Secondary DNS:
@@ -1802,6 +1806,7 @@ WARNING: untranslated string: tor traffic limit soft = Traffic limit almost reac
 WARNING: untranslated string: tor traffic read written = Total traffic (read/written)
 WARNING: untranslated string: tor use exit nodes = Use only these exit nodes (one fingerprint per line)
 WARNING: untranslated string: tor use guard nodes = Use only these guard nodes (one fingerprint per line)
+WARNING: untranslated string: total = Total
 WARNING: untranslated string: total connection time = Total Connection Time
 WARNING: untranslated string: total hits for log section = Total hits for log section
 WARNING: untranslated string: traffic stat in = In
@@ -2156,6 +2161,7 @@ WARNING: untranslated string: webradio playlist = Webradio Playlist
 WARNING: untranslated string: website = Website
 WARNING: untranslated string: wednesday = Wednesday
 WARNING: untranslated string: weeks = Weeks
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -444,6 +444,7 @@ WARNING: translation string unused: ids rules license1
 WARNING: translation string unused: ids rules license2
 WARNING: translation string unused: ids rules license3
 WARNING: translation string unused: ids rules update
+WARNING: translation string unused: ids ruleset settings
 WARNING: translation string unused: ike encryption
 WARNING: translation string unused: ike grouptype
 WARNING: translation string unused: ike integrity
@@ -980,6 +981,7 @@ WARNING: untranslated string: Scan for Songs = unknown string
 WARNING: untranslated string: access point name = Access Point Name
 WARNING: untranslated string: access point name is invalid = Access Point Name is invalid
 WARNING: untranslated string: access point name is required = Access Point Name is required
+WARNING: untranslated string: bypassed = Bypassed
 WARNING: untranslated string: cpu frequency = CPU frequency
 WARNING: untranslated string: data transfer = Data Transfer
 WARNING: untranslated string: dhcp fixed ip address in dynamic range = Fixed IP Address in dynamic range
@@ -1029,8 +1031,11 @@ WARNING: untranslated string: hostile networks in = From Hostile Networks
 WARNING: untranslated string: hostile networks out = To Hostile Networks
 WARNING: untranslated string: hostile networks total = Total Hostile Networks
 WARNING: untranslated string: ids provider eol = (EOL)
+WARNING: untranslated string: ids rulesets = Rulesets
 WARNING: untranslated string: info messages = unknown string
 WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
+WARNING: untranslated string: ips throughput = Throughput
+WARNING: untranslated string: last updated = Last Updated
 WARNING: untranslated string: load average = Load Average
 WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
 WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
@@ -1049,12 +1054,15 @@ WARNING: untranslated string: route config changed = unknown string
 WARNING: untranslated string: routing config added = unknown string
 WARNING: untranslated string: routing config changed = unknown string
 WARNING: untranslated string: routing table = unknown string
+WARNING: untranslated string: scanned = Scanned
 WARNING: untranslated string: service boot setting unavailable = No valid runlevel symlink was found for the initscript of this service.
 WARNING: untranslated string: spec rstack overflow = Speculative Return Stack Overflow
 WARNING: untranslated string: system time = System Time (as of last page load)
 WARNING: untranslated string: timeformat = %Y-%m-%d at %H:%M:%S %Z
+WARNING: untranslated string: total = Total
 WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: wio = unknown string
 WARNING: untranslated string: wio checked = unknown string
 WARNING: untranslated string: wio cron = unknown string
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -428,6 +428,7 @@ WARNING: translation string unused: id
 WARNING: translation string unused: ids automatic rules update
 WARNING: translation string unused: ids oinkcode required
 WARNING: translation string unused: ids rules update
+WARNING: translation string unused: ids ruleset settings
 WARNING: translation string unused: ike encryption
 WARNING: translation string unused: ike grouptype
 WARNING: translation string unused: ike integrity
@@ -943,6 +944,7 @@ WARNING: translation string unused: zoneconf val vlan amount assignment error
 WARNING: translation string unused: zoneconf val vlan tag assignment error
 WARNING: translation string unused: zoneconf val vlan tag range error
 WARNING: translation string unused: zoneconf val zoneslave amount error
+WARNING: untranslated string: bypassed = Bypassed
 WARNING: untranslated string: core notice 3 = available.
 WARNING: untranslated string: data transfer = Data Transfer
 WARNING: untranslated string: enable disable client = unknown string
@@ -982,6 +984,9 @@ WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
 WARNING: untranslated string: hostile networks total = Total Hostile Networks
 WARNING: untranslated string: ids provider eol = (EOL)
+WARNING: untranslated string: ids rulesets = Rulesets
+WARNING: untranslated string: ips throughput = Throughput
+WARNING: untranslated string: last updated = Last Updated
 WARNING: untranslated string: load average = Load Average
 WARNING: untranslated string: oops something went wrong = Oops, something went wrong...
 WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server
@@ -990,9 +995,12 @@ WARNING: untranslated string: processors = Processors
 WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS)
 WARNING: untranslated string: routing config added = unknown string
 WARNING: untranslated string: routing config changed = unknown string
+WARNING: untranslated string: scanned = Scanned
 WARNING: untranslated string: system time = System Time (as of last page load)
 WARNING: untranslated string: timeformat = %Y-%m-%d at %H:%M:%S %Z
+WARNING: untranslated string: total = Total
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: wio = unknown string
 WARNING: untranslated string: wio checked = unknown string
 WARNING: untranslated string: wio cron = unknown string
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -948,6 +948,7 @@ WARNING: untranslated string: autonomous system = Autonomous System
 WARNING: untranslated string: available = available
 WARNING: untranslated string: block = Block
 WARNING: untranslated string: broken = Broken
+WARNING: untranslated string: bypassed = Bypassed
 WARNING: untranslated string: cake profile bridged-llcsnap 32 = Bridged LLC SNAP (32 bytes)
 WARNING: untranslated string: cake profile bridged-ptm 19 = Bridged PTM (19 bytes)
 WARNING: untranslated string: cake profile bridged-vcmux 24 = Bridged VC-MUX (24 bytes)
@@ -1132,7 +1133,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc
 WARNING: untranslated string: ids reset provider = Reset provider
 WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully...
 WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date.
-WARNING: untranslated string: ids ruleset settings = Ruleset Settings
+WARNING: untranslated string: ids rulesets = Rulesets
 WARNING: untranslated string: ids show = Show
 WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code
 WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use.
@@ -1173,6 +1174,7 @@ WARNING: untranslated string: ipblocklist logs = IP Address Blocklist Logs
 WARNING: untranslated string: ipblocklist name = Name
 WARNING: untranslated string: ipblocklist output = Packets dropped (OUT)
 WARNING: untranslated string: ipblocklist use ipblocklists = Enable IP Blocklists
+WARNING: untranslated string: ips throughput = Throughput
 WARNING: untranslated string: ipsec connection = IPsec Connection
 WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec interface mode gre = GRE
@@ -1185,6 +1187,7 @@ WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries
 WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: itlb multihit = iTLB MultiHit
+WARNING: untranslated string: last updated = Last Updated
 WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation
 WARNING: untranslated string: load average = Load Average
 WARNING: untranslated string: local ip address = Local IP Address
@@ -1272,6 +1275,7 @@ WARNING: untranslated string: samba join a domain = Join a domain
 WARNING: untranslated string: samba join domain = Join domain
 WARNING: untranslated string: samba server role member = Domain Member
 WARNING: untranslated string: samba server role standalone = Standalone
+WARNING: untranslated string: scanned = Scanned
 WARNING: untranslated string: search = Search
 WARNING: untranslated string: secret = Secret
 WARNING: untranslated string: sent = Sent
@@ -1309,6 +1313,7 @@ WARNING: untranslated string: token not set = No Token has been given.
 WARNING: untranslated string: tor guard country any = Any country
 WARNING: untranslated string: tor guard nodes = Guard Nodes
 WARNING: untranslated string: tor use guard nodes = Use only these guard nodes (one fingerprint per line)
+WARNING: untranslated string: total = Total
 WARNING: untranslated string: traffic stat in = In
 WARNING: untranslated string: traffic stat out = Out
 WARNING: untranslated string: traffic stat title = RED Traffic
@@ -1342,6 +1347,7 @@ WARNING: untranslated string: vpn weak = Weak
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -950,6 +950,7 @@ WARNING: untranslated string: autonomous system = Autonomous System
 WARNING: untranslated string: available = available
 WARNING: untranslated string: block = Block
 WARNING: untranslated string: broken = Broken
+WARNING: untranslated string: bypassed = Bypassed
 WARNING: untranslated string: cake profile bridged-llcsnap 32 = Bridged LLC SNAP (32 bytes)
 WARNING: untranslated string: cake profile bridged-ptm 19 = Bridged PTM (19 bytes)
 WARNING: untranslated string: cake profile bridged-vcmux 24 = Bridged VC-MUX (24 bytes)
@@ -1138,7 +1139,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc
 WARNING: untranslated string: ids reset provider = Reset provider
 WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully...
 WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date.
-WARNING: untranslated string: ids ruleset settings = Ruleset Settings
+WARNING: untranslated string: ids rulesets = Rulesets
 WARNING: untranslated string: ids show = Show
 WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code
 WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use.
@@ -1181,6 +1182,7 @@ WARNING: untranslated string: ipblocklist logs = IP Address Blocklist Logs
 WARNING: untranslated string: ipblocklist name = Name
 WARNING: untranslated string: ipblocklist output = Packets dropped (OUT)
 WARNING: untranslated string: ipblocklist use ipblocklists = Enable IP Blocklists
+WARNING: untranslated string: ips throughput = Throughput
 WARNING: untranslated string: ipsec connection = IPsec Connection
 WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec interface mode gre = GRE
@@ -1193,6 +1195,7 @@ WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries
 WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: itlb multihit = iTLB MultiHit
+WARNING: untranslated string: last updated = Last Updated
 WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation
 WARNING: untranslated string: load average = Load Average
 WARNING: untranslated string: local ip address = Local IP Address
@@ -1295,6 +1298,7 @@ WARNING: untranslated string: samba join a domain = Join a domain
 WARNING: untranslated string: samba join domain = Join domain
 WARNING: untranslated string: samba server role member = Domain Member
 WARNING: untranslated string: samba server role standalone = Standalone
+WARNING: untranslated string: scanned = Scanned
 WARNING: untranslated string: search = Search
 WARNING: untranslated string: secret = Secret
 WARNING: untranslated string: sent = Sent
@@ -1335,6 +1339,7 @@ WARNING: untranslated string: token not set = No Token has been given.
 WARNING: untranslated string: tor guard country any = Any country
 WARNING: untranslated string: tor guard nodes = Guard Nodes
 WARNING: untranslated string: tor use guard nodes = Use only these guard nodes (one fingerprint per line)
+WARNING: untranslated string: total = Total
 WARNING: untranslated string: transfers = Transfers
 WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode
 WARNING: untranslated string: twelve hours = 12 Hours
@@ -1365,6 +1370,7 @@ WARNING: untranslated string: vpn weak = Weak
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -875,6 +875,7 @@ WARNING: untranslated string: available = available
 WARNING: untranslated string: bit = bit
 WARNING: untranslated string: block = Block
 WARNING: untranslated string: broken = Broken
+WARNING: untranslated string: bypassed = Bypassed
 WARNING: untranslated string: cake profile bridged-llcsnap 32 = Bridged LLC SNAP (32 bytes)
 WARNING: untranslated string: cake profile bridged-ptm 19 = Bridged PTM (19 bytes)
 WARNING: untranslated string: cake profile bridged-vcmux 24 = Bridged VC-MUX (24 bytes)
@@ -1276,7 +1277,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc
 WARNING: untranslated string: ids reset provider = Reset provider
 WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully...
 WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date.
-WARNING: untranslated string: ids ruleset settings = Ruleset Settings
+WARNING: untranslated string: ids rulesets = Rulesets
 WARNING: untranslated string: ids show = Show
 WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code
 WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use.
@@ -1323,6 +1324,7 @@ WARNING: untranslated string: ipblocklist logs = IP Address Blocklist Logs
 WARNING: untranslated string: ipblocklist name = Name
 WARNING: untranslated string: ipblocklist output = Packets dropped (OUT)
 WARNING: untranslated string: ipblocklist use ipblocklists = Enable IP Blocklists
+WARNING: untranslated string: ips throughput = Throughput
 WARNING: untranslated string: ipsec = IPsec
 WARNING: untranslated string: ipsec connection = IPsec Connection
 WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
@@ -1338,6 +1340,7 @@ WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table
 WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: itlb multihit = iTLB MultiHit
 WARNING: untranslated string: last = Last
+WARNING: untranslated string: last updated = Last Updated
 WARNING: untranslated string: least preferred = least preferred
 WARNING: untranslated string: lifetime = Lifetime:
 WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation
@@ -1474,6 +1477,7 @@ WARNING: untranslated string: samba join a domain = Join a domain
 WARNING: untranslated string: samba join domain = Join domain
 WARNING: untranslated string: samba server role member = Domain Member
 WARNING: untranslated string: samba server role standalone = Standalone
+WARNING: untranslated string: scanned = Scanned
 WARNING: untranslated string: search = Search
 WARNING: untranslated string: secret = Secret
 WARNING: untranslated string: sent = Sent
@@ -1568,6 +1572,7 @@ WARNING: untranslated string: tor traffic limit soft = Traffic limit almost reac
 WARNING: untranslated string: tor traffic read written = Total traffic (read/written)
 WARNING: untranslated string: tor use exit nodes = Use only these exit nodes (one fingerprint per line)
 WARNING: untranslated string: tor use guard nodes = Use only these guard nodes (one fingerprint per line)
+WARNING: untranslated string: total = Total
 WARNING: untranslated string: traffic stat in = In
 WARNING: untranslated string: traffic stat out = Out
 WARNING: untranslated string: traffic stat title = RED Traffic
@@ -1606,6 +1611,7 @@ WARNING: untranslated string: vpn weak = Weak
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -870,6 +870,7 @@ WARNING: untranslated string: available = available
 WARNING: untranslated string: bit = bit
 WARNING: untranslated string: block = Block
 WARNING: untranslated string: broken = Broken
+WARNING: untranslated string: bypassed = Bypassed
 WARNING: untranslated string: cake profile bridged-llcsnap 32 = Bridged LLC SNAP (32 bytes)
 WARNING: untranslated string: cake profile bridged-ptm 19 = Bridged PTM (19 bytes)
 WARNING: untranslated string: cake profile bridged-vcmux 24 = Bridged VC-MUX (24 bytes)
@@ -1271,7 +1272,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc
 WARNING: untranslated string: ids reset provider = Reset provider
 WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully...
 WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date.
-WARNING: untranslated string: ids ruleset settings = Ruleset Settings
+WARNING: untranslated string: ids rulesets = Rulesets
 WARNING: untranslated string: ids show = Show
 WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code
 WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use.
@@ -1319,6 +1320,7 @@ WARNING: untranslated string: ipblocklist logs = IP Address Blocklist Logs
 WARNING: untranslated string: ipblocklist name = Name
 WARNING: untranslated string: ipblocklist output = Packets dropped (OUT)
 WARNING: untranslated string: ipblocklist use ipblocklists = Enable IP Blocklists
+WARNING: untranslated string: ips throughput = Throughput
 WARNING: untranslated string: ipsec = IPsec
 WARNING: untranslated string: ipsec connection = IPsec Connection
 WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
@@ -1334,6 +1336,7 @@ WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table
 WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: itlb multihit = iTLB MultiHit
 WARNING: untranslated string: last = Last
+WARNING: untranslated string: last updated = Last Updated
 WARNING: untranslated string: least preferred = least preferred
 WARNING: untranslated string: lifetime = Lifetime:
 WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation
@@ -1467,6 +1470,7 @@ WARNING: untranslated string: samba join a domain = Join a domain
 WARNING: untranslated string: samba join domain = Join domain
 WARNING: untranslated string: samba server role member = Domain Member
 WARNING: untranslated string: samba server role standalone = Standalone
+WARNING: untranslated string: scanned = Scanned
 WARNING: untranslated string: search = Search
 WARNING: untranslated string: secret = Secret
 WARNING: untranslated string: sent = Sent
@@ -1561,6 +1565,7 @@ WARNING: untranslated string: tor traffic limit soft = Traffic limit almost reac
 WARNING: untranslated string: tor traffic read written = Total traffic (read/written)
 WARNING: untranslated string: tor use exit nodes = Use only these exit nodes (one fingerprint per line)
 WARNING: untranslated string: tor use guard nodes = Use only these guard nodes (one fingerprint per line)
+WARNING: untranslated string: total = Total
 WARNING: untranslated string: traffic stat in = In
 WARNING: untranslated string: traffic stat out = Out
 WARNING: untranslated string: traffic stat title = RED Traffic
@@ -1599,6 +1604,7 @@ WARNING: untranslated string: vpn weak = Weak
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -935,6 +935,7 @@ WARNING: untranslated string: asn lookup failed = AS lookup failed
 WARNING: untranslated string: autonomous system = Autonomous System
 WARNING: untranslated string: available = available
 WARNING: untranslated string: broken = Broken
+WARNING: untranslated string: bypassed = Bypassed
 WARNING: untranslated string: cake profile bridged-llcsnap 32 = Bridged LLC SNAP (32 bytes)
 WARNING: untranslated string: cake profile bridged-ptm 19 = Bridged PTM (19 bytes)
 WARNING: untranslated string: cake profile bridged-vcmux 24 = Bridged VC-MUX (24 bytes)
@@ -1074,7 +1075,7 @@ WARNING: untranslated string: ids remove rule structures = Remove old rule struc
 WARNING: untranslated string: ids reset provider = Reset provider
 WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully...
 WARNING: untranslated string: ids ruleset is up to date = No update required - The ruleset is up to date.
-WARNING: untranslated string: ids ruleset settings = Ruleset Settings
+WARNING: untranslated string: ids rulesets = Rulesets
 WARNING: untranslated string: ids show = Show
 WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code
 WARNING: untranslated string: ids the choosen provider is already in use = The choosen provider is already in use.
@@ -1110,6 +1111,7 @@ WARNING: untranslated string: ipblocklist logs = IP Address Blocklist Logs
 WARNING: untranslated string: ipblocklist name = Name
 WARNING: untranslated string: ipblocklist output = Packets dropped (OUT)
 WARNING: untranslated string: ipblocklist use ipblocklists = Enable IP Blocklists
+WARNING: untranslated string: ips throughput = Throughput
 WARNING: untranslated string: ipsec connection = IPsec Connection
 WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec interface mode gre = GRE
@@ -1122,6 +1124,7 @@ WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: ipsec routing table entries = IPsec Routing Table Entries
 WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: itlb multihit = iTLB MultiHit
+WARNING: untranslated string: last updated = Last Updated
 WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation
 WARNING: untranslated string: load average = Load Average
 WARNING: untranslated string: local ip address = Local IP Address
@@ -1179,6 +1182,7 @@ WARNING: untranslated string: routing config changed = unknown string
 WARNING: untranslated string: routing table = unknown string
 WARNING: untranslated string: samba server role member = Domain Member
 WARNING: untranslated string: samba server role standalone = Standalone
+WARNING: untranslated string: scanned = Scanned
 WARNING: untranslated string: secret = Secret
 WARNING: untranslated string: sent = Sent
 WARNING: untranslated string: service boot setting unavailable = No valid runlevel symlink was found for the initscript of this service.
@@ -1212,6 +1216,7 @@ WARNING: untranslated string: token not set = No Token has been given.
 WARNING: untranslated string: tor guard country any = Any country
 WARNING: untranslated string: tor guard nodes = Guard Nodes
 WARNING: untranslated string: tor use guard nodes = Use only these guard nodes (one fingerprint per line)
+WARNING: untranslated string: total = Total
 WARNING: untranslated string: traffic stat in = In
 WARNING: untranslated string: traffic stat out = Out
 WARNING: untranslated string: traffic stat title = RED Traffic
@@ -1226,6 +1231,7 @@ WARNING: untranslated string: vpn wait = WAITING
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: warning = Warning
+WARNING: untranslated string: whitelisted = Whitelisted
 WARNING: untranslated string: whois results from = WHOIS results from
 WARNING: untranslated string: winbind daemon = Winbind Daemon
 WARNING: untranslated string: wio = unknown string
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -103,6 +103,7 @@
 < upload fcdsl.o
 < user management
 < vpn configuration main
+< wg
 < winbind daemon
 < wireguard
 < wlanap 802.11w disabled
@@ -120,6 +121,7 @@
 < access point name is invalid
 < access point name is required
 < addon
+< bypassed
 < cpu frequency
 < data transfer
 < dhcp fixed ip address in dynamic range
@@ -136,8 +138,11 @@
 < hostile networks out
 < hostile networks total
 < ids provider eol
+< ids rulesets
 < ids unsupported provider
 < invalid ip or hostname
+< ips throughput
+< last updated
 < load average
 < log drop hostile in
 < log drop hostile out
@@ -150,12 +155,16 @@
 < reg_file_data_sampling
 < reiserfs warning1
 < reiserfs warning2
+< scanned
 < service boot setting unavailable
 < spec rstack overflow
 < system time
 < timeformat
+< total
 < transport mode does not support vti
 < warning
+< wg
+< whitelisted
 < wireguard
 < wlanap
 < wlanap hide ssid
@@ -169,6 +178,7 @@
 < ansi t1.483
 < bewan adsl pci st
 < bewan adsl usb
+< bypassed
 < data transfer
 < extrahd because it it outside the allowed mount path
 < fwdfw syn flood protection
@@ -176,16 +186,23 @@
 < g.lite
 < hostile networks total
 < ids provider eol
+< ids rulesets
 < ids unsupported provider
+< ips throughput
+< last updated
 < load average
 < oops something went wrong
 < ovpn roadwarrior server
 < processors
 < reg_file_data_sampling
+< scanned
 < system time
 < timeformat
+< total
 < upload fcdsl.o
 < warning
+< wg
+< whitelisted
 < wireguard
 < wlanap hide ssid
 < wlanap psk
@@ -228,6 +245,7 @@
 < available
 < block
 < broken
+< bypassed
 < cake profile bridged-llcsnap 32
 < cake profile bridged-ptm 19
 < cake profile bridged-vcmux 24
@@ -446,6 +464,7 @@
 < ids reset provider
 < ids ruleset autoupdate in progress
 < ids ruleset is up to date
+< ids rulesets
 < ids ruleset settings
 < ids show
 < ids subscription code required
@@ -505,7 +524,9 @@
 < ipsec roadwarrior endpoint
 < ipsec routing table entries
 < ipsec settings
+< ips throughput
 < itlb multihit
+< last updated
 < legacy architecture warning
 < link-layer encapsulation
 < load average
@@ -597,6 +618,7 @@
 < samba join domain
 < samba server role member
 < samba server role standalone
+< scanned
 < search
 < secret
 < sent
@@ -635,6 +657,7 @@
 < tor guard country any
 < tor guard nodes
 < tor use guard nodes
+< total
 < traffic stat in
 < traffic stat out
 < traffic stat title
@@ -670,6 +693,8 @@
 < vulnerable
 < warning
 < Weekly
+< wg
+< whitelisted
 < whois results from
 < winbind daemon
 < wireguard
@@ -763,6 +788,7 @@
 < available
 < block
 < broken
+< bypassed
 < cake profile bridged-llcsnap 32
 < cake profile bridged-ptm 19
 < cake profile bridged-vcmux 24
@@ -986,6 +1012,7 @@
 < ids reset provider
 < ids ruleset autoupdate in progress
 < ids ruleset is up to date
+< ids rulesets
 < ids ruleset settings
 < ids show
 < ids subscription code required
@@ -1047,7 +1074,9 @@
 < ipsec roadwarrior endpoint
 < ipsec routing table entries
 < ipsec settings
+< ips throughput
 < itlb multihit
+< last updated
 < legacy architecture warning
 < link-layer encapsulation
 < load average
@@ -1157,6 +1186,7 @@
 < samba join domain
 < samba server role member
 < samba server role standalone
+< scanned
 < search
 < secret
 < sent
@@ -1199,6 +1229,7 @@
 < tor guard country any
 < tor guard nodes
 < tor use guard nodes
+< total
 < transfers
 < transport mode does not support vti
 < twelve hours
@@ -1231,6 +1262,8 @@
 < vulnerable
 < warning
 < Weekly
+< wg
+< whitelisted
 < whois results from
 < winbind daemon
 < wireguard
@@ -1338,6 +1371,7 @@
 < bit
 < block
 < broken
+< bypassed
 < cake profile bridged-llcsnap 32
 < cake profile bridged-ptm 19
 < cake profile bridged-vcmux 24
@@ -1831,6 +1865,7 @@
 < ids reset provider
 < ids ruleset autoupdate in progress
 < ids ruleset is up to date
+< ids rulesets
 < ids ruleset settings
 < ids show
 < ids subscription code required
@@ -1899,8 +1934,10 @@
 < ipsec roadwarrior endpoint
 < ipsec routing table entries
 < ipsec settings
+< ips throughput
 < itlb multihit
 < last
+< last updated
 < least preferred
 < legacy architecture warning
 < lifetime
@@ -2059,6 +2096,7 @@
 < samba join domain
 < samba server role member
 < samba server role standalone
+< scanned
 < search
 < secret
 < sent
@@ -2162,6 +2200,7 @@
 < tor traffic read written
 < tor use exit nodes
 < tor use guard nodes
+< total
 < traffic stat in
 < traffic stat out
 < traffic stat title
@@ -2207,6 +2246,8 @@
 < vulnerable
 < warning
 < Weekly
+< wg
+< whitelisted
 < whois results from
 < winbind daemon
 < wireguard
@@ -2346,6 +2387,7 @@
 < bit
 < block
 < broken
+< bypassed
 < cake profile bridged-llcsnap 32
 < cake profile bridged-ptm 19
 < cake profile bridged-vcmux 24
@@ -2844,6 +2886,7 @@
 < ids reset provider
 < ids ruleset autoupdate in progress
 < ids ruleset is up to date
+< ids rulesets
 < ids ruleset settings
 < ids show
 < ids subscription code required
@@ -2913,8 +2956,10 @@
 < ipsec roadwarrior endpoint
 < ipsec routing table entries
 < ipsec settings
+< ips throughput
 < itlb multihit
 < last
+< last updated
 < least preferred
 < legacy architecture warning
 < lifetime
@@ -3071,6 +3116,7 @@
 < samba join domain
 < samba server role member
 < samba server role standalone
+< scanned
 < search
 < secret
 < sent
@@ -3174,6 +3220,7 @@
 < tor traffic read written
 < tor use exit nodes
 < tor use guard nodes
+< total
 < traffic stat in
 < traffic stat out
 < traffic stat title
@@ -3220,6 +3267,8 @@
 < warning
 < week-graph
 < Weekly
+< wg
+< whitelisted
 < whois results from
 < winbind daemon
 < wireguard
@@ -3335,6 +3384,7 @@
 < autonomous system
 < available
 < broken
+< bypassed
 < cake profile bridged-llcsnap 32
 < cake profile bridged-ptm 19
 < cake profile bridged-vcmux 24
@@ -3449,6 +3499,7 @@
 < ids reset provider
 < ids ruleset autoupdate in progress
 < ids ruleset is up to date
+< ids rulesets
 < ids ruleset settings
 < ids show
 < ids subscription code required
@@ -3503,7 +3554,9 @@
 < ipsec roadwarrior endpoint
 < ipsec routing table entries
 < ipsec settings
+< ips throughput
 < itlb multihit
+< last updated
 < legacy architecture warning
 < link-layer encapsulation
 < load average
@@ -3560,6 +3613,7 @@
 < runmode
 < samba server role member
 < samba server role standalone
+< scanned
 < secret
 < sent
 < service boot setting unavailable
@@ -3594,6 +3648,7 @@
 < tor guard country any
 < tor guard nodes
 < tor use guard nodes
+< total
 < traffic stat in
 < traffic stat out
 < traffic stat title
@@ -3610,6 +3665,8 @@
 < vulnerable
 < warning
 < Weekly
+< wg
+< whitelisted
 < whois results from
 < winbind daemon
 < wireguard
--- a/html/cgi-bin/getrrdimage.cgi
+++ b/html/cgi-bin/getrrdimage.cgi
@@ -35,7 +35,7 @@ require "${General::swroot}/graphs.pl";

 # List of graph origins that getrrdimage.cgi can process directly
 # (unknown origins are forwarded to ensure compatibility)
-my @supported_origins = ("hardwaregraphs.cgi", "media.cgi",
+my @supported_origins = ("ids.cgi", "hardwaregraphs.cgi", "media.cgi",
 	"memory.cgi", "netexternal.cgi", "netinternal.cgi", "netother.cgi",
 	"netovpnrw.cgi", "netovpnsrv.cgi", "qos.cgi", "services.cgi", "system.cgi");

@@ -80,7 +80,13 @@ _start_svg_output();
 # Graphs are first grouped by their origin.
 # This is because some graph categories require special parameter handling.
 my $graphstatus = '';
-if($origin eq "hardwaregraphs.cgi") {		## hardwaregraphs.cgi
+if ($origin eq "ids.cgi") {				## ids.cgi
+	if ($graph eq "ips-throughput") {
+		$graphstatus = Graphs::updateipsthroughputgraph($range);
+	} else {
+		$graphstatus = "Unknown graph name.";
+	}
+} elsif($origin eq "hardwaregraphs.cgi") {		## hardwaregraphs.cgi
 	if($graph eq "hwtemp") {
 		$graphstatus = Graphs::updatehwtempgraph($range);
 	} elsif($graph eq "hwfan") {
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -53,6 +53,9 @@ my %ignored=();
 # the list of zones in an array.
 my @network_zones = &Network::get_available_network_zones();

+# Always show IPsec & Wireguard
+push(@network_zones, "ipsec", "wg");
+
 # Check if openvpn is started and add it to the array of network zones.
 if ( -e "/var/run/openvpn.pid") {
 	push(@network_zones, "ovpn");
@@ -69,7 +72,9 @@ my %colourhash = (
 	'green' => $Header::colourgreen,
 	'blue' => $Header::colourblue,
 	'orange' => $Header::colourorange,
-	'ovpn' => $Header::colourovpn
+	'ipsec' => $Header::colourvpn,
+	'ovpn' => $Header::colourovpn,
+	'wg' => $Header::colourwg,
 );

 &Header::showhttpheaders();
@@ -1003,7 +1008,7 @@ sub show_mainpage() {
 	$checked{'ENABLE_IDS'}{$idssettings{'ENABLE_IDS'}} = "checked='checked'";

 	# Draw current state of the IDS
-	&Header::openbox('100%', 'left', $Lang::tr{'intrusion detection system'});
+	&Header::opensection();

 	&Header::ServiceStatus({
 		$Lang::tr{'intrusion prevention system'} => {
@@ -1013,30 +1018,29 @@ sub show_mainpage() {

 	# Only show this area, if at least one ruleset provider is configured.
 	if (%used_providers) {
+		my $num_zones = scalar @network_zones;

 print <<END
-
-		<br><br><h2>$Lang::tr{'settings'}</h2>
+		<br>

 		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
 			<table width='100%' border='0'>
 				<tr>
-					<td class='base' colspan='2'>
+					<td colspan='$num_zones'>
 						<input type='checkbox' name='ENABLE_IDS' $checked{'ENABLE_IDS'}{'on'}>&nbsp;$Lang::tr{'ids enable'}
 					</td>
+				</tr>

-				</td>
+				<tr> <!-- empty row for spacing -->
+					<td colspan='$num_zones'>
+						&nbsp;
+					</td>
 				</tr>

 				<tr>
-					<td><br><br></td>
-					<td><br><br></td>
-					<td><br><br></td>
-					<td><br><br></td>
-				</tr>
-
-				<tr>
-					<td colspan='4'><b>$Lang::tr{'ids monitored interfaces'}</b><br></td>
+					<td colspan='$num_zones'>
+						<b>$Lang::tr{'ids monitored interfaces'}</b>
+					</td>
 				</tr>

 				<tr>
@@ -1064,21 +1068,29 @@ END
 				$checked_input = "checked = 'checked'";
 			}

-			print "<td class='base' width='20%'>\n";
-			print "<input type='checkbox' name='ENABLE_IDS_$zone_upper' $checked_input>\n";
-			print "&nbsp;$Lang::tr{'enabled on'}<font color='$colourhash{$zone}'> $Lang::tr{$zone_name}</font>\n";
-			print "</td>\n";
+			print <<END;
+				<td>
+					<label>
+						<input type='checkbox' name='ENABLE_IDS_$zone_upper' $checked_input>
+						&nbsp; $Lang::tr{'enabled on'}<font color='$colourhash{$zone}'> $Lang::tr{$zone_name}</font>
+					</label>
+				</td>
+END
 		}

 print <<END
 				</tr>
-			</table>

-			<br><br>
+				<tr> <!-- empty row for spacing -->
+					<td colspan='$num_zones'>
+						&nbsp;
+					</td>
+				</tr>

-			<table width='100%'>
 				<tr>
-					<td align='right'><input type='submit' name='IDS' value='$Lang::tr{'save'}' /></td>
+					<td colspan='$num_zones' align='right'>
+						<input type='submit' name='IDS' value='$Lang::tr{'save'}' />
+					</td>
 				</tr>
 			</table>
 		</form>
@@ -1087,21 +1099,25 @@ END

 	}

-	&Header::closebox();
+	&Header::closesection();
+
+	# Throughput Graph
+	if (-e "/var/log/rrd/collectd/localhost/iptables-mangle-IPS/ipt_bytes-BYPASSED.rrd") {
+		&Header::graph("$Lang::tr{'ips throughput'}", "ids.cgi", "ips-throughput", "day");
+	}

 	#
 	# Used Ruleset Providers section.
 	#
-	&Header::openbox('100%', 'center', $Lang::tr{'ids ruleset settings'});
+	&Header::openbox('100%', 'center', $Lang::tr{'ids rulesets'});

 print <<END;
-	<table width='100%' border='0'>
+	<table width='100%' border='0' class='tbl'>
 		<tr>
-			<td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'ids provider'}</b></td>
-			<td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'date'}</b></td>
-			<td class='base' bgcolor='$color{'color20'}' align='center'><b>$Lang::tr{'ids autoupdates'}</b></td>
-			<td class='base' bgcolor='$color{'color20'}' align='center'><b>$Lang::tr{'action'}</b></td>
-			<td class='base' colspan='3' bgcolor='$color{'color20'}'></td>
+			<th>$Lang::tr{'ids provider'}</td>
+			<th>$Lang::tr{'last updated'}</td>
+			<th align='center'>$Lang::tr{'ids autoupdates'}</td>
+			<th align='center' colspan='3'>$Lang::tr{'action'}</td>
 		</tr>
 END
 		my $line = 1;
@@ -1122,13 +1138,6 @@ END
 				my $status  = $used_providers{$id}[3];
 				my $unsupported;

-				# Check if the item number is even or not.
-				if ($line % 2) {
-					$col="bgcolor='$color{'color22'}'";
-				} else {
-					$col="bgcolor='$color{'color20'}'";
-				}
-
 				# Handle providers which are not longer supported.
 				unless ($IDS::Ruleset::Providers{$provider}{'dl_url'}) {
 					$col = "bgcolor='$Header::colouryellow'";
@@ -1161,8 +1170,8 @@ END

 print <<END;
 				<tr>
-					<td width='33%' class='base' $col>$provider_name $unsupported</td>
-					<td width='30%' class='base' $col>$rulesetdate</td>
+					<th scope='row' width='33%' $col>$provider_name $unsupported</th>
+					<td width='30%' $col align='center'>$rulesetdate</td>

 					<td align='center' $col>
 						<form method='post' action='$ENV{'SCRIPT_NAME'}'>
@@ -1205,7 +1214,7 @@ END
 		} else {
 			# Print notice that currently no hosts are ignored.
 			print "<tr>\n";
-			print "<td class='base' colspan='2'>$Lang::tr{'guardian no entries'}</td>\n";
+			print "<td class='base' colspan='6'>$Lang::tr{'guardian no entries'}</td>\n";
 			print "</tr>\n";
 		}

@@ -1214,8 +1223,6 @@ END
 	# Section to add new elements or edit existing ones.
 	print <<END;
 	<br>
-	<hr>
-	<br>

 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
 		<div align='right'>
@@ -1240,11 +1247,11 @@ END
 	&Header::openbox('100%', 'center', $Lang::tr{'ids ignored hosts'});

 	print <<END;
-	<table width='100%'>
+	<table class='tbl'>
 		<tr>
-			<td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'ip address'}</b></td>
-			<td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'remark'}</b></td>
-			<td class='base' colspan='3' bgcolor='$color{'color20'}'></td>
+			<th>$Lang::tr{'ip address'}</td>
+			<th>$Lang::tr{'remark'}</td>
+			<th colspan='3'></td>
 		</tr>
 END
 		# Check if some hosts have been added to be ignored.
@@ -1252,7 +1259,7 @@ END
 			my $col = "";

 			# Loop through all entries of the hash.
-			while( (my $key) = each %ignored)  {
+			foreach my $key (sort { $ignored{$a}[0] <=> $ignored{$b}[0] } keys %ignored)  {
 				# Assign data array positions to some nice variable names.
 				my $address = $ignored{$key}[0];
 				my $remark = $ignored{$key}[1];
@@ -1261,10 +1268,6 @@ END
 				# Check if the key (id) number is even or not.
 				if ($cgiparams{'ID'} eq $key) {
 					$col="bgcolor='${Header::colouryellow}'";
-				} elsif ($key % 2) {
-					$col="bgcolor='$color{'color22'}'";
-				} else {
-					$col="bgcolor='$color{'color20'}'";
 				}

 				# Choose icon for the checkbox.
@@ -1282,8 +1285,8 @@ END

 print <<END;
 				<tr>
-					<td width='20%' class='base' $col>$address</td>
-					<td width='65%' class='base' $col>$remark</td>
+					<td width='20%' $col>$address</td>
+					<td width='65%' $col>$remark</td>

 					<td align='center' $col>
 						<form method='post' action='$ENV{'SCRIPT_NAME'}'>
@@ -1314,7 +1317,7 @@ END
 			} else {
 				# Print notice that currently no hosts are ignored.
 				print "<tr>\n";
-				print "<td class='base' colspan='2'>$Lang::tr{'guardian no entries'}</td>\n";
+				print "<td class='base' colspan='5'>$Lang::tr{'guardian no entries'}</td>\n";
 				print "</tr>\n";
 			}

@@ -1322,12 +1325,10 @@ END

 		# Section to add new elements or edit existing ones.
 print <<END;
-		<br>
-		<hr>
-		<br>
+		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
+			<input type='hidden' name='ID' value='$cgiparams{'ID'}'>

-		<div align='center'>
-			<table width='100%'>
+			<table class='form'>
 END

 		# Assign correct headline and button text.
@@ -1338,30 +1339,36 @@ END
 		# Check if an ID (key) has been given, in this case an existing entry should be edited.
 		if ($cgiparams{'ID'} ne '') {
 			$buttontext = $Lang::tr{'update'};
-				print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'update'}</b></td></tr>\n";
+				print "<tr><td colspan='2'><h6>$Lang::tr{'update'}</h6></td></tr>\n";

 				# Grab address and remark for the given key.
 				$entry_address = $ignored{$cgiparams{'ID'}}[0];
 				$entry_remark = $ignored{$cgiparams{'ID'}}[1];
 			} else {
 				$buttontext = $Lang::tr{'add'};
-				print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'dnsforward add a new entry'}</b></td></tr>\n";
+				print "<tr><td colspan='2'><h6>$Lang::tr{'dnsforward add a new entry'}</h6></td></tr>\n";
 			}

 print <<END;
-				<form method='post' action='$ENV{'SCRIPT_NAME'}'>
-				<input type='hidden' name='ID' value='$cgiparams{'ID'}'>
 				<tr>
-					<td width='30%'>$Lang::tr{'ip address'}: </td>
-					<td width='50%'><input type='text' name='IGNORE_ENTRY_ADDRESS' value='$entry_address' size='24' /></td>
-
-					<td width='30%'>$Lang::tr{'remark'}: </td>
-					<td wicth='50%'><input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' /></td>
-					<td align='center' width='20%'><input type='submit' name='WHITELIST' value='$buttontext' /></td>
+					<td>$Lang::tr{'ip address'}</td>
+					<td>
+						<input type='text' name='IGNORE_ENTRY_ADDRESS' value='$entry_address' size='24' />
+					</td>
+				</tr>
+
+				<tr>
+					<td>$Lang::tr{'remark'}</td>
+					<td>
+						<input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' />
+					</td>
+				</tr>
+
+				<tr class='action'>
+					<td colspan='2'><input type='submit' name='WHITELIST' value='$buttontext' /></td>
 				</tr>
-				</form>
 			</table>
-		</div>
+		</form>
 END

 	&Header::closebox();
--- a/html/html/include/rrdimage.js
+++ b/html/html/include/rrdimage.js
@@ -35,7 +35,7 @@ function rrdimage_selectRange(buttonObj) {

 // Document loaded: Process all graphs, start reload timers
 $(function() {
-	$('div.rrdimage').each(function() {
+	$('div.graph').each(function() {
 		let graphBox = $(this);
 		_rrdimg_setRange(graphBox, graphBox.data('defaultRange'), true);
 	});
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -503,6 +503,7 @@
 'broken pipe' => 'Zerbrochene Pipe',
 'buffered memory' => 'Pufferspeicher    ',
 'buffers' => 'Puffer',
+'bypassed' => 'Übersprungen',
 'bytes' => 'Bytes',
 'bytes per second' => 'Bytes pro Sekunde',
 'bytes received' => 'Bytes empfangen',
@@ -1413,6 +1414,7 @@
 'ids ruleset autoupdate in progress' => 'Der Regelsatz wird gerade aktualisiert. Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde...',
 'ids ruleset is up to date' => 'Regelset ist aktuell - Keine Aktualisierung notwendig.',
 'ids ruleset settings' => 'Regelsatzeinstellungen',
+'ids rulesets' => 'Regelsätze',
 'ids show' => 'Anzeigen',
 'ids the choosen provider is already in use' => 'Der gewhählte Provider wird bereits verwendet.',
 'ids unable to download the ruleset' => 'Das Regelset konnte nicht heruntergeladen werden.',
@@ -1571,6 +1573,7 @@
 'ipfire side is invalid' => 'IPFire Seite ist ungültig.',
 'ipfires hostname' => 'IPFire\'s Hostname',
 'ipinfo' => 'IP-Info',
+'ips throughput' => 'Durchsatz',
 'ipsec' => 'IPsec',
 'ipsec connection' => 'IPsec-Verbindung',
 'ipsec interface mode gre' => 'GRE',
@@ -1603,6 +1606,7 @@
 'languagepurpose' => 'Wählen Sie eine Sprache, in der IPFire angezeigt werden soll:',
 'last' => 'Letzte',
 'last activity' => 'Letzte Aktivität',
+'last updated' => 'Zuletzt Aktualisiert',
 'lateprompting' => 'Late prompting',
 'lease expires' => 'Zuordnung verfällt',
 'least preferred' => 'weniger präferiert',
@@ -2218,6 +2222,7 @@
 'save error' => 'Konfigurationsarchiv-Datei konnte nicht gespeichert werden',
 'save settings' => 'Einstellungen speichern',
 'save-adv-options' => 'Erweiterte Optionen speichern',
+'scanned' => 'Gescannt',
 'script name' => 'Skriptname:',
 'search' => 'Suchen',
 'secondary dns' => 'Sekundärer DNS-Server:',
@@ -2493,6 +2498,7 @@
 'tor traffic read written' => 'Gesamter Traffic (empfangen/gesendet)',
 'tor use exit nodes' => 'Nur diese Exitknoten benutzen (ein Fingerabdruck pro Zeile)',
 'tor use guard nodes' => 'Nur diese Guardknoten benutzen (ein Fingerabdruck pro Zeile)',
+'total' => 'Gesamt',
 'total connection time' => 'Gesamte Verbindungszeit',
 'total hits for log section' => 'Gesamte Treffer für Protokollsektion',
 'traffic back' => 'Zurück',
@@ -2936,6 +2942,7 @@
 'week-graph' => 'Woche',
 'weekly firewallhits' => 'wöchentliche Firewalltreffer',
 'weeks' => 'Wochen',
+'whitelisted' => 'Ausgenommen',
 'whois results from' => 'WHOIS-Ergebnisse von',
 'wildcards' => 'Wildcards',
 'wins server' => 'WINS-Server',
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -524,6 +524,7 @@
 'broken pipe' => 'Broken pipe',
 'buffered memory' => 'Buffered Memory',
 'buffers' => 'buffers',
+'bypassed' => 'Bypassed',
 'bytes per second' => 'Bytes per Second',
 'bytes received' => 'Bytes Received',
 'bytes sent' => 'Bytes Sent',
@@ -1466,6 +1467,7 @@
 'ids ruleset autoupdate in progress' => 'Ruleset update in progress. Please wait until all operations have completed successfully...',
 'ids ruleset is up to date' => 'No update required - The ruleset is up to date.',
 'ids ruleset settings' => 'Ruleset Settings',
+'ids rulesets' => 'Rulesets',
 'ids show' => 'Show',
 'ids subscription code required' => 'The selected ruleset requires a subscription code',
 'ids the choosen provider is already in use' => 'The choosen provider is already in use.',
@@ -1625,6 +1627,7 @@
 'ipfire side is invalid' => 'IPFire side is invalid.',
 'ipfires hostname' => 'IPFire\'s Hostname',
 'ipinfo' => 'IP info',
+'ips throughput' => 'Throughput',
 'ipsec' => 'IPsec',
 'ipsec connection' => 'IPsec Connection',
 'ipsec dns server address is invalid' => 'Invalid DNS server IP address(es)',
@@ -1660,6 +1663,7 @@
 'languagepurpose' => 'Select the language you wish IPFire to display in:',
 'last' => 'Last',
 'last activity' => 'Last Activity',
+'last updated' => 'Last Updated',
 'lateprompting' => 'Lateprompting',
 'lease expires' => 'Lease expires',
 'least preferred' => 'least preferred',
@@ -2289,6 +2293,7 @@
 'save error' => 'Unable to save configuration archive file',
 'save settings' => 'Save settings',
 'save-adv-options' => 'Save advanced options',
+'scanned' => 'Scanned',
 'script name' => 'Script name:',
 'search' => 'Search',
 'secondary dns' => 'Secondary DNS:',
@@ -2573,6 +2578,7 @@
 'tor traffic read written' => 'Total traffic (read/written)',
 'tor use exit nodes' => 'Use only these exit nodes (one fingerprint per line)',
 'tor use guard nodes' => 'Use only these guard nodes (one fingerprint per line)',
+'total' => 'Total',
 'total connection time' => 'Total Connection Time',
 'total hits for log section' => 'Total hits for log section',
 'traffic back' => 'Back',
@@ -3020,6 +3026,8 @@
 'week-graph' => 'Week',
 'weekly firewallhits' => 'weekly firewallhits',
 'weeks' => 'Weeks',
+'wg' => 'WireGuard',
+'whitelisted' => 'Whitelisted',
 'whois results from' => 'WHOIS results from',
 'wildcards' => 'Wildcards',
 'winbind daemon' => 'Winbind Daemon',
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -132,5 +132,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	# Install converter script needed for Core Update 167
 	install -m 0755 $(DIR_SRC)/config/suricata/convert-ids-backend-files /usr/sbin/convert-ids-backend-files

+	# Install the watcher
+	install -v -m 755 $(DIR_SRC)/config/suricata/suricata-watcher /usr/bin/suricata-watcher
+
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
--- a/make.sh
+++ b/make.sh
@@ -2240,6 +2240,12 @@ check_rootfiles() {

 	print_headline "Checking for rootfile consistency..."

+	# Check for changes
+	if ! check_rootfiles_for_pattern "^[\+\-]" \
+			"Rootfiles have changed in them"; then
+		failed=1
+	fi
+
 	# Check for /etc/init.d
 	if ! check_rootfiles_for_pattern "^etc/init\.d/" \
 			"/etc/init.d/* has been found. Please replace by /etc/rc.d/init.d"; then
--- a/src/initscripts/networking/functions.network
+++ b/src/initscripts/networking/functions.network
@@ -54,6 +54,86 @@ bin2ip() {
 	echo "${address[*]}"
 }

+network_get_intfs() {
+	local zone="${1}"
+
+	case "${zone^^}" in
+		RED)
+			# For PPPoE, the RED interface is called ppp0 (unless we use QMI)
+			if [ "${RED_TYPE}" = "PPPOE" ] && [ "${RED_DRIVER}" != "qmi_wwan" ]; then
+				echo "ppp0"
+				return 0
+
+			# Otherwise we return RED_DEV
+			elif [ -n "${RED_DEV}" ]; then
+				echo "${RED_DEV}"
+				return 0
+			fi
+			;;
+
+		GREEN)
+			if [ -n "${GREEN_DEV}" ]; then
+				echo "${GREEN_DEV}"
+				return 0
+			fi
+			;;
+
+		ORANGE)
+			if [ -n "${ORANGE_DEV}" ]; then
+				echo "${ORANGE_DEV}"
+				return 0
+			fi
+			;;
+
+		BLUE)
+			if [ -n "${BLUE_DEV}" ]; then
+				echo "${BLUE_DEV}"
+				return 0
+			fi
+			;;
+
+		IPSEC)
+			local VARS=(
+				id status x1 x2 type x3 x4 x5 x6 x7 x8 x9 x10
+				x11 x12 x13 x14 x15 x16 x17 x18 x19 x20
+				x21 x22 x23 x24 x25 x26 x27 x28 x29 x30
+				x31 x32 x33 x34 interface_mode rest
+			)
+
+			while IFS="," read -r "${VARS[@]}"; do
+				# Check if the connection is enabled
+				[ "${status}" = "on" ] || continue
+
+				# Check if this a net-to-net connection
+				[ "${type}" = "net" ] || continue
+
+				# Determine the interface name
+				case "${interface_mode}" in
+					gre|vti)
+						echo "${interface_mode}${id}"
+						;;
+				esac
+			done < /var/ipfire/vpn/config
+
+			return 0
+			;;
+
+		WIREGUARD|WG)
+			echo "wg+"
+			return 0
+			;;
+
+		OPENVPN|OVPN)
+			# OpenVPN is using all tun devices
+			echo "tun+"
+			return 0
+			;;
+	esac
+
+	# Not found
+	return 1
+}
+
 network_get_address() {
 	local network="${1}"

--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -39,11 +39,6 @@ fi

 NAT_MASK="0x0f000000"

-IPS_REPEAT_MARK="0x80000000"
-IPS_REPEAT_MASK="0x80000000"
-IPS_BYPASS_MARK="0x40000000"
-IPS_BYPASS_MASK="0x40000000"
-
 IPSET_DB_DIR="/var/lib/location/ipset"

 SYNPROXY_OPTIONS=(
@@ -84,16 +79,6 @@ iptables_init() {
 	modprobe nf_log_ipv4
 	sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4

-	# IPS Bypass Chain which stores the BYPASS bit in connection tracking
-	iptables -N IPSBYPASS
-	iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))"
-
-	# Jump into bypass chain when the BYPASS bit is set
-	for chain in INPUT FORWARD OUTPUT; do
-		iptables -A "${chain}" -m mark \
-			--mark "$(( IPS_REPEAT_MARK | IPS_BYPASS_MARK ))/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j IPSBYPASS
-	done
-
 	# Empty LOG_DROP and LOG_REJECT chains
 	iptables -N LOG_DROP
 	iptables -A LOG_DROP   -m limit --limit 10/second -j LOG
@@ -175,7 +160,7 @@ iptables_init() {
 	iptables -A CTOUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT

 	# Restore any connection marks
-	iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
+	iptables -t mangle -A PREROUTING -m mark --mark 0 -j CONNMARK --restore-mark

 	# Fix for braindead ISPs
 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
@@ -236,15 +221,6 @@ iptables_init() {
 	iptables -A FORWARD -i tun+ -j OVPNBLOCK
 	iptables -A FORWARD -o tun+ -j OVPNBLOCK

-	# IPS (Suricata) chains
-	iptables -N IPS_INPUT
-	iptables -N IPS_FORWARD
-	iptables -N IPS_OUTPUT
-
-	for chain in INPUT FORWARD OUTPUT; do
-		iptables -A "${chain}" -m mark --mark "0x0/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j "IPS_${chain}"
-	done
-
 	# OpenVPN transfer network translation
 	iptables -t nat -N OVPNNAT
 	iptables -t nat -A POSTROUTING -j OVPNNAT
@@ -399,6 +375,22 @@ iptables_init() {
 			-m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}"
 	fi

+	# IPS (Suricata) chains
+	iptables -t mangle -N IPS
+	iptables -t mangle -N IPS_CLEAR
+	iptables -t mangle -N IPS_SCAN_IN
+	iptables -t mangle -N IPS_SCAN_OUT
+
+	iptables -t mangle -A INPUT   -j IPS_SCAN_IN
+	iptables -t mangle -A FORWARD -j IPS_SCAN_IN
+	iptables -t mangle -A FORWARD -j IPS_SCAN_OUT
+	iptables -t mangle -A OUTPUT  -j IPS_SCAN_OUT
+
+	for chain in INPUT FORWARD OUTPUT; do
+		iptables -t mangle -A "${chain}" -j IPS
+		iptables -t mangle -A "${chain}" -j IPS_CLEAR
+	done
+
 	# RED chain, used for the red interface
 	iptables -N REDINPUT
 	iptables -A INPUT -j REDINPUT
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -21,140 +21,150 @@

 . /etc/sysconfig/rc
 . ${rc_functions}
-
-PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
+. /etc/init.d/networking/functions.network

 eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
-eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)

-# Name of the firewall chains.
-IPS_INPUT_CHAIN="IPS_INPUT"
-IPS_FORWARD_CHAIN="IPS_FORWARD"
-IPS_OUTPUT_CHAIN="IPS_OUTPUT"
+IPS_REPEAT_MARK="0x80000000"
+IPS_REPEAT_MASK="0x80000000"
+
+# The IPS requested that this connection is being bypassed
+IPS_BYPASS_REQUESTED_MARK="0x40000000"
+IPS_BYPASS_REQUESTED_MASK="0x40000000"
+
+# Marks a connection to be bypassed
+IPS_BYPASS_MARK="0x20000000"
+IPS_BYPASS_MASK="0x20000000"
+
+# Set if we request to scan this packet
+IPS_SCAN_MARK="0x10000000"
+IPS_SCAN_MASK="0x10000000"
+
+# Set if a packet has been whitelisted
+IPS_WHITELISTED_MARK="0x08000000"
+IPS_WHITELISTED_MASK="0x08000000"
+
+# Supported network zones
+NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "IPSEC" "WG" "OVPN" )

 # Optional options for the Netfilter queue.
-NFQ_OPTS="--queue-bypass "
-
-# Array containing the 4 possible network zones.
-network_zones=( red green blue orange ovpn )
-
-# Array to store the network zones weather the IPS is enabled for.
-enabled_ips_zones=()
-
-# PID file of suricata.
-PID_FILE="/var/run/suricata.pid"
-
-# Function to get the amount of CPU cores of the system.
-function get_cpu_count {
-	CPUCOUNT=0
-
-	# Loop through "/proc/cpuinfo" and count the amount of CPU cores.
-	while read line; do
-		[ "$line" ] && [ -z "${line%processor*}" ]  && ((CPUCOUNT++))
-	done </proc/cpuinfo
-
-	# Limit to a maximum of 16 cores, because suricata does not support more than
-	# 16 netfilter queues at the moment.
-	if [ $CPUCOUNT -gt "16" ]; then
-		echo "16"
-	else
-		echo $CPUCOUNT
-	fi
-}
+NFQ_OPTS=(
+	"--queue-bypass"
+)

 # Function to flush the firewall chains.
-function flush_fw_chain {
-	# Call iptables and flush the chains
-	iptables -w -F "$IPS_INPUT_CHAIN"
-	iptables -w -F "$IPS_FORWARD_CHAIN"
-	iptables -w -F "$IPS_OUTPUT_CHAIN"
+flush_fw_chain() {
+	iptables -w -t mangle -F IPS
+	iptables -w -t mangle -F IPS_CLEAR
+	iptables -w -t mangle -F IPS_SCAN_IN
+	iptables -w -t mangle -F IPS_SCAN_OUT
 }

 # Function to create the firewall rules to pass the traffic to suricata.
-function generate_fw_rules {
-	cpu_count=$(get_cpu_count)
-
-	# Loop through the array of network zones.
-	for zone in "${network_zones[@]}"; do
-		# Convert zone into upper case.
-		zone_upper=${zone^^}
-
-		# Generate variable name for checking if the IDS is
-		# enabled on the zone.
-		enable_ids_zone="ENABLE_IDS_$zone_upper"
-
-		# Check if the IDS is enabled for this network zone.
-		if [ "${!enable_ids_zone}" == "on" ]; then
-			# Check if the current processed zone is "red" and the configured type is PPPoE dialin.
-			if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ] && [ "$RED_DRIVER" != "qmi_wwan" ]; then
-				# Set device name to ppp0.
-				network_device="ppp0"
-			elif [ "$zone" == "ovpn" ]; then
-				# Get all virtual net devices because the RW server and each
-				# N2N connection creates it's own tun device.
-				for virt_dev in /sys/devices/virtual/net/*; do
-					# Cut-off the directory.
-					dev="${virt_dev##*/}"
-
-					# Only process tun devices.
-					if [[ $dev =~ "tun" ]]; then
-						# Add the network device to the array of enabled zones.
-						enabled_ips_zones+=( "$dev" )
-					fi
-				done
-
-				# Process next zone.
-				continue
-			else
-				# Generate variable name which contains the device name.
-				zone_name="$zone_upper"
-				zone_name+="_DEV"
-
-				# Grab device name.
-				network_device=${!zone_name}
-			fi
-
-			# Add the network device to the array of enabled zones.
-			enabled_ips_zones+=( "$network_device" )
-		fi
-	done
-
+generate_fw_rules() {
 	# Assign NFQ_OPTS
-	NFQ_OPTIONS=$NFQ_OPTS
+	local NFQ_OPTIONS=( "${NFQ_OPTS[@]}" )
+
+	local cpu_count="$(getconf _NPROCESSORS_ONLN)"

 	# Check if there are multiple cpu cores available.
 	if [ "$cpu_count" -gt "1" ]; then
-		# Balance beetween all queues.
-		NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))"
-		NFQ_OPTIONS+=" --queue-cpu-fanout"
+		# Balance beetween all queues
+		NFQ_OPTIONS+=(
+			"--queue-balance" "0:$(($cpu_count-1))"
+			"--queue-cpu-fanout"
+		)
 	else
-		# Send all packets to queue 0.
-		NFQ_OPTIONS+="--queue-num 0"
+		# Send all packets to queue 0
+		NFQ_OPTIONS+=(
+			"--queue-num" "0"
+		)
 	fi

 	# Flush the firewall chains.
 	flush_fw_chain

-	# Check if the array of enabled_ips_zones contains any elements.
-	if [[ ${enabled_ips_zones[@]} ]]; then
-		# Loop through the array and create firewall rules.
-		for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
-			# Create rules queue input and output related traffic and pass it to the IPS.
-			iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
-			iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
+	# Don't process packets where the IPS has requested to bypass the stream
+	iptables -w -t mangle -A IPS \
+		-m comment --comment "BYPASSED" \
+		-m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" -j RETURN

-			# Create rules which are required to handle forwarded traffic.
-			for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
-				iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -j NFQUEUE $NFQ_OPTIONS
+	# If suricata decided to bypass a stream, we will store the mark in the connection tracking table
+	iptables -w -t mangle -A IPS \
+		-m mark --mark "$(( IPS_BYPASS_REQUESTED_MARK ))/$(( IPS_BYPASS_REQUESTED_MASK ))" \
+		-j CONNMARK --set-mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))"
+
+	# Don't process packets that have already been seen by the IPS
+	for chain in IPS IPS_SCAN_IN IPS_SCAN_OUT; do
+		iptables -w -t mangle -A "${chain}" \
+			-m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN
+	done
+
+	local zone
+	local status
+	local intf
+
+	# Mark packets for all zones that we want to scan
+	for zone in "${NETWORK_ZONES[@]}"; do
+		status="ENABLE_IDS_${zone}"
+
+		if [ "${!status}" = "on" ]; then
+			# Handle IPsec packets
+			case "${zone}" in
+				IPSEC)
+					iptables -w -t mangle -A IPS_SCAN_IN \
+						-m policy --pol ipsec --dir in -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+					iptables -w -t mangle -A IPS_SCAN_OUT \
+						-m policy --pol ipsec --dir out -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+					;;
+			esac
+
+			# Add interfaces
+			for intf in $(network_get_intfs "${zone}"); do
+				iptables -w -t mangle -A IPS_SCAN_IN \
+					-i "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+				iptables -w -t mangle -A IPS_SCAN_OUT \
+					-o "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
 			done
-		done
+		fi
+	done
+
+	# Don't keep processing packets we don't want to scan
+	iptables -w -t mangle -A IPS -m mark ! --mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))" -j RETURN
+
+	# Never send any whitelisted packets to the IPS
+	if [ -r "/var/ipfire/suricata/ignored" ]; then
+		local id network remark enabled rest
+
+		while IFS=',' read -r id network remark enabled rest; do
+			# Skip disabled entries
+			[ "${enabled}" = "enabled" ] || continue
+
+			iptables -w -t mangle -A IPS -s "${network}" -j MARK --set-mark "$(( IPS_WHITELISTED_MARK ))/$(( IPS_WHITELISTED_MASK ))"
+			iptables -w -t mangle -A IPS -d "${network}" -j MARK --set-mark "$(( IPS_WHITELISTED_MARK ))/$(( IPS_WHITELISTED_MASK ))"
+		done < "/var/ipfire/suricata/ignored"
 	fi
+
+	# Count and skip the whitelisted packets
+	iptables -w -t mangle -A IPS \
+		-m comment --comment "WHITELISTED" \
+		-m mark --mark "$(( IPS_WHITELISTED_MARK ))/$(( IPS_WHITELISTED_MASK ))" -j RETURN
+
+	# Send packets to suricata
+	iptables -w -t mangle -A IPS -m comment --comment "SCANNED" -j NFQUEUE "${NFQ_OPTIONS[@]}"
+
+	# Clear all bits again after packets have been sent to the IPS
+	# This is required so that encapsulated packets can't inherit any set bits here and won't be scanned.
+	iptables -w -t mangle -A IPS_CLEAR \
+			-j MARK --set-mark "0/$(( IPS_BYPASS_MASK | IPS_BYPASS_REQUESTED_MASK | IPS_REPEAT_MASK | IPS_SCAN_MASK ))"
+
+	return 0
 }

 case "$1" in
        start)
-		# Get amount of CPU cores.
-		cpu_count=$(get_cpu_count)
+		# Get amount of CPU cores
+		cpu_count="$(getconf _NPROCESSORS_ONLN)"

 		# Numer of NFQUES.
 		NFQUEUES="-q 0"
@@ -167,11 +177,7 @@ case "$1" in
 		if [ "$ENABLE_IDS" == "on" ]; then
 			# Start the IDS.
 			boot_mesg "Starting Intrusion Detection System..."
-			/usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES >/dev/null 2>/dev/null
-			evaluate_retval
-
-			# Allow reading the pidfile.
-			chmod 644 $PID_FILE
+			loadproc -b /usr/bin/suricata-watcher -c /etc/suricata/suricata.yaml $NFQUEUES

 			# Flush the firewall chain
 			flush_fw_chain
@@ -183,32 +189,24 @@ case "$1" in

        stop)
 		boot_mesg "Stopping Intrusion Detection System..."
-		killproc -p $PID_FILE /var/run
+		killproc -p /var/run/suricata.pid /usr/bin/suricata

 		# Flush firewall chain.
 		flush_fw_chain

-		# Sometimes suricata not correct shutdown. So killall.
-		killall -KILL /usr/bin/suricata 2>/dev/null
-
-		# Remove suricata control socket.
-		rm /var/run/suricata/* >/dev/null 2>/dev/null
-
-		# Trash remain pid file if still exists.
-		rm -f $PID_FILE >/dev/null 2>/dev/null
-
 		# Don't report returncode of rm if suricata was not started
 		exit 0
        ;;

        status)
-                statusproc /usr/bin/suricata
+                PIDFILE="/var/run/suricata.pid" statusproc /usr/bin/suricata
                ;;

        restart)
                $0 stop
                $0 start
                ;;
+
 	reload)
 		# Send SIGUSR2 to the suricata process to perform a reload
 		# of the ruleset.
@@ -226,5 +224,3 @@ case "$1" in
                exit 1
                ;;
 esac
-
-chmod 644 /var/log/suricata/* 2>/dev/null