suricata: Enable scanning IPsec packets

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-09 10:35:53 +02:00 · 2024-09-24 10:33:22 +02:00
parent e5da7dea66
commit d99826dc71
2 changed files with 39 additions and 2 deletions
--- a/src/initscripts/networking/functions.network
+++ b/src/initscripts/networking/functions.network
@@ -57,7 +57,7 @@ bin2ip() {
 network_get_intfs() {
 	local zone="${1}"

-	case "${zone}" in
+	case "${zone^^}" in
 		RED)
 			# For PPPoE, the RED interface is called ppp0 (unless we use QMI)
 			if [ "${RED_TYPE}" = "PPPOE" ] && [ "${RED_DRIVER}" != "qmi_wwan" ]; then
@@ -92,6 +92,32 @@ network_get_intfs() {
 			fi
 			;;

+		IPSEC)
+			local VARS=(
+				id status x1 x2 type x3 x4 x5 x6 x7 x8 x9 x10
+				x11 x12 x13 x14 x15 x16 x17 x18 x19 x20
+				x21 x22 x23 x24 x25 x26 x27 x28 x29 x30
+				x31 x32 x33 x34 interface_mode rest
+			)
+
+			while IFS="," read -r "${VARS[@]}"; do
+				# Check if the connection is enabled
+				[ "${status}" = "on" ] || continue
+
+				# Check if this a net-to-net connection
+				[ "${type}" = "net" ] || continue
+
+				# Determine the interface name
+				case "${interface_mode}" in
+					gre|vti)
+						echo "${interface_mode}${id}"
+						;;
+				esac
+			done < /var/ipfire/vpn/config
+
+			return 0
+			;;
+
 		WIREGUARD|WG)
 			echo "wg+"
 			return 0
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -45,7 +45,7 @@ IPS_WHITELISTED_MARK="0x08000000"
 IPS_WHITELISTED_MASK="0x08000000"

 # Supported network zones
-NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "WG" "OVPN" )
+NETWORK_ZONES=( "RED" "GREEN" "ORANGE" "BLUE" "IPSEC" "WG" "OVPN" )

 # Optional options for the Netfilter queue.
 NFQ_OPTS=(
@@ -109,6 +109,17 @@ generate_fw_rules() {
 		status="ENABLE_IDS_${zone}"

 		if [ "${!status}" = "on" ]; then
+			# Handle IPsec packets
+			case "${zone}" in
+				IPSEC)
+					iptables -w -t mangle -A IPS_SCAN_IN \
+						-m policy --pol ipsec --dir in -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+					iptables -w -t mangle -A IPS_SCAN_OUT \
+						-m policy --pol ipsec --dir out -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
+					;;
+			esac
+
+			# Add interfaces
 			for intf in $(network_get_intfs "${zone}"); do
 				iptables -w -t mangle -A IPS_SCAN_IN \
 					-i "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"