mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-12 04:05:53 +02:00
NFQUEUE does not let the packet continue where it was processed, but inserts it back into iptables at the start. That is why we need an extra IPSBYPASS chain which has the following tasks:

* Make the BYPASS bit permanent for the entire connection
* Clear the REPEAT bit

The latter is more of cosmetic nature so that we can identify packets that have come from suricata again and those which have bypassed the IPS straight away.

The IPS_* chain will now only be sent traffic to when none of the two relevant bits has been set. Otherwise the packet has already been processed by suricata in the first pass or suricata has decided to bypass the connection.

This massively reduces load on the IPS which allows many common connections (TLS connections with downloads) to bypass the IPS, bringing us back to line speed.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
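The two-pass flow the commit describes, modelled as an added example that is not IPFire code and not part of this commit: packet marks are integers, conntrack's connmark is a dict keyed by connection, and the IPS_* chain, NFQUEUE re-injection and IPSBYPASS chain are plain methods. The bit positions chosen for BYPASS and REPEAT, the connection names, and the chain ordering (gate the IPS_* chain on both bits first, then run IPSBYPASS on whatever already carries a bit) are assumptions made for the model, not values taken from the firewall ruleset.

```python
"""Model of the two-pass IPS flow described in the commit message.

Added illustration, not IPFire code. Marks are plain integers and the
conntrack mark (connmark) is a dict keyed by connection. The bit positions
below are assumed for the example and are not the values IPFire uses.
"""
from dataclasses import dataclass, field

BYPASS_BIT = 1 << 0   # assumed position of the BYPASS bit
REPEAT_BIT = 1 << 1   # assumed position of the REPEAT bit


@dataclass
class Packet:
    conn: str       # connection identifier, stand-in for the conntrack tuple
    mark: int = 0   # per-packet mark (skb->mark)


@dataclass
class Firewall:
    # Connections suricata decides to bypass; constructed policy for the model.
    bypass_decisions: set
    connmark: dict = field(default_factory=dict)   # saved mark per connection
    ips_hits: int = 0                              # packets handed to the IPS

    def restore_connmark(self, pkt):
        # Equivalent of -j CONNMARK --restore-mark: copy the connection's
        # saved BYPASS bit onto the packet.
        pkt.mark |= self.connmark.get(pkt.conn, 0)

    def ips_chain(self, pkt):
        # IPS_* chain ending in NFQUEUE: suricata inspects the packet, sets
        # REPEAT (and BYPASS if it decides to bypass the connection) and
        # re-injects it, which starts it again at the top of the ruleset.
        self.ips_hits += 1
        pkt.mark |= REPEAT_BIT
        if pkt.conn in self.bypass_decisions:
            pkt.mark |= BYPASS_BIT
        return self.process(pkt)

    def ipsbypass_chain(self, pkt):
        # Task 1: make the BYPASS bit permanent for the whole connection
        # (-j CONNMARK --save-mark restricted to the BYPASS bit).
        if pkt.mark & BYPASS_BIT:
            self.connmark[pkt.conn] = self.connmark.get(pkt.conn, 0) | BYPASS_BIT
        # Task 2: clear the REPEAT bit (-j MARK --set-xmark 0/REPEAT), so a
        # packet that came back from suricata leaves with a clean mark.
        pkt.mark &= ~REPEAT_BIT

    def process(self, pkt):
        self.restore_connmark(pkt)
        # The IPS_* chain is only entered when neither bit is set.
        if not pkt.mark & (BYPASS_BIT | REPEAT_BIT):
            return self.ips_chain(pkt)
        # Otherwise the packet came back from suricata or belongs to a
        # bypassed connection: run IPSBYPASS and let it continue normally.
        self.ipsbypass_chain(pkt)
        return "accept"


def run_scenario():
    """Constructed traffic: suricata bypasses 'tls-download', keeps inspecting 'dns'."""
    fw = Firewall(bypass_decisions={"tls-download"})
    hits, final_marks = [], []
    for conn in ["tls-download", "tls-download", "tls-download", "dns", "dns"]:
        pkt = Packet(conn)
        fw.process(pkt)
        hits.append(fw.ips_hits)
        final_marks.append(pkt.mark)
    return {
        "ips_hits_after_each_packet": hits,   # only the first TLS packet hits the IPS
        "final_marks": final_marks,           # BYPASS stays, REPEAT is cleared
        "connmark": dict(fw.connmark),        # BYPASS saved for the TLS connection only
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running it shows the effect the commit is after: the first packet of the TLS connection is the only one that reaches the IPS, every later packet of that connection is accepted on the restored connmark alone, while each DNS packet (not bypassed) still takes the full NFQUEUE round trip and leaves with a zero mark because IPSBYPASS cleared REPEAT.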