From: Eric L. <er...@in...> - 2008-12-02 09:54:52
Hi,

snort-inline can be difficult to use because it is necessary to put the NFQUEUE rule in PREROUTING to get all the packets. In the case where we only want to analyse what is on FORWARD, there is no easy way to do this. The following patchset fixes this.

By issuing a NF_REPEAT verdict and a little trick on mark, we can use a simple ruleset. Let's say we can reserve a bit in the mark for the reinjection process (we take value 1 for convenience). Then to send all traffic to snort-inline, we can just add at the top of the ruleset:

    iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE

When a packet reaches the FORWARD chain, it matches the first rule and is sent to snort-inline. Instead of accepting the packet, snort-inline reinjects it into the FORWARD chain, but changes the mark first. Thus, the packet does not match this rule and lives its life in the standard Netfilter ruleset.

The cost of the modification is light as it just adds a single rule check when the packet is reinjected.

BR,
--
Eric Leblond <er...@in...>
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
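The FORWARD traversal described in the mail, as an added model (not code from snort-inline or the original post): it encodes the `-m mark ! --mark 1/1` match, the NF_REPEAT re-entry with the mark bit set, and the failure mode where a handler repeats without changing the mark. The rules below the NFQUEUE rule, the addresses and the loop guard are constructed for the example.

```python
# Constructed model of the FORWARD traversal described in the mail; it is
# an added example, not code from snort-inline or the original post.
from dataclasses import dataclass

NF_DROP, NF_ACCEPT, NF_REPEAT = 0, 1, 4   # verdict values from linux/netfilter.h
REINJECT_BIT = 0x1                         # mark bit reserved for reinjection

@dataclass
class Packet:
    src: str
    dst: str
    mark: int = 0
    traversals: int = 0

def mark_match(mark, value, mask, negate=False):
    """Semantics of `-m mark [!] --mark value/mask`: compare (mark & mask) to value."""
    hit = (mark & mask) == value
    return not hit if negate else hit

# Stand-in for "the standard Netfilter ruleset" below the NFQUEUE rule
# (constructed: drop forwarding to 192.0.2.9, accept everything else).
REST_OF_FORWARD = [
    (lambda p: p.dst == "192.0.2.9", NF_DROP),
    (lambda p: True, NF_ACCEPT),
]

def forward_chain(pkt, queue_handler, max_passes=8):
    """Traverse `-I FORWARD -m mark ! --mark 1/1 -j NFQUEUE` + REST_OF_FORWARD.
    queue_handler(pkt) plays snort-inline and returns (verdict, new_mark).
    NF_REPEAT re-enters the chain from the top with the new mark; NF_ACCEPT
    from the queue ends this hook's traversal, so the rest of the chain is
    not seen (which is why the mail reinjects instead of accepting)."""
    while pkt.traversals < max_passes:
        pkt.traversals += 1
        if mark_match(pkt.mark, REINJECT_BIT, REINJECT_BIT, negate=True):
            verdict, new_mark = queue_handler(pkt)
            if verdict == NF_REPEAT:
                pkt.mark = new_mark
                continue
            return verdict
        for matches, verdict in REST_OF_FORWARD:
            if matches(pkt):
                return verdict
    return "LOOP"   # handler kept repeating without setting the mark bit

def reinjecting_handler(pkt):
    return NF_REPEAT, pkt.mark | REINJECT_BIT   # the mark "trick" from the mail

def forgetful_handler(pkt):
    return NF_REPEAT, pkt.mark                  # bug: same mark, matches again
```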