Member

@gsanchietti gsanchietti commented Jan 29, 2026

Changes:

  • Unify logic: having 2 different bypass types can lead to wrong config
  • Allow home net configuration

Fixes #1422
Implements #1381

@gsanchietti gsanchietti self-assigned this Jan 29, 2026
@gsanchietti gsanchietti changed the title from "fix(snort): merge bypass logic" to "Snort: new bypass and allow home net configuration" Jan 29, 2026
@gsanchietti gsanchietti marked this pull request as ready for review January 30, 2026 10:33
Collaborator

@Tbaile Tbaile left a comment

Even checked that an update to the latest version won't give us too many conflicts. Greenlighting it

Member

@filippocarletti filippocarletti left a comment

The migration of the bypasses doesn’t work:

  • before
snort.nfq.bypass_dst_v4='192.168.122.2,'
snort.nfq.bypass_src_v4='192.168.122.2,' '192.168.122.3,'
  • after
snort.nfq.bypass_v4='192.168.122.2, 192.168.122.3,'

root@NethSec:~# nft list table inet snort
table inet snort {
	set bypass_v4 {
		type ipv4_addr
		flags interval
		elements = { 192.168.122.2 }
	}

And the UI shows only one bypass with 192.168.122.3 in the description.

Unify logic: having 2 different bypass types
can lead to wrong config

The migration takes care of the following aspects:
- merge dst and src bypass for both ipv4 and ipv6
- make sure to preserve descriptions with spaces
- prevent bypass duplication based on IP (description
  of a duplicate is lost)

Allow users to specify and change the Snort home net:
in some scenarios it could be useful also to add VPN networks
@gsanchietti
Member Author

Major changes:

  • rewritten the migration logic because it didn't take care of bypasses with spaces inside the description
  • improved the API to avoid sending useless data

See also the related changes to the UI: NethServer/nethsecurity-ui#683
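
The merge rules listed in the commit message above (combine src and dst, keep descriptions with spaces, deduplicate by IP), as an added Python example that is not the project's migration code. It assumes each list item has the form address,description, as in the values quoted in the review; split_item, merge_bypass and the choice to keep the first description seen are hypothetical.

```python
import ipaddress


def split_item(item):
    """Split one list item into (address, description) at the first comma.

    Assumed item format: "<address>,<description>". Only the first comma
    separates the fields, so spaces and commas in the description survive.
    """
    addr, _, desc = item.partition(",")
    return addr.strip(), desc


def merge_bypass(src_items, dst_items):
    """Merge source and destination bypass lists of one address family.

    The result is a list with one item per address, never one joined string.
    On a duplicate address the first description seen is kept (assumption)
    and the later one is lost.
    """
    merged = {}
    for item in [*src_items, *dst_items]:
        addr, desc = split_item(item)
        try:
            # Normalise so "10.0.0.5" and "10.0.0.5/32" count as one entry.
            key = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            # A malformed address is not carried over: it must not end up
            # exempting traffic from inspection.
            continue
        merged.setdefault(key, f"{addr},{desc}")
    return list(merged.values())


# Values quoted in the review comment (state before migration).
SRC_V4 = ["192.168.122.2,", "192.168.122.3,"]
DST_V4 = ["192.168.122.2,"]

if __name__ == "__main__":
    print(merge_bypass(SRC_V4, DST_V4))
    # A single flattened string is parsed as one entry, not two:
    print(split_item("192.168.122.2, 192.168.122.3,"))
```

Under the assumed format, the flattened value from the review parses as a single entry with address 192.168.122.2 and the second address inside the description, which is consistent with the nft set and UI symptom reported there.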

@gsanchietti gsanchietti merged commit efb5c1a into main Feb 4, 2026
2 checks passed
@gsanchietti gsanchietti deleted the issue1381 branch February 4, 2026 12:54

Development

Successfully merging this pull request may close these issues.

  • Snort: home_net configuration does not get updated
  • Unify Snort host bypass: one entry for both directions (source and destination)