return (g_engine_mode == ENGINE_MODE_UNKNOWN);
}
+bool EngineModeIsFirewall(void)
+{
+ DEBUG_VALIDATE_BUG_ON(g_engine_mode == ENGINE_MODE_UNKNOWN);
+ return (g_engine_mode == ENGINE_MODE_FIREWALL);
+}
+
+/* this returns true for firewall mode as well */
int EngineModeIsIPS(void)
{
DEBUG_VALIDATE_BUG_ON(g_engine_mode == ENGINE_MODE_UNKNOWN);
- return (g_engine_mode == ENGINE_MODE_IPS);
+ return (g_engine_mode >= ENGINE_MODE_IPS);
}
int EngineModeIsIDS(void)
return (g_engine_mode == ENGINE_MODE_IDS);
}
+void EngineModeSetFirewall(void)
+{
+ g_engine_mode = ENGINE_MODE_FIREWALL;
+}
+
void EngineModeSetIPS(void)
{
g_engine_mode = ENGINE_MODE_IPS;
printf("\t--fatal-unittests : enable fatal failure on unittest error\n");
printf("\t--unittests-coverage : display unittest coverage report\n");
#endif /* UNITTESTS */
+ printf("\t--firewall : enable firewall mode\n");
printf("\t--firewall-rules-exclusive=<path> : path to firewall rule file loaded "
"exclusively\n");
printf("\t--list-app-layer-protos : list supported app layer protocols\n");
int conf_test = 0;
int engine_analysis = 0;
int ret = TM_ECODE_OK;
+ int is_firewall = 0;
#ifdef UNITTESTS
coverage_unittests = 0;
{"qa-skip-prefilter", 0, &g_skip_prefilter, 1 },
+ {"firewall", 0, &is_firewall, 1 },
{"firewall-rules-exclusive", required_argument, 0, 0},
{"include", required_argument, 0, 0},
}
suri->firewall_rule_file = optarg;
suri->firewall_rule_file_exclusive = true;
+ suri->is_firewall = true;
} else {
int r = ExceptionSimulationCommandLineParser(
(long_opts[option_index]).name, optarg);
}
}
+ if (is_firewall) {
+ suri->is_firewall = true;
+ }
+
if (suri->disabled_detect && (suri->sig_file != NULL || suri->firewall_rule_file != NULL)) {
SCLogError("can't use -s/-S or --firewall-rules-exclusive when detection is disabled");
return TM_ECODE_FAILED;
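Review bot: The detection-disabled guard right after the new `if (is_firewall)` block still only looks at `suri->sig_file` and `suri->firewall_rule_file`, so `--disable-detection --firewall` passes this check with `suri->is_firewall` set, and going by the PostConfLoadedSetup hunk the engine is then switched to firewall mode with no detection engine to apply firewall rules. Extend the guard to `if (suri->disabled_detect && (suri->sig_file != NULL || suri->firewall_rule_file != NULL || suri->is_firewall))` and name `--firewall` in the error text as well. The enclosing option-parsing function starts and ends outside the hunk.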
*/
int PostConfLoadedSetup(SCInstance *suri)
{
+ int cnf_firewall_enabled = 0;
+ if (SCConfGetBool("firewall.enabled", &cnf_firewall_enabled) == 1) {
+ if (cnf_firewall_enabled == 1) {
+ suri->is_firewall = true;
+ } else {
+ if (suri->is_firewall) {
+ FatalError("firewall mode enabled through commandline, but disabled in config");
+ }
+ }
+ }
+ if (suri->is_firewall) {
+ SCLogWarning("firewall mode is EXPERIMENTAL and subject to change");
+ EngineModeSetFirewall();
+ }
+
/* load the pattern matchers */
MpmTableSetup();
SpmTableSetup();
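Review bot: `EngineModeSetFirewall()` at the end of the new block assigns the mode unconditionally, and `EngineModeSetIPS()` does the same (its body is visible in the engine-mode hunk), so whichever of the IDS/IPS capture-mode selection and this call runs last wins; where that selection runs relative to PostConfLoadedSetup is not visible here, and if it runs later it would silently downgrade firewall mode to plain IPS or IDS and `EngineModeIsFirewall()` would return false for a user who asked for it. Either order this call after that selection or make the setters refuse to overwrite `ENGINE_MODE_FIREWALL`, and document the chosen ordering on `EngineModeSetFirewall`. The conflict check only fires when the config explicitly carries `firewall.enabled: no`; an absent key keeps the commandline value, which is fine but deserves a comment on the `SCConfGetBool` branch, e.g. `/* key absent: keep whatever the commandline selected */`. PostConfLoadedSetup continues past the hunk.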
enum EngineMode {
ENGINE_MODE_UNKNOWN,
ENGINE_MODE_IDS,
+ /* order matters, we need to be able to do IPS is true for >= ENGINE_MODE_IPS */
ENGINE_MODE_IPS,
+ ENGINE_MODE_FIREWALL,
};
+/* superset of IPS mode */
+void EngineModeSetFirewall(void);
void EngineModeSetIPS(void);
void EngineModeSetIDS(void);
int EngineModeIsUnknown(void);
+bool EngineModeIsFirewall(void);
int EngineModeIsIPS(void);
int EngineModeIsIDS(void);
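Review bot: `bool EngineModeIsFirewall(void);` departs from the return-type convention of its siblings `EngineModeIsUnknown`, `EngineModeIsIPS` and `EngineModeIsIDS`, which all return `int` (the definition in the engine-mode hunk has the same mismatch); either declare it `int EngineModeIsFirewall(void);` or convert the whole family in one change. The `>=` comparison that `EngineModeIsIPS()` now depends on is protected only by the comment above `ENGINE_MODE_IPS`; a compile-time check next to the enum, e.g. `_Static_assert(ENGINE_MODE_FIREWALL > ENGINE_MODE_IPS, "firewall mode must sort after IPS");` if the project builds as C11 or later, would stop a future reorder from silently making `EngineModeIsIPS()` false in firewall mode. The `/* superset of IPS mode */` comment above `EngineModeSetFirewall` would be clearer as `/* firewall mode implies IPS: EngineModeIsIPS() is also true in this mode */`.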
char *regex_arg;
char *firewall_rule_file;
bool firewall_rule_file_exclusive;
+ /* is firewall mode enabled */
+ bool is_firewall;
char *keyword_info;
char *runmode_custom_mode;