afpacket/netmap: warn about mixed ips, ids/tap deprecation

Suricata already logs if AF_PACKET or Netmap are running in a mixed IPS
and IDS/TAP mode.  As the behavior is undefined when these modes are
mixed, it is best to deprecate and to not allow this behavior. For now
warn that it will be unsupported and fail in Suricata 8.

Ticket: 5587

diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c
index f2500d3d3b0cb0934fc8245c340ee714fdc5249b..006e0a4cc065dfc605c8de353a21e3c2946f74bb 100644 (file)
--- a/src/runmode-af-packet.c
+++ b/src/runmode-af-packet.c
@@ -738,7 +738,9 @@ int AFPRunModeIsIPS()
     }
 
     if (has_ids && has_ips) {
-        SCLogInfo("AF_PACKET mode using IPS and IDS mode");
+        SCLogWarning(SC_ERR_INVALID_ARGUMENT,
+                "AF_PACKET using both IPS and TAP/IDS mode, this will not "
+                "be allowed in Suricata 8 due to undefined behavior. See ticket #5588.");
         for (ldev = 0; ldev < nlive; ldev++) {
             const char *live_dev = LiveGetDeviceName(ldev);
             if (live_dev == NULL) {

diff --git a/src/runmode-netmap.c b/src/runmode-netmap.c
index 5aa4128c88c4decd0fb564ef1c04633bf6eb4355..a4f22b7c400b3f4a43e2d2afe7ae38553310b7e7 100644 (file)
--- a/src/runmode-netmap.c
+++ b/src/runmode-netmap.c
@@ -373,7 +373,9 @@ int NetmapRunModeIsIPS()
     }
 
     if (has_ids && has_ips) {
-        SCLogInfo("Netmap mode using IPS and IDS mode");
+        SCLogWarning(SC_ERR_INVALID_ARGUMENT,
+                "Netmap using both IPS and TAP/IDS mode, this will not be "
+                "allowed in Suricata 8 due to undefined behavior. See ticket #5588.");
         for (ldev = 0; ldev < nlive; ldev++) {
             const char *live_dev = LiveGetDeviceName(ldev);
             if (live_dev == NULL) {