capture: block IDS + IPS combination

In general, improve IPS setup error checking.

Ticket: #5588.

diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c
index 742d96855bb7b1ee8d7cd28003a91b1a69895be8..2521327ddfebb086f479c9f98320631a9fb92c97 100644 (file)
--- a/src/runmode-af-packet.c
+++ b/src/runmode-af-packet.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2011-2020 Open Information Security Foundation
+/* Copyright (C) 2011-2024 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
@@ -88,14 +88,14 @@ static int AFPRunModeIsIPS(void)
         const char *live_dev = LiveGetDeviceName(ldev);
         if (live_dev == NULL) {
             SCLogError("Problem with config file");
-            return 0;
+            return -1;
         }
         if_root = ConfFindDeviceConfig(af_packet_node, live_dev);
 
         if (if_root == NULL) {
             if (if_default == NULL) {
                 SCLogError("Problem with config file");
-                return 0;
+                return -1;
             }
             if_root = if_default;
         }
@@ -115,44 +115,22 @@ static int AFPRunModeIsIPS(void)
     }
 
     if (has_ids && has_ips) {
-        SCLogWarning("AF_PACKET using both IPS and TAP/IDS mode, this will not "
-                     "be allowed in Suricata 8 due to undefined behavior. See ticket #5588.");
-        for (ldev = 0; ldev < nlive; ldev++) {
-            const char *live_dev = LiveGetDeviceName(ldev);
-            if (live_dev == NULL) {
-                SCLogError("Problem with config file");
-                return 0;
-            }
-            if_root = ConfNodeLookupKeyValue(af_packet_node, "interface", live_dev);
-            const char *copymodestr = NULL;
-
-            if (if_root == NULL) {
-                if (if_default == NULL) {
-                    SCLogError("Problem with config file");
-                    return 0;
-                }
-                if_root = if_default;
-            }
-
-            if (!((ConfGetChildValueWithDefault(if_root, if_default, "copy-mode", &copymodestr) ==
-                          1) &&
-                        (strcmp(copymodestr, "ips") == 0))) {
-                SCLogError("AF_PACKET IPS mode used and interface '%s' is in IDS or TAP mode. "
-                           "Sniffing '%s' but expect bad result as stream-inline is activated.",
-                        live_dev, live_dev);
-            }
-        }
+        SCLogError("using both IPS and TAP/IDS mode is not allowed due to undefined behavior. See "
+                   "ticket #5588.");
+        return -1;
     }
 
     return has_ips;
 }
 
-static void AFPRunModeEnableIPS(void)
+static int AFPRunModeEnableIPS(void)
 {
-    if (AFPRunModeIsIPS()) {
+    int r = AFPRunModeIsIPS();
+    if (r == 1) {
         SCLogInfo("Setting IPS mode");
         EngineModeSetIPS();
     }
+    return r;
 }
 
 void RunModeIdsAFPRegister(void)

diff --git a/src/runmode-dpdk.c b/src/runmode-dpdk.c
index d5f9536d25806683423430560e80e4e5bf51fb8d..0e814cbec9c04561f0ead88c179c85ee99936c2e 100644 (file)
--- a/src/runmode-dpdk.c
+++ b/src/runmode-dpdk.c
@@ -1685,12 +1685,14 @@ static int DPDKRunModeIsIPS(void)
     return has_ips;
 }
 
-static void DPDKRunModeEnableIPS(void)
+static int DPDKRunModeEnableIPS(void)
 {
-    if (DPDKRunModeIsIPS()) {
+    int r = DPDKRunModeIsIPS();
+    if (r == 1) {
         SCLogInfo("Setting IPS mode");
         EngineModeSetIPS();
     }
+    return r;
 }
 
 const char *RunModeDpdkGetDefaultMode(void)

diff --git a/src/runmode-netmap.c b/src/runmode-netmap.c
index 947b381229d23c9c90190e11c77022f846ec0f87..bb91475d67ae689c4c63ac196a3bec222b113aaa 100644 (file)
--- a/src/runmode-netmap.c
+++ b/src/runmode-netmap.c
@@ -79,14 +79,14 @@ static int NetmapRunModeIsIPS(void)
         const char *live_dev = LiveGetDeviceName(ldev);
         if (live_dev == NULL) {
             SCLogError("Problem with config file");
-            return 0;
+            return -1;
         }
         if_root = ConfNodeLookupKeyValue(netmap_node, "interface", live_dev);
 
         if (if_root == NULL) {
             if (if_default == NULL) {
                 SCLogError("Problem with config file");
-                return 0;
+                return -1;
             }
             if_root = if_default;
         }
@@ -106,44 +106,22 @@ static int NetmapRunModeIsIPS(void)
     }
 
     if (has_ids && has_ips) {
-        SCLogWarning("Netmap using both IPS and TAP/IDS mode, this will not be "
-                     "allowed in Suricata 8 due to undefined behavior. See ticket #5588.");
-        for (ldev = 0; ldev < nlive; ldev++) {
-            const char *live_dev = LiveGetDeviceName(ldev);
-            if (live_dev == NULL) {
-                SCLogError("Problem with config file");
-                return 0;
-            }
-            if_root = ConfNodeLookupKeyValue(netmap_node, "interface", live_dev);
-            const char *copymodestr = NULL;
-
-            if (if_root == NULL) {
-                if (if_default == NULL) {
-                    SCLogError("Problem with config file");
-                    return 0;
-                }
-                if_root = if_default;
-            }
-
-            if (!((ConfGetChildValueWithDefault(if_root, if_default, "copy-mode", &copymodestr) ==
-                          1) &&
-                        (strcmp(copymodestr, "ips") == 0))) {
-                SCLogError("Netmap IPS mode used and interface '%s' is in IDS or TAP mode. "
-                           "Sniffing '%s' but expect bad result as stream-inline is activated.",
-                        live_dev, live_dev);
-            }
-        }
+        SCLogError("using both IPS and TAP/IDS mode is not allowed due to undefined behavior. See "
+                   "ticket #5588.");
+        return -1;
     }
 
     return has_ips;
 }
 
-static void NetmapRunModeEnableIPS(void)
+static int NetmapRunModeEnableIPS(void)
 {
-    if (NetmapRunModeIsIPS()) {
+    int r = NetmapRunModeIsIPS();
+    if (r == 1) {
         SCLogInfo("Netmap: Setting IPS mode");
         EngineModeSetIPS();
     }
+    return r;
 }
 
 void RunModeIdsNetmapRegister(void)

diff --git a/src/runmodes.c b/src/runmodes.c
index c6e5f77351d7152869526b8f9c41b8329e36df97..ee5d77957fbe54a189b9add76701f9ba7328e08a 100644 (file)
--- a/src/runmodes.c
+++ b/src/runmodes.c
@@ -98,7 +98,7 @@ typedef struct RunMode_ {
     const char *description;
     /* runmode function */
     int (*RunModeFunc)(void);
-    void (*RunModeIsIPSEnabled)(void);
+    int (*RunModeIsIPSEnabled)(void);
 } RunMode;
 
 typedef struct RunModes_ {
@@ -393,22 +393,23 @@ static const char *RunModeGetConfOrDefault(int capture_mode, const char *capture
     return custom_mode;
 }
 
-void RunModeEngineIsIPS(int capture_mode, const char *runmode, const char *capture_plugin_name)
+int RunModeEngineIsIPS(int capture_mode, const char *runmode, const char *capture_plugin_name)
 {
     if (runmode == NULL) {
         runmode = RunModeGetConfOrDefault(capture_mode, capture_plugin_name);
         if (runmode == NULL) // non-standard runmode
-            return;
+            return 0;
     }
 
     RunMode *mode = RunModeGetCustomMode(capture_mode, runmode);
     if (mode == NULL) {
-        return;
+        return 0;
     }
 
     if (mode->RunModeIsIPSEnabled != NULL) {
-        mode->RunModeIsIPSEnabled();
+        return mode->RunModeIsIPSEnabled();
     }
+    return 0;
 }
 
 /**
@@ -489,7 +490,7 @@ int RunModeNeedsBypassManager(void)
  * \param RunModeFunc The function to be run for this runmode.
  */
 void RunModeRegisterNewRunMode(enum RunModes runmode, const char *name, const char *description,
-        int (*RunModeFunc)(void), void (*RunModeIsIPSEnabled)(void))
+        int (*RunModeFunc)(void), int (*RunModeIsIPSEnabled)(void))
 {
     if (RunModeGetCustomMode(runmode, name) != NULL) {
         FatalError("runmode '%s' has already "

diff --git a/src/runmodes.h b/src/runmodes.h
index ee156db0c69147865818b45b6c96789ee2cb67ec..7d486121e7da11c4f8393e06dd14c4ee99a6d913 100644 (file)
--- a/src/runmodes.h
+++ b/src/runmodes.h
@@ -80,11 +80,11 @@ char *RunmodeGetActive(void);
 const char *RunModeGetMainMode(void);
 
 void RunModeListRunmodes(void);
-void RunModeEngineIsIPS(int capture_mode, const char *runmode, const char *capture_plugin_name);
+int RunModeEngineIsIPS(int capture_mode, const char *runmode, const char *capture_plugin_name);
 void RunModeDispatch(int, const char *, const char *capture_plugin_name, const char *capture_plugin_args);
 void RunModeRegisterRunModes(void);
 void RunModeRegisterNewRunMode(enum RunModes, const char *, const char *, int (*RunModeFunc)(void),
-        void (*RunModeIsIPSEnabled)(void));
+        int (*RunModeIsIPSEnabled)(void));
 void RunModeInitializeThreadSettings(void);
 void RunModeInitializeOutputs(void);
 void RunModeShutDown(void);

diff --git a/src/suricata.c b/src/suricata.c
index 4ea325f7a8212c0eb0883811565d8d37816316de..b1af2a5d6bdfcdcaa3fc15ff718dc02d731efe70 100644 (file)
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -2697,8 +2697,10 @@ int PostConfLoadedSetup(SCInstance *suri)
 
     LiveDeviceFinalize(); // must be after EBPF extension registration
 
-    RunModeEngineIsIPS(
-            suricata.run_mode, suricata.runmode_custom_mode, suricata.capture_plugin_name);
+    if (RunModeEngineIsIPS(suricata.run_mode, suricata.runmode_custom_mode,
+                suricata.capture_plugin_name) < 0) {
+        FatalError("IPS mode setup failed");
+    }
 
     if (EngineModeIsUnknown()) { // if still uninitialized, set the default
         SCLogInfo("Setting engine mode to IDS mode by default");