detect: issue drop to root packet in all cases
authorVictor Julien <vjulien@oisf.net>
Thu, 13 Oct 2022 14:34:50 +0000 (16:34 +0200)
committerVictor Julien <vjulien@oisf.net>
Wed, 19 Oct 2022 21:03:24 +0000 (23:03 +0200)
Update DROP action handling in tunnel packets. The DROP/REJECT action is set
on both the outer (root) and the inner packet.

Check action flags both against outer (root) and inner packet.

Remove PACKET_SET_ACTION macro. Replace with RESET for the one reset usecase.
The reason to remove is to make the logic easier to understand.

Reduce scope of RESET macros.

Rename PacketTestAction to PacketCheckAction except in unittests. Keep
PacketTestAction as a wrapper around PacketCheckAction. This makes it
easier to trace the action handling in the real code.

Fix rate_filter setting actions directly.

General code cleanups.

Bug: #5571.

18 files changed:
src/action-globals.h
src/decode.c
src/decode.h
src/detect-engine-alert.c
src/detect-engine-threshold.c
src/detect.c
src/output-json-alert.c
src/output-json-drop.c
src/packet.c
src/respond-reject.c
src/source-af-packet.c
src/source-dpdk.c
src/source-ipfw.c
src/source-napatech.c
src/source-netmap.c
src/source-nfq.c
src/source-windivert.c
src/util-exception-policy.c

index 65c6544946b5996086a560fb677718b53ef6e196..b63086f668d31cd03170a918313a7650ef58abde 100644 (file)
@@ -36,4 +36,6 @@
 
 #define ACTION_REJECT_ANY   (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)
 
+#define ACTION_DROP_REJECT (ACTION_REJECT_ANY | ACTION_DROP)
+
 #endif /* __ACTION_GLOBALS_H__ */
index f25d26b1a2e20fbe20589c792792949990a9d832..c6a7574be5d56669cae151371d04dbab1097f9b5 100644 (file)
@@ -805,6 +805,8 @@ const char *PacketDropReasonToString(enum PacketDropReason r)
             return "threshold detection_filter";
         case PKT_DROP_REASON_NFQ_ERROR:
             return "nfq error";
+        case PKT_DROP_REASON_INNER_PACKET:
+            return "tunnel packet drop";
         case PKT_DROP_REASON_NOT_SET:
             return NULL;
     }
@@ -814,9 +816,9 @@ const char *PacketDropReasonToString(enum PacketDropReason r)
 /* TODO drop reason stats! */
 void CaptureStatsUpdate(ThreadVars *tv, CaptureStats *s, const Packet *p)
 {
-    if (unlikely(PacketTestAction(p, (ACTION_REJECT | ACTION_REJECT_DST | ACTION_REJECT_BOTH)))) {
+    if (unlikely(PacketCheckAction(p, ACTION_REJECT_ANY))) {
         StatsIncr(tv, s->counter_ips_rejected);
-    } else if (unlikely(PacketTestAction(p, ACTION_DROP))) {
+    } else if (unlikely(PacketCheckAction(p, ACTION_DROP))) {
         StatsIncr(tv, s->counter_ips_blocked);
     } else if (unlikely(p->flags & PKT_STREAM_MODIFIED)) {
         StatsIncr(tv, s->counter_ips_replaced);
index 888f634f26da2809dc8a265b2350a04c5c6192a8..b340a6024f858b0766edba81d59ea140633da58e 100644 (file)
@@ -154,15 +154,6 @@ typedef struct Address_ {
         (a)->addr_data32[3] = 0;                                  \
     } while (0)
 
-/* clear the address structure by setting all fields to 0 */
-#define CLEAR_ADDR(a) do {       \
-        (a)->family = 0;         \
-        (a)->addr_data32[0] = 0; \
-        (a)->addr_data32[1] = 0; \
-        (a)->addr_data32[2] = 0; \
-        (a)->addr_data32[3] = 0; \
-    } while (0)
-
 /* Set the IPv6 addresses into the Addrs of the Packet.
  * Make sure p->ip6h is initialized and validated. */
 #define SET_IPV6_SRC_ADDR(p, a) do {                    \
@@ -223,7 +214,6 @@ typedef struct Address_ {
 #define GET_TCP_SRC_PORT(p)  ((p)->sp)
 #define GET_TCP_DST_PORT(p)  ((p)->dp)
 
-#define RESET_PKT_LEN(p)           ((p)->pktlen = 0)
 #define GET_PKT_LEN(p) ((p)->pktlen)
 #define GET_PKT_DATA(p) ((((p)->ext_pkt) == NULL ) ? (uint8_t *)((p) + 1) : (p)->ext_pkt)
 #define GET_PKT_DIRECT_DATA(p) (uint8_t *)((p) + 1)
@@ -410,7 +400,8 @@ enum PacketDropReason {
     PKT_DROP_REASON_STREAM_ERROR,
     PKT_DROP_REASON_STREAM_MEMCAP,
     PKT_DROP_REASON_STREAM_MIDSTREAM,
-    PKT_DROP_REASON_NFQ_ERROR, /**< no nfq verdict, must be error */
+    PKT_DROP_REASON_NFQ_ERROR,    /**< no nfq verdict, must be error */
+    PKT_DROP_REASON_INNER_PACKET, /**< drop issued by inner (tunnel) packet */
 };
 
 /* forward declaration since Packet struct definition requires this */
@@ -778,58 +769,45 @@ void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s);
         }                                           \
     } while(0)
 
-/* macro's for setting the action
- * handle the case of a root packet
- * for tunnels */
+/** \brief issue drop action
+ *
+ *  Set drop (+reject) flags in both current and root packet.
+ *
+ *  \param action action bit flags. Must be limited to ACTION_DROP_REJECT
+ */
+static inline void PacketDrop(Packet *p, const uint8_t action, enum PacketDropReason r)
+{
+    BUG_ON((action & ~ACTION_DROP_REJECT) != 0);
 
-#define PACKET_SET_ACTION(p, a) (p)->action = (a)
+    if (p->drop_reason == PKT_DROP_REASON_NOT_SET)
+        p->drop_reason = (uint8_t)r;
 
-static inline void PacketSetAction(Packet *p, const uint8_t a)
-{
-    if (likely(p->root == NULL)) {
-        PACKET_SET_ACTION(p, a);
-    } else {
-        PACKET_SET_ACTION(p->root, a);
+    if (p->root) {
+        p->root->action |= action;
+        if (p->root->drop_reason == PKT_DROP_REASON_NOT_SET) {
+            p->root->drop_reason = PKT_DROP_REASON_INNER_PACKET;
+        }
     }
+    p->action |= action;
 }
 
-#define PACKET_ALERT(p) PACKET_SET_ACTION(p, ACTION_ALERT)
-
-#define PACKET_ACCEPT(p) PACKET_SET_ACTION(p, ACTION_ACCEPT)
-
-#define PACKET_TEST_ACTION(p, a) (p)->action &(a)
-
-#define PACKET_UPDATE_ACTION(p, a) (p)->action |= (a)
-static inline void PacketUpdateAction(Packet *p, const uint8_t a)
+static inline uint8_t PacketCheckAction(const Packet *p, const uint8_t a)
 {
     if (likely(p->root == NULL)) {
-        PACKET_UPDATE_ACTION(p, a);
+        return (p->action & a) != 0;
     } else {
-        PACKET_UPDATE_ACTION(p->root, a);
+        /* check against both */
+        const uint8_t actions = p->action | p->root->action;
+        return (actions & a) != 0;
     }
 }
 
-static inline void PacketDrop(Packet *p, const uint8_t action, enum PacketDropReason r)
-{
-    if (p->drop_reason == PKT_DROP_REASON_NOT_SET)
-        p->drop_reason = (uint8_t)r;
-
-    PACKET_UPDATE_ACTION(p, action);
-}
-
-static inline void PacketPass(Packet *p)
-{
-    PACKET_SET_ACTION(p, ACTION_PASS);
-}
-
+#ifdef UNITTESTS
 static inline uint8_t PacketTestAction(const Packet *p, const uint8_t a)
 {
-    if (likely(p->root == NULL)) {
-        return PACKET_TEST_ACTION(p, a);
-    } else {
-        return PACKET_TEST_ACTION(p->root, a);
-    }
+    return PacketCheckAction(p, a);
 }
+#endif
 
 #define TUNNEL_INCR_PKT_RTV_NOLOCK(p) do {                                          \
         ((p)->root ? (p)->root->tunnel_rtv_cnt++ : (p)->tunnel_rtv_cnt++);          \
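Review bot: PacketCheckAction is added without a doc comment even though its contract differs from the PacketTestAction it replaces: it returns 0 or 1 rather than the masked bits, and for a packet with a root it tests `p->action | p->root->action`. Because PacketDrop also sets the flags on the root, a drop raised by one inner packet is reported for every other packet sharing that root, which the verdict and detection callers should rely on deliberately. I would add `/** \brief check action flags; for tunnel packets true if set on either the packet or its root. Returns 0 or 1. */` above it. The write to `p->root->action` has no lock visible in this hunk while the neighbouring macro is named `TUNNEL_INCR_PKT_RTV_NOLOCK`, so it is worth confirming whether root state can be touched from another thread at this point.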
index 1738b0fe5ee3bf162f4ed1d6d0ad255c65047d28..7cce2a70da53f02a57da12af8272810aacc0f84b 100644 (file)
@@ -178,33 +178,46 @@ static inline void RuleActionToFlow(const uint8_t action, Flow *f)
 }
 
 /** \brief Apply action(s) and Set 'drop' sig info,
- *         if applicable */
-static void PacketApplySignatureActions(Packet *p, const Signature *s, const uint8_t alert_flags)
+ *         if applicable
+ *  \param p packet
+ *  \param s signature -- for id, sig pointer, not actions
+ *  \param pa packet alert struct -- match, including actions after thresholding (rate_filter) */
+static void PacketApplySignatureActions(Packet *p, const Signature *s, const PacketAlert *pa)
 {
     SCLogDebug("packet %" PRIu64 " sid %u action %02x alert_flags %02x", p->pcap_cnt, s->id,
-            s->action, alert_flags);
+            pa->action, pa->flags);
 
     /* REJECT also sets ACTION_DROP, just make it more visible with this check */
-    if (s->action & (ACTION_DROP | ACTION_REJECT_ANY)) {
+    if (pa->action & ACTION_DROP_REJECT) {
         /* PacketDrop will update the packet action, too */
-        PacketDrop(p, s->action, PKT_DROP_REASON_RULES);
+        PacketDrop(p, pa->action,
+                (pa->flags & PACKET_ALERT_RATE_FILTER_MODIFIED) ? PKT_DROP_REASON_RULES_THRESHOLD
+                                                                : PKT_DROP_REASON_RULES);
+        SCLogDebug("[packet %p][DROP sid %u]", p, s->id);
 
         if (p->alerts.drop.action == 0) {
             p->alerts.drop.num = s->num;
-            p->alerts.drop.action = s->action;
+            p->alerts.drop.action = pa->action;
             p->alerts.drop.s = (Signature *)s;
         }
-        if ((p->flow != NULL) && (alert_flags & PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW)) {
-            RuleActionToFlow(s->action, p->flow);
+        if ((p->flow != NULL) && (pa->flags & PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW)) {
+            RuleActionToFlow(pa->action, p->flow);
         }
 
-        DEBUG_VALIDATE_BUG_ON(!PacketTestAction(p, ACTION_DROP));
+        DEBUG_VALIDATE_BUG_ON(!PacketCheckAction(p, ACTION_DROP));
     } else {
-        PacketUpdateAction(p, s->action);
+        if (pa->action & ACTION_PASS) {
+            SCLogDebug("[packet %p][PASS sid %u]", p, s->id);
+            // nothing to set in the packet
+        } else if (pa->action & (ACTION_ALERT | ACTION_CONFIG)) {
+            // nothing to set in the packet
+        } else {
+            DEBUG_VALIDATE_BUG_ON(1); // should be unreachable
+        }
 
-        if ((s->action & ACTION_PASS) && (p->flow != NULL) &&
-                (alert_flags & PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW)) {
-            RuleActionToFlow(s->action, p->flow);
+        if ((pa->action & ACTION_PASS) && (p->flow != NULL) &&
+                (pa->flags & PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW)) {
+            RuleActionToFlow(pa->action, p->flow);
         }
     }
 }
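Review bot: The call `PacketDrop(p, pa->action, ...)` passes the whole alert action, but the guard above it only checks that at least one ACTION_DROP_REJECT bit is set, while PacketDrop as added earlier in this commit does `BUG_ON((action & ~ACTION_DROP_REJECT) != 0)`. If a PacketAlert action can ever combine drop or reject with another bit (not visible from this hunk), the engine would abort in the detection path instead of dropping the packet. Masking at the call site, `PacketDrop(p, pa->action & ACTION_DROP_REJECT, ...)`, keeps the assertion useful for other callers; otherwise a comment stating that drop/reject actions never carry other bits would document the invariant. The debug format string also still labels its last field `alert_flags` although it now prints `pa->flags`.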
@@ -357,9 +370,9 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
     uint16_t max_pos = det_ctx->alert_queue_size;
 
     while (i < max_pos) {
-        const Signature *s = de_ctx->sig_array[det_ctx->alert_queue[i].num];
-        int res = PacketAlertHandle(de_ctx, det_ctx, s, p, &det_ctx->alert_queue[i]);
-
+        PacketAlert *pa = &det_ctx->alert_queue[i];
+        const Signature *s = de_ctx->sig_array[pa->num];
+        int res = PacketAlertHandle(de_ctx, det_ctx, s, p, pa);
         if (res > 0) {
             /* Now, if we have an alert, we have to check if we want
              * to tag this session or src/dst host */
@@ -378,11 +391,13 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
             }
 
             /* set actions on the flow */
-            FlowApplySignatureActions(
-                    p, &det_ctx->alert_queue[i], s, det_ctx->alert_queue[i].flags);
+            FlowApplySignatureActions(p, pa, s, pa->flags);
+
+            SCLogDebug("det_ctx->alert_queue[i].action %02x (DROP %s, PASS %s)", pa->action,
+                    BOOL2STR(pa->action & ACTION_DROP), BOOL2STR(pa->action & ACTION_PASS));
 
             /* set actions on packet */
-            PacketApplySignatureActions(p, s, det_ctx->alert_queue[i].flags);
+            PacketApplySignatureActions(p, s, pa);
         }
 
         /* Thresholding removes this alert */
@@ -390,12 +405,11 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
             /* we will not copy this to the AlertQueue */
             p->alerts.suppressed++;
         } else if (p->alerts.cnt < packet_alert_max) {
-            p->alerts.alerts[p->alerts.cnt] = det_ctx->alert_queue[i];
+            p->alerts.alerts[p->alerts.cnt] = *pa;
             SCLogDebug("Appending sid %" PRIu32 " alert to Packet::alerts at pos %u", s->id, i);
 
-            if (PacketTestAction(p, ACTION_PASS)) {
-                /* Ok, reset the alert cnt to end in the previous of pass
-                 * so we ignore the rest with less prio */
+            /* pass "alert" found, we're done */
+            if (pa->action & ACTION_PASS) {
                 break;
             }
             p->alerts.cnt++;
index 771cbb10b110c70e31414f49b2afdf5f5c6f8479..3952ecc2cd4bde0471001c88d26a53b1036eb8dc 100644 (file)
@@ -295,20 +295,20 @@ static inline void RateFilterSetAction(Packet *p, PacketAlert *pa, uint8_t new_a
 {
     switch (new_action) {
         case TH_ACTION_ALERT:
-            PACKET_ALERT(p);
             pa->flags |= PACKET_ALERT_RATE_FILTER_MODIFIED;
+            pa->action = ACTION_ALERT;
             break;
         case TH_ACTION_DROP:
-            PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_RULES_THRESHOLD);
             pa->flags |= PACKET_ALERT_RATE_FILTER_MODIFIED;
+            pa->action = ACTION_DROP;
             break;
         case TH_ACTION_REJECT:
-            PacketDrop(p, (ACTION_REJECT | ACTION_DROP), PKT_DROP_REASON_RULES_THRESHOLD);
             pa->flags |= PACKET_ALERT_RATE_FILTER_MODIFIED;
+            pa->action = (ACTION_REJECT | ACTION_DROP);
             break;
         case TH_ACTION_PASS:
-            PacketPass(p);
             pa->flags |= PACKET_ALERT_RATE_FILTER_MODIFIED;
+            pa->action = ACTION_PASS;
             break;
         default:
             /* Weird, leave the default action */
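Review bot: RateFilterSetAction no longer applies the drop itself and only records it in `pa->action`, so the packet is dropped only if PacketApplySignatureActions runs later, and in PacketAlertFinalize that call sits inside `if (res > 0)`. Before this change the TH_ACTION_DROP and TH_ACTION_REJECT cases called PacketDrop directly, regardless of what the threshold code returned. If PacketAlertHandle can return 0 or less for an alert whose rate_filter action was just changed to drop (not visible here), that packet would now pass. A comment on the function such as `/* only records the new action in pa; it is applied to the packet by PacketApplySignatureActions */`, plus a unit test for the rate_filter drop path, would pin this down. The function body continues past the end of the hunk.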
index 6b6699ca6a559808ac2272eb50b42e99eccb2f0a..4741eeba7daf08bbe6fa2d24c1fb5e7652489e0c 100644 (file)
@@ -1697,7 +1697,7 @@ static void DetectNoFlow(ThreadVars *tv,
                          Packet *p)
 {
     /* No need to perform any detection on this packet, if the the given flag is set.*/
-    if ((p->flags & PKT_NOPACKET_INSPECTION) || (PacketTestAction(p, ACTION_DROP))) {
+    if ((p->flags & PKT_NOPACKET_INSPECTION) || (PacketCheckAction(p, ACTION_DROP))) {
         return;
     }
 
index cab6518671fde0a6cf73eb6d68a1ceaeecb6e742..a6e40e3a4a0295b75a27454e7ce52a950c9cc5fc 100644 (file)
@@ -348,7 +348,7 @@ void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, JsonBuil
     const char *action = "allowed";
     /* use packet action if rate_filter modified the action */
     if (unlikely(pa->flags & PACKET_ALERT_RATE_FILTER_MODIFIED)) {
-        if (PacketTestAction(
+        if (PacketCheckAction(
                     p, (ACTION_DROP | ACTION_REJECT | ACTION_REJECT_DST | ACTION_REJECT_BOTH))) {
             action = "blocked";
         }
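Review bot: The mask passed to PacketCheckAction here, `(ACTION_DROP | ACTION_REJECT | ACTION_REJECT_DST | ACTION_REJECT_BOTH)`, is the same set as the ACTION_DROP_REJECT macro this commit introduces. Writing `PacketCheckAction(p, ACTION_DROP_REJECT)` would be shorter and stay in sync if the reject variants change. The comment above the branch says the packet action is used when rate_filter modified the action; since rate_filter now stores its result in `pa->action`, it is worth checking whether the alert's own action is the better source for this log field. AlertJsonHeader continues outside the hunk.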
index 97596a7da3c5d5928aaa3f4d24b87d6ac48d522c..84e465c0244a68c05e65c101e5f2af54189f3812 100644 (file)
@@ -354,7 +354,7 @@ static int JsonDropLogCondition(ThreadVars *tv, void *data, const Packet *p)
             ret = TRUE;
 
         return ret;
-    } else if (PacketTestAction(p, ACTION_DROP)) {
+    } else if (PacketCheckAction(p, ACTION_DROP)) {
         return TRUE;
     }
 
index b419b5dc115aea632202e9339362b02898193af3..6a4af426b27abb5fb0b6c1ce10693fc7cd1cd60c 100644 (file)
@@ -44,6 +44,16 @@ void PacketReleaseRefs(Packet *p)
  */
 void PacketReinit(Packet *p)
 {
+/* clear the address structure by setting all fields to 0 */
+#define CLEAR_ADDR(a)                                                                              \
+    do {                                                                                           \
+        (a)->family = 0;                                                                           \
+        (a)->addr_data32[0] = 0;                                                                   \
+        (a)->addr_data32[1] = 0;                                                                   \
+        (a)->addr_data32[2] = 0;                                                                   \
+        (a)->addr_data32[3] = 0;                                                                   \
+    } while (0)
+
     CLEAR_ADDR(&p->src);
     CLEAR_ADDR(&p->dst);
     p->sp = 0;
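Review bot: Defining CLEAR_ADDR inside PacketReinit does not limit its scope, because a `#define` stays in effect for the rest of the translation unit regardless of the enclosing braces. The same applies to PACKET_RESET_ACTION and RESET_PKT_LEN in the next two hunks. If the intent is to reduce scope as the commit message says, add `#undef CLEAR_ADDR` after the last use (and likewise for the other two), or turn them into `static inline` helpers. PacketReinit's body continues past the end of this hunk.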
@@ -61,7 +71,8 @@ void PacketReinit(Packet *p)
     p->ts.tv_usec = 0;
     p->datalink = 0;
     p->drop_reason = 0;
-    PACKET_SET_ACTION(p, 0);
+#define PACKET_RESET_ACTION(p) (p)->action = 0
+    PACKET_RESET_ACTION(p);
     if (p->pktvar != NULL) {
         PktVarFree(p->pktvar);
         p->pktvar = NULL;
@@ -98,6 +109,7 @@ void PacketReinit(Packet *p)
     p->payload = NULL;
     p->payload_len = 0;
     p->BypassPacketsFlow = NULL;
+#define RESET_PKT_LEN(p) ((p)->pktlen = 0)
     RESET_PKT_LEN(p);
     p->alerts.cnt = 0;
     p->alerts.discarded = 0;
index 8b19e277db9e24345785d77ca4382f9eabf9f813..da7b1911262b4c3b1c45610197967f83b3998fb0 100644 (file)
@@ -64,7 +64,7 @@ static TmEcode RespondRejectThreadDeinit(ThreadVars *tv, void *data)
 static TmEcode RespondRejectFunc(ThreadVars *tv, Packet *p, void *data)
 {
     /* ACTION_REJECT defaults to rejecting the SRC */
-    if (likely(PacketTestAction(p, ACTION_REJECT_ANY) == 0)) {
+    if (likely(PacketCheckAction(p, ACTION_REJECT_ANY) == 0)) {
         return TM_ECODE_OK;
     }
 
@@ -92,13 +92,13 @@ static TmEcode RespondRejectFunc(ThreadVars *tv, Packet *p, void *data)
 int RejectSendIPv4TCP(ThreadVars *tv, Packet *p, void *data)
 {
     SCEnter();
-    if (PacketTestAction(p, ACTION_REJECT)) {
+    if (PacketCheckAction(p, ACTION_REJECT)) {
         int r = RejectSendLibnet11IPv4TCP(tv, p, data, REJECT_DIR_SRC);
         SCReturnInt(r);
-    } else if (PacketTestAction(p, ACTION_REJECT_DST)) {
+    } else if (PacketCheckAction(p, ACTION_REJECT_DST)) {
         int r = RejectSendLibnet11IPv4TCP(tv, p, data, REJECT_DIR_DST);
         SCReturnInt(r);
-    } else if (PacketTestAction(p, ACTION_REJECT_BOTH)) {
+    } else if (PacketCheckAction(p, ACTION_REJECT_BOTH)) {
         int r = RejectSendLibnet11IPv4TCP(tv, p, data, REJECT_DIR_SRC);
         r |= RejectSendLibnet11IPv4TCP(tv, p, data, REJECT_DIR_DST);
         SCReturnInt(r);
@@ -109,13 +109,13 @@ int RejectSendIPv4TCP(ThreadVars *tv, Packet *p, void *data)
 int RejectSendIPv4ICMP(ThreadVars *tv, Packet *p, void *data)
 {
     SCEnter();
-    if (PacketTestAction(p, ACTION_REJECT)) {
+    if (PacketCheckAction(p, ACTION_REJECT)) {
         int r = RejectSendLibnet11IPv4ICMP(tv, p, data, REJECT_DIR_SRC);
         SCReturnInt(r);
-    } else if (PacketTestAction(p, ACTION_REJECT_DST)) {
+    } else if (PacketCheckAction(p, ACTION_REJECT_DST)) {
         int r = RejectSendLibnet11IPv4ICMP(tv, p, data, REJECT_DIR_DST);
         SCReturnInt(r);
-    } else if (PacketTestAction(p, ACTION_REJECT_BOTH)) {
+    } else if (PacketCheckAction(p, ACTION_REJECT_BOTH)) {
         int r = RejectSendLibnet11IPv4ICMP(tv, p, data, REJECT_DIR_SRC);
         r |= RejectSendLibnet11IPv4ICMP(tv, p, data, REJECT_DIR_DST);
         SCReturnInt(r);
@@ -126,13 +126,13 @@ int RejectSendIPv4ICMP(ThreadVars *tv, Packet *p, void *data)
 int RejectSendIPv6TCP(ThreadVars *tv, Packet *p, void *data)
 {
     SCEnter();
-    if (PacketTestAction(p, ACTION_REJECT)) {
+    if (PacketCheckAction(p, ACTION_REJECT)) {
         int r = RejectSendLibnet11IPv6TCP(tv, p, data, REJECT_DIR_SRC);
         SCReturnInt(r);
-    } else if (PacketTestAction(p, ACTION_REJECT_DST)) {
+    } else if (PacketCheckAction(p, ACTION_REJECT_DST)) {
         int r = RejectSendLibnet11IPv6TCP(tv, p, data, REJECT_DIR_DST);
         SCReturnInt(r);
-    } else if (PacketTestAction(p, ACTION_REJECT_BOTH)) {
+    } else if (PacketCheckAction(p, ACTION_REJECT_BOTH)) {
         int r = RejectSendLibnet11IPv6TCP(tv, p, data, REJECT_DIR_SRC);
         r |= RejectSendLibnet11IPv6TCP(tv, p, data, REJECT_DIR_DST);
         SCReturnInt(r);
@@ -143,13 +143,13 @@ int RejectSendIPv6TCP(ThreadVars *tv, Packet *p, void *data)
 int RejectSendIPv6ICMP(ThreadVars *tv, Packet *p, void *data)
 {
     SCEnter();
-    if (PacketTestAction(p, ACTION_REJECT)) {
+    if (PacketCheckAction(p, ACTION_REJECT)) {
         int r = RejectSendLibnet11IPv6ICMP(tv, p, data, REJECT_DIR_SRC);
         SCReturnInt(r);
-    } else if (PacketTestAction(p, ACTION_REJECT_DST)) {
+    } else if (PacketCheckAction(p, ACTION_REJECT_DST)) {
         int r = RejectSendLibnet11IPv6ICMP(tv, p, data, REJECT_DIR_DST);
         SCReturnInt(r);
-    } else if (PacketTestAction(p, ACTION_REJECT_BOTH)) {
+    } else if (PacketCheckAction(p, ACTION_REJECT_BOTH)) {
         int r = RejectSendLibnet11IPv6ICMP(tv, p, data, REJECT_DIR_SRC);
         r |= RejectSendLibnet11IPv6ICMP(tv, p, data, REJECT_DIR_DST);
         SCReturnInt(r);
index dfa9f8e5422f8f10bb5fd7db7ddae4913553343f..029059ec9bb484433a94946aab661657c6149eee 100644 (file)
@@ -649,7 +649,7 @@ static void AFPWritePacket(Packet *p, int version)
     int socket;
 
     if (p->afp_v.copy_mode == AFP_COPY_MODE_IPS) {
-        if (PacketTestAction(p, ACTION_DROP)) {
+        if (PacketCheckAction(p, ACTION_DROP)) {
             return;
         }
     }
index 97b938d7e06b11438058619bc3c134f4167f10e4..43f26655dcc1503c449a50b9cde83393010ff108 100644 (file)
@@ -301,7 +301,7 @@ static void DPDKReleasePacket(Packet *p)
        When enabling promiscuous mode on Intel cards, 2 ICMPv6 packets are generated.
        These get into the infinite cycle between the NIC and the switch in some cases */
     if ((p->dpdk_v.copy_mode == DPDK_COPY_MODE_TAP ||
-                (p->dpdk_v.copy_mode == DPDK_COPY_MODE_IPS && !PacketTestAction(p, ACTION_DROP)))
+                (p->dpdk_v.copy_mode == DPDK_COPY_MODE_IPS && !PacketCheckAction(p, ACTION_DROP)))
 #if defined(RTE_LIBRTE_I40E_PMD) || defined(RTE_LIBRTE_IXGBE_PMD) || defined(RTE_LIBRTE_ICE_PMD)
             && !(PKT_IS_ICMPV6(p) && p->icmpv6h->type == 143)
 #endif
index 58f8c446f4a450ef15df850b908edf5939023d42..20c65b2c8b1ef461e683ac4904d77e505d1af92d 100644 (file)
@@ -528,7 +528,7 @@ TmEcode IPFWSetVerdict(ThreadVars *tv, IPFWThreadVars *ptv, Packet *p)
     IPFWpoll.events = POLLWRNORM;
 #endif
 
-    if (PacketTestAction(p, ACTION_DROP)) {
+    if (PacketCheckAction(p, ACTION_DROP)) {
         verdict = IPFW_DROP;
     } else {
         verdict = IPFW_ACCEPT;
index 6ac232b6dde9dcfe577b58f29e0787141cf5ccef..9f4df9fa0a6d4fbd8b9b904361a47b2bb44763b3 100644 (file)
@@ -583,7 +583,7 @@ static int ProgramFlow(Packet *p, int is_inline)
     flow_match.gfi = 1; /* Generate FlowInfo records */
     flow_match.tau = 1; /* tcp automatic unlearn */
 
-    if (PacketTestAction(p, ACTION_DROP)) {
+    if (PacketCheckAction(p, ACTION_DROP)) {
         flow_match.keySetId = NAPATECH_FLOWTYPE_DROP;
     } else {
         if (is_inline) {
@@ -685,7 +685,7 @@ static void NapatechReleasePacket(struct Packet_ *p)
      * before releasing the Napatech buffer back to NTService.
      */
 #ifdef NAPATECH_ENABLE_BYPASS
-    if (is_inline && PacketTestAction(p, ACTION_DROP)) {
+    if (is_inline && PacketCheckAction(p, ACTION_DROP)) {
         p->ntpv.dyn3->wireLength = 0;
     }
 
index 2cfea7aee614be644001bf30647232d7dc8bb2f3..0c5920feff02e7b63cbf97701a07eaa1c18c4b37 100644 (file)
@@ -604,7 +604,7 @@ error:
 static TmEcode NetmapWritePacket(NetmapThreadVars *ntv, Packet *p)
 {
     if (ntv->copy_mode == NETMAP_COPY_MODE_IPS) {
-        if (PacketTestAction(p, ACTION_DROP)) {
+        if (PacketCheckAction(p, ACTION_DROP)) {
             return TM_ECODE_OK;
         }
     }
index 9172eef150675214d2dede661eed9fb9272fc1f9..a3d2566fcf5e27d218ec9eb0af5f9d30a355c986 100644 (file)
@@ -1039,7 +1039,7 @@ static inline uint32_t GetVerdict(const Packet *p)
 {
     uint32_t verdict = NF_ACCEPT;
 
-    if (PacketTestAction(p, ACTION_DROP)) {
+    if (PacketCheckAction(p, ACTION_DROP)) {
         verdict = NF_DROP;
     } else {
         switch (nfq_config.mode) {
@@ -1061,7 +1061,7 @@ static inline uint32_t GetVerdict(const Packet *p)
 #ifdef COUNTERS
 static inline void UpdateCounters(NFQQueueVars *t, const Packet *p)
 {
-    if (PacketTestAction(p, ACTION_DROP)) {
+    if (PacketCheckAction(p, ACTION_DROP)) {
         t->dropped++;
     } else {
         if (p->flags & PKT_STREAM_MODIFIED) {
index edd0d7753b12ee861f944feb99edce028828f69f..6f6253728ec5f5ee16ccdd1041eb4abe9759862d 100644 (file)
@@ -789,7 +789,7 @@ static TmEcode WinDivertVerdictHelper(ThreadVars *tv, Packet *p)
 
     /* DROP simply means we do nothing; the WinDivert driver does the rest.
      */
-    if (PacketTestAction(p, ACTION_DROP)) {
+    if (PacketCheckAction(p, ACTION_DROP)) {
 #ifdef COUNTERS
         SCMutexLock(&wd_qv->counters_mutex);
         wd_qv->dropped++;
index 577cba3b40184d9b8cef5ed82a227b29638ca1cb..68763faeb44300f7984cc8c94e1a321c113300be 100644 (file)
@@ -65,7 +65,6 @@ void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDro
                 SCLogDebug("EXCEPTION_POLICY_PASS_PACKET");
                 DecodeSetNoPayloadInspectionFlag(p);
                 DecodeSetNoPacketInspectionFlag(p);
-                PacketPass(p);
                 break;
         }
     }