conf: deprecate multiple "include" statements at same level

The YAML spec considers duplicate keys to be an error, as do some YAML
implementations, most notably Rust's serde_yaml which would be nice to
use in the future.

Multiple include lines at the same level will still work, but a warning
will be emitted.

These can be fixed by moving to an "include" array:

include:
  - file1.yaml
  - file2.yaml

Ticket: #5939

diff --git a/src/conf-yaml-loader.c b/src/conf-yaml-loader.c
index 57b793aa69a5d2caad99f099418f6ef3c2c8a0ff..cef10ec88f07c178c1d9760ce6e5e7c0633fb31a 100644 (file)
--- a/src/conf-yaml-loader.c
+++ b/src/conf-yaml-loader.c
@@ -175,6 +175,7 @@ static int ConfYamlParse(yaml_parser_t *parser, ConfNode *parent, int inseq, int
     int seq_idx = 0;
     int retval = 0;
     int was_empty = -1;
+    int include_count = 0;
 
     if (rlevel++ > RECURSION_LIMIT) {
         SCLogError("Recursion limit reached while parsing "
@@ -298,6 +299,12 @@ static int ConfYamlParse(yaml_parser_t *parser, ConfNode *parent, int inseq, int
 
                     if (strcmp(value, "include") == 0) {
                         state = CONF_INCLUDE;
+                        if (++include_count > 1) {
+                            SCLogWarning("Multipline \"include\" fields at the same level are "
+                                         "deprecated and will not work in Suricata 8, please move "
+                                         "to an array of include files: line: %zu",
+                                    parser->mark.line);
+                        }
                         goto next;
                     }