git.ipfire.org Git - thirdparty/suricata.git/commitdiff
doc/csum: Stream checksum validation change 12499/head
author Jeff Lucovsky <jlucovsky@oisf.net>
Tue, 21 Jan 2025 14:21:24 +0000 (09:21 -0500)
committer Victor Julien <victor@inliniac.net>
Tue, 28 Jan 2025 21:34:30 +0000 (22:34 +0100)
Describe the change of behavior between the stream.checksum-validation
setting and checksum-based rule keywords.

doc/userguide/upgrade.rst

index 4bf74b65284dffa858c4ff55243079b9c6c19b23..f5df98100fbac2f9508d2bb236d8cbfca5eb056a 100644 (file)
@@ -82,6 +82,13 @@ Major changes
 - Unknown requirements in the ``requires`` keyword will now be treated
   as unmet requirements, causing the rule to not be loaded. See
   :ref:`keyword_requires`.
+- The configuration setting controlling stream checksum checks no longer affects
+  checksum keyword validation. In Suricata 7.0, when ``stream.checksum-validation``
+  was set to ``no``, the checksum keywords (e.g., ``ipv4-csum``, ``tcpv4-csum``, etc)
+  will always consider it valid; e.g., ``tcpv4-csum: invalid`` will never match. In
+  Suricata 8.0, ``stream.checksum-validation`` no longer affects the checksum rule keywords.
+  E.g., ``ipv4-csum: valid`` will only match if the check sum is valid, even when engine
+  checksum validations are disabled.
 
 Removals
 ~~~~~~~~
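
Review bot: The second sentence of the new bullet ("In Suricata 7.0, when ``stream.checksum-validation`` was set to ``no``, the checksum keywords ... will always consider it valid") mixes past and future tense and uses "it" with no antecedent, so the 7.0 behaviour is hard to parse. Suggest something like: "In Suricata 7.0, when ``stream.checksum-validation`` was set to ``no``, the checksum keywords (e.g., ``ipv4-csum``, ``tcpv4-csum``) always treated the checksum as valid, so ``tcpv4-csum: invalid`` never matched." In the same bullet, "e.g." followed by "etc" is redundant, "check sum" in the last sentence should be "checksum", and "engine checksum validations" would be clearer if it named ``stream.checksum-validation`` again. The preceding bullet ends with a ``:ref:`` to its keyword documentation; a similar cross-reference to the checksum keyword docs would help here. Because a rule such as ``tcpv4-csum: invalid`` that never matched under 7.0 with validation disabled can now match, a short sentence advising users to review rules that use these keywords when upgrading would also be worth adding.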