Pull request #3311: Multiple Reject actions on a packet.
authorMike Stepanek (mstepane) <mstepane@cisco.com>
Tue, 22 Mar 2022 14:32:47 +0000 (14:32 +0000)
committerMike Stepanek (mstepane) <mstepane@cisco.com>
Tue, 22 Mar 2022 14:32:47 +0000 (14:32 +0000)
Merge in SNORT/snort3 from ~OSHUMEIK/snort3:ra_fix to master

Squashed commit of the following:

commit a066f83ec7ed7efa8afa691a9873e8e25f5ec782
Author: Oleksii Shumeiko <oshumeik@cisco.com>
Date:   Fri Mar 18 12:13:08 2022 +0200

    packet_io: fix active action so the first reset occurred takes effect

commit 2aadec1c5b6a77d4ba32929fb0456001af9438f6
Author: Oleksii Shumeiko <oshumeik@cisco.com>
Date:   Thu Mar 17 13:40:02 2022 +0200

    actions: set a delayed action on Reject IPS Action hit

commit 2296f7947952811a1a23044272388651249f85d4
Author: Oleksii Shumeiko <oshumeik@cisco.com>
Date:   Wed Mar 16 19:14:10 2022 +0200

    framework: bump API

commit 10b0c6a86ea416466d50ec4df7c9f72e77d8ed99
Author: Oleksii Shumeiko <oshumeik@cisco.com>
Date:   Wed Mar 16 18:51:55 2022 +0200

    actions: revert bf62a22d43bb2d15b7425c5ec3e3118ead470e8d

src/actions/act_reject.cc
src/framework/base_api.h
src/packet_io/active.cc
src/packet_io/active.h

index c888ed6ec4c697ee603ef61f5dba4cf2dd2caa41..6e1f78873436ca4ff2f61dca63eeffa6c90aaae8 100644 (file)
@@ -170,11 +170,13 @@ RejectAction::RejectAction(uint32_t f) : IpsAction(s_name, &rej_act_action) , re
 
 void RejectAction::exec(Packet* p, const OptTreeNode* otn)
 {
-    p->active->update_reset_status(p, false);
+    p->active->set_delayed_action(Active::ACT_RESET, get_active_action());
+    p->active->set_drop_reason("ips");
+    p->active->reset_again();
+    p->active->update_status(p);
+
     if ( otn )
         Actions::alert(p, otn);
-
-    p->active->reset_session(p, get_active_action(), false, true);
 }
 
 //-------------------------------------------------------------------------
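Review bot: The four calls added at the top of `RejectAction::exec` depend on their order and carry no comment, so this hunk does not show what sets the packet's action to reset before `update_status(p)` runs. The removed `update_reset_status` assigned `active_action = ACT_RESET` explicitly; presumably `reset_again()` now does that, but its body is not shown here. A short comment would help, for example `// queue the reject as a delayed action (first Reject on the packet wins), then mark the verdict as reset`. Also, `set_drop_reason("ips")` now runs on every Reject hit, and whether it preserves a drop reason recorded earlier for the same packet is not visible from this hunk.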
index 3897ae0b0b2c963c11c063b91a1e97c91d39f280..b3d21230f5681b26020ca719b92f66c5287476ab 100644 (file)
@@ -29,7 +29,7 @@
 
 // this is the current version of the base api
 // must be prefixed to subtype version
-#define BASE_API_VERSION 11
+#define BASE_API_VERSION 12
 
 // set options to API_OPTIONS to ensure compatibility
 #ifndef API_OPTIONS
index 2ccdc609454b8dcd77025168f21ddc47f5e0cb5c..4ab8a33403438f58470381ce9e713c4508767850 100644 (file)
@@ -679,16 +679,10 @@ void Active::reset_session(Packet* p, bool force)
     reset_session(p, &default_reset, force);
 }
 
-void Active::update_reset_status(Packet* p, bool force)
+void Active::reset_session(Packet* p, ActiveAction* reject, bool force)
 {
     active_action = ACT_RESET;
     update_status(p, force);
-}
-
-void Active::reset_session(Packet* p, ActiveAction* reject, bool force, bool skip_update_status)
-{
-    if ( !skip_update_status )
-        update_reset_status(p, force);
 
     if ( force or (p->context->conf->inline_mode() and SFDAQ::forwarding_packet(p->pkth)) )
         Stream::drop_flow(p);
@@ -719,8 +713,9 @@ void Active::set_delayed_action(ActiveActionType action, bool force)
 void Active::set_delayed_action(ActiveActionType action, ActiveAction* act, bool force)
 {
     delayed_active_action = action;
-    assert(delayed_reject == nullptr);
-    delayed_reject = act;
+
+    if (delayed_reject == nullptr)
+        delayed_reject = act;
 
     if ( force )
         active_status = AST_FORCE;
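Review bot: `delayed_active_action = action` is still overwritten on every call while `delayed_reject` now keeps only the first non-null value, so after two calls the stored action type and the stored reject object can come from different callers. If a later call with a different `action` can follow a Reject on the same packet (not visible from this hunk), the delayed response would pair the first rule's `ActiveAction` with the later type. Either guard both assignments with the same condition or state the intent in a comment such as `// first reject queued for this packet wins; later ones are ignored`. Replacing the `assert` also means a second `act` is dropped silently; a debug trace there would help when diagnosing which rule's reject was applied. The function continues past the end of the hunk.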
index 7d2e379016501540920dfa7ba1c386179648dda1..403ee8ac58c2ce4797fe3312ef238aacbae0ea60 100644 (file)
@@ -117,6 +117,8 @@ public:
     const char* get_action_string() const
     { return act_str[active_action][active_status]; }
 
+    void update_status(const Packet*, bool force = false);
+
     void drop_packet(const Packet*, bool force = false);
     void daq_drop_packet(const Packet*);
     bool retry_packet(const Packet*);
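Review bot: `update_status` is moved into the public section of `Active` without a comment describing when code outside the class may call it. With the default `force = false` it is now callable by any code holding an `Active`, and in `RejectAction::exec` it is called only after `reset_again()`, which suggests an ordering requirement. A one-line comment above the declaration would document that contract, for example `// refresh the status for the action already set on this packet; call after the action is chosen` (wording to be confirmed against the implementation). The class body starts and ends outside the hunk.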
@@ -126,9 +128,7 @@ public:
     void trust_session(Packet*, bool force = false);
     void block_session(Packet*, bool force = false);
     void reset_session(Packet*, bool force = false);
-    void reset_session(Packet*, snort::ActiveAction* r, bool force = false,
-        bool skip_update_status = false);
-    void update_reset_status(Packet*, bool force);
+    void reset_session(Packet*, snort::ActiveAction* r, bool force = false);
 
     static void queue(snort::ActiveAction* a, snort::Packet* p);
     static void clear_queue(snort::Packet*);
@@ -212,7 +212,6 @@ private:
     static int send_ip(DAQ_Msg_h, int, const uint8_t* buf, uint32_t len);
 
     void update_status_actionable(const Packet*);
-    void update_status(const Packet*, bool force = false);
     void daq_update_status(const Packet*);
 
     void block_session(const Packet*, ActiveActionType, bool force = false);