reject: use host-mode to set interface

This patch update reject code to send the packet on the interface
it comes from when 'host-mode' is set to 'sniffer-only'. When
'host-mode' is set to 'router', the reject packet is sent via
the routing interface.

This should fix #957.

diff --git a/src/respond-reject-libnet11.c b/src/respond-reject-libnet11.c
index 4f914cf8bccfe302b5b742517bc9de88b58c9c78..e0ff22d49d62d8264e808f3327f4248709c33d55 100644 (file)
--- a/src/respond-reject-libnet11.c
+++ b/src/respond-reject-libnet11.c
@@ -47,6 +47,7 @@
 #include "action-globals.h"
 #include "respond-reject.h"
 #include "respond-reject-libnet11.h"
+#include "util-device.h"
 
 #ifdef HAVE_LIBNET11
 
@@ -56,6 +57,7 @@ extern int sc_set_caps;
 
 #include <libnet.h>
 
+extern uint8_t host_mode;
 
 typedef struct Libnet11Packet_ {
     uint32_t ack, seq;
@@ -77,6 +79,7 @@ int RejectSendLibnet11L3IPv4TCP(ThreadVars *tv, Packet *p, void *data, int dir)
     libnet_t *c; /* libnet context */
     char ebuf[LIBNET_ERRBUF_SIZE];
     int result;
+    char *devname = NULL;
 
     /* fill in struct defaults */
     lpacket.ttl = 0;
@@ -84,7 +87,11 @@ int RejectSendLibnet11L3IPv4TCP(ThreadVars *tv, Packet *p, void *data, int dir)
     lpacket.flow = 0;
     lpacket.class = 0;
 
-    if ((c = libnet_init(LIBNET_RAW4, NULL, ebuf)) == NULL) {
+    if (IS_SURI_HOST_MODE_SNIFFER_ONLY(host_mode) && (p->livedev)) {
+        devname = p->livedev->dev;
+        SCLogDebug("Will emit reject packet on dev %s", devname);
+    }
+    if ((c = libnet_init(LIBNET_RAW4, devname, ebuf)) == NULL) {
         SCLogError(SC_ERR_LIBNET_INIT,"libnet_inint failed: %s", ebuf);
         return 1;
     }
@@ -187,6 +194,7 @@ int RejectSendLibnet11L3IPv4ICMP(ThreadVars *tv, Packet *p, void *data, int dir)
     libnet_t *c; /* libnet context */
     char ebuf[LIBNET_ERRBUF_SIZE];
     int result;
+    char *devname = NULL;
 
     /* fill in struct defaults */
     lpacket.ttl = 0;
@@ -195,7 +203,11 @@ int RejectSendLibnet11L3IPv4ICMP(ThreadVars *tv, Packet *p, void *data, int dir)
     lpacket.class = 0;
 
     lpacket.len = (IPV4_GET_HLEN(p) + p->payload_len);
-    if ((c = libnet_init(LIBNET_RAW4, NULL, ebuf)) == NULL) {
+
+    if (IS_SURI_HOST_MODE_SNIFFER_ONLY(host_mode) && (p->livedev)) {
+        devname = p->livedev->dev;
+    }
+    if ((c = libnet_init(LIBNET_RAW4, devname, ebuf)) == NULL) {
         SCLogError(SC_ERR_LIBNET_INIT,"libnet_inint failed: %s", ebuf);
         return 1;
     }

diff --git a/suricata.yaml.in b/suricata.yaml.in
index 4f038917bbcc3f85a1cac364ca09220e5b5f94b0..e428d80664f68c09d86a9de6e2ef8f3bce7ac1ea 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -36,6 +36,7 @@
 # it is a pure sniffing setup, set it to 'sniffer-only'.
 # If set to auto, the variable is internally switch to 'router' in IPS mode
 # and 'sniffer-only' in IDS mode.
+# This feature is currently only used by the reject* keywords.
 host-mode: auto
 
 # Run suricata as user and group.