From: Victor Julien Date: Tue, 16 Apr 2024 13:07:46 +0000 (+0200) Subject: ips: check for livedev.use-for-tracking X-Git-Tag: suricata-8.0.0-beta1~1451 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=08841f27ffc1b0e06d2d08d9336a73032261c78c;p=thirdparty%2Fsuricata.git ips: check for livedev.use-for-tracking For the capture methods that support livedev and IPS, livedev.use-for-tracking is not supported. This setting causes major flow tracking issues, as both sides of a flow would be tracked in different flows. This patch disables the livedev.use-for-tracking setting if it is set to true. A warning will be issued. Ticket: #6726.
---
diff --git a/src/runmodes.c b/src/runmodes.c
index ee5d77957f..a9bb444528 100644
--- a/src/runmodes.c
+++ b/src/runmodes.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2022 Open Information Security Foundation
+/* Copyright (C) 2007-2024 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -70,6 +70,7 @@
 #include "counters.h"
 #include "suricata-plugin.h"
+#include "util-device.h"
 int debuglog_enabled = 0;
 bool threading_set_cpu_affinity = false;
@@ -406,10 +407,19 @@ int RunModeEngineIsIPS(int capture_mode, const char *runmode, const char *captur
 return 0;
 }
+ int ips_enabled = 0;
 if (mode->RunModeIsIPSEnabled != NULL) {
- return mode->RunModeIsIPSEnabled();
+ ips_enabled = mode->RunModeIsIPSEnabled();
+ if (ips_enabled == 1) {
+ extern uint16_t g_livedev_mask;
+ if (g_livedev_mask != 0 && LiveGetDeviceCount() > 0) {
+ SCLogWarning("disabling livedev.use-for-tracking with IPS mode. See ticket #6726.");
+ g_livedev_mask = 0;
+ }
+ }
 }
- return 0;
+
+ return ips_enabled;
 }
 /**
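Review bot: In the RunModeEngineIsIPS hunk the reset of `g_livedev_mask` runs only when `RunModeIsIPSEnabled()` returns exactly 1, yet the function still returns any other non-zero value unchanged; if a capture method signals IPS with a different non-zero value (the callbacks are not visible here), livedev.use-for-tracking would stay active and the two directions of an inline flow would again land in separate flows, which degrades inspection of that traffic. Testing `if (ips_enabled != 0) {` keeps the guard aligned with the value that is returned. The block-scope `extern uint16_t g_livedev_mask;` also sidesteps the type check that a declaration in util-device.h (now included by this commit) would provide, so I would move it there. Because a function named as a query now mutates global state, a comment such as `/* side effect: clears g_livedev_mask in IPS mode; relies on live devices already being registered */` would help, with the ordering requirement being my inference from the `LiveGetDeviceCount() > 0` test. The start of RunModeEngineIsIPS lies above the hunk.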