From: Victor Julien
Date: Wed, 11 Jun 2025 07:25:44 +0000 (+0200)
Subject: firewall: move config into yaml object
X-Git-Tag: suricata-8.0.0-rc1~78
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0e18048ef0569322d6f4761253228bbf907bddbd;p=thirdparty%2Fsuricata.git

firewall: move config into yaml object

To make it easier to group settings or include them.
---

diff --git a/src/detect-engine-loader.c b/src/detect-engine-loader.c
index 9384aa5415..e474e5d38a 100644
--- a/src/detect-engine-loader.c
+++ b/src/detect-engine-loader.c
@@ -323,14 +323,14 @@ static int LoadFirewallRuleFiles(DetectEngineCtx *de_ctx)
         return 0;
     }
 
-    SCConfNode *default_fw_rule_path = SCConfGetNode("firewall-rule-path");
+    SCConfNode *default_fw_rule_path = SCConfGetNode("firewall.rule-path");
     if (default_fw_rule_path == NULL) {
-        SCLogNotice("fw: firewall-rule-path not defined, skip loading firewall rules");
+        SCLogNotice("fw: firewall.rule-path not defined, skip loading firewall rules");
         return 0;
     }
 
-    SCConfNode *rule_files = SCConfGetNode("firewall-rule-files");
+    SCConfNode *rule_files = SCConfGetNode("firewall.rule-files");
     if (rule_files == NULL) {
-        SCLogNotice("fw: firewall-rule-files not defined, skip loading firewall rules");
+        SCLogNotice("fw: firewall.rule-files not defined, skip loading firewall rules");
         return 0;
     }
@@ -340,7 +340,7 @@ static int LoadFirewallRuleFiles(DetectEngineCtx *de_ctx)
         int32_t bad_sigs = 0;
         int32_t skipped_sigs = 0;
 
-        char *sfile = DetectLoadCompleteSigPathWithKey(de_ctx, "firewall-rule-path", file->val);
+        char *sfile = DetectLoadCompleteSigPathWithKey(de_ctx, "firewall.rule-path", file->val);
         SCLogNotice("fw: rule file full path \"%s\"", sfile);
 
         int ret = DetectLoadSigFile(de_ctx, sfile, &good_sigs, &bad_sigs, &skipped_sigs, true);
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 49ee5eb92b..9ff696a999 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
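Review bot: Switching the lookups to `firewall.rule-path` and `firewall.rule-files` in the first hunk drops the old top-level keys with no fallback and no deprecation message, so an existing suricata.yaml that still carries `firewall-rule-path` now takes the NULL branch and firewall rules are skipped with only a notice-level log line. For a firewall ruleset that is a silent policy change rather than a visible configuration error; consider probing the legacy keys before the new lookups and escalating, e.g. `if (SCConfGetNode("firewall-rule-path") != NULL || SCConfGetNode("firewall-rule-files") != NULL) {` / `    SCLogWarning("fw: top-level firewall-rule-path/firewall-rule-files are no longer read, move them under the 'firewall' object");` / `}`, or treat it as a hard error if the project prefers failing closed. The same rename is applied to the DetectLoadCompleteSigPathWithKey call in the second hunk, which needs no further change once the guard is in place. LoadFirewallRuleFiles begins before the first hunk and continues past the second.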
@@ -2301,20 +2301,6 @@ default-rule-path: @e_defaultruledir@
 rule-files:
   - suricata.rules
 
-##
-## Suricata as a Firewall options (experimental)
-##
-
-# Firewall rule file are in their own path and are not managed
-# by Suricata-Update.
-#firewall-rule-path: /etc/suricata/firewall/
-
-# List of files with firewall rules. Order matters, files are loaded
-# in order and rules are applied in that order (per state, see docs)
-#firewall-rule-files:
-#  - firewall.rules
-
-
 ##
 ## Auxiliary configuration files.
 ##
@@ -2323,6 +2309,20 @@ classification-file: @e_sysconfdir@classification.config
 reference-config-file: @e_sysconfdir@reference.config
 # threshold-file: @e_sysconfdir@threshold.config
 
+##
+## Suricata as a Firewall options (experimental)
+##
+firewall:
+  # Firewall rule file are in their own path and are not managed
+  # by Suricata-Update.
+  #rule-path: /etc/suricata/firewall/
+
+  # List of files with firewall rules. Order matters, files are loaded
+  # in order and rules are applied in that order (per state, see docs)
+  #rule-files:
+  #  - firewall.rules
+
+
 ##
 ## Include other configs
 ##
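Review bot: The block moved under `firewall:` in the second hunk keeps the comment `# Firewall rule file are in their own path and are not managed` verbatim, which is ungrammatical and says nothing about the key change, even though this template is where an upgrading user will look once the old top-level keys stop being read. Suggest `# Firewall rule files live in their own path and are not managed` / `# by Suricata-Update. These keys replace the former top-level` / `# firewall-rule-path and firewall-rule-files settings.` on the new side. The same wording appears in the removed block of the first hunk, which is history and needs no change.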