From: Juliana Fajardini Date: Mon, 29 May 2023 18:26:22 +0000 (-0300) Subject: exception: refactor exception policy parse fn X-Git-Tag: suricata-6.0.14~39 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4e067da14a822e512ee6108c0424fe412559f4ea;p=thirdparty%2Fsuricata.git exception: refactor exception policy parse fn Split up ExceptionPolicyParse to try to improve readability. Related to Bug #5825 (cherry picked from commit bf22129a0fc133b3f4f18997fc0d384c4f9d3751)
---
diff --git a/src/util-exception-policy.c b/src/util-exception-policy.c
index 1812bf0163..c3dc0d0da3 100644
--- a/src/util-exception-policy.c
+++ b/src/util-exception-policy.c
@@ -25,6 +25,8 @@
 #include "stream-tcp-reassemble.h"
 enum ExceptionPolicy g_eps_master_switch = EXCEPTION_POLICY_NOT_SET;
+/** true if exception policy was defined in config */
+static bool g_eps_have_exception_policy = false;
 static const char *ExceptionPolicyEnumToString(enum ExceptionPolicy policy)
 {
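Review bot: The comment on the new `g_eps_have_exception_policy` flag says neither who sets it nor who reads it, and that matters because the rest of this commit makes per-option fallback behaviour depend on it: it is set only while the 'exception-policy' master switch is parsed and read by the fallback path taken when a per-subsystem option is absent, so any option parsed before the master switch appears to fall through to the built-in default silently. I would state that contract on the declaration: `/** true once the 'exception-policy' master switch has been parsed from config; read by the per-option fallback, so the master switch must be parsed before other options */`. The flag is also never reset anywhere in this diff, so if the parse functions can run more than once per process (reload paths are outside this hunk) the second pass would inherit the first pass's answer.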
@@ -144,65 +146,89 @@ static enum ExceptionPolicy SetIPSOption(
 return p;
 }
-enum ExceptionPolicy ExceptionPolicyParse(const char *option, const bool support_flow)
+static enum ExceptionPolicy ExceptionPolicyConfigValueParse(
+ const char *option, const char *value_str)
 {
 enum ExceptionPolicy policy = EXCEPTION_POLICY_NOT_SET;
- const char *value_str = NULL;
- if ((ConfGet(option, &value_str)) == 1 && value_str != NULL) {
- if (strcmp(value_str, "drop-flow") == 0) {
- policy = SetIPSOption(option, value_str, EXCEPTION_POLICY_DROP_FLOW);
- SCLogConfig("%s: %s", option, value_str);
- } else if (strcmp(value_str, "pass-flow") == 0) {
- policy = EXCEPTION_POLICY_PASS_FLOW;
- SCLogConfig("%s: %s", option, value_str);
- } else if (strcmp(value_str, "bypass") == 0) {
- policy = EXCEPTION_POLICY_BYPASS_FLOW;
- SCLogConfig("%s: %s", option, value_str);
- } else if (strcmp(value_str, "drop-packet") == 0) {
- policy = SetIPSOption(option, value_str, EXCEPTION_POLICY_DROP_PACKET);
- SCLogConfig("%s: %s", option, value_str);
- } else if (strcmp(value_str, "pass-packet") == 0) {
- policy = EXCEPTION_POLICY_PASS_PACKET;
- SCLogConfig("%s: %s", option, value_str);
- } else if (strcmp(value_str, "reject") == 0) {
- policy = EXCEPTION_POLICY_REJECT;
- SCLogConfig("%s: %s", option, value_str);
- } else if (strcmp(value_str, "ignore") == 0) { // TODO name?
+ if (strcmp(value_str, "drop-flow") == 0) {
+ policy = SetIPSOption(option, value_str, EXCEPTION_POLICY_DROP_FLOW);
+ } else if (strcmp(value_str, "pass-flow") == 0) {
+ policy = EXCEPTION_POLICY_PASS_FLOW;
+ } else if (strcmp(value_str, "bypass") == 0) {
+ policy = EXCEPTION_POLICY_BYPASS_FLOW;
+ } else if (strcmp(value_str, "drop-packet") == 0) {
+ policy = SetIPSOption(option, value_str, EXCEPTION_POLICY_DROP_PACKET);
+ } else if (strcmp(value_str, "pass-packet") == 0) {
+ policy = EXCEPTION_POLICY_PASS_PACKET;
+ } else if (strcmp(value_str, "reject") == 0) {
+ policy = EXCEPTION_POLICY_REJECT;
+ } else if (strcmp(value_str, "ignore") == 0) { // TODO name?
+ policy = EXCEPTION_POLICY_NOT_SET;
+ } else if (strcmp(value_str, "auto") == 0) {
+ if (!EngineModeIsIPS()) {
 policy = EXCEPTION_POLICY_NOT_SET;
- SCLogConfig("%s: %s", option, value_str);
- } else if (strcmp(value_str, "auto") == 0) {
- policy = SetIPSOption(option, value_str, EXCEPTION_POLICY_DROP_FLOW);
- SCLogConfig("%s: %s", option, value_str);
 } else {
- FatalErrorOnInit(SC_ERR_INVALID_ARGUMENT,
- "\"%s\" is not a valid exception policy value. Valid options are drop-flow, "
- "pass-flow, bypass, drop-packet, pass-packet or ignore.",
- value_str);
+ policy = EXCEPTION_POLICY_DROP_FLOW;
 }
+ } else {
+ FatalErrorOnInit(SC_ERR_INVALID_ARGUMENT,
+ "\"%s\" is not a valid exception policy value. 
Valid options are drop-flow, "
+ "pass-flow, bypass, reject, drop-packet, pass-packet or ignore.",
+ value_str);
+ }
+
+ return policy;
+}
+
+static enum ExceptionPolicy ExceptionPolicyMasterParse(const char *value)
+{
+ enum ExceptionPolicy policy = EXCEPTION_POLICY_NOT_SET;
+
+ policy = ExceptionPolicyConfigValueParse("exception-policy", value);
+ g_eps_have_exception_policy = true;
+ policy = SetIPSOption("exception-policy", value, policy);
+ SCLogConfig("exception-policy set to: %s", ExceptionPolicyEnumToString(policy));
+
+ return policy;
+}
+static enum ExceptionPolicy ExceptionPolicyGetDefault(const char *option, bool support_flow)
+{
+ enum ExceptionPolicy p = EXCEPTION_POLICY_NOT_SET;
+ if (g_eps_have_exception_policy) {
+ p = GetMasterExceptionPolicy(option);
 if (!support_flow) {
- policy = PickPacketAction(option, policy);
+ p = PickPacketAction(option, p);
 }
+ SCLogConfig("%s: %s (defined via 'exception-policy' master switch)", option,
+ ExceptionPolicyEnumToString(p));
+ return p;
+ } else if (EngineModeIsIPS()) {
+ p = EXCEPTION_POLICY_DROP_FLOW;
+ }
+ SCLogConfig("%s: %s (defined via 'built-in default' for %s-mode)", option,
+ ExceptionPolicyEnumToString(p), EngineModeIsIPS() ? "IPS" : "IDS");
- } else if (strcmp(option, "exception-policy") == 0) {
- /* not enabled, we won't change the master exception policy,
- for now */
- SCLogInfo("'exception-policy' master switch not set, so ignoring it."
- " This behavior will change in Suricata 8, so please update your"
- " config. 
See ticket #5219 for more details.");
- g_eps_master_switch = EXCEPTION_POLICY_NOT_SET;
- } else {
- /* Exception Policy was not defined individually */
- enum ExceptionPolicy master_policy = GetMasterExceptionPolicy(option);
- if (master_policy == EXCEPTION_POLICY_NOT_SET) {
- SCLogConfig("%s: ignore", option);
+ return p;
+}
+
+enum ExceptionPolicy ExceptionPolicyParse(const char *option, bool support_flow)
+{
+ enum ExceptionPolicy policy = EXCEPTION_POLICY_NOT_SET;
+ const char *value_str = NULL;
+
+ if ((ConfGet(option, &value_str)) == 1 && value_str != NULL) {
+ if (strcmp(option, "exception-policy") == 0) {
+ policy = ExceptionPolicyMasterParse(value_str);
 } else {
- /* If the master switch was set and the Exception Policy option was not
- individually set, use the defined master Exception Policy */
- const char *value = ExceptionPolicyEnumToString(master_policy);
- SCLogConfig("%s: %s (defined via 'exception-policy' master switch", option, value);
- policy = master_policy;
+ policy = ExceptionPolicyConfigValueParse(option, value_str);
+ if (!support_flow) {
+ policy = PickPacketAction(option, policy);
+ }
+ SCLogConfig("%s: %s", option, ExceptionPolicyEnumToString(policy));
 }
+ } else {
+ policy = ExceptionPolicyGetDefault(option, support_flow);
 }
 return policy;
 }
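Review bot: The invalid-value message in ExceptionPolicyConfigValueParse still omits `auto`, although the branch directly above it accepts that value (the commit adds `reject` to the list but not `auto`), so an operator who mistypes a value is shown an incomplete set of choices; the string should read `"pass-flow, bypass, reject, drop-packet, pass-packet, auto or ignore."`. In ExceptionPolicyMasterParse the value returned by ExceptionPolicyConfigValueParse is passed through SetIPSOption once more for every value, whereas the helper only applies it to drop-flow and drop-packet; SetIPSOption's body starts outside the hunk, so whether the second call is idempotent or repeats a warning cannot be told from here, and a one-line comment such as `/* re-apply IPS/IDS adjustment to the master value regardless of which keyword produced it */` would settle the intent for the next reader. The `auto` branch also replaces the removed `SetIPSOption(option, value_str, EXCEPTION_POLICY_DROP_FLOW)` with an inline `EngineModeIsIPS()` check, which is only equivalent if SetIPSOption does nothing beyond that mode test. Separately, ExceptionPolicyGetDefault now returns drop-flow in IPS mode when no master switch was configured, where the removed code appears to have logged "ignore" whenever the master policy was unset; that is a behavioural change for IPS deployments without an `exception-policy` key, and the commit description ("refactor ... improve readability") does not mention it, so it deserves a sentence there or a changelog entry before the backport lands.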