From: Victor Julien <vjulien@oisf.net>
Date: Fri, 11 Apr 2025 08:22:20 +0000 (+0200)
Subject: firewall: detect: set firewall support flag on select keywords
X-Git-Tag: suricata-8.0.0-rc1~468
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8f9c05243cc7090b413109c9d01b26471f29d1b3;p=thirdparty%2Fsuricata.git

firewall: detect: set firewall support flag on select keywords
---

diff --git a/src/detect-app-layer-protocol.c b/src/detect-app-layer-protocol.c
index 96270318f3..b95d099db5 100644
--- a/src/detect-app-layer-protocol.c
+++ b/src/detect-app-layer-protocol.c
@@ -357,7 +357,7 @@ void DetectAppLayerProtocolRegister(void)
     sigmatch_table[DETECT_APP_LAYER_PROTOCOL].RegisterTests = DetectAppLayerProtocolRegisterTests;
 #endif
     sigmatch_table[DETECT_APP_LAYER_PROTOCOL].flags =
-            (SIGMATCH_QUOTES_OPTIONAL | SIGMATCH_HANDLE_NEGATION);
+            (SIGMATCH_QUOTES_OPTIONAL | SIGMATCH_HANDLE_NEGATION | SIGMATCH_SUPPORT_FIREWALL);
 
     sigmatch_table[DETECT_APP_LAYER_PROTOCOL].SetupPrefilter = PrefilterSetupAppProto;
     sigmatch_table[DETECT_APP_LAYER_PROTOCOL].SupportsPrefilter = PrefilterAppProtoIsPrefilterable;
diff --git a/src/detect-bsize.c b/src/detect-bsize.c
index 2fea92abbc..c007960a57 100644
--- a/src/detect-bsize.c
+++ b/src/detect-bsize.c
@@ -103,6 +103,7 @@ void DetectBsizeRegister(void)
     sigmatch_table[DETECT_BSIZE].Match = NULL;
     sigmatch_table[DETECT_BSIZE].Setup = DetectBsizeSetup;
     sigmatch_table[DETECT_BSIZE].Free = DetectBsizeFree;
+    sigmatch_table[DETECT_BSIZE].flags = SIGMATCH_SUPPORT_FIREWALL;
 #ifdef UNITTESTS
     sigmatch_table[DETECT_BSIZE].RegisterTests = DetectBsizeRegisterTests;
 #endif
diff --git a/src/detect-content.c b/src/detect-content.c
index 91ff95f295..7e35c60770 100644
--- a/src/detect-content.c
+++ b/src/detect-content.c
@@ -66,7 +66,8 @@ void DetectContentRegister (void)
 #ifdef UNITTESTS
     sigmatch_table[DETECT_CONTENT].RegisterTests = DetectContentRegisterTests;
 #endif
-    sigmatch_table[DETECT_CONTENT].flags = (SIGMATCH_QUOTES_MANDATORY|SIGMATCH_HANDLE_NEGATION);
+    sigmatch_table[DETECT_CONTENT].flags =
+            (SIGMATCH_QUOTES_MANDATORY | SIGMATCH_HANDLE_NEGATION | SIGMATCH_SUPPORT_FIREWALL);
 }
 
 /**
diff --git a/src/detect-dsize.c b/src/detect-dsize.c
index 15859ff1f3..1aae09e896 100644
--- a/src/detect-dsize.c
+++ b/src/detect-dsize.c
@@ -66,6 +66,7 @@ void DetectDsizeRegister (void)
     sigmatch_table[DETECT_DSIZE].Match = DetectDsizeMatch;
     sigmatch_table[DETECT_DSIZE].Setup = DetectDsizeSetup;
     sigmatch_table[DETECT_DSIZE].Free  = DetectDsizeFree;
+    sigmatch_table[DETECT_DSIZE].flags = SIGMATCH_SUPPORT_FIREWALL;
 #ifdef UNITTESTS
     sigmatch_table[DETECT_DSIZE].RegisterTests = DsizeRegisterTests;
 #endif
diff --git a/src/detect-flow.c b/src/detect-flow.c
index cf267a6e0e..d970f06854 100644
--- a/src/detect-flow.c
+++ b/src/detect-flow.c
@@ -70,6 +70,7 @@ void DetectFlowRegister (void)
     sigmatch_table[DETECT_FLOW].Match = DetectFlowMatch;
     sigmatch_table[DETECT_FLOW].Setup = DetectFlowSetup;
     sigmatch_table[DETECT_FLOW].Free  = DetectFlowFree;
+    sigmatch_table[DETECT_FLOW].flags = SIGMATCH_SUPPORT_FIREWALL;
 #ifdef UNITTESTS
     sigmatch_table[DETECT_FLOW].RegisterTests = DetectFlowRegisterTests;
 #endif
diff --git a/src/detect-flowbits.c b/src/detect-flowbits.c
index 79f3bb8806..290f46e696 100644
--- a/src/detect-flowbits.c
+++ b/src/detect-flowbits.c
@@ -79,7 +79,7 @@ void DetectFlowbitsRegister (void)
     sigmatch_table[DETECT_FLOWBITS].RegisterTests = FlowBitsRegisterTests;
 #endif
     /* this is compatible to ip-only signatures */
-    sigmatch_table[DETECT_FLOWBITS].flags |= SIGMATCH_IPONLY_COMPAT;
+    sigmatch_table[DETECT_FLOWBITS].flags |= (SIGMATCH_IPONLY_COMPAT | SIGMATCH_SUPPORT_FIREWALL);
 
     sigmatch_table[DETECT_FLOWBITS].SupportsPrefilter = PrefilterFlowbitIsPrefilterable;
     sigmatch_table[DETECT_FLOWBITS].SetupPrefilter = PrefilterSetupFlowbits;
diff --git a/src/detect-itype.c b/src/detect-itype.c
index 28dcfa5f84..201c36ca6c 100644
--- a/src/detect-itype.c
+++ b/src/detect-itype.c
@@ -62,6 +62,7 @@ void DetectITypeRegister (void)
     sigmatch_table[DETECT_ITYPE].Match = DetectITypeMatch;
     sigmatch_table[DETECT_ITYPE].Setup = DetectITypeSetup;
     sigmatch_table[DETECT_ITYPE].Free = DetectITypeFree;
+    sigmatch_table[DETECT_ITYPE].flags = SIGMATCH_SUPPORT_FIREWALL;
 #ifdef UNITTESTS
     sigmatch_table[DETECT_ITYPE].RegisterTests = DetectITypeRegisterTests;
 #endif
diff --git a/src/detect-msg.c b/src/detect-msg.c
index 7f67d62497..7ffcb57f0a 100644
--- a/src/detect-msg.c
+++ b/src/detect-msg.c
@@ -50,7 +50,7 @@ void DetectMsgRegister (void)
 #ifdef UNITTESTS
     sigmatch_table[DETECT_MSG].RegisterTests = DetectMsgRegisterTests;
 #endif
-    sigmatch_table[DETECT_MSG].flags = SIGMATCH_QUOTES_MANDATORY;
+    sigmatch_table[DETECT_MSG].flags = (SIGMATCH_QUOTES_MANDATORY | SIGMATCH_SUPPORT_FIREWALL);
 }
 
 static int DetectMsgSetup (DetectEngineCtx *de_ctx, Signature *s, const char *msgstr)
diff --git a/src/detect-sid.c b/src/detect-sid.c
index 971be9df46..be017e2507 100644
--- a/src/detect-sid.c
+++ b/src/detect-sid.c
@@ -44,6 +44,7 @@ void DetectSidRegister (void)
     sigmatch_table[DETECT_SID].url = "/rules/meta.html#sid-signature-id";
     sigmatch_table[DETECT_SID].Match = NULL;
     sigmatch_table[DETECT_SID].Setup = DetectSidSetup;
+    sigmatch_table[DETECT_SID].flags = SIGMATCH_SUPPORT_FIREWALL;
 #ifdef UNITTESTS
     sigmatch_table[DETECT_SID].RegisterTests = DetectSidRegisterTests;
 #endif
diff --git a/src/detect-tcp-flags.c b/src/detect-tcp-flags.c
index 472ebcad5d..9c3a2260a5 100644
--- a/src/detect-tcp-flags.c
+++ b/src/detect-tcp-flags.c
@@ -82,6 +82,7 @@ void DetectFlagsRegister (void)
     sigmatch_table[DETECT_FLAGS].Match = DetectFlagsMatch;
     sigmatch_table[DETECT_FLAGS].Setup = DetectFlagsSetup;
     sigmatch_table[DETECT_FLAGS].Free  = DetectFlagsFree;
+    sigmatch_table[DETECT_FLAGS].flags = SIGMATCH_SUPPORT_FIREWALL;
 #ifdef UNITTESTS
     sigmatch_table[DETECT_FLAGS].RegisterTests = FlagsRegisterTests;
 #endif
diff --git a/src/detect-tls-version.c b/src/detect-tls-version.c
index 9df017cc82..1de6d3b9a4 100644
--- a/src/detect-tls-version.c
+++ b/src/detect-tls-version.c
@@ -78,6 +78,7 @@ void DetectTlsVersionRegister (void)
     sigmatch_table[DETECT_TLS_VERSION].AppLayerTxMatch = DetectTlsVersionMatch;
     sigmatch_table[DETECT_TLS_VERSION].Setup = DetectTlsVersionSetup;
     sigmatch_table[DETECT_TLS_VERSION].Free = DetectTlsVersionFree;
+    sigmatch_table[DETECT_TLS_VERSION].flags = SIGMATCH_SUPPORT_FIREWALL;
 #ifdef UNITTESTS
     sigmatch_table[DETECT_TLS_VERSION].RegisterTests = DetectTlsVersionRegisterTests;
 #endif
diff --git a/src/detect-xbits.c b/src/detect-xbits.c
index a02a8ea50f..50f88144f4 100644
--- a/src/detect-xbits.c
+++ b/src/detect-xbits.c
@@ -83,7 +83,7 @@ void DetectXbitsRegister (void)
     sigmatch_table[DETECT_XBITS].RegisterTests = XBitsRegisterTests;
 #endif
     /* this is compatible to ip-only signatures */
-    sigmatch_table[DETECT_XBITS].flags |= SIGMATCH_IPONLY_COMPAT;
+    sigmatch_table[DETECT_XBITS].flags |= (SIGMATCH_IPONLY_COMPAT | SIGMATCH_SUPPORT_FIREWALL);
 
     DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
 }