From: Victor Julien
Date: Thu, 27 Feb 2025 19:31:32 +0000 (+0100)
Subject: run.py: support firewall mode
X-Git-Tag: suricata-7.0.11~106
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=93b65c79a366345e3c57f2f67cf0eb0245ec0ee5;p=thirdparty%2Fsuricata-verify.git
run.py: support firewall mode
Treat firewall.rules special by loading it with --firewall-rules-exclusive Allow fw and td rules.
---
diff --git a/run.py b/run.py
index 770af271d..8cc3484f5 100755
--- a/run.py
+++ b/run.py
@@ -949,15 +949,31 @@ class TestRunner:
 args += ["-r", pcaps[0]]
 # Find rules.
- rules = glob.glob(os.path.join(self.directory, "*.rules"))
+ rules = sorted(glob.glob(os.path.join(self.directory, "*.rules")))
 if not rules:
 args.append("--disable-detection")
 elif len(rules) == 1:
 rulefile = rules[0]
- if rule_is_version_compatible(os.path.basename(rulefile), self.suricata_config.version):
+ # switch to firewall mode if file is named firewall.rules
+ if rulefile.endswith("firewall.rules"):
+ args += ["--firewall-rules-exclusive", rulefile]
+ elif rule_is_version_compatible(os.path.basename(rulefile), self.suricata_config.version):
 args += ["-S", rulefile]
 else:
 args.append("--disable-detection")
+ elif len(rules) == 2:
+ rulefile = rules[0]
+ # switch to firewall mode if file is named firewall.rules
+ if rulefile.endswith("firewall.rules"):
+ args += ["--firewall-rules-exclusive", rulefile]
+ else:
+ raise TestError("multi rule file should have firewall.rules and td.rules. Got {} {}".format(rules[0],rules[1]))
+
+ rulefile = rules[1]
+ if rulefile.endswith("td.rules"):
+ args += ["-S", rulefile]
+ else:
+ raise TestError("multi rule file should have firewall.rules and td.rules")
 else:
 raise TestError("More than 1 rule file found")
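Review bot: The `rulefile.endswith("firewall.rules")` tests in the `len(rules) == 1` and `len(rules) == 2` branches match on the path suffix rather than the file name, so a file such as a constructed `not-firewall.rules` would also switch the test into `--firewall-rules-exclusive` mode, and `endswith("td.rules")` is equally loose. Comparing the basename exactly, `if os.path.basename(rulefile) == "firewall.rules":` and `if os.path.basename(rulefile) == "td.rules":`, would tie the mode switch to the names the commit message describes. Both firewall paths and the `td.rules` path also skip `rule_is_version_compatible`, which the single-file `-S` path still applies; if that is intended, a short comment saying so would prevent a later reader from treating it as an oversight. The second `TestError` in the two-file branch omits the offending file names that the first one reports, so adding `Got {} {}` there as well would make failures easier to diagnose. The enclosing method starts and ends outside the hunk.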