From: Mike Stepanek (mstepane) Date: Mon, 19 Nov 2018 21:03:38 +0000 (-0500) Subject: Merge pull request #1440 in SNORT/snort3 from ~SMINUT/snort3:reject_forward_option... X-Git-Tag: 3.0.0-250~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ac6ff59eb5a68aa156b05bb6a07147e61d547d7d;p=thirdparty%2Fsnort3.git Merge pull request #1440 in SNORT/snort3 from ~SMINUT/snort3:reject_forward_option to master Squashed commit of the following: commit 49f47f3950be7b6f9952be1866639a388508e9ec Author: Silviu Minut Date: Fri Nov 16 15:36:45 2018 -0500 snort2lua: add code to output control = forward under the reject module. commit bb5bf4702dc9b7b1673d352700b4b79ad66d5af6 Author: Masud Hasan Date: Fri Nov 16 11:48:42 2018 -0500 actions: Fixing incorrect order of IPS reject unreachable codes and adding forward option
---
diff --git a/src/actions/act_reject.cc b/src/actions/act_reject.cc
index d01f47a3d..1ea4ef958 100644
--- a/src/actions/act_reject.cc
+++ b/src/actions/act_reject.cc
@@ -60,9 +60,10 @@ using namespace snort;
 #define REJ_UNR_NET 0x04
 #define REJ_UNR_HOST 0x08
 #define REJ_UNR_PORT 0x10
+#define REJ_UNR_FWD 0x20
 #define REJ_RST_BOTH (REJ_RST_SRC|REJ_RST_DST)
-#define REJ_UNR_ALL (REJ_UNR_NET|REJ_UNR_HOST|REJ_UNR_PORT)
+#define REJ_UNR_ALL (REJ_UNR_NET|REJ_UNR_HOST|REJ_UNR_PORT|REJ_UNR_FWD)
 #define s_name "reject"
@@ -134,6 +135,9 @@ void RejectAction::send(Packet* p)
 if ( flags & REJ_RST_DST )
 Active::send_reset(p, ENC_FLAG_FWD);
+ if ( flags & REJ_UNR_FWD )
+ Active::send_unreach(p, snort::UnreachResponse::FWD);
+
 if ( flags & REJ_UNR_NET )
 Active::send_unreach(p, snort::UnreachResponse::NET);
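Review bot: Folding REJ_UNR_FWD into REJ_UNR_ALL silently changes what `control = all` does for existing configurations: together with the new branch in RejectAction::send (the second hunk of this file), a rejected packet now draws four ICMP unreachables instead of three. If that is intended, say so where users see it, e.g. change the s_params help text to `"send ICMP unreachable(s); all includes forward"`; if not, keep `#define REJ_UNR_ALL (REJ_UNR_NET|REJ_UNR_HOST|REJ_UNR_PORT)` so forward remains opt-in. Either way a comment on the new flag, `// selected by control = forward`, would tie the bit to the option it serves.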
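Review bot: The new REJ_UNR_FWD branch is inserted ahead of REJ_UNR_NET, whereas the flag defines, the `control` enum string and the unr[] table in this commit all list forward after port, so a `control = all` reject now emits FWD, NET, HOST, PORT rather than the declared order. Moving the three added lines below the last existing unreach branch (presumably REJ_UNR_PORT, which is outside this hunk) would keep the send sequence aligned with the tables and easier to audit against them. The body of RejectAction::send continues outside the hunk.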
@@ -153,7 +157,7 @@ static const Parameter s_params[] =
 { "reset", Parameter::PT_ENUM, "source|dest|both", nullptr,
 "send TCP reset to one or both ends" },
- { "control", Parameter::PT_ENUM, "network|host|port|all", nullptr,
+ { "control", Parameter::PT_ENUM, "network|host|port|forward|all", nullptr,
 "send ICMP unreachable(s)" },
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
@@ -192,9 +196,10 @@ static const int rst[] =
 static const int unr[] =
 {
- REJ_UNR_PORT,
- REJ_UNR_HOST,
 REJ_UNR_NET,
+ REJ_UNR_HOST,
+ REJ_UNR_PORT,
+ REJ_UNR_FWD,
 REJ_UNR_ALL
 };
diff --git a/tools/snort2lua/preprocessor_states/pps_firewall.cc b/tools/snort2lua/preprocessor_states/pps_firewall.cc
index ccdf8a4b5..3fa54abbe 100644
--- a/tools/snort2lua/preprocessor_states/pps_firewall.cc
+++ b/tools/snort2lua/preprocessor_states/pps_firewall.cc
@@ -179,6 +179,7 @@ namespace preprocessors
 // Auto enable for firewall
 table_api.open_top_level_table("reject");
 table_api.add_option("reset", "both");
+ table_api.add_option("control", "forward");
 table_api.close_table();
 return retval;
@@ -201,4 +202,3 @@ namespace preprocessors
 const ConvertMap* firewall_map = &firewall_api;
 } // namespace preprocessors
-
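Review bot: The enum string `"network|host|port|forward|all"` and the unr[] table in the next hunk are parallel arrays kept in step only by convention, and the commit message shows that convention already failed once (the old table listed port first while the string listed network first). Add `// order must match the "control" enum string in s_params` above unr[] and pin the length with `static_assert(sizeof(unr) / sizeof(unr[0]) == 5, "unr[] out of sync with control enum");` so a future entry cannot be added to one side only. The rst[] table and the `reset` string, not touched here, presumably share the same coupling and would benefit from the same guard.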
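Review bot: `table_api.add_option("control", "forward")` is emitted for every converted firewall config, and nothing here records why forward is the right unreachable type or that the value only parses because act_reject.cc in this same commit adds it to the `control` enum. Extend the existing comment to something like `// Auto enable for firewall; "forward" requires the reject module's control enum to include it (act_reject.cc)`, and if the choice mirrors what the Snort 2 firewall sent, state that as well. The enclosing function starts before this hunk, so the retval it returns is not visible here.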