From: Juliana Fajardini Date: Mon, 29 May 2023 18:26:22 +0000 (-0300) Subject: exceptions: refactor exception policy parse fn X-Git-Tag: suricata-7.0.0-rc2~27 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bf22129a0fc133b3f4f18997fc0d384c4f9d3751;p=thirdparty%2Fsuricata.git exceptions: refactor exception policy parse fn Split up ExceptionPolicyParse to try to improve readability. Related to Bug #5825
---
diff --git a/src/util-exception-policy.c b/src/util-exception-policy.c
index b3cf2952c0..9f42851b56 100644
--- a/src/util-exception-policy.c
+++ b/src/util-exception-policy.c
@@ -148,76 +148,89 @@ static enum ExceptionPolicy PickPacketAction(const char *option, enum ExceptionP return p; } -enum ExceptionPolicy ExceptionPolicyParse(const char *option, const bool support_flow) +static enum ExceptionPolicy ExceptionPolicyConfigValueParse( + const char *option, const char *value_str) { enum ExceptionPolicy policy = EXCEPTION_POLICY_NOT_SET; - const char *value_str = NULL; - if ((ConfGet(option, &value_str)) == 1 && value_str != NULL) { - if (strcmp(value_str, "drop-flow") == 0) { - policy = SetIPSOption(option, value_str, EXCEPTION_POLICY_DROP_FLOW); - } else if (strcmp(value_str, "pass-flow") == 0) { - policy = EXCEPTION_POLICY_PASS_FLOW; - } else if (strcmp(value_str, "bypass") == 0) { - policy = EXCEPTION_POLICY_BYPASS_FLOW; - } else if (strcmp(value_str, "drop-packet") == 0) { - policy = SetIPSOption(option, value_str, EXCEPTION_POLICY_DROP_PACKET); - } else if (strcmp(value_str, "pass-packet") == 0) { - policy = EXCEPTION_POLICY_PASS_PACKET; - } else if (strcmp(value_str, "reject") == 0) { - policy = EXCEPTION_POLICY_REJECT; - } else if (strcmp(value_str, "ignore") == 0) { // TODO name? + if (strcmp(value_str, "drop-flow") == 0) { + policy = SetIPSOption(option, value_str, EXCEPTION_POLICY_DROP_FLOW); + } else if (strcmp(value_str, "pass-flow") == 0) { + policy = EXCEPTION_POLICY_PASS_FLOW; + } else if (strcmp(value_str, "bypass") == 0) { + policy = EXCEPTION_POLICY_BYPASS_FLOW; + } else if (strcmp(value_str, "drop-packet") == 0) { + policy = SetIPSOption(option, value_str, EXCEPTION_POLICY_DROP_PACKET); + } else if (strcmp(value_str, "pass-packet") == 0) { + policy = EXCEPTION_POLICY_PASS_PACKET; + } else if (strcmp(value_str, "reject") == 0) { + policy = EXCEPTION_POLICY_REJECT; + } else if (strcmp(value_str, "ignore") == 0) { // TODO name? 
+ policy = EXCEPTION_POLICY_NOT_SET; + } else if (strcmp(value_str, "auto") == 0) { + if (!EngineModeIsIPS()) { policy = EXCEPTION_POLICY_NOT_SET; - } else if (strcmp(value_str, "auto") == 0) { - if (!EngineModeIsIPS()) { - policy = EXCEPTION_POLICY_NOT_SET; - } else { - policy = EXCEPTION_POLICY_DROP_FLOW; - } } else { - FatalErrorOnInit( - "\"%s\" is not a valid exception policy value. Valid options are drop-flow, " - "pass-flow, bypass, drop-packet, pass-packet or ignore.", - value_str); + policy = EXCEPTION_POLICY_DROP_FLOW; } + } else { + FatalErrorOnInit( + "\"%s\" is not a valid exception policy value. Valid options are drop-flow, " + "pass-flow, bypass, reject, drop-packet, pass-packet or ignore.", + value_str); + } + + return policy; +} + +static enum ExceptionPolicy ExceptionPolicyMasterParse(const char *value) +{ + enum ExceptionPolicy policy = EXCEPTION_POLICY_NOT_SET; + + policy = ExceptionPolicyConfigValueParse("exception-policy", value); + g_eps_have_exception_policy = true; + policy = SetIPSOption("exception-policy", value, policy); + SCLogConfig("exception-policy set to: %s", ExceptionPolicyEnumToString(policy)); + return policy; +} + +static enum ExceptionPolicy ExceptionPolicyGetDefault(const char *option, bool support_flow) +{ + enum ExceptionPolicy p = EXCEPTION_POLICY_NOT_SET; + if (g_eps_have_exception_policy) { + p = GetMasterExceptionPolicy(option); if (!support_flow) { - policy = PickPacketAction(option, policy); + p = PickPacketAction(option, p); } + SCLogConfig("%s: %s (defined via 'exception-policy' master switch)", option, + ExceptionPolicyEnumToString(p)); + return p; + } else if (EngineModeIsIPS()) { + p = EXCEPTION_POLICY_DROP_FLOW; + } + SCLogConfig("%s: %s (defined via 'built-in default' for %s-mode)", option, + ExceptionPolicyEnumToString(p), EngineModeIsIPS() ? 
"IPS" : "IDS"); - if (strcmp(option, "exception-policy") == 0) { - g_eps_have_exception_policy = true; + return p; +} - if (strcmp(value_str, "auto") == 0) { - SCLogConfig("%s: %s (because of 'auto' setting in %s-mode)", option, - ExceptionPolicyEnumToString(policy), EngineModeIsIPS() ? "IPS" : "IDS"); - } else { - SCLogConfig("%s: %s", option, ExceptionPolicyEnumToString(policy)); - } - } else { - SCLogConfig("%s: %s", option, ExceptionPolicyEnumToString(policy)); - } +enum ExceptionPolicy ExceptionPolicyParse(const char *option, bool support_flow) +{ + enum ExceptionPolicy policy = EXCEPTION_POLICY_NOT_SET; + const char *value_str = NULL; - } else if (strcmp(option, "exception-policy") == 0) { - /* not enabled, we won't change the master exception policy, - for now */ - if (!EngineModeIsIPS()) { - policy = EXCEPTION_POLICY_NOT_SET; + if ((ConfGet(option, &value_str)) == 1 && value_str != NULL) { + if (strcmp(option, "exception-policy") == 0) { + policy = ExceptionPolicyMasterParse(value_str); } else { - policy = EXCEPTION_POLICY_DROP_FLOW; + policy = ExceptionPolicyConfigValueParse(option, value_str); + if (!support_flow) { + policy = PickPacketAction(option, policy); + } + SCLogConfig("%s: %s", option, ExceptionPolicyEnumToString(policy)); } - SCLogConfig("%s: %s (%s-mode)", option, ExceptionPolicyEnumToString(policy), - EngineModeIsIPS() ? "IPS" : "IDS"); - } else { - /* Exception Policy was not defined individually */ - policy = GetMasterExceptionPolicy(option); - if (g_eps_have_exception_policy) { - SCLogConfig("%s: %s (defined via 'exception-policy' master switch)", option, - ExceptionPolicyEnumToString(policy)); - } else { - SCLogConfig("%s: %s (defined via 'built-in default' for %s-mode)", option, - ExceptionPolicyEnumToString(policy), EngineModeIsIPS() ? "IPS" : "IDS"); - } + policy = ExceptionPolicyGetDefault(option, support_flow); } return policy;
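Review bot: In `ExceptionPolicyGetDefault`, the built-in IPS default `p = EXCEPTION_POLICY_DROP_FLOW;` is returned without consulting `support_flow`, while the master-switch branch directly above it passes its value through `PickPacketAction` when `!support_flow`. An option that cannot act on flows therefore receives a flow-level action as its default whenever no `exception-policy` master value is configured. If that is not intended, apply the same mapping in that branch, e.g. `if (!support_flow) { p = PickPacketAction(option, p); }` before the final `SCLogConfig`. Separately, `ExceptionPolicyMasterParse` now runs `SetIPSOption` on every parsed value (a second time for `drop-flow`/`drop-packet`, which `ExceptionPolicyConfigValueParse` already wrapped) and no longer applies the `!support_flow` mapping that the removed code ran for every option, so the master path is not a pure refactor. `SetIPSOption` and the body of `PickPacketAction` lie outside this hunk, so the resulting policy in IDS mode should be confirmed and recorded in the commit message or a comment such as `/* master switch: value is re-checked against engine mode; support_flow is not applied here */`.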