From: Juliana Fajardini Date: Tue, 30 May 2023 13:41:49 +0000 (-0300) Subject: stream/tcp: re-enable midstream-policy usage X-Git-Tag: suricata-6.0.14~34 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c0efcbc407937b2d0a311a8b4dab55b9ede4a56e;p=thirdparty%2Fsuricata.git stream/tcp: re-enable midstream-policy usage We were always setting it to ignore, due to bug 5825. The engine will now issue an initialization error if an invalid value is passed in the configuration file for midstream exception policy. 'pass-packet' or 'drop-packet' are never valid, as the midstream policy concerns the whole flow, not making sense for just a packet. If midstream is enabled, only two actual config values are allowed: 'ignore' and 'pass-flow', both in IDS and in IPS mode. In default mode ('auto' or if no policy is defined), midstream-policy is set to 'ignore'. All other values will lead to initialization error. In IDS mode, 'drop-flow' will also lead to initialization error. Part of Bug #5825 (cherry picked from commit 69d3750aaf29940c87797eb49ceef7c385e06f43)
---
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index d736edef2a..cad45ea7f0 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -478,15 +478,7 @@ void StreamTcpInitConfig(char quiet)
 stream_config.ssn_memcap_policy = ExceptionPolicyParse("stream.memcap-policy", true);
 stream_config.reassembly_memcap_policy = ExceptionPolicyParse("stream.reassembly.memcap-policy", true);
- SCLogConfig("memcap-policy: %u/%u", stream_config.ssn_memcap_policy,
- stream_config.reassembly_memcap_policy);
- stream_config.midstream_policy = ExceptionPolicyParse("stream.midstream-policy", true);
- if (stream_config.midstream && stream_config.midstream_policy != EXCEPTION_POLICY_NOT_SET) {
- SCLogWarning(SC_WARN_COMPATIBILITY, "stream.midstream_policy setting conflicting with stream.midstream enabled. " "Ignoring stream.midstream_policy.");
- stream_config.midstream_policy = EXCEPTION_POLICY_NOT_SET;
- }
+ stream_config.midstream_policy = ExceptionPolicyMidstreamParse(stream_config.midstream);
 if (!quiet) {
 SCLogConfig("stream.\"inline\": %s",
@@ -962,8 +954,7 @@ static int StreamTcpPacketStateNone(ThreadVars *tv, Packet *p,
 return 0;
 }
 if (!(stream_config.midstream_policy == EXCEPTION_POLICY_NOT_SET ||
- stream_config.midstream_policy == EXCEPTION_POLICY_PASS_FLOW ||
- stream_config.midstream_policy == EXCEPTION_POLICY_PASS_PACKET)) {
+ stream_config.midstream_policy == EXCEPTION_POLICY_PASS_FLOW)) {
 SCLogDebug("Midstream policy not permissive, so won't pick up a session");
 return 0;
 }
@@ -1133,8 +1124,7 @@ static int StreamTcpPacketStateNone(ThreadVars *tv, Packet *p,
 return 0;
 }
 if (!(stream_config.midstream_policy == EXCEPTION_POLICY_NOT_SET ||
- stream_config.midstream_policy == EXCEPTION_POLICY_PASS_FLOW ||
- stream_config.midstream_policy == EXCEPTION_POLICY_PASS_PACKET)) {
+ stream_config.midstream_policy == EXCEPTION_POLICY_PASS_FLOW)) {
 SCLogDebug("Midstream policy not permissive, so won't pick up a session");
 return 0;
 }
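Review bot: The replaced block in the first hunk also drops the `SCLogConfig("memcap-policy: %u/%u", ...)` line, so the session and reassembly memcap policies parsed on the two context lines above are no longer reported at startup, and the midstream policy that `ExceptionPolicyMidstreamParse` resolves is not reported either; neither the hunk nor the commit message explains losing that output, which is the one place an operator can confirm which exception policies actually took effect. I would keep that log line and add the midstream result to it inside the `if (!quiet)` block that follows, e.g. `SCLogConfig("memcap-policy: %u/%u, midstream-policy: %u", stream_config.ssn_memcap_policy, stream_config.reassembly_memcap_policy, stream_config.midstream_policy);`. The initialization-error behaviour the commit message describes for invalid `stream.midstream-policy` values lives in `ExceptionPolicyMidstreamParse`, which is outside this diff, so this hunk alone does not show that such values are rejected rather than silently mapped. StreamTcpInitConfig's body continues outside the hunk.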
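Review bot: The permissive-policy test rewritten in the hunk at line 962 is repeated verbatim in the hunk at line 1133, so the set of midstream policies that allow a session pickup is now maintained in two places and a later policy addition can update one site and miss the other. I would define the set once in a small helper near `stream_config` and call it from both `if` statements, as sketched below. Since the config-side parser (`ExceptionPolicyMidstreamParse`, outside this diff) is now what keeps `EXCEPTION_POLICY_PASS_PACKET` out of `stream_config.midstream_policy`, a one-line comment on the helper stating that only NOT_SET and PASS_FLOW are permissive would tie the two sides together. StreamTcpPacketStateNone starts and ends outside both hunks.
```c
/* Only these two midstream policies allow picking up a session mid-flow;
 * other values are rejected at config parse time. */
static inline bool StreamTcpMidstreamPermissive(void)
{
    return stream_config.midstream_policy == EXCEPTION_POLICY_NOT_SET ||
           stream_config.midstream_policy == EXCEPTION_POLICY_PASS_FLOW;
}
/* … unchanged: earlier checks in StreamTcpPacketStateNone … */
        if (!StreamTcpMidstreamPermissive()) {
            SCLogDebug("Midstream policy not permissive, so won't pick up a session");
            return 0;
        }
```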