From: Jeff Lucovsky <jlucovsky@oisf.net>
Date: Tue, 21 Jan 2025 14:21:24 +0000 (-0500)
Subject: doc/csum: Stream checksum validation change
X-Git-Tag: suricata-8.0.0-beta1~498
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cfbf8fda94771461844b0fc805af5476f92328ce;p=thirdparty%2Fsuricata.git

doc/csum: Stream checksum validation change

Describe the change of behavior between the stream.checksum-validation
setting and checksum-based rule keywords.
---

diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst
index 4bf74b6528..f5df98100f 100644
--- a/doc/userguide/upgrade.rst
+++ b/doc/userguide/upgrade.rst
@@ -82,6 +82,13 @@ Major changes
 - Unknown requirements in the ``requires`` keyword will now be treated
   as unmet requirements, causing the rule to not be loaded. See
   :ref:`keyword_requires`.
+- The configuration setting controlling stream checksum checks no longer affects
+  checksum keyword validation. In Suricata 7.0, when ``stream.checksum-validation``
+  was set to ``no``, the checksum keywords (e.g., ``ipv4-csum``, ``tcpv4-csum``, etc)
+  will always consider it valid; e.g., ``tcpv4-csum: invalid`` will never match. In
+  Suricata 8.0, ``stream.checksum-validation`` no longer affects the checksum rule keywords.
+  E.g., ``ipv4-csum: valid`` will only match if the check sum is valid, even when engine
+  checksum validations are disabled.
 
 Removals
 ~~~~~~~~