From: Juliana Fajardini
Date: Mon, 29 May 2023 19:55:00 +0000 (-0300)
Subject: exception/midstream: parse midstream policy alone
X-Git-Tag: suricata-6.0.14~38
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d6bfcc0124c82bfa574bdcb5390f35a1605db2cb;p=thirdparty%2Fsuricata.git

exception/midstream: parse midstream policy alone

As the midstream exception policy has its own specific scenarios, have a dedicated function to parse and process its config values, and check for midstream enabled when needed.

Related to Bug #5825

(cherry picked from commit f97af0c0b1916ada6cf860b429e2ccfb5b4a3da2)
---
diff --git a/src/util-exception-policy.c b/src/util-exception-policy.c
index c3dc0d0da3..18aaf8ffee 100644
--- a/src/util-exception-policy.c
+++ b/src/util-exception-policy.c
@@ -192,7 +192,8 @@ static enum ExceptionPolicy ExceptionPolicyMasterParse(const char *value)
 return policy;
 }
-static enum ExceptionPolicy ExceptionPolicyGetDefault(const char *option, bool support_flow)
+static enum ExceptionPolicy ExceptionPolicyGetDefault(
+ const char *option, bool support_flow, bool midstream)
 {
 enum ExceptionPolicy p = EXCEPTION_POLICY_NOT_SET;
 if (g_eps_have_exception_policy) {
@@ -203,7 +204,7 @@ static enum ExceptionPolicy ExceptionPolicyGetDefault(const char *option, bool s
 SCLogConfig("%s: %s (defined via 'exception-policy' master switch)", option,
 ExceptionPolicyEnumToString(p));
 return p;
- } else if (EngineModeIsIPS()) {
+ } else if (EngineModeIsIPS() && !midstream) {
 p = EXCEPTION_POLICY_DROP_FLOW;
 }
 SCLogConfig("%s: %s (defined via 'built-in default' for %s-mode)", option,
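Review bot: The new `!midstream` gate in the `@@ -203` hunk only reaches the built-in default; the `g_eps_have_exception_policy` branch above it does `return p;` before that test, so with the master switch set and midstream enabled the midstream default is whatever the master switch yields, and the only caller passing `midstream=true` (the unset-config branch of ExceptionPolicyMidstreamParse) applies no further midstream check to that value. The lines between `if (g_eps_have_exception_policy) {` and the `SCLogConfig` are outside the hunk, so there may be a guard there I cannot see. If a master-switch drop-flow is not meant to drop every midstream pickup, gate that path as well, e.g. `if (midstream && p != EXCEPTION_POLICY_PASS_FLOW) p = EXCEPTION_POLICY_NOT_SET;` before the master-switch `SCLogConfig`/`return p;`. ExceptionPolicyGetDefault continues past the last line of this hunk.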
@@ -217,7 +218,7 @@ enum ExceptionPolicy ExceptionPolicyParse(const char *option, bool support_flow)
 enum ExceptionPolicy policy = EXCEPTION_POLICY_NOT_SET;
 const char *value_str = NULL;
- if ((ConfGet(option, &value_str)) == 1 && value_str != NULL) {
+ if ((ConfGet(option, &value_str) == 1) && value_str != NULL) {
 if (strcmp(option, "exception-policy") == 0) {
 policy = ExceptionPolicyMasterParse(value_str);
 } else {
@@ -228,7 +229,47 @@ enum ExceptionPolicy ExceptionPolicyParse(const char *option, bool support_flow)
 SCLogConfig("%s: %s", option, ExceptionPolicyEnumToString(policy));
 }
 } else {
- policy = ExceptionPolicyGetDefault(option, support_flow);
+ policy = ExceptionPolicyGetDefault(option, support_flow, false);
+ }
+
+ return policy;
+}
+
+enum ExceptionPolicy ExceptionPolicyMidstreamParse(bool midstream_enabled)
+{
+ enum ExceptionPolicy policy = EXCEPTION_POLICY_NOT_SET;
+ const char *value_str = NULL;
+ /* policy was set directly */
+ if ((ConfGet("stream.midstream-policy", &value_str)) == 1 && value_str != NULL) {
+ policy = ExceptionPolicyConfigValueParse("midstream-policy", value_str);
+ if (midstream_enabled) {
+ if (policy != EXCEPTION_POLICY_NOT_SET && policy != EXCEPTION_POLICY_PASS_FLOW) {
+ FatalErrorOnInit(SC_ERR_INVALID_VALUE,
+ "Error parsing stream.midstream-policy from config file. \"%s\" is "
+ "not a valid exception policy when midstream is enabled. Valid options "
+ "are pass-flow and ignore.",
+ value_str);
+ }
+ }
+ if (!EngineModeIsIPS()) {
+ if (policy == EXCEPTION_POLICY_DROP_FLOW) {
+ FatalErrorOnInit(SC_ERR_INVALID_VALUE,
+ "Error parsing stream.midstream-policy from config file. \"%s\" is "
+ "not a valid exception policy in IDS mode. See our documentation for a "
+ "list of all possible values.",
+ value_str);
+ }
+ }
+ } else {
+ policy = ExceptionPolicyGetDefault("midstream-policy", true, midstream_enabled);
+ }
+
+ if (policy == EXCEPTION_POLICY_PASS_PACKET || policy == EXCEPTION_POLICY_DROP_PACKET) {
+ FatalErrorOnInit(SC_ERR_INVALID_VALUE,
+ "Error parsing stream.midstream-policy from config file. \"%s\" is "
+ "not valid for this exception policy. See our documentation for a list of "
+ "all possible values.",
+ value_str);
 }
 return policy;
 }
diff --git a/src/util-exception-policy.h b/src/util-exception-policy.h
index 924adb31ce..ddf1d3690c 100644
--- a/src/util-exception-policy.h
+++ b/src/util-exception-policy.h
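Review bot: Each of the three `FatalErrorOnInit` calls in the new ExceptionPolicyMidstreamParse leaves `policy` holding the value it just rejected, so if that macro is ever non-fatal (its definition is not in this diff; I would check whether it degrades to a warning under some configuration) the function returns drop-flow with midstream enabled, drop-flow in IDS mode, or a packet-level policy to the caller as if it had passed validation. Make the fallback explicit and independent of the macro's behaviour by adding `policy = EXCEPTION_POLICY_NOT_SET;` after each of the three calls, inside the same `if` body. A smaller style point: the new `if ((ConfGet("stream.midstream-policy", &value_str)) == 1 && value_str != NULL)` keeps the parenthesisation this same commit rewrites in ExceptionPolicyParse to `(ConfGet(...) == 1)`, so the two readers of the same config API now differ for no reason. ExceptionPolicyMidstreamParse is complete within this hunk; the ExceptionPolicyParse tail at the top starts outside it.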
@@ -36,6 +36,7 @@ void SetMasterExceptionPolicy(void);
 void ExceptionPolicyApply(
 Packet *p, enum ExceptionPolicy policy, enum PacketDropReason drop_reason);
 enum ExceptionPolicy ExceptionPolicyParse(const char *option, const bool support_flow);
+enum ExceptionPolicy ExceptionPolicyMidstreamParse(bool midstream_enabled);
 extern enum ExceptionPolicy g_eps_master_switch;
 #ifdef DEBUG
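Review bot: The new `ExceptionPolicyMidstreamParse` prototype has no comment, and its argument changes which config values are accepted, which a reader of this header cannot tell from the name alone. I would add above it: `/** \brief Parse stream.midstream-policy; falls back to ExceptionPolicyGetDefault when unset. With midstream_enabled only pass-flow and ignore are accepted; pass-packet/drop-packet are reported as invalid in every case. */`. Also note the neighbouring `ExceptionPolicyParse` declares `const bool support_flow` while the new one uses plain `bool midstream_enabled`; the by-value `const` is meaningless in a prototype, so dropping it from the old line rather than copying it is the right direction, but the two should match.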