From: Juliana Fajardini Date: Fri, 24 Mar 2023 14:15:14 +0000 (-0300) Subject: exception/policy: use pkt action if no flow support X-Git-Tag: suricata-6.0.11~29 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e9da3378ca5fab0c29264ffd4a6f8cdb42aada53;p=thirdparty%2Fsuricata.git exception/policy: use pkt action if no flow support Defrag memcap and flow memcap do not support flow action for the exception policies, as there is no flow when the exception condition is hit. In such cases, the exception policy must be considered for the packet only, when that makes sense, or should be ignored, in case of `bypass`. Bug #5940 (cherry picked from commit d4333fb959bf7e12651971d542dc36e77cc2d2ad)
---
diff --git a/src/util-exception-policy.c b/src/util-exception-policy.c
index 6d19a423ec..a1ead76778 100644
--- a/src/util-exception-policy.c
+++ b/src/util-exception-policy.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2022 Open Information Security Foundation
+/* Copyright (C) 2023 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -71,6 +71,35 @@ void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDro
 SCLogDebug("end");
 }
+static enum ExceptionPolicy PickPacketAction(const char *option, enum ExceptionPolicy p)
+{
+ switch (p) {
+ case EXCEPTION_POLICY_DROP_FLOW:
+ SCLogWarning(SC_ERR_INVALID_VALUE,
+ "flow actions not supported for %s, defaulting to \"drop-packet\"", option);
+ return EXCEPTION_POLICY_DROP_PACKET;
+ case EXCEPTION_POLICY_PASS_FLOW:
+ SCLogWarning(SC_ERR_INVALID_VALUE,
+ "flow actions not supported for %s, defaulting to \"pass-packet\"", option);
+ return EXCEPTION_POLICY_PASS_PACKET;
+ case EXCEPTION_POLICY_BYPASS_FLOW:
+ SCLogWarning(SC_ERR_INVALID_VALUE,
+ "flow actions not supported for %s, defaulting to \"ignore\"", option);
+ return EXCEPTION_POLICY_IGNORE;
+ /* add all cases, to make sure new cases not handle will raise
+ * errors */
+ case EXCEPTION_POLICY_DROP_PACKET:
+ break;
+ case EXCEPTION_POLICY_PASS_PACKET:
+ break;
+ case EXCEPTION_POLICY_REJECT:
+ break;
+ case EXCEPTION_POLICY_IGNORE:
+ break;
+ }
+ return p;
+}
+
 enum ExceptionPolicy ExceptionPolicyParse(const char *option, const bool support_flow)
 {
 enum ExceptionPolicy policy = EXCEPTION_POLICY_IGNORE;
@@ -105,12 +134,7 @@ enum ExceptionPolicy ExceptionPolicyParse(const char *option, const bool support
 }
 if (!support_flow) {
- if (policy == EXCEPTION_POLICY_DROP_FLOW || policy == EXCEPTION_POLICY_PASS_FLOW ||
- policy == EXCEPTION_POLICY_BYPASS_FLOW) {
- SCLogWarning(SC_WARN_COMPATIBILITY,
- "flow actions not supported for %s, defaulting to \"ignore\"", option);
- policy = EXCEPTION_POLICY_IGNORE;
- }
+ policy = PickPacketAction(option, policy);
 }
 } else {
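Review bot: PickPacketAction is added without a header comment, although it narrows the policy the operator configured: per the commit message there is no flow when the defrag or flow memcap is hit, so `drop-flow` ends up acting on the triggering packet only, and later packets of the same connection are presumably judged on their own. A comment above the function would make that visible to whoever tunes a fail-closed IPS setup, for example `/* Map flow-level policies to their packet-level equivalent for options that have no flow; bypass has no packet form and becomes ignore. The result covers the triggering packet only. */`. The in-switch comment should read "new cases not handled will raise errors", and it could say that this works because the switch deliberately has no `default`, so the compiler can warn on a missing enum case while the trailing `return p;` passes the packet-level values through unchanged. The three warnings use `SC_ERR_INVALID_VALUE`, whereas the code removed in the later hunk used `SC_WARN_COMPATIBILITY`; if the change of code is not intended, keeping the warning code would match the `SCLogWarning` level.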