From: Juliana Fajardini
Date: Mon, 29 May 2023 19:55:00 +0000 (-0300)
Subject: exceptions/midstream: parse midstream policy alone
X-Git-Tag: suricata-7.0.0-rc2~26
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f97af0c0b1916ada6cf860b429e2ccfb5b4a3da2;p=thirdparty%2Fsuricata.git
exceptions/midstream: parse midstream policy alone
As the midstream exception policy has its own specific scenarios, have a dedicated function to parse and process its config values, and check for midstream enabled when needed.
Related to Bug #5825
---
diff --git a/src/util-exception-policy.c b/src/util-exception-policy.c
index 9f42851b56..6eb869be2e 100644
--- a/src/util-exception-policy.c
+++ b/src/util-exception-policy.c
@@ -194,7 +194,8 @@ static enum ExceptionPolicy ExceptionPolicyMasterParse(const char *value)
 return policy;
 }
-static enum ExceptionPolicy ExceptionPolicyGetDefault(const char *option, bool support_flow)
+static enum ExceptionPolicy ExceptionPolicyGetDefault(
+ const char *option, bool support_flow, bool midstream)
 {
 enum ExceptionPolicy p = EXCEPTION_POLICY_NOT_SET;
 if (g_eps_have_exception_policy) {
@@ -205,7 +206,7 @@ static enum ExceptionPolicy ExceptionPolicyGetDefault(const char *option, bool s
 SCLogConfig("%s: %s (defined via 'exception-policy' master switch)", option,
 ExceptionPolicyEnumToString(p));
 return p;
- } else if (EngineModeIsIPS()) {
+ } else if (EngineModeIsIPS() && !midstream) {
 p = EXCEPTION_POLICY_DROP_FLOW;
 }
 SCLogConfig("%s: %s (defined via 'built-in default' for %s-mode)", option,
@@ -219,7 +220,7 @@ enum ExceptionPolicy ExceptionPolicyParse(const char *option, bool support_flow)
 enum ExceptionPolicy policy = EXCEPTION_POLICY_NOT_SET;
 const char *value_str = NULL;
- if ((ConfGet(option, &value_str)) == 1 && value_str != NULL) {
+ if ((ConfGet(option, &value_str) == 1) && value_str != NULL) {
 if (strcmp(option, "exception-policy") == 0) {
 policy = ExceptionPolicyMasterParse(value_str);
 } else {
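Review bot: The new `midstream` parameter of ExceptionPolicyGetDefault is undocumented and its effect is narrower than the name suggests: it only suppresses the IPS-mode drop-flow default in the `else if` at `@@ -205,7 +206,7 @@`, while the earlier `g_eps_have_exception_policy` branch still returns the master-switch value regardless of the flag, so `p` stays at EXCEPTION_POLICY_NOT_SET only when no master switch is configured. Proposed comment above the definition in the first hunk: `/* midstream: when true, the IPS-mode built-in default stays 'not set' instead of drop-flow; a configured master switch still takes precedence */`. ExceptionPolicyGetDefault continues past both hunks, and the body of the master-switch branch is not visible here. The third hunk (`@@ -219,7 +220,7 @@`) only moves a parenthesis and needs no change.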
@@ -230,7 +231,46 @@ enum ExceptionPolicy ExceptionPolicyParse(const char *option, bool support_flow)
 SCLogConfig("%s: %s", option, ExceptionPolicyEnumToString(policy));
 }
 } else {
- policy = ExceptionPolicyGetDefault(option, support_flow);
+ policy = ExceptionPolicyGetDefault(option, support_flow, false);
+ }
+
+ return policy;
+}
+
+enum ExceptionPolicy ExceptionPolicyMidstreamParse(bool midstream_enabled)
+{
+ enum ExceptionPolicy policy = EXCEPTION_POLICY_NOT_SET;
+ const char *value_str = NULL;
+ /* policy was set directly */
+ if ((ConfGet("stream.midstream-policy", &value_str)) == 1 && value_str != NULL) {
+ policy = ExceptionPolicyConfigValueParse("midstream-policy", value_str);
+ if (midstream_enabled) {
+ if (policy != EXCEPTION_POLICY_NOT_SET && policy != EXCEPTION_POLICY_PASS_FLOW) {
+ FatalErrorOnInit(
+ "Error parsing stream.midstream-policy from config file. \"%s\" is "
+ "not a valid exception policy when midstream is enabled. Valid options "
+ "are pass-flow and ignore.",
+ value_str);
+ }
+ }
+ if (!EngineModeIsIPS()) {
+ if (policy == EXCEPTION_POLICY_DROP_FLOW) {
+ FatalErrorOnInit(
+ "Error parsing stream.midstream-policy from config file. \"%s\" is "
+ "not a valid exception policy in IDS mode. See our documentation for a "
+ "list of all possible values.",
+ value_str);
+ }
+ }
+ } else {
+ policy = ExceptionPolicyGetDefault("midstream-policy", true, midstream_enabled);
+ }
+
+ if (policy == EXCEPTION_POLICY_PASS_PACKET || policy == EXCEPTION_POLICY_DROP_PACKET) {
+ FatalErrorOnInit("Error parsing stream.midstream-policy from config file. \"%s\" is "
+ "not valid for this exception policy. See our documentation for a list of "
+ "all possible values.",
+ value_str);
 }
 return policy;
diff --git a/src/util-exception-policy.h b/src/util-exception-policy.h
index c304f3e3f4..698e1ca54a 100644
--- a/src/util-exception-policy.h
+++ b/src/util-exception-policy.h
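Review bot: In the final `FatalErrorOnInit` of ExceptionPolicyMidstreamParse, `value_str` is still NULL when the policy came from the `else` branch via ExceptionPolicyGetDefault, so a default that resolves to pass-packet or drop-packet would hand a null pointer to `%s`, which is undefined behaviour; whether the master-switch default can actually yield a packet-level policy is not visible here, but the message should not depend on it, e.g. `value_str != NULL ? value_str : ExceptionPolicyEnumToString(policy)`. The midstream-enabled restriction (only pass-flow or not-set) is likewise applied only to an explicitly configured value, so on the default path a master switch set to a flow-level drop policy reaches the caller unchecked; if that is intended it deserves a comment on the `else` branch saying so. As a point of style, the new `if ((ConfGet("stream.midstream-policy", &value_str)) == 1 && value_str != NULL) {` keeps the parenthesization that the preceding hunk (`@@ -219,7 +220,7 @@`) just changed to `(ConfGet(...) == 1)`. The closing brace of ExceptionPolicyMidstreamParse lies beyond the hunk.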
@@ -38,6 +38,7 @@ void SetMasterExceptionPolicy(void);
 void ExceptionPolicyApply(
 Packet *p, enum ExceptionPolicy policy, enum PacketDropReason drop_reason);
 enum ExceptionPolicy ExceptionPolicyParse(const char *option, const bool support_flow);
+enum ExceptionPolicy ExceptionPolicyMidstreamParse(bool midstream_enabled);
 extern enum ExceptionPolicy g_eps_master_switch;
 #ifdef DEBUG
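Review bot: The new prototype `enum ExceptionPolicy ExceptionPolicyMidstreamParse(bool midstream_enabled);` carries no comment, and unlike ExceptionPolicyParse it reads a fixed option (`stream.midstream-policy`) and reports some values through FatalErrorOnInit depending on the flag, which a caller cannot tell from the header. Proposed comment above the declaration: `/* Parse stream.midstream-policy. With midstream_enabled an explicit value other than pass-flow is reported as an error; pass-packet and drop-packet are always reported. */`. The neighbouring declarations have no comments either, so this is a suggestion rather than a file convention.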