From e9a0ac187c66dcd573cf59191b3dde8908ca6e31 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Wed, 19 Oct 2022 13:07:56 -0600
Subject: [PATCH] afpacket/netmap: warn about mixed ips, ids/tap deprecation

Suricata already logs if AF_PACKET or Netmap are running in a mixed IPS and IDS/TAP mode. As the behavior is undefined when these modes are mixed, it is best to deprecate and to not allow this behavior. For now warn that it will be unsupported and fail in Suricata 8.

Ticket: 5587
(cherry picked from commit 0c00f28ebcf168e4712f23d49c27508c27f6e774)
---
 src/runmode-af-packet.c | 4 +++-
 src/runmode-netmap.c | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c
index 4af254927f..12bfbfb659 100644
--- a/src/runmode-af-packet.c
+++ b/src/runmode-af-packet.c
@@ -764,7 +764,9 @@ int AFPRunModeIsIPS()
 }
 
 if (has_ids && has_ips) {
- SCLogInfo("AF_PACKET mode using IPS and IDS mode");
+ SCLogWarning(SC_ERR_INVALID_ARGUMENT,
+ "AF_PACKET using both IPS and TAP/IDS mode, this will not "
+ "be allowed in Suricata 8 due to undefined behavior. See ticket #5588.");
 for (ldev = 0; ldev < nlive; ldev++) {
 const char *live_dev = LiveGetDeviceName(ldev);
 if (live_dev == NULL) {
diff --git a/src/runmode-netmap.c b/src/runmode-netmap.c
index 2450fba094..9e31b08b20 100644
--- a/src/runmode-netmap.c
+++ b/src/runmode-netmap.c
@@ -420,7 +420,9 @@ int NetmapRunModeIsIPS()
 }
 
 if (has_ids && has_ips) {
- SCLogInfo("Netmap mode using IPS and IDS mode");
+ SCLogWarning(SC_ERR_INVALID_ARGUMENT,
+ "Netmap using both IPS and TAP/IDS mode, this will not be "
+ "allowed in Suricata 8 due to undefined behavior. See ticket #5588.");
 for (ldev = 0; ldev < nlive; ldev++) {
 const char *live_dev = LiveGetDeviceName(ldev);
 if (live_dev == NULL) {
-- 
2.47.2
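Review bot: The new AF_PACKET warning sends operators to ticket #5588, while the commit description carries `Ticket: 5587`; the Netmap hunk in src/runmode-netmap.c has the same string. This may be intentional if #5588 tracks the Suricata 8 removal rather than this warning, but the patch does not say so, and the number in a log line is what an operator will search for. Please confirm which ticket is meant and, if it is the one in the description, change both strings to end in `See ticket #5587.`. AFPRunModeIsIPS starts and ends outside the hunk.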
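Review bot: The Netmap warning says the mixed setup will stop being accepted, but not what to change or what it means for traffic handling today; the AF_PACKET string in src/runmode-af-packet.c has the same gap. Since the commit description calls the behaviour undefined, an operator who relies on drop rules cannot assume every interface is actually inline, and the message is the place to say so. I would extend it along the lines of `"Netmap using both IPS and TAP/IDS mode: blocking is not guaranteed on all interfaces, set the same copy-mode on every interface. This will not be allowed in Suricata 8, see ticket #5588."`. The per-device loop that follows continues outside the hunk, so it may already log which interfaces are affected; if it does not, naming the ones that are not in IPS mode would help.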