From 57c73880dbf24c2ab7df3d53e4d767c74d883f36 Mon Sep 17 00:00:00 2001
From: Victor Julien <vjulien@oisf.net>
Date: Tue, 8 Apr 2025 10:15:07 +0200
Subject: [PATCH] lua: enable lua rules by default

Now that sandboxing is in place, lua rule support is enabled by default.
---
 doc/userguide/configuration/suricata-yaml.rst | 4 ++--
 doc/userguide/rules/lua-detection.rst         | 4 ----
 src/detect-lua.c                              | 3 +--
 suricata.yaml.in                              | 4 ++--
 4 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst
index 16b208613b..5881a5401d 100644
--- a/doc/userguide/configuration/suricata-yaml.rst
+++ b/doc/userguide/configuration/suricata-yaml.rst
@@ -3000,8 +3000,8 @@ can be completely disabled the same as the Suricata 7.0 default:
 
    security:
      lua:
-       # Allow Lua rules. Disabled by default.
-       #allow-rules: false
+       # Allow Lua rules. Enabled by default.
+       #allow-rules: true
 
        # Upper bound of allocations by a Lua rule before it will fail
        #max-bytes: 500000 
diff --git a/doc/userguide/rules/lua-detection.rst b/doc/userguide/rules/lua-detection.rst
index 9ed8d9d1c5..d47b9e8564 100644
--- a/doc/userguide/rules/lua-detection.rst
+++ b/doc/userguide/rules/lua-detection.rst
@@ -3,10 +3,6 @@
 Lua Scripting for Detection
 ===========================
 
-.. note:: Lua is disabled by default for use in rules, it must be
-          enabled in the configuration file. See the ``security.lua``
-          section of ``suricata.yaml`` and enable ``allow-rules``.
-
 Syntax:
 
 ::
diff --git a/src/detect-lua.c b/src/detect-lua.c
index 93df2f944e..1ba922788b 100644
--- a/src/detect-lua.c
+++ b/src/detect-lua.c
@@ -706,8 +706,7 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, const char *st
     /* First check if Lua rules are enabled, by default Lua in rules
      * is disabled. */
     int enabled = 0;
-    (void)SCConfGetBool("security.lua.allow-rules", &enabled);
-    if (!enabled) {
+    if (SCConfGetBool("security.lua.allow-rules", &enabled) == 1 && !enabled) {
         SCLogError("Lua rules disabled by security configuration: security.lua.allow-rules");
         return -1;
     }
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 66e121b12c..93e2671eb1 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -1306,8 +1306,8 @@ security:
         - @e_sysconfdir@
 
   lua:
-    # Allow Lua rules. Disabled by default.
-    #allow-rules: false
+    # Allow Lua rules. Enabled by default.
+    #allow-rules: true
 
 # Some logging modules will use that name in event as identifier. The default
 # value is the hostname
-- 
2.47.2