exception-policy: add 'reject-both' option
authorVictor Julien <vjulien@oisf.net>
Fri, 17 Oct 2025 10:16:48 +0000 (12:16 +0200)
committerVictor Julien <vjulien@oisf.net>
Tue, 4 Nov 2025 20:48:20 +0000 (20:48 +0000)
Allow rejecting both sides of a connection. It has the same support
as the regular reject policy (which is essentially rejectsrc).

Ticket: #5974.
(cherry picked from commit acb769291a746f50d0d967aaec71049b76c50d5b)

etc/schema.json
src/app-layer.c
src/decode.c
src/stream-tcp.c
src/util-exception-policy-types.h
src/util-exception-policy.c

index d3a9d65a7dc0ac4696aff0eac434fa1f48d84097..84baff3f802792502dab18f2538fe5b7f6a4c542 100644 (file)
                 "reject": {
                     "type": "integer",
                     "minimum": 0
+                },
+                "reject_both": {
+                    "type": "integer",
+                    "minimum": 0
                 }
             }
         }
index d5415e908e2deaf53ad96965ce7ab0e8740abb51..62acc6922a9e6e5117d90c3e48e0352aeaaabef1 100644 (file)
@@ -115,6 +115,7 @@ ExceptionPolicyStatsSetts app_layer_error_eps_stats = {
        /* EXCEPTION_POLICY_DROP_PACKET */  false,
        /* EXCEPTION_POLICY_DROP_FLOW */    false,
        /* EXCEPTION_POLICY_REJECT */       true,
+       /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
     .valid_settings_ips = {
        /* EXCEPTION_POLICY_NOT_SET */      false,
@@ -125,6 +126,7 @@ ExceptionPolicyStatsSetts app_layer_error_eps_stats = {
        /* EXCEPTION_POLICY_DROP_PACKET */  true,
        /* EXCEPTION_POLICY_DROP_FLOW */    true,
        /* EXCEPTION_POLICY_REJECT */       true,
+       /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
 };
 // clang-format on
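Review bot: The new `/* EXCEPTION_POLICY_REJECT_BOTH */  true,` entries appended to `.valid_settings_ids` and `.valid_settings_ips` are positional, so they only mean "reject_both" as long as the table is listed in exactly the order of `enum ExceptionPolicy`; the comment is the sole thing tying each slot to its enumerator. A designated initializer, `[EXCEPTION_POLICY_REJECT_BOTH] = true,`, would let the compiler enforce that mapping and make a future insertion or reordering of the enum harmless. The same applies to the matching tables this commit touches in src/decode.c and src/stream-tcp.c. The enclosing initializer `app_layer_error_eps_stats` starts before the hunk.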
index 9ba91f23dcdb77b707a709be24bd992dd05fbf86..3554288612394bf1fc5a8e9137a714a84476fde1 100644 (file)
@@ -93,6 +93,7 @@ ExceptionPolicyStatsSetts defrag_memcap_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  false,
     /* EXCEPTION_POLICY_DROP_FLOW */    false,
     /* EXCEPTION_POLICY_REJECT */       true,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
     .valid_settings_ips = {
     /* EXCEPTION_POLICY_NOT_SET */      false,
@@ -103,6 +104,7 @@ ExceptionPolicyStatsSetts defrag_memcap_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  true,
     /* EXCEPTION_POLICY_DROP_FLOW */    false,
     /* EXCEPTION_POLICY_REJECT */       true,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
 };
 // clang-format on
@@ -119,6 +121,7 @@ ExceptionPolicyStatsSetts flow_memcap_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  false,
     /* EXCEPTION_POLICY_DROP_FLOW */    false,
     /* EXCEPTION_POLICY_REJECT */       true,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
     .valid_settings_ips = {
     /* EXCEPTION_POLICY_NOT_SET */      false,
@@ -129,6 +132,7 @@ ExceptionPolicyStatsSetts flow_memcap_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  true,
     /* EXCEPTION_POLICY_DROP_FLOW */    false,
     /* EXCEPTION_POLICY_REJECT */       true,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
 };
 // clang-format on
index d366828fe6f5bf2d10496d76fde5e074b28115ac..ea752e7f416aecb743737c519225fa257cac2c00 100644 (file)
@@ -102,6 +102,7 @@ ExceptionPolicyStatsSetts stream_memcap_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  false,
     /* EXCEPTION_POLICY_DROP_FLOW */    false,
     /* EXCEPTION_POLICY_REJECT */       true,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
     .valid_settings_ips = {
     /* EXCEPTION_POLICY_NOT_SET */      false,
@@ -112,6 +113,7 @@ ExceptionPolicyStatsSetts stream_memcap_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  true,
     /* EXCEPTION_POLICY_DROP_FLOW */    true,
     /* EXCEPTION_POLICY_REJECT */       true,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
 };
 // clang-format on
@@ -128,6 +130,7 @@ ExceptionPolicyStatsSetts stream_reassembly_memcap_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  false,
     /* EXCEPTION_POLICY_DROP_FLOW */    false,
     /* EXCEPTION_POLICY_REJECT */       true,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
     .valid_settings_ips = {
     /* EXCEPTION_POLICY_NOT_SET */      false,
@@ -138,6 +141,7 @@ ExceptionPolicyStatsSetts stream_reassembly_memcap_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  true,
     /* EXCEPTION_POLICY_DROP_FLOW */    true,
     /* EXCEPTION_POLICY_REJECT */       true,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
 };
 // clang-format on
@@ -154,6 +158,7 @@ ExceptionPolicyStatsSetts stream_midstream_enabled_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  false,
     /* EXCEPTION_POLICY_DROP_FLOW */    false,
     /* EXCEPTION_POLICY_REJECT */       false,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  false,
     },
     .valid_settings_ips = {
     /* EXCEPTION_POLICY_NOT_SET */      false,
@@ -164,6 +169,7 @@ ExceptionPolicyStatsSetts stream_midstream_enabled_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  false,
     /* EXCEPTION_POLICY_DROP_FLOW */    false,
     /* EXCEPTION_POLICY_REJECT */       false,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  false,
     },
 };
 // clang-format on
@@ -180,6 +186,7 @@ ExceptionPolicyStatsSetts stream_midstream_disabled_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  false,
     /* EXCEPTION_POLICY_DROP_FLOW */    false,
     /* EXCEPTION_POLICY_REJECT */       true,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
     .valid_settings_ips = {
     /* EXCEPTION_POLICY_NOT_SET */      false,
@@ -190,6 +197,7 @@ ExceptionPolicyStatsSetts stream_midstream_disabled_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  false,
     /* EXCEPTION_POLICY_DROP_FLOW */    true,
     /* EXCEPTION_POLICY_REJECT */       true,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
 };
 // clang-format on
index 7df6d0d82c06f71cba015ac4d7a231fb9f6480a3..a3a53084164b4d43db900842cb8aad3c8ebf6597 100644 (file)
@@ -30,10 +30,11 @@ enum ExceptionPolicy {
     EXCEPTION_POLICY_BYPASS_FLOW,
     EXCEPTION_POLICY_DROP_PACKET,
     EXCEPTION_POLICY_DROP_FLOW,
-    EXCEPTION_POLICY_REJECT,
+    EXCEPTION_POLICY_REJECT,     /**< reject src */
+    EXCEPTION_POLICY_REJECT_BOTH /**< reject both src and dest */
 };
 
-#define EXCEPTION_POLICY_MAX (EXCEPTION_POLICY_REJECT + 1)
+#define EXCEPTION_POLICY_MAX (EXCEPTION_POLICY_REJECT_BOTH + 1)
 
 /* Max length = possible exception policy scenarios + counter names
  * + exception policy type. E.g.:
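Review bot: Raising `EXCEPTION_POLICY_MAX` grows every array sized by it, but the comment at the end of the hunk says a maximum length is derived from "possible exception policy scenarios + counter names + exception policy type", and `reject_both` is five characters longer than `reject`; the length constant that presumably follows (outside the hunk) should be rechecked against the new name, ideally with a `_Static_assert` on the longest policy string so this cannot silently truncate a counter name. The enum body also begins before the hunk. Minor style point: `EXCEPTION_POLICY_REJECT_BOTH /**< reject both src and dest */` omits the trailing comma, so the next enumerator appended will have to modify this line; `EXCEPTION_POLICY_REJECT_BOTH, /**< reject both src and dest */` keeps future diffs local.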
index f6d06add1a9600226282281924a98432d24470bb..d18aa5270629688159364ed24b0763573d583dde 100644 (file)
@@ -47,6 +47,8 @@ const char *ExceptionPolicyEnumToString(enum ExceptionPolicy policy, bool is_jso
             return "reject";
         case EXCEPTION_POLICY_BYPASS_FLOW:
             return "bypass";
+        case EXCEPTION_POLICY_REJECT_BOTH:
+            return "reject_both";
         case EXCEPTION_POLICY_DROP_FLOW:
             return is_json ? "drop_flow" : "drop-flow";
         case EXCEPTION_POLICY_DROP_PACKET:
@@ -145,8 +147,14 @@ void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDro
         case EXCEPTION_POLICY_NOT_SET:
             break;
         case EXCEPTION_POLICY_REJECT:
-            SCLogDebug("EXCEPTION_POLICY_REJECT");
-            PacketDrop(p, ACTION_REJECT, drop_reason);
+        case EXCEPTION_POLICY_REJECT_BOTH:
+            if (policy == EXCEPTION_POLICY_REJECT) {
+                SCLogDebug("EXCEPTION_POLICY_REJECT");
+                PacketDrop(p, ACTION_REJECT, drop_reason);
+            } else {
+                SCLogDebug("EXCEPTION_POLICY_REJECT_BOTH");
+                PacketDrop(p, ACTION_REJECT_BOTH, drop_reason);
+            }
             if (!EngineModeIsIPS()) {
                 break;
             }
@@ -204,6 +212,7 @@ static enum ExceptionPolicy PickPacketAction(const char *option, enum ExceptionP
         case EXCEPTION_POLICY_PASS_PACKET:
             break;
         case EXCEPTION_POLICY_REJECT:
+        case EXCEPTION_POLICY_REJECT_BOTH:
             break;
         case EXCEPTION_POLICY_NOT_SET:
             break;
@@ -229,6 +238,8 @@ static enum ExceptionPolicy ExceptionPolicyConfigValueParse(
         policy = EXCEPTION_POLICY_PASS_PACKET;
     } else if (strcmp(value_str, "reject") == 0) {
         policy = EXCEPTION_POLICY_REJECT;
+    } else if (strcmp(value_str, "reject-both") == 0) {
+        policy = EXCEPTION_POLICY_REJECT_BOTH;
     } else if (strcmp(value_str, "ignore") == 0) { // TODO name?
         policy = EXCEPTION_POLICY_NOT_SET;
     } else if (strcmp(value_str, "auto") == 0) {
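Review bot: In `ExceptionPolicyEnumToString` the new `EXCEPTION_POLICY_REJECT_BOTH` case returns `"reject_both"` regardless of `is_json`, while the adjacent `EXCEPTION_POLICY_DROP_FLOW` case returns `is_json ? "drop_flow" : "drop-flow"` and the parser in the last hunk accepts the config keyword `reject-both`; whatever prints the non-JSON form will therefore emit a spelling that does not round-trip through `ExceptionPolicyConfigValueParse`. Following the drop-flow convention, `return is_json ? "reject_both" : "reject-both";` keeps the JSON stats key (matching the schema change) and the config keyword consistent. In `ExceptionPolicyApply`, the merged `REJECT`/`REJECT_BOTH` case could also drop the inner `if` by picking the action into a local first and calling `PacketDrop` once, but the action's type is not visible in the hunk, so that is left as a suggestion. Both enclosing functions start before their hunks.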