From: Juliana Fajardini
Date: Tue, 26 May 2026 20:41:03 +0000 (-0300)
Subject: tests: check replace keyword ban with firewall
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=8a352e52ed5e9f688e3d03dee6947eae65573b8d;p=thirdparty%2Fsuricata-verify.git
tests: check replace keyword ban with firewall
Related to Ticket #8551
---
diff --git a/tests/firewall/ruletype-firewall-90-ban-replace-keyword/README.md b/tests/firewall/ruletype-firewall-90-ban-replace-keyword/README.md
new file mode 100644
index 000000000..c92ea9f1d
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-90-ban-replace-keyword/README.md
@@ -0,0 +1,8 @@
+# Test
+
+Ensure that the engine throws an error message if the `replace` keyword is used
+in firewall rules, as it's banned from them.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/8551
diff --git a/tests/firewall/ruletype-firewall-90-ban-replace-keyword/firewall.rules b/tests/firewall/ruletype-firewall-90-ban-replace-keyword/firewall.rules
new file mode 100644
index 000000000..374c13208
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-90-ban-replace-keyword/firewall.rules
@@ -0,0 +1,2 @@
+# should error out, as 'replace' is not allowed in firewall mode
+accept:hook http1:request_started any any -> any any (msg:"Test replace keyword with firewall rules or mode"; content:"foo"; replace:"bar"; sid:2000001;)
diff --git a/tests/firewall/ruletype-firewall-90-ban-replace-keyword/test.yaml b/tests/firewall/ruletype-firewall-90-ban-replace-keyword/test.yaml
new file mode 100644
index 000000000..0b8322d5f
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-90-ban-replace-keyword/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ min-version: 9
+
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+ - --simulate-ips
+ - -v
+exit-code: 1
+
+checks:
+ - shell:
+ args: grep "keyword 'replace' is not allowed in firewall mode" stderr | wc -l
+ expect: 1
+
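Review bot: The ban is only exercised for one rule shape in test 90's firewall.rules, an `accept:hook` rule on the application-layer hook `http1:request_started`. A packet-level firewall rule carrying `replace`, for example on the `tcp:all` hook that test 91's firewall.rules already uses, is not covered. If the check lives in the keyword's setup code it probably applies to both, but that is not visible from this diff, so a sibling test case for the packet hook would pin it down. The `msg` text "with firewall rules or mode" is also vague for this case; `msg:"Test replace keyword in a firewall rule"` would say which of the two cases is meant.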
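Review bot: Nothing in test 90's test.yaml explains why a TLS pcap is paired with an HTTP rule or why the run has to end with `exit-code: 1`, and the identical file is added for test 91. A leading comment such as `# engine must refuse to start on the banned keyword; the pcap content is not what is under test` would make the fail-closed intent explicit. The grep also matches only the generic message, so the check does not show that the error was raised for sid 2000001; if the engine's error output names the offending signature or file, a second check on that would tie the failure to the intended rule. The last added line of the file is an empty line and could be dropped.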
diff --git a/tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/README.md b/tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/README.md
new file mode 100644
index 000000000..094a47d90
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/README.md
@@ -0,0 +1,8 @@
+# Test
+
+Ensure that the engine throws an error message if the `replace` keyword is used
+in threat detection rules, as it's banned in firewall mode.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/8551
diff --git a/tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/firewall.rules b/tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/firewall.rules
new file mode 100644
index 000000000..56a29a901
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/firewall.rules
@@ -0,0 +1 @@
+accept:hook tcp:all any any -> any any (msg:"Simple firewall rule."; sid: 1;)
diff --git a/tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/td.rules b/tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/td.rules
new file mode 100644
index 000000000..7cb15ca5b
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/td.rules
@@ -0,0 +1,2 @@
+# should error out, as 'replace' is not allowed in firewall mode
+alert http any any -> any any (msg:"Test replace keyword with firewall rules"; content:"foo"; replace:"bar"; sid:2000001;)
diff --git a/tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/test.yaml b/tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/test.yaml
new file mode 100644
index 000000000..0b8322d5f
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ min-version: 9
+
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+ - --simulate-ips
+ - -v
+exit-code: 1
+
+checks:
+ - shell:
+ args: grep "keyword 'replace' is not allowed in firewall mode" stderr | wc -l
+ expect: 1
+
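Review bot: The `msg` in test 91's td.rules says "Test replace keyword with firewall rules", but this is a threat-detection `alert` rule and the case under test is firewall mode rejecting it. Something like `msg:"Test replace keyword in a TD rule while firewall mode is active"` would match the README. How td.rules and firewall.rules are handed to the engine is not visible in this diff, since test.yaml carries no rule-file argument. The test presumably relies on the runner's file-name convention, and a one-line comment in test.yaml saying so would help the next reader. The coverage would also be more convincing with a control showing that the same `alert` rule loads when firewall mode is off, so the rejection is shown to come from the mode and not from the rule itself.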