From: Victor Julien Date: Wed, 11 Jun 2025 13:57:46 +0000 (+0200) Subject: detect: replace DetectEngineCtx flag with EngineModeIsFirewall X-Git-Tag: suricata-8.0.0-rc1~73 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=d5ae9156b920cac7c3067b90e09ff562e379073c;p=thirdparty%2Fsuricata.git detect: replace DetectEngineCtx flag with EngineModeIsFirewall
---
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index 6988b2825b..1378e8e0df 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -16,6 +16,7 @@
 */
 #include "suricata-common.h"
+#include "suricata.h"
 #include "detect.h"
 #include "detect-engine-alert.h"
@@ -409,13 +410,12 @@ static inline void FlowApplySignatureActions(
 static inline void PacketAlertFinalizeProcessQueue( const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
 {
- const bool have_fw_rules = (de_ctx->flags & DE_HAS_FIREWALL) != 0;
+ const bool have_fw_rules = EngineModeIsFirewall();
 if (det_ctx->alert_queue_size > 1) {
 /* sort the alert queue before thresholding and appending to Packet */
 qsort(det_ctx->alert_queue, det_ctx->alert_queue_size, sizeof(PacketAlert),
- (de_ctx->flags & DE_HAS_FIREWALL) ? AlertQueueSortHelperFirewall
- : AlertQueueSortHelper);
+ have_fw_rules ? AlertQueueSortHelperFirewall : AlertQueueSortHelper);
 }
 bool dropped = false;
diff --git a/src/detect-engine-build.c b/src/detect-engine-build.c
index 519c695775..4d3aac4538 100644
--- a/src/detect-engine-build.c
+++ b/src/detect-engine-build.c
@@ -2266,7 +2266,7 @@ int SigGroupBuild(DetectEngineCtx *de_ctx)
 VarNameStoreActivate();
 }
- if (de_ctx->flags & DE_HAS_FIREWALL) {
+ if (EngineModeIsFirewall()) {
 FirewallAnalyzer(de_ctx);
 }
 return 0;
diff --git a/src/detect-engine-loader.c b/src/detect-engine-loader.c
index e474e5d38a..ac93b1b2a7 100644
--- a/src/detect-engine-loader.c
+++ b/src/detect-engine-loader.c
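Review bot: In PacketAlertFinalizeProcessQueue the `de_ctx` parameter has no remaining use in the visible lines once the two `de_ctx->flags` reads are replaced by EngineModeIsFirewall(); if the rest of the body, which continues past the hunk, does not read it either, builds with -Wunused-parameter will warn and the parameter should be dropped or marked with `(void)de_ctx;`. The same switch happens in the SigGroupBuild hunk, where `de_ctx` is still used by FirewallAnalyzer(de_ctx) and so is fine. `suricata.h` is added here to bring EngineModeIsFirewall() into scope, but the detect-engine-build.c and detect.c hunks add no include, presumably because they already get it transitively; an explicit include in each file that now calls it would make that dependency visible rather than relying on header ordering.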
@@ -300,7 +300,6 @@ static int LoadFirewallRuleFiles(DetectEngineCtx *de_ctx)
 int32_t skipped_sigs = 0;
 SCLogNotice("fw: rule file full path \"%s\"", de_ctx->firewall_rule_file_exclusive);
- de_ctx->flags |= DE_HAS_FIREWALL;
 int ret = DetectLoadSigFile(de_ctx, de_ctx->firewall_rule_file_exclusive, &good_sigs, &bad_sigs, &skipped_sigs, true);
@@ -360,8 +359,6 @@ static int LoadFirewallRuleFiles(DetectEngineCtx *de_ctx)
 de_ctx->sig_stat.good_sigs_total += good_sigs;
 }
 }
- de_ctx->flags |= DE_HAS_FIREWALL;
-
 return 0;
 }
diff --git a/src/detect.c b/src/detect.c
index d363686262..906a81200a 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -660,7 +660,7 @@ static inline uint8_t DetectRulePacketRules(ThreadVars *const tv,
 {
 uint8_t action = 0;
 bool fw_verdict = false;
- const bool have_fw_rules = (de_ctx->flags & DE_HAS_FIREWALL) != 0;
+ const bool have_fw_rules = EngineModeIsFirewall();
 const Signature *next_s = NULL;
 /* inspect the sigs against the packet */
@@ -1043,8 +1043,8 @@ static inline void DetectRunPostRules(ThreadVars *tv, const DetectEngineCtx *de_
 /* firewall: "fail" closed if we don't have an ACCEPT. This can happen
 * if there was no rule group. */
 // TODO review packet src types here
- if (de_ctx->flags & DE_HAS_FIREWALL && !(p->action & ACTION_ACCEPT) &&
- p->pkt_src == PKT_SRC_WIRE && scratch->default_action == ACTION_DROP) {
+ if (EngineModeIsFirewall() && !(p->action & ACTION_ACCEPT) && p->pkt_src == PKT_SRC_WIRE &&
+ scratch->default_action == ACTION_DROP) {
 SCLogDebug("packet %" PRIu64 ": droppit as no ACCEPT set %02x (pkt %s)", p->pcap_cnt, p->action, PktSrcToString(p->pkt_src));
 PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_DEFAULT_PACKET_POLICY);
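Review bot: With both `de_ctx->flags |= DE_HAS_FIREWALL;` assignments removed, LoadFirewallRuleFiles no longer records on the detect engine context that firewall rules were loaded, so the firewall-specific behaviour elsewhere (alert ordering, the default ACCEPT, and the fail-closed drop in the DetectRunPostRules hunk) is now keyed solely to the process-wide EngineModeIsFirewall(). If the rule file path and the engine mode can be configured independently, a context that loads `firewall_rule_file_exclusive` while the engine is not in firewall mode would get no firewall semantics, and a firewall-mode engine whose file fails to load would still fail closed; both may well be the intended design, but a short comment at the top of this function such as `/* firewall semantics are keyed to EngineModeIsFirewall(), not to whether this file loaded */` would make that explicit, or a check that logs and returns an error when the file is configured but the engine mode is not firewall. LoadFirewallRuleFiles begins and ends outside the visible hunks.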
@@ -1618,7 +1618,7 @@ static int DetectRunTxCheckFirewallPolicy(DetectEngineThreadCtx *det_ctx, Packet
 thread_local Signature default_accept;
 static inline void DetectRunAppendDefaultAccept(DetectEngineThreadCtx *det_ctx, Packet *p)
 {
- if (det_ctx->de_ctx->flags & DE_HAS_FIREWALL) {
+ if (EngineModeIsFirewall()) {
 memset(&default_accept, 0, sizeof(default_accept));
 default_accept.action = ACTION_ACCEPT;
 default_accept.action_scope = ACTION_SCOPE_PACKET;
@@ -1724,7 +1724,7 @@ static void DetectRunTx(ThreadVars *tv,
 uint32_t fw_verdicted = 0;
 uint32_t tx_inspected = 0;
- const bool have_fw_rules = (de_ctx->flags & DE_HAS_FIREWALL) != 0;
+ const bool have_fw_rules = EngineModeIsFirewall();
 SCLogDebug("packet %" PRIu64, p->pcap_cnt);
@@ -2263,7 +2263,7 @@ static void DetectFlow(ThreadVars *tv,
 /* in firewall mode, we still need to run the fw rulesets even for exception policy pass */
 bool skip = false;
- if (de_ctx->flags & DE_HAS_FIREWALL) {
+ if (EngineModeIsFirewall()) {
 skip = (f->flags & (FLOW_ACTION_ACCEPT));
 } else {
diff --git a/src/detect.h b/src/detect.h
index dca1a0e16f..7f08f50fb3 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -327,8 +327,7 @@ typedef struct DetectPort_ {
 #define FILE_SIG_NEED_SIZE 0x80
 /* Detection Engine flags */
-#define DE_QUIET 0x01 /**< DE is quiet (esp for unittests) */
-#define DE_HAS_FIREWALL 0x02 /**< firewall rules loaded, default policies active */
+#define DE_QUIET 0x01 /**< DE is quiet (esp for unittests) */
 typedef struct IPOnlyCIDRItem_ {
 /* address data for this item */