From 1b7496bf5bfa2b97ae353ba4be5259064a8773b9 Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Tue, 22 Apr 2025 12:23:14 -0600 Subject: [PATCH] decode: use BIT macros for flags; consistent naming Use the BIT_U8 macros for packet alert flags and rename PACKET_ALERT_RATE_FILTER_MODIFIED to PACKET_ALERT_FLAG_RATE_FILTER_MODIFIED for consistency. --- src/decode.h | 16 ++++++++-------- src/detect-engine-alert.c | 5 +++-- src/detect-engine-threshold.c | 8 ++++---- src/output-json-alert.c | 2 +- 4 files changed, 16 insertions(+), 15 deletions(-) diff --git a/src/decode.h b/src/decode.h index cef710c49b..b49359936f 100644 --- a/src/decode.h +++ b/src/decode.h @@ -250,21 +250,21 @@ typedef struct PacketAlert_ { } PacketAlert; /* flag to indicate the rule action (drop/pass) needs to be applied to the flow */ -#define PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW 0x1 +#define PACKET_ALERT_FLAG_APPLY_ACTION_TO_FLOW BIT_U8(0) /** alert was generated based on state */ -#define PACKET_ALERT_FLAG_STATE_MATCH 0x02 +#define PACKET_ALERT_FLAG_STATE_MATCH BIT_U8(1) /** alert was generated based on stream */ -#define PACKET_ALERT_FLAG_STREAM_MATCH 0x04 +#define PACKET_ALERT_FLAG_STREAM_MATCH BIT_U8(2) /** alert is in a tx, tx_id set */ -#define PACKET_ALERT_FLAG_TX 0x08 +#define PACKET_ALERT_FLAG_TX BIT_U8(3) /** action was changed by rate_filter */ -#define PACKET_ALERT_RATE_FILTER_MODIFIED 0x10 +#define PACKET_ALERT_FLAG_RATE_FILTER_MODIFIED BIT_U8(4) /** alert is in a frame, frame_id set */ -#define PACKET_ALERT_FLAG_FRAME 0x20 +#define PACKET_ALERT_FLAG_FRAME BIT_U8(5) /** alert in a tx was forced */ -#define PACKET_ALERT_FLAG_TX_GUESSED 0x40 +#define PACKET_ALERT_FLAG_TX_GUESSED BIT_U8(6) /** accept should be applied to packet */ -#define PACKET_ALERT_FLAG_APPLY_ACTION_TO_PACKET 0x80 +#define PACKET_ALERT_FLAG_APPLY_ACTION_TO_PACKET BIT_U8(7) extern uint16_t packet_alert_max; #define PACKET_ALERT_MAX 15 diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c index d803e28fd8..bb182e05d4 100644 --- a/src/detect-engine-alert.c +++ b/src/detect-engine-alert.c @@ -193,8 +193,9 @@ static void PacketApplySignatureActions(Packet *p, const Signature *s, const Pac if (pa->action & ACTION_DROP_REJECT) { /* PacketDrop will update the packet action, too */ PacketDrop(p, pa->action, - (pa->flags & PACKET_ALERT_RATE_FILTER_MODIFIED) ? PKT_DROP_REASON_RULES_THRESHOLD - : PKT_DROP_REASON_RULES); + (pa->flags & PACKET_ALERT_FLAG_RATE_FILTER_MODIFIED) + ? PKT_DROP_REASON_RULES_THRESHOLD + : PKT_DROP_REASON_RULES); SCLogDebug("[packet %p][DROP sid %u]", p, s->id); if (p->alerts.drop.action == 0) { diff --git a/src/detect-engine-threshold.c b/src/detect-engine-threshold.c index 307e9c08cf..b61661b911 100644 --- a/src/detect-engine-threshold.c +++ b/src/detect-engine-threshold.c @@ -625,19 +625,19 @@ static inline void RateFilterSetAction(PacketAlert *pa, uint8_t new_action) { switch (new_action) { case TH_ACTION_ALERT: - pa->flags |= PACKET_ALERT_RATE_FILTER_MODIFIED; + pa->flags |= PACKET_ALERT_FLAG_RATE_FILTER_MODIFIED; pa->action = ACTION_ALERT; break; case TH_ACTION_DROP: - pa->flags |= PACKET_ALERT_RATE_FILTER_MODIFIED; + pa->flags |= PACKET_ALERT_FLAG_RATE_FILTER_MODIFIED; pa->action = ACTION_DROP; break; case TH_ACTION_REJECT: - pa->flags |= PACKET_ALERT_RATE_FILTER_MODIFIED; + pa->flags |= PACKET_ALERT_FLAG_RATE_FILTER_MODIFIED; pa->action = (ACTION_REJECT | ACTION_DROP); break; case TH_ACTION_PASS: - pa->flags |= PACKET_ALERT_RATE_FILTER_MODIFIED; + pa->flags |= PACKET_ALERT_FLAG_RATE_FILTER_MODIFIED; pa->action = ACTION_PASS; break; default: diff --git a/src/output-json-alert.c b/src/output-json-alert.c index d5ad6f30b1..cd59701a99 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c @@ -204,7 +204,7 @@ void AlertJsonHeader(const Packet *p, const PacketAlert *pa, SCJsonBuilder *js, { const char *action = "allowed"; /* use packet action if rate_filter modified the action */ - if (unlikely(pa->flags & PACKET_ALERT_RATE_FILTER_MODIFIED)) { + if (unlikely(pa->flags & PACKET_ALERT_FLAG_RATE_FILTER_MODIFIED)) { if (PacketCheckAction(p, ACTION_DROP_REJECT)) { action = "blocked"; } -- 2.47.2