From b1f955ef5a808d8e9cd42176fddfe7602ba77d5d Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Tue, 29 Apr 2025 14:45:07 +0200 Subject: [PATCH] firewall: move app action setting into helper func In preparation of adding another callsite. --- src/detect.c | 72 +++++++++++++++++++++++++++++++--------------------- 1 file changed, 43 insertions(+), 29 deletions(-) diff --git a/src/detect.c b/src/detect.c index 6b771fe61e..3f83aab01d 100644 --- a/src/detect.c +++ b/src/detect.c @@ -1613,6 +1613,46 @@ static inline bool ApplyAcceptToPacket( return false; } +/** \internal + * \retval bool true: break_out_of_app_filter, false: don't break out */ +static bool ApplyAccept(Packet *p, const uint8_t flow_flags, const Signature *s, + DetectTransaction *tx, const int tx_end_state, const bool fw_next_progress_missing, + bool *tx_fw_verdict, bool *skip_fw_hook, uint8_t *skip_before_progress) +{ + *tx_fw_verdict = true; + + const enum ActionScope as = s->action_scope; + /* accept:hook: jump to first rule of next state. + * Implemented as skip until the first rule of next state. */ + if (as == ACTION_SCOPE_HOOK) { + *skip_fw_hook = true; + *skip_before_progress = s->app_progress_hook; + + /* if there is no fw rule for the next progress value, + * we invoke the default drop policy. */ + if (fw_next_progress_missing) { + SCLogDebug("%" PRIu64 ": %s default drop for progress", p->pcap_cnt, + flow_flags & STREAM_TOSERVER ? "toserver" : "toclient"); + PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_DEFAULT_APP_POLICY); + p->flow->flags |= FLOW_ACTION_DROP; + return true; + } + return false; + } else if (as == ACTION_SCOPE_TX) { + tx->tx_data_ptr->flags |= APP_LAYER_TX_ACCEPT; + *skip_fw_hook = true; + *skip_before_progress = (uint8_t)tx_end_state + 1; // skip all hooks + SCLogDebug( + "accept:tx applied, skip_fw_hook, skip_before_progress %u", *skip_before_progress); + return false; + } else if (as == ACTION_SCOPE_PACKET) { + return true; + } else if (as == ACTION_SCOPE_FLOW) { + return true; + } + return false; +} + static void DetectRunTx(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, @@ -1876,35 +1916,9 @@ static void DetectRunTx(ThreadVars *tv, AlertQueueAppend(det_ctx, s, p, tx.tx_id, alert_flags); if ((s->flags & SIG_FLAG_FIREWALL) && (s->action & ACTION_ACCEPT)) { - tx_fw_verdict = true; - - const enum ActionScope as = s->action_scope; - /* accept:hook: jump to first rule of next state. - * Implemented as skip until the first rule of next state. */ - if (as == ACTION_SCOPE_HOOK) { - skip_fw_hook = true; - skip_before_progress = s->app_progress_hook; - - /* if there is no fw rule for the next progress value, - * we invoke the default drop policy. */ - if (fw_next_progress_missing) { - SCLogDebug("%" PRIu64 ": %s default drop for progress", p->pcap_cnt, - flow_flags & STREAM_TOSERVER ? "toserver" : "toclient"); - PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_DEFAULT_APP_POLICY); - p->flow->flags |= FLOW_ACTION_DROP; - break_out_of_app_filter = true; - } - } else if (as == ACTION_SCOPE_TX) { - tx.tx_data_ptr->flags |= APP_LAYER_TX_ACCEPT; - skip_fw_hook = true; - skip_before_progress = (uint8_t)tx_end_state + 1; // skip all hooks - SCLogDebug("accept:tx applied, skip_fw_hook, skip_before_progress %u", - skip_before_progress); - } else if (as == ACTION_SCOPE_PACKET) { - break_out_of_app_filter = true; - } else if (as == ACTION_SCOPE_FLOW) { - break_out_of_app_filter = true; - } + break_out_of_app_filter = ApplyAccept(p, flow_flags, s, &tx, tx_end_state, + fw_next_progress_missing, &tx_fw_verdict, &skip_fw_hook, + &skip_before_progress); } } else if (last_for_progress) { SCLogDebug("sid %u: not a match: %s rule, last_for_progress %s", s->id, -- 2.47.2