Skip to content

Fw updates/v17#15253

Closed
victorjulien wants to merge 20 commits into
OISF:mainfrom
victorjulien:fw-updates/v17
Closed

Fw updates/v17#15253
victorjulien wants to merge 20 commits into
OISF:mainfrom
victorjulien:fw-updates/v17

Conversation

@victorjulien

@victorjulien victorjulien commented Apr 24, 2026

Copy link
Copy Markdown
Member

#15252 with some smaller cleanups, improvements.

SV_BRANCH=OISF/suricata-verify#3044

jufajardini and others added 20 commits April 23, 2026 21:24
@jufajardini @victorjulien
detect: opt-in keywords for firewall mode
2e131fa 
- tls.cert_chain_len
- datarep
- dataset
- dns.opcode

Part of
Ticket OISF#8387
@jufajardini @victorjulien
detect/tcp: opt-in tcp.flags for firewall mode
ee02be6 
The firewall enabling flag for tcp.flags was being overwritten by
another line of code.

Related to
Ticket OISF#8387
@victorjulien
respond/reject: use livedev in bridge mode
0fbad96 
Clean up host mode tracking, which is used by reject to control how
rejects are sent. Before this patch there were 2 modes: sniffer only
and router. This patch introduces a bridge mode that is automatically
set by the bridge modes. In bridge mode the `Packet::livedev` is used.

Ticket: OISF#8390.
@victorjulien
device: add O(1) lookup by id
1407d69
@victorjulien
device: start id space at 1
5109a49 
So a value of 0 means no device.
@victorjulien
device: add get id func
f893ba5 
Most code uses an opague type for LiveDevice, so add an id getter.
@victorjulien
flow: store livedev by id
149be8b 
In prep for storing both directions for IPS.
@victorjulien
packet: store livedev by id
8e9448a
@victorjulien
af-packet: shrink AFPPeer struct by better layout
034d8bb
@victorjulien
packet: track outgoing livedev id
9e4ae70
@victorjulien
reject/respond: use dst livedev for rejectdst
f3ddcd5 
Update ctx caching to take direction into account.
@victorjulien
detect/firewall: clean up flow control
12b7319 
Use an enum for the firewall related flow control, to improve
readability of the firewall inspection logic.
@victorjulien
firewall: fix hooks getting skipped in some rulesets
ed6b86f 
If a ruleset would use `dns:request_complete` but not have a rule for
`dns:request_started`, the `request_started` hook default policy would
not get invoked.

Add a check to make sure it is invoked.

Ticket: OISF#8495.
@victorjulien
detect: minor code cleanup
75febe7
@victorjulien
detect: clean up of last_tx check
93fcd44
@victorjulien
detect: clean up firewall rule match handling
17387ff
@victorjulien
detect/firewall: add single call for applying app default policy
9e1c442
@victorjulien
firewall: limit action scope packet for app-hooks
b8da623 
For non-UDP (so TCP), don't allow `accept:packet` or `drop:packet` as
this makes the evaluation of other rule hooks unpredictable.

Ticket: OISF#8497.
@victorjulien
detect/firewall: apply default policy in no rules case
6f6b1b3 
When there are no rules after prefilter the default policy needs to be invoked.
@victorjulien
detect: suppress noisy debug messages
e96485d 
Fixes: 232276a ("detect: ethernet/arp matching")
@victorjulien victorjulien requested review from a team and jasonish as code owners April 24, 2026 07:31
@victorjulien victorjulien mentioned this pull request Apr 24, 2026
Closed
@codecov

codecov Bot commented Apr 24, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 68.69565% with 72 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.68%. Comparing base (be2d80a) to head (e96485d).
⚠️ Report is 25 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #15253      +/-   ##
==========================================
+ Coverage   81.42%   82.68%   +1.25%     
==========================================
  Files         994      994              
  Lines      311172   272291   -38881     
==========================================
- Hits       253378   225132   -28246     
+ Misses      57794    47159   -10635
Flag Coverage Δ
fuzzcorpus 61.02% <24.42%> (+1.74%) ⬆️
livemode 18.39% <26.24%> (-0.66%) ⬇️
netns 22.60% <47.98%> (-0.47%) ⬇️
pcap 45.27% <24.53%> (+1.14%) ⬆️
suricata-verify 66.32% <59.25%> (+1.02%) ⬆️
unittests 58.81% <19.11%> (+1.47%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@suricata-qa

suricata-qa commented Apr 24, 2026

Copy link
Copy Markdown

Information: QA ran without warnings.

Pipeline = 31070

This was referenced Apr 24, 2026
Closed
Closed
@victorjulien victorjulien mentioned this pull request May 1, 2026
Closed
@victorjulien

victorjulien commented May 1, 2026

Copy link
Copy Markdown
Member Author

Replaced by #15300

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jasonish jasonish Awaiting requested review from jasonish jasonish is a code owner

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@victorjulien @suricata-qa @jufajardini