Fw updates/v15 #15239
- tls.cert_chain_len
- datarep
- dataset
- dns.opcode

Part of Ticket OISF#8387
The firewall enabling flag for tcp.flags was being overwritten by another line of code. Related to Ticket OISF#8387
Clean up host mode tracking, which is used by reject to control how rejects are sent. Before this patch there were 2 modes: sniffer only and router. This patch introduces a bridge mode that is automatically set by the bridge modes. In bridge mode the `Packet::livedev` is used. Ticket: OISF#8390.
So a value of 0 means no device.
Most code uses an opaque type for LiveDevice, so add an id getter.
In prep for storing both directions for IPS.
Update ctx caching to take direction into account.
Use an enum for the firewall related flow control, to improve readability of the firewall inspection logic.
If a ruleset would use `dns:request_complete` but not have a rule for `dns:request_started`, the `request_started` hook default policy would not get invoked. Add a check to make sure it is invoked. Ticket: OISF#8495.
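A constructed model of the failure mode described in this commit, added here as an illustration; it is not Suricata's code. The hook order and the "drop" default policy are assumptions of the model, and `evaluate_buggy` / `evaluate_fixed` are hypothetical names.

```python
"""Model of per-hook default policy in firewall-style rule evaluation.

Constructed illustration (not Suricata code): hooks fire in order, and at
each hook either an explicit rule decides, or the hook's default policy does.
"""
from dataclasses import dataclass

# Ordered hooks for a DNS request (names from the commit message; the order
# and the "drop" default are assumptions of this model).
DNS_REQUEST_HOOKS = ["dns:request_started", "dns:request_complete"]
DEFAULT_POLICY = "drop"


@dataclass(frozen=True)
class Rule:
    hook: str
    action: str  # "accept:hook" (continue to the next hook) or "drop"


def _verdict_at(hook, rules):
    """Verdict for one hook: no rule -> default policy, any drop -> drop."""
    matching = [r for r in rules if r.hook == hook]
    if not matching:
        return DEFAULT_POLICY
    return "drop" if any(r.action == "drop" for r in matching) else "accept"


def evaluate_buggy(rules):
    """Only visits hooks that have rules, so a hook without any rule never
    gets its default policy applied (the bug the commit fixes)."""
    visited = [h for h in DNS_REQUEST_HOOKS if any(r.hook == h for r in rules)]
    for hook in visited:
        if _verdict_at(hook, rules) == "drop":
            return ("drop", hook)
    return ("accept", None)


def evaluate_fixed(rules):
    """Visits every hook; a hook with no rule falls back to DEFAULT_POLICY."""
    for hook in DNS_REQUEST_HOOKS:
        if _verdict_at(hook, rules) == "drop":
            return ("drop", hook)
    return ("accept", None)


# Constructed rulesets: one accepts only at request_complete, one at both hooks.
ONLY_COMPLETE = [Rule("dns:request_complete", "accept:hook")]
BOTH_HOOKS = [Rule("dns:request_started", "accept:hook"),
              Rule("dns:request_complete", "accept:hook")]

if __name__ == "__main__":
    print(evaluate_buggy(ONLY_COMPLETE))  # ('accept', None): default skipped
    print(evaluate_fixed(ONLY_COMPLETE))  # ('drop', 'dns:request_started')
    print(evaluate_fixed(BOTH_HOOKS))     # ('accept', None)
```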
Codecov Report

❌ Patch coverage is

Additional details and impacted files

Coverage Diff (main vs. #15239):

| | main | #15239 | +/- |
|---|---|---|---|
| Coverage | 82.68% | 82.69% | |
| Files | 993 | 993 | |
| Lines | 271880 | 271956 | +76 |
| Hits | 224807 | 224892 | +85 |
| Misses | 47073 | 47064 | -9 |
Information: QA ran without warnings. Pipeline = 31017
jufajardini
left a comment
To the extent that I can understand things, this is looking good.
```c
const bool accept_tx_applies_to_packet = last_tx;
if (accept_tx_applies_to_packet) {
```
nitty, but, do we need accept_tx_applies_to_packet now, if we'll just set it to last_tx and use it in this place?
For now I will leave it, as I think the focus is on being able to follow the logic. I think the whole code needs to be split and cleaned later.
```c
 * - check for missing accept hooks
 *
 * \retval DETECT_TX_FW_FC_OK no action needed
 * \retval DETECT_TX_FW_FC_BREAK rest of rules shouldn't inspected
```
nit:

```diff
- * \retval DETECT_TX_FW_FC_BREAK rest of rules shouldn't inspected
+ * \retval DETECT_TX_FW_FC_BREAK rest of rules shouldn't be inspected
```
Fixed locally, will be part of the next PR.
Replaced by #15253 ?
catenacyber
left a comment
Victor said he still wants to address a comment here in a newer version of the PR.
Replaced by #15253
Various firewall related improvements, including fix for https://redmine.openinfosecfoundation.org/issues/8495
SV_BRANCH=OISF/suricata-verify#3039
Includes #15223