Project

General

Profile

Actions
Copy link

Feature #5974

open

flow: midstream exception policy "reject-both" support

Added by Jamie Lavigne over 2 years ago. Updated about 9 hours ago.

Status:
Resolved
Priority:
Normal
Assignee:
Victor Julien
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:

Description

When a flow is encountered midstream, Suricata can't tell which end of the connection is the client and which is the server. This means that when the exception-policy "reject" action is used, the reset is sent back in response to whichever packet arrives at Suricata first, which can be either the client or server end of the connection. In the cases where the reset is sent to the server end, the client side still needs to time out as its retries are dropped before giving up and establishing a new connection.

Adding midstream-policy support for a "reject-both" action would provide a solution by resetting both ends of the connections that are received midstream. This guarantees that the client end of the connection will always receive a reset and fail fast instead of waiting for a timeout.

Subtasks 3 (2 open1 closed)

Feature #6503: Midstream exception policy "reject-both" support (6.0.x backport)RejectedActions
Feature #6681: flow: midstream exception policy "reject-both" support (7.0.x backport)AssignedOISF DevActions
Feature #8072: flow: midstream exception policy "reject-both" support (8.0.x backport)AssignedVictor JulienActions
Actions
Copy link
 #1

Updated by Victor Julien over 2 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Juliana Fajardini Reichow
  • Target version changed from TBD to 7.0.0
Actions
Copy link
 #2

Updated by Victor Julien over 2 years ago

  • Target version changed from 7.0.0 to 8.0.0-beta1
Actions
Copy link
 #3

Updated by OISF Ticketbot almost 2 years ago

  • Subtask #6503 added
Actions
Copy link
 #4

Updated by OISF Ticketbot almost 2 years ago

  • Label deleted (Needs backport to 6.0)
Actions
Copy link
 #5

Updated by Juliana Fajardini Reichow almost 2 years ago

  • Label Needs backport to 7.0 added
Actions
Copy link
 #6

Updated by OISF Ticketbot almost 2 years ago

  • Subtask #6681 added
Actions
Copy link
 #7

Updated by OISF Ticketbot almost 2 years ago

  • Label deleted (Needs backport to 7.0)
Actions
Copy link
 #8

Updated by Victor Julien over 1 year ago

  • Assignee changed from Juliana Fajardini Reichow to OISF Dev
Actions
Copy link
 #9

Updated by Victor Julien 8 months ago

  • Target version changed from 8.0.0-beta1 to 9.0.0-beta1
Actions
Copy link
 #10

Updated by Victor Julien 16 days ago

  • Assignee changed from OISF Dev to Victor Julien
Actions
Copy link
 #11

Updated by Victor Julien 15 days ago

  • Status changed from Assigned to In Review

https://github.com/OISF/suricata/pull/14060

@lavignen are you able to test this PR?

Actions
Copy link
 #12

Updated by Jamie Lavigne 15 days ago

Haven't tested but I compared it against our internal patch. Your code is better, and is functionally almost the same except for one nasty edge case that we discovered and fixed. I've described it in the PR comments.

Actions
Copy link
 #13

Updated by Shivani Bhardwaj 2 days ago

  • Subject changed from Midstream exception policy "reject-both" support to flow: midstream exception policy "reject-both" support
Actions
Copy link
 #14

Updated by Victor Julien about 9 hours ago

  • Status changed from In Review to Resolved
  • Label Needs backport to 8.0 added
Actions
Copy link
 #15

Updated by OISF Ticketbot about 9 hours ago

  • Subtask #8072 added
Actions
Copy link
 #16

Updated by OISF Ticketbot about 9 hours ago

  • Label deleted (Needs backport to 8.0)
Actions
Copy link

Also available in: Atom PDF