Project

General

Profile

Actions
Copy link

Feature #5974

closed
JL VJ

flow: midstream exception policy "reject-both" support

Feature #5974: flow: midstream exception policy "reject-both" support

Added by Jamie Lavigne almost 3 years ago. Updated 2 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:

Description

When a flow is encountered midstream, Suricata can't tell which end of the connection is the client and which is the server. This means that when the exception-policy "reject" action is used, the reset is sent back in response to whichever packet arrives at Suricata first, which can be either the client or server end of the connection. In the cases where the reset is sent to the server end, the client side still needs to time out as its retries are dropped before giving up and establishing a new connection.

Adding midstream-policy support for a "reject-both" action would provide a solution by resetting both ends of the connections that are received midstream. This guarantees that the client end of the connection will always receive a reset and fail fast instead of waiting for a timeout.

Subtasks 3 (0 open3 closed)

Feature #6503: Midstream exception policy "reject-both" support (6.0.x backport)RejectedActions
Feature #6681: flow: midstream exception policy "reject-both" support (7.0.x backport)ClosedJuliana Fajardini ReichowActions
Feature #8072: flow: midstream exception policy "reject-both" support (8.0.x backport)ClosedVictor JulienActions

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
 #1

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Juliana Fajardini Reichow
  • Target version changed from TBD to 7.0.0

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
 #2

  • Target version changed from 7.0.0 to 8.0.0-beta1

OT Updated by OISF Ticketbot over 2 years ago Actions
Copy link
 #3

  • Subtask #6503 added

OT Updated by OISF Ticketbot over 2 years ago Actions
Copy link
 #4

  • Label deleted (Needs backport to 6.0)

JF Updated by Juliana Fajardini Reichow about 2 years ago Actions
Copy link
 #5

  • Label Needs backport to 7.0 added

OT Updated by OISF Ticketbot about 2 years ago Actions
Copy link
 #6

  • Subtask #6681 added

OT Updated by OISF Ticketbot about 2 years ago Actions
Copy link
 #7

  • Label deleted (Needs backport to 7.0)

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
 #8

  • Assignee changed from Juliana Fajardini Reichow to OISF Dev

VJ Updated by Victor Julien about 1 year ago Actions
Copy link
 #9

  • Target version changed from 8.0.0-beta1 to 9.0.0-beta1

VJ Updated by Victor Julien 6 months ago Actions
Copy link
 #10

  • Assignee changed from OISF Dev to Victor Julien

VJ Updated by Victor Julien 6 months ago Actions
Copy link
 #11

  • Status changed from Assigned to In Review

https://github.com/OISF/suricata/pull/14060

@lavignen are you able to test this PR?

JL Updated by Jamie Lavigne 6 months ago Actions
Copy link
 #12

Haven't tested but I compared it against our internal patch. Your code is better, and is functionally almost the same except for one nasty edge case that we discovered and fixed. I've described it in the PR comments.

SB Updated by Shivani Bhardwaj 5 months ago Actions
Copy link
 #13

  • Subject changed from Midstream exception policy "reject-both" support to flow: midstream exception policy "reject-both" support

VJ Updated by Victor Julien 5 months ago Actions
Copy link
 #14

  • Status changed from In Review to Resolved
  • Label Needs backport to 8.0 added

OT Updated by OISF Ticketbot 5 months ago Actions
Copy link
 #15

  • Subtask #8072 added

OT Updated by OISF Ticketbot 5 months ago Actions
Copy link
 #16

  • Label deleted (Needs backport to 8.0)

VJ Updated by Victor Julien 2 months ago Actions
Copy link
 #17

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: PDF Atom