Feature #5974
openflow: midstream exception policy "reject-both" support
Description
When a flow is encountered midstream, Suricata can't tell which end of the connection is the client and which is the server. This means that when the exception-policy "reject" action is used, the reset is sent back in response to whichever packet arrives at Suricata first, which can be either the client or server end of the connection. In the cases where the reset is sent to the server end, the client side still needs to time out as its retries are dropped before giving up and establishing a new connection.
Adding midstream-policy support for a "reject-both" action would provide a solution by resetting both ends of the connections that are received midstream. This guarantees that the client end of the connection will always receive a reset and fail fast instead of waiting for a timeout.
Updated by Victor Julien over 2 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
- Target version changed from TBD to 7.0.0
Updated by Victor Julien over 2 years ago
- Target version changed from 7.0.0 to 8.0.0-beta1
Updated by OISF Ticketbot about 2 years ago
- Label deleted (
Needs backport to 6.0)
Updated by Juliana Fajardini Reichow almost 2 years ago
- Label Needs backport to 7.0 added
Updated by OISF Ticketbot almost 2 years ago
- Label deleted (
Needs backport to 7.0)
Updated by Victor Julien over 1 year ago
- Assignee changed from Juliana Fajardini Reichow to OISF Dev
Updated by Victor Julien 9 months ago
- Target version changed from 8.0.0-beta1 to 9.0.0-beta1
Updated by Victor Julien about 2 months ago
- Assignee changed from OISF Dev to Victor Julien
Updated by Victor Julien about 2 months ago
- Status changed from Assigned to In Review
https://github.com/OISF/suricata/pull/14060
@lavignen are you able to test this PR?
Updated by Jamie Lavigne about 2 months ago
Haven't tested but I compared it against our internal patch. Your code is better, and is functionally almost the same except for one nasty edge case that we discovered and fixed. I've described it in the PR comments.
Updated by Shivani Bhardwaj about 1 month ago
- Subject changed from Midstream exception policy "reject-both" support to flow: midstream exception policy "reject-both" support
Updated by Victor Julien about 1 month ago
- Status changed from In Review to Resolved
- Label Needs backport to 8.0 added
Updated by OISF Ticketbot about 1 month ago
- Label deleted (
Needs backport to 8.0)