Feature #5974
open
flow: midstream exception policy "reject-both" support
Added by Jamie Lavigne over 2 years ago.
Updated 28 days ago.
Description
When a flow is encountered midstream, Suricata can't tell which end of the connection is the client and which is the server. This means that when the exception-policy "reject" action is used, the reset is sent back in response to whichever packet arrives at Suricata first, which can be either the client or server end of the connection. In the cases where the reset is sent to the server end, the client side still needs to time out as its retries are dropped before giving up and establishing a new connection.
Adding midstream-policy support for a "reject-both" action would provide a solution by resetting both ends of the connections that are received midstream. This guarantees that the client end of the connection will always receive a reset and fail fast instead of waiting for a timeout.
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
- Target version changed from TBD to 7.0.0
- Target version changed from 7.0.0 to 8.0.0-beta1
- Label deleted (
Needs backport to 6.0)
- Label Needs backport to 7.0 added
- Label deleted (
Needs backport to 7.0)
- Assignee changed from Juliana Fajardini Reichow to OISF Dev
- Target version changed from 8.0.0-beta1 to 9.0.0-beta1
- Assignee changed from OISF Dev to Victor Julien
- Status changed from Assigned to In Review
Haven't tested but I compared it against our internal patch. Your code is better, and is functionally almost the same except for one nasty edge case that we discovered and fixed. I've described it in the PR comments.
- Subject changed from Midstream exception policy "reject-both" support to flow: midstream exception policy "reject-both" support
- Status changed from In Review to Resolved
- Label Needs backport to 8.0 added
- Label deleted (
Needs backport to 8.0)
Also available in: Atom
PDF