Project

General

Profile

Actions

Bug #7133

open

Could the midstream policy support "drop-packet"?

Added by Jamie Lavigne 6 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

One small challenge we have encountered during the upgrade from Suricata 6 to 7 is that the midstream policy's "drop-packet" value is no longer supported, which is mentioned in the docs [1] and enforced in validation [2]. The documentation for Suricata 6 also mentions this but it was not enforced before, but despite this it has always worked and continues to work in v7 if we ignore the warning that the "fatal error" validation outputs.

Is there a technical or philosophical reason why this value is not officially supported? We would like to retain the existing behavior with the upgrade without maintaining our own patch.

[1] https://docs.suricata.io/en/latest/configuration/exception-policies.html#id6
[2] https://github.com/OISF/suricata/blob/daa6f6f7f38ba48fe4f1396277fb5ab60da7e464/src/util-exception-policy.c#L288-L293

No data to display

Actions

Also available in: Atom PDF