Bug #7133: Could the midstream policy support "drop-packet"?

Added by Jamie Lavigne almost 2 years ago. Updated 8 months ago.

Status: Feedback
Priority: Normal

Description

One small challenge we have encountered during the upgrade from Suricata 6 to 7 is that the midstream policy's "drop-packet" value is no longer supported, which is mentioned in the docs [1] and enforced in validation [2]. The documentation for Suricata 6 also mentions this, but it was not enforced before; despite this, it has always worked and continues to work in v7 if we ignore the warning that the "fatal error" validation outputs.

Is there a technical or philosophical reason why this value is not officially supported? We would like to retain the existing behavior with the upgrade without maintaining our own patch.

[1] https://docs.suricata.io/en/latest/configuration/exception-policies.html#id6
[2] https://github.com/OISF/suricata/blob/daa6f6f7f38ba48fe4f1396277fb5ab60da7e464/src/util-exception-policy.c#L288-L293

Updated by Philippe Antoine 9 months ago (#1)

  • Assignee changed from OISF Dev to Juliana Fajardini Reichow

Juliana, would you know about this?

Updated by Juliana Fajardini Reichow 9 months ago (#2)

The enforcing of non-valid policies in some exception policy scenarios, especially for midstream pickup sessions, was due to some things:
- as stated in the docs, for policies that affect the whole flow, it didn't seem to make sense to us that a policy would affect each individual packet
- if midstream pickup sessions are enabled, it also didn't make sense in our understanding that the engine would track that flow just to drop or bypass it, thus also making such policies non-valid

(There are, however, scenarios where the behavior is faulty. The docs describe one thing, and we've noticed bugs around some cases, eg #6776.)

One question that comes to mind is: Would you like to have support for drop_packet with midstream enabled or disabled?

Updated by Juliana Fajardini Reichow 8 months ago (#3)

  • Status changed from New to Feedback

Updated by Juliana Fajardini Reichow 8 months ago (#4)

  • Target version changed from TBD to 9.0.0-beta1

Adding a target version so it's more visible. Once we better understand the scenario, we can then see if backportable and how. :)
