Bug #7133 (open)
Could the midstream policy support "drop-packet"?
Description
One small challenge we have encountered during the upgrade from Suricata 6 to 7 is that the midstream policy's "drop-packet" value is no longer supported, which is mentioned in the docs [1] and enforced in validation [2]. The documentation for Suricata 6 also mentions this, but it was not enforced before; despite this, it has always worked and continues to work in v7 if we ignore the warning that the "fatal error" validation outputs.
Is there a technical or philosophical reason why this value is not officially supported? We would like to retain the existing behavior with the upgrade without maintaining our own patch.
[1] https://docs.suricata.io/en/latest/configuration/exception-policies.html#id6
[2] https://github.com/OISF/suricata/blob/daa6f6f7f38ba48fe4f1396277fb5ab60da7e464/src/util-exception-policy.c#L288-L293
Updated by Philippe Antoine 21 days ago
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
Juliana, would you know about this?
Updated by Juliana Fajardini Reichow 17 days ago
The enforcing of non-valid policies in some exception policies scenarios, especially for midstream pickup sessions was due to some things:
- as stated in the docs, for policies that affect the whole flow, it didn't seem to make sense to us that a policy would affect each individual packet
- if midstream pickup sessions are enabled, it also didn't make sense in our understanding that the engine would track that flow just to drop or bypass it, thus also making such policies non-valid
(There are, however, scenarios where the behavior is faulty. The docs describe one thing, and we've noticed bugs around some cases, eg #6776.)
One question that comes to mind is: would you like to have support for drop_packet with midstream enabled or disabled?
Updated by Juliana Fajardini Reichow 4 days ago
- Status changed from New to Feedback