Project

General

Profile

Actions
Copy link

Task #8204

open
OA VJ

firewall: add tests for hot reload of firewall mode rules

Task #8204: firewall: add tests for hot reload of firewall mode rules

Added by Olu Adeleke 3 months ago. Updated 1 day ago.

Status:
Resolved
Priority:
Normal
Assignee:
Victor Julien
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:

Description

Rule reloading without restarts is not yet supported for firewall mode rules.

This implies that users need to restart Suricata whenever there is a need for to update firewall mode rules, and this can cause interruptions to packet processing, packet losses and cause flows to be re-categorized as midstream.

It would be useful to have some in built support to hot-reload firewall mode rules (similar to what exists for the existing IPS/IDS rules) without need for restarts.

Subtasks 1 (1 open0 closed)

Task #8409: firewall: add tests for hot reload of firewall mode rules (8.0.x backport)In ReviewVictor JulienActions

Related issues 1 (0 open1 closed)

Blocked by Suricata - Bug #8206: firewall: loading rules only through yaml failsClosedVictor JulienActions

OA Updated by Olu Adeleke 3 months ago Actions
Copy link
 #1

  • Description updated (diff)

VJ Updated by Victor Julien 3 months ago Actions
Copy link
 #2

  • Subject changed from Firewall mode: Support for hot reload of firewall mode rules to firewall: support for hot reload of firewall mode rules

It appears to be working for me. How are you concluding it is not supported?

VJ Updated by Victor Julien 3 months ago Actions
Copy link
 #3

Actually, it only works when not specifying the firewall rule file on the commandline. This is similar to using the -S option in regular rules. However it turns out the regular file loading didn't properly work, see #8206.

VJ Updated by Victor Julien 2 months ago Actions
Copy link
 #4

  • Blocked by Bug #8206: firewall: loading rules only through yaml fails added

VJ Updated by Victor Julien 11 days ago Actions
Copy link
 #5

VJ Updated by Victor Julien 7 days ago Actions
Copy link
 #6

  • Tracker changed from Feature to Task
  • Subject changed from firewall: support for hot reload of firewall mode rules to firewall: add tests for hot reload of firewall mode rules
  • Status changed from New to In Review
  • Assignee set to Victor Julien
  • Target version changed from TBD to 9.0.0-beta1

This works as expected, so turning ticket into tracker for test addition.

https://github.com/OISF/suricata/pull/15108

OT Updated by OISF Ticketbot 7 days ago Actions
Copy link
 #7

  • Subtask #8409 added

OT Updated by OISF Ticketbot 7 days ago Actions
Copy link
 #8

  • Label deleted (Needs backport to 8.0)

VJ Updated by Victor Julien 1 day ago Actions
Copy link
 #9

  • Status changed from In Review to Resolved
Actions
Copy link

Also available in: PDF Atom