Task #8387 (open)

firewall: Validate and opt-in keywords that emit "has not been tested for firewall rules" warning

Added by Yash Datre 4 days ago. Updated 2 days ago.

Status: Assigned
Priority: High
Assignee: Victor Julien
Target version: 9.0.0-beta1

Description

Firewall mode gates keyword usage through the SIGMATCH_SUPPORT_FIREWALL flag. Keywords that lack this flag but take an inline value emit a warning at rule load time:

Warning: detect-parse: keyword 'X' has not been tested for firewall rules

The following 7 keywords currently produce this warning:

  • icode — ICMP code matching
  • pcre — Perl-compatible regular expressions
  • urilen — URI length matching
  • dns.opcode — DNS opcode matching
  • tls.cert_chain_len — TLS certificate chain length
  • dataset — dynamic dataset lookups
  • datarep — dataset reputation lookups

All 7 are needed for our firewall policy rules. The rules load and execute correctly today despite the warning — the keyword gating is advisory, not blocking. We need these keywords formally validated and opted in (i.e., SIGMATCH_SUPPORT_FIREWALL flag added) so the warnings are eliminated.

Additionally, sticky buffer keywords (tls.sni, http.host, dns.query, etc.) bypass the warning entirely because they don't take an inline value, but they also lack the SIGMATCH_SUPPORT_FIREWALL flag. These should be validated and opted in as well for completeness.

Evidence:
The test loads firewall rules exercising all 7 keywords and verifies each produces the warning. On Suricata 8.0.4:

Warning: detect-parse: keyword 'icode' has not been tested for firewall rules
Warning: detect-parse: keyword 'pcre' has not been tested for firewall rules
Warning: detect-parse: keyword 'urilen' has not been tested for firewall rules
Warning: detect-parse: keyword 'dns.opcode' has not been tested for firewall rules
Warning: detect-parse: keyword 'tls.cert_chain_len' has not been tested for firewall rules
Warning: detect-parse: keyword 'dataset' has not been tested for firewall rules
Warning: detect-parse: keyword 'datarep' has not been tested for firewall rules

Rules tested:

accept:hook icmp:all any any -> any any (icode:0; sid:1;)
accept:hook http1:request_line any any -> any any (http.uri; pcre:"/test/"; sid:2;)
accept:hook http1:request_line any any -> any any (urilen:1; sid:3;)
accept:hook dns:request_started any any -> any any (dns.opcode:0; sid:4;)
accept:flow tls:server_cert_done any any -> any any (tls.cert_chain_len:1; sid:5;)
accept:hook http1:request_headers any any -> any any (http.host; dataset:set,testset,type string; sid:6;)
accept:hook http1:request_headers any any -> any any (http.host; datarep:testrep,>,0,load datarep.rep,type string; sid:7;)

All rules load successfully (10 rules loaded, 0 failed) — the warnings are advisory only. The ask is to validate these keywords for firewall mode and add the SIGMATCH_SUPPORT_FIREWALL flag to suppress the warnings.
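The gating the ticket describes can be reproduced offline, which is useful for auditing a firewall ruleset for keywords that are not yet opted in before loading it. The script below is an added example, not code from the ticket or from Suricata: it parses the option block of each rule, treats any `keyword:value` option whose keyword is outside an assumed "supported" set as one that would emit the warning, and separately lists bare sticky buffers that bypass the warning without being opted in. The `FIREWALL_SUPPORTED` set is a placeholder for Suricata's real per-keyword flag table and the seven rules are the ones quoted above.

```python
"""Offline checker for Suricata firewall-mode rule keywords (added example).

Reproduces the gating described in the ticket: an option keyword that takes
an inline value and is not marked SIGMATCH_SUPPORT_FIREWALL emits the
"has not been tested for firewall rules" warning; a bare sticky buffer
(no inline value) is accepted silently even when it is not marked.
"""
from __future__ import annotations

# Constructed sample input: the seven rules listed in the ticket.
RULES = """\
accept:hook icmp:all any any -> any any (icode:0; sid:1;)
accept:hook http1:request_line any any -> any any (http.uri; pcre:"/test/"; sid:2;)
accept:hook http1:request_line any any -> any any (urilen:1; sid:3;)
accept:hook dns:request_started any any -> any any (dns.opcode:0; sid:4;)
accept:flow tls:server_cert_done any any -> any any (tls.cert_chain_len:1; sid:5;)
accept:hook http1:request_headers any any -> any any (http.host; dataset:set,testset,type string; sid:6;)
accept:hook http1:request_headers any any -> any any (http.host; datarep:testrep,>,0,load datarep.rep,type string; sid:7;)
"""

# Assumption: keywords treated as already carrying SIGMATCH_SUPPORT_FIREWALL.
# This stands in for Suricata's real flag table and is deliberately small.
FIREWALL_SUPPORTED = {"sid", "rev", "msg", "content", "classtype", "flow"}

WARNING_FMT = "Warning: detect-parse: keyword '{kw}' has not been tested for firewall rules"


def parse_options(rule: str) -> list[tuple[str, str | None]]:
    """Split the (...) option block of a rule into (keyword, value) pairs.

    Semicolons inside double-quoted values (pcre patterns, content) do not
    terminate an option; a keyword written without ':' is a bare sticky
    buffer or flag and gets the value None.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    options: list[tuple[str, str | None]] = []
    token: list[str] = []
    in_quote = False
    i = 0
    while i < len(body):
        ch = body[i]
        if in_quote and ch == "\\" and i + 1 < len(body):
            token.extend((ch, body[i + 1]))  # keep the escaped char verbatim
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            raw = "".join(token).strip()
            if raw:
                kw, sep, val = raw.partition(":")
                options.append((kw.strip(), val.strip() if sep else None))
            token = []
        else:
            token.append(ch)
        i += 1
    return options


def firewall_warnings(rule: str, supported: set[str] = FIREWALL_SUPPORTED) -> list[str]:
    """Warnings the loader would emit for one rule under the described gating."""
    return [WARNING_FMT.format(kw=kw) for kw, val in parse_options(rule)
            if val is not None and kw not in supported]


def untested_sticky_buffers(rule: str, supported: set[str] = FIREWALL_SUPPORTED) -> list[str]:
    """Bare keywords that bypass the warning but are not opted in either."""
    return [kw for kw, val in parse_options(rule) if val is None and kw not in supported]


def check_ruleset(text: str) -> list[str]:
    """Run every non-empty, non-comment rule line through firewall_warnings."""
    warnings: list[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        warnings.extend(firewall_warnings(line))
    return warnings


if __name__ == "__main__":
    for w in check_ruleset(RULES):
        print(w)
    for line in RULES.splitlines():
        for kw in untested_sticky_buffers(line):
            print(f"note: sticky buffer '{kw}' bypasses the warning but is not opted in")
```

Running the script prints the same seven warning lines the ticket quotes, in rule order, plus notes for `http.uri` and `http.host`, which the loader stays silent about. Moving a keyword into the supported set is the offline equivalent of adding the flag: `firewall_warnings` stops reporting it without any other change.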


Files

test.yaml (1.02 KB), Yash Datre, 03/19/2026 12:14 AM
firewall.rules (1.3 KB), Yash Datre, 03/19/2026 12:14 AM

Subtasks (2: 1 open, 1 closed)

Task #8397: firewall: enable content inspect keywords for firewall mode (New, OISF Dev)
Feature #8398: firewall: mark icode as supported (Closed, Victor Julien)

#1

Updated by Victor Julien 3 days ago

  • Tracker changed from Bug to Task
  • Subject changed from Firewall mode: Validate and opt-in keywords that emit "has not been tested for firewall rules" warning to firewall: Validate and opt-in keywords that emit "has not been tested for firewall rules" warning
  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Priority changed from Normal to High
  • Target version changed from TBD to 9.0.0-beta1
#2

Updated by Victor Julien 3 days ago

  • Subtask #8397 added
#3

Updated by Victor Julien 3 days ago

  • Subtask #8398 added