Task #8387
openfirewall: Validate and opt-in keywords that emit "has not been tested for firewall rules" warning
Description
Firewall mode gates keyword usage through the SIGMATCH_SUPPORT_FIREWALL flag. Keywords that lack this flag but take an inline value emit a warning at rule load time:
Warning: detect-parse: keyword 'X' has not been tested for firewall rules
The following 7 keywords currently produce this warning:
- icode — ICMP code matching
- pcre — Perl-compatible regular expressions
- urilen — URI length matching
- dns.opcode — DNS opcode matching
- tls.cert_chain_len — TLS certificate chain length
- dataset — dynamic dataset lookups
- datarep — dataset reputation lookups
All 7 are needed for our firewall policy rules. The rules load and execute correctly today despite the warning: the keyword gating is advisory, not blocking. We need these keywords formally validated for firewall mode and opted in (i.e., the SIGMATCH_SUPPORT_FIREWALL flag added for each of them) so the warnings are eliminated.
Additionally, sticky buffer keywords (tls.sni, http.host, dns.query, etc.) bypass the warning entirely because the check only runs for keywords that take an inline value, but they also lack the SIGMATCH_SUPPORT_FIREWALL flag. These should be validated and opted in as well for completeness.
Evidence:
The test loads firewall rules exercising all 7 keywords and verifies each produces the warning. On Suricata 8.0.4:
Warning: detect-parse: keyword 'icode' has not been tested for firewall rules
Warning: detect-parse: keyword 'pcre' has not been tested for firewall rules
Warning: detect-parse: keyword 'urilen' has not been tested for firewall rules
Warning: detect-parse: keyword 'dns.opcode' has not been tested for firewall rules
Warning: detect-parse: keyword 'tls.cert_chain_len' has not been tested for firewall rules
Warning: detect-parse: keyword 'dataset' has not been tested for firewall rules
Warning: detect-parse: keyword 'datarep' has not been tested for firewall rules
Rules tested:
accept:hook icmp:all any any -> any any (icode:0; sid:1;)
accept:hook http1:request_line any any -> any any (http.uri; pcre:"/test/"; sid:2;)
accept:hook http1:request_line any any -> any any (urilen:1; sid:3;)
accept:hook dns:request_started any any -> any any (dns.opcode:0; sid:4;)
accept:flow tls:server_cert_done any any -> any any (tls.cert_chain_len:1; sid:5;)
accept:hook http1:request_headers any any -> any any (http.host; dataset:set,testset,type string; sid:6;)
accept:hook http1:request_headers any any -> any any (http.host; datarep:testrep,>,0,load datarep.rep,type string; sid:7;)
All rules load successfully (10 rules loaded, 0 failed); the warnings are advisory only. The ask is to validate these keywords for firewall mode and add the SIGMATCH_SUPPORT_FIREWALL flag to suppress the warnings.
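A pre-flight checker for the gating described above, added here as an example (not Suricata code and not part of the task's test): it parses firewall rules, predicts which keywords the loader will warn about (only value-taking keywords in the unvalidated set; sticky buffers written without a value are skipped, as the task describes), and compares that prediction against the warnings in the loader's output. The unvalidated set is the seven keywords reported above; the rules embedded are the seven from this task; the log text is constructed from the warnings quoted above. It assumes every rule it is handed is loaded as a firewall rule.

```python
"""Pre-flight check for Suricata 8 firewall rules: predict which keywords will
draw the "has not been tested for firewall rules" warning and confirm the
prediction against the loader's output.

Added example for this task, not Suricata code. It models the gating the task
describes (only keywords with an inline value are checked; sticky buffers are
not) and assumes every rule passed in is loaded as a firewall rule."""
import re

# Value-taking keywords reported in the task as lacking SIGMATCH_SUPPORT_FIREWALL
# on Suricata 8.0.4. Trim this set as keywords get opted in.
UNVALIDATED_VALUE_KEYWORDS = {
    "icode", "pcre", "urilen", "dns.opcode",
    "tls.cert_chain_len", "dataset", "datarep",
}

# Wording of the load-time warning as quoted in the task.
WARNING_RE = re.compile(r"keyword '([^']+)' has not been tested for firewall rules")


def split_options(option_body):
    """Split a rule's option body on ';', keeping ';' that sits inside double
    quotes (e.g. pcre:"/a;b/") and honouring backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in option_body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            token = "".join(cur).strip()
            if token:
                opts.append(token)
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rule(rule):
    """Return (action, protocol_and_hook, [(keyword, value), ...]).
    value is None for keywords written without an inline value (sticky
    buffers such as http.host), which is the case the loader's check skips."""
    head, _, rest = rule.partition("(")
    fields = head.split()
    if len(fields) != 7 or ")" not in rest:
        raise ValueError(f"malformed rule: {rule!r}")
    body = rest[: rest.rfind(")")]
    keywords = []
    for opt in split_options(body):
        kw, sep, val = opt.partition(":")
        keywords.append((kw.strip(), val.strip() if sep else None))
    return fields[0], fields[1], keywords


def expected_warnings(rules):
    """Keywords, in order of appearance, the loader should warn about:
    those carrying an inline value that are still in the unvalidated set."""
    out = []
    for rule in rules:
        _, _, keywords = parse_rule(rule)
        out.extend(kw for kw, val in keywords
                   if val is not None and kw in UNVALIDATED_VALUE_KEYWORDS)
    return out


def observed_warnings(load_log):
    """Keywords named in 'has not been tested' warnings, in log order."""
    return WARNING_RE.findall(load_log)


def diff_warnings(expected, observed):
    """(predicted but not seen, seen but not predicted). Both empty means the
    unvalidated set above still matches the Suricata build that produced the log."""
    return (sorted(set(expected) - set(observed)),
            sorted(set(observed) - set(expected)))


# The seven rules from the task, verbatim.
FIREWALL_RULES = [
    'accept:hook icmp:all any any -> any any (icode:0; sid:1;)',
    'accept:hook http1:request_line any any -> any any (http.uri; pcre:"/test/"; sid:2;)',
    'accept:hook http1:request_line any any -> any any (urilen:1; sid:3;)',
    'accept:hook dns:request_started any any -> any any (dns.opcode:0; sid:4;)',
    'accept:flow tls:server_cert_done any any -> any any (tls.cert_chain_len:1; sid:5;)',
    'accept:hook http1:request_headers any any -> any any (http.host; dataset:set,testset,type string; sid:6;)',
    'accept:hook http1:request_headers any any -> any any (http.host; datarep:testrep,>,0,load datarep.rep,type string; sid:7;)',
]

# Constructed loader output: the warning text is as quoted in the task, one per line.
LOAD_LOG = "\n".join(
    f"Warning: detect-parse: keyword '{kw}' has not been tested for firewall rules"
    for kw in ("icode", "pcre", "urilen", "dns.opcode",
               "tls.cert_chain_len", "dataset", "datarep"))

if __name__ == "__main__":
    predicted = expected_warnings(FIREWALL_RULES)
    seen = observed_warnings(LOAD_LOG)
    print("predicted:", predicted)
    print("observed: ", seen)
    print("missing / unexpected:", diff_warnings(predicted, seen))
```

In practice, feed `observed_warnings()` the stderr of `suricata -T` against the firewall rule file; once a keyword is opted in upstream, it shows up in the "predicted but not seen" half of `diff_warnings()`, which is the cue to drop it from `UNVALIDATED_VALUE_KEYWORDS`.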