Feature #8394

open

Task #8388: firewall: support protocol hooks for all app-layer protocols

firewall: support NTP hook states for firewall rule evaluation

Added by Yash Datre 4 days ago. Updated 3 days ago.

Status: New
Priority: High

Description

NTP is a fundamental network protocol present in virtually all environments. In Suricata 8.0.4, NTP app-layer hook states are not registered for firewall mode. Attempting to use any ntp:* hook in a firewall rule fails with the error: "protocol ntp does not support hook".

Without NTP hooks, NTP traffic on UDP port 123 can only be controlled at the packet layer. While packet-layer rules (accept:hook udp:all any any <> any 123) can accept NTP packets, the app-layer parser still engages and the flow may be subject to default_app_policy behavior. Registering NTP hooks would allow the firewall engine to make explicit accept/drop decisions at the application layer, consistent with how other protocols (DNS, TLS, HTTP1) are handled.

Potential NTP states:
  • Client request sent
  • Server response received
  • Synchronized
  • Kiss-o'-Death received
  • Unsynchronized
  • Symmetric active/passive
  • Broadcast mode

These states should be mapped to firewall hook points. At minimum, a request/response pair would enable basic firewall control. Additional hooks for Kiss-o'-Death and broadcast mode would allow more granular policy enforcement.
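Every state in the list above is derived from fields of the 48-byte NTP header (mode, leap indicator, stratum and the reference identifier), so a parser that wants to expose them as hooks mostly needs to read those fields. The following is an added illustration, not code from this issue and not Suricata's own NTP parser (which is written in Rust): a minimal NTPv4 header parser per RFC 5905 that maps each packet onto the candidate states from the description, plus a toy model of the accept-or-default decision a firewall engine would make once such hooks exist. The state names, the `decide` helper, the `default_policy` argument and the sample packets are constructed for this example; they are not the hook names or the evaluation logic Suricata will register.

```python
"""Classify NTP packets into the app-layer states proposed in the issue.

Added example: a minimal NTPv4 header parser (RFC 5905) that maps each
packet onto the hook states listed in the description. It is not
Suricata's NTP parser, and the state names are illustrative only.
"""
import struct

NTP_HEADER_LEN = 48
# LI/VN/mode, stratum, poll, precision, root delay, root dispersion,
# reference id (4 raw bytes), then four 64-bit timestamps.
NTP_HEADER_FMT = "!BBbbII4sQQQQ"

MODE_SYMMETRIC_ACTIVE = 1
MODE_SYMMETRIC_PASSIVE = 2
MODE_CLIENT = 3
MODE_SERVER = 4
MODE_BROADCAST = 5
LEAP_UNSYNC = 3       # leap indicator 3: clock not synchronized
STRATUM_UNSYNC = 16   # stratum 16: unsynchronized (RFC 5905, figure 11)


def parse_ntp_header(data):
    """Parse the fixed 48-byte NTP header; raise ValueError on short input."""
    if len(data) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet (%d bytes)" % len(data))
    (flags, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_ts, orig_ts, recv_ts, xmit_ts) = struct.unpack(NTP_HEADER_FMT, data[:NTP_HEADER_LEN])
    return {
        "leap": flags >> 6,
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "root_delay": root_delay,
        "root_dispersion": root_disp,
        "ref_id": ref_id,  # 4 raw bytes; an ASCII kiss code when stratum == 0
        "reference_ts": ref_ts,
        "origin_ts": orig_ts,
        "receive_ts": recv_ts,
        "transmit_ts": xmit_ts,
    }


def kiss_code(hdr):
    """Return the Kiss-o'-Death code (e.g. 'RATE') of a stratum-0 server reply, else None."""
    if hdr["mode"] == MODE_SERVER and hdr["stratum"] == 0:
        return hdr["ref_id"].decode("ascii", errors="replace")
    return None


def ntp_states(hdr):
    """Map a parsed header onto the candidate hook states from the issue.

    Returns a list because one packet can satisfy several states at once:
    a KoD is a server response that also signals an unsynchronized source.
    """
    mode = hdr["mode"]
    states = []
    if mode == MODE_CLIENT:
        states.append("request")
    elif mode == MODE_SERVER:
        states.append("response")
        if kiss_code(hdr) is not None:
            states.append("kiss_of_death")
        if hdr["leap"] == LEAP_UNSYNC or hdr["stratum"] in (0, STRATUM_UNSYNC):
            states.append("unsynchronized")
        else:
            states.append("synchronized")
    elif mode in (MODE_SYMMETRIC_ACTIVE, MODE_SYMMETRIC_PASSIVE):
        states.append("symmetric")
    elif mode == MODE_BROADCAST:
        states.append("broadcast")
    else:
        states.append("other")  # control (6), private (7), reserved (0)
    return states


def decide(states, accepted_states, default_policy="drop"):
    """Toy model (assumption, not Suricata's engine): accept when some state has
    an accept rule, otherwise apply the default app-layer policy. With no NTP
    hooks registered, accepted_states is empty and every packet gets the default."""
    return "accept" if set(states) & set(accepted_states) else default_policy


def build_ntp(mode, stratum=0, leap=0, version=4, ref_id=b"\x00\x00\x00\x00"):
    """Build a constructed 48-byte NTP header for testing; not captured traffic."""
    flags = (leap << 6) | (version << 3) | mode
    return struct.pack(NTP_HEADER_FMT, flags, stratum, 6, -20, 0, 0, ref_id, 0, 0, 0, 0)


# Constructed samples (not captured traffic) covering the states from the issue.
SAMPLES = {
    "client_request": build_ntp(MODE_CLIENT),
    "server_response": build_ntp(MODE_SERVER, stratum=2, ref_id=b"\x0a\x00\x00\x01"),
    "kiss_of_death": build_ntp(MODE_SERVER, stratum=0, leap=LEAP_UNSYNC, ref_id=b"RATE"),
    "broadcast": build_ntp(MODE_BROADCAST, stratum=2),
    "symmetric_active": build_ntp(MODE_SYMMETRIC_ACTIVE, stratum=3),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        hdr = parse_ntp_header(pkt)
        states = ntp_states(hdr)
        print("%-16s mode=%d stratum=%-2d states=%-35s -> %s" % (
            name, hdr["mode"], hdr["stratum"], ",".join(states),
            decide(states, ["request", "response"])))
```

Running the script shows why a request/response pair is the minimum useful hook set: with only those two states accepted, the broadcast and symmetric samples fall through to the default policy, which is the granularity argument the description makes for the extra Kiss-o'-Death and broadcast hooks.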

Actions #1

Updated by Victor Julien 3 days ago

  • Tracker changed from Bug to Feature
  • Subject changed from Firewall mode: Register NTP hook states for firewall rule evaluation to firewall: support NTP hook states for firewall rule evaluation
  • Assignee set to OISF Dev
  • Priority changed from Normal to High
  • Target version changed from TBD to 9.0.0-beta1
  • Affected Versions deleted (8.0.4)
Actions #2

Updated by Victor Julien 3 days ago

  • Parent task set to #8388