Feature #8480
closedfirewall: allow specifying multiple actions
Description
Currently a rule that should accept and log, should do something like
accept:packet ... (alert; ...)
It would be clearer if the actions are grouped together in the "action" field.
E.g. something like
accept,log:packet
Some other options:
{accept,log}:packet
accept:flow,log:packet
(accept|alert):packet
Not sure which syntax makes most sense. One thing to consider is if an action like accept is applied to the flow, should alert (or log) also be applied to the flow? Or just trigger once?
VJ Updated by Victor Julien 2 months ago
- Related to Feature #8479: eve/firewall: dedicated log record type added
- Related to Feature #7701: firewall: configurable default policies added
VJ Updated by Victor Julien 2 months ago
This could turn the ideas of accept:pass_flow into a bit cleaner solution, I think. accept,pass:flow would apply accept and pass to the flow. This would keep actions and scope more cleanly defined.
VJ Updated by Victor Julien about 2 months ago
- Status changed from New to In Progress
- Assignee set to Victor Julien
- Target version changed from TBD to 9.0.0-beta1
VJ Updated by Victor Julien about 2 months ago
- Status changed from In Progress to In Review
https://github.com/OISF/suricata/pull/15300 implements the list approach:
accept:flow,pass:flow,alert accept:flow,alert
Still to do: more testing and the same for the packet filter table.
VJ Updated by Victor Julien about 1 month ago
- Status changed from In Review to Resolved
VJ Updated by Victor Julien about 1 month ago
- Label Needs backport to 8.0 added
OT Updated by OISF Ticketbot about 1 month ago
- Subtask #8572 added
OT Updated by OISF Ticketbot about 1 month ago
- Label deleted (
Needs backport to 8.0)
JL Updated by Jamie Lavigne 16 days ago
Are there restrictions on what combinations of actions are allowed? I'm trying to reason about what e.g. accept:hook,pass:flow would mean. The rest of this flow would bypass TD, but still be subject to firewall accepting the next hooks?
What about something like an accept:hook,pass:packet rule followed by an accept:flow on that connection? Would TD see that connection starting somewhere in the middle, since the earlier packets bypassed it?
VJ Updated by Victor Julien 4 days ago
Jamie Lavigne wrote in #note-10:
Are there restrictions on what combinations of actions are allowed? I'm trying to reason about what e.g.
accept:hook,pass:flowwould mean. The rest of this flow would bypass TD, but still be subject to firewall accepting the next hooks?What about something like an
accept:hook,pass:packetrule followed by anaccept:flowon that connection? Would TD see that connection starting somewhere in the middle, since the earlier packets bypassed it?
Yes, right now the scopes need to be the same. So you can mix accept:flow with pass:flow, but not with pass:packet.
VJ Updated by Victor Julien 4 days ago
- Status changed from Resolved to Closed