Actions
Feature #8480
open
VJ
VJ
firewall: allow specifying multiple actions
Feature #8480:
firewall: allow specifying multiple actions
Effort:
Difficulty:
Label:
Description
Currently a rule that should accept and log, should do something like
accept:packet ... (alert; ...)
It would be clearer if the actions are grouped together in the "action" field.
E.g. something like
accept,log:packet
Some other options:
{accept,log}:packet
accept:flow,log:packet
(accept|alert):packet
Not sure which syntax makes most sense. One thing to consider is if an action like accept is applied to the flow, should alert (or log) also be applied to the flow? Or just trigger once?
VJ Updated by Victor Julien about 2 months ago
- Related to Feature #8479: eve/firewall: dedicated log record type added
- Related to Feature #7701: firewall: configurable default policies added
VJ Updated by Victor Julien about 2 months ago
This could turn the ideas of accept:pass_flow into a bit cleaner solution, I think. accept,pass:flow would apply accept and pass to the flow. This would keep actions and scope more cleanly defined.
JI Updated by Jason Ish about 1 month ago
- Related to Bug #8444: firewall: accept:flow at app-layer hook bypasses app:td (IDS/IPS) evaluation added
VJ Updated by Victor Julien about 1 month ago
- Status changed from New to In Progress
- Assignee set to Victor Julien
- Target version changed from TBD to 9.0.0-beta1
VJ Updated by Victor Julien 30 days ago
- Status changed from In Progress to In Review
https://github.com/OISF/suricata/pull/15300 implements the list approach:
accept:flow,pass:flow,alert accept:flow,alert
Still to do: more testing and the same for the packet filter table.
VJ Updated by Victor Julien 14 days ago
- Status changed from In Review to Resolved
VJ Updated by Victor Julien 13 days ago
- Label Needs backport to 8.0 added
OT Updated by OISF Ticketbot 13 days ago
- Subtask #8572 added
OT Updated by OISF Ticketbot 13 days ago
- Label deleted (
Needs backport to 8.0)
Actions