Actions
Feature #8480
open
VJ
VJ
firewall: allow specifying multiple actions
Feature #8480:
firewall: allow specifying multiple actions
Effort:
Difficulty:
Label:
Description
Currently a rule that should accept and log, should do something like
accept:packet ... (alert; ...)
It would be clearer if the actions are grouped together in the "action" field.
E.g. something like
accept,log:packet
Some other options:
{accept,log}:packet
accept:flow,log:packet
(accept|alert):packet
Not sure which syntax makes most sense. One thing to consider is if an action like accept is applied to the flow, should alert (or log) also be applied to the flow? Or just trigger once?
VJ Updated by Victor Julien 22 days ago
- Related to Feature #8479: eve/firewall: dedicated log record type added
- Related to Feature #7701: firewall: configurable default policies added
VJ Updated by Victor Julien 22 days ago
This could turn the ideas of accept:pass_flow into a bit cleaner solution, I think. accept,pass:flow would apply accept and pass to the flow. This would keep actions and scope more cleanly defined.
VJ Updated by Victor Julien 7 days ago
- Status changed from New to In Progress
- Assignee set to Victor Julien
- Target version changed from TBD to 9.0.0-beta1
VJ Updated by Victor Julien 6 days ago
- Status changed from In Progress to In Review
https://github.com/OISF/suricata/pull/15300 implements the list approach:
accept:flow,pass:flow,alert accept:flow,alert
Still to do: more testing and the same for the packet filter table.
Actions