Actions
Bug #8645
open
VJ
VJ
firewall: accept-prior states logic doesn't work for built-in hooks
Bug #8645:
firewall: accept-prior states logic doesn't work for built-in hooks
Affected Versions:
Effort:
Difficulty:
Label:
Description
From https://redmine.openinfosecfoundation.org/issues/8472#note-13, this appears to be related to the code not handling < for the built-in hook names request_complete etc:
Found an edge case:
accept:flow dns:<request_complete/dns:<response_complete(the auto-accept-prior-hooks<syntax applied to DNS) corrupts thepacket:filtertable, causing ALL packets to be dropped by the default packet policy — even though packet-layer accept rules are present and loaded.
The same ruleset with explicit per-state DNS rules (no
<) works (test-23). TLS<and HTTP<together work fine; the bug is specific to DNS (registered for both TCP and UDP).
Evidence: suricata-verify test https://github.com/OISF/suricata-verify/pull/3146 — fails with:
Sub test #1: FAIL: expected 3 alerts sid:102, got 0 Sub test #3: FAIL: expected 0 drops "firewall default packet policy", got 8 PASSED: 0 FAILED: 1
OT Updated by OISF Ticketbot 2 days ago
- Subtask #8646 added
OT Updated by OISF Ticketbot 2 days ago
- Label deleted (
Needs backport to 8.0)
VJ Updated by Victor Julien 2 days ago
- Related to Feature #8472: firewall: Auto-Accept Prior States syntax for firewall mode intent rules added
VJ Updated by Victor Julien 2 days ago
- Status changed from In Progress to In Review
VJ Updated by Victor Julien about 23 hours ago
- Status changed from In Review to Resolved
Actions