Bug #8698: firewall: non-sequential tx causes issues

Added by Victor Julien 2 days ago. Updated about 9 hours ago.

Status: In Review
Priority: High

Description

When non-sequential transactions are used (e.g. in http/2), the "apply to packet" logic fails in certain conditions. In the detection engine there is a lot of logic that hangs off the idea of a transaction being the last transaction. If this is the case, accept:hook or accept:tx will also be applied to the packet. However, in these non-sequential tx spaces we might have a later tx that is not "updated", so it is skipped for inspection. This also means that the "last tx" logic is not triggered.

Can think of several possible solutions:
  1. when determining if a tx "is_last" we can scan the list for inactive txs. This would be a linear scan though, so not ideal.
  2. instead of trying to determine per tx if actions should be applied to the packet, delay this determination until the last tx has been processed. More intrusive change, but avoids the linear scan.
  3. still process (somewhat) each inactive (so non-updated) tx. It would then do just enough for that tx to apply accept:hook/accept:tx to the packet.
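The following is an added illustration of the failure mode described above and of solution options 1 and 2; it is not Suricata code. The tx struct, the fixed per-tx verdict, the "final slot of the list" definition of is_last, and the two sample tx lists are all assumptions made for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed, simplified model of a per-flow transaction list. This is an
 * illustration of the bug report, not Suricata's data structures. */
enum action { ACTION_NONE = 0, ACTION_ACCEPT = 1 };

struct tx {
    unsigned id;         /* tx id; gaps are normal for non-sequential protocols */
    bool updated;        /* touched by the current packet -> eligible for inspection */
    enum action verdict; /* what inspecting this tx would yield (constructed) */
};

/* Naive per-tx decision: "is_last" means "occupies the final slot of the list".
 * Inactive (not updated) txs are skipped before that check runs, so when the
 * final slot holds an inactive tx the last-tx logic never fires for the packet. */
static enum action apply_per_tx(const struct tx *txs, size_t n)
{
    enum action pkt = ACTION_NONE;
    for (size_t i = 0; i < n; i++) {
        if (!txs[i].updated)
            continue;                  /* skipped for inspection */
        bool is_last = (i + 1 == n);
        if (is_last && txs[i].verdict == ACTION_ACCEPT)
            pkt = ACTION_ACCEPT;       /* accept:tx / accept:hook reaches the packet */
    }
    return pkt;
}

/* Option 1: a tx is also "last" when every tx after it is inactive.
 * Correct, but costs a linear scan of the tail for each inspected tx. */
static bool is_last_scan(const struct tx *txs, size_t n, size_t i)
{
    for (size_t j = i + 1; j < n; j++)
        if (txs[j].updated)
            return false;
    return true;
}

static enum action apply_with_scan(const struct tx *txs, size_t n)
{
    enum action pkt = ACTION_NONE;
    for (size_t i = 0; i < n; i++) {
        if (!txs[i].updated)
            continue;
        if (is_last_scan(txs, n, i) && txs[i].verdict == ACTION_ACCEPT)
            pkt = ACTION_ACCEPT;
    }
    return pkt;
}

/* Option 2: do not decide per tx at all. Remember the verdict of the most
 * recently inspected tx and apply it once the loop is done; no scan needed. */
static enum action apply_deferred(const struct tx *txs, size_t n)
{
    enum action last_verdict = ACTION_NONE;
    for (size_t i = 0; i < n; i++) {
        if (!txs[i].updated)
            continue;
        last_verdict = txs[i].verdict; /* overwritten by each later inspected tx */
    }
    return last_verdict;
}

/* Constructed sample: HTTP/2-like list where the final slot (stream 5) was not
 * touched by this packet, but stream 3 was and matched an accept rule. */
static const struct tx sample_nonseq[] = {
    { 1, true,  ACTION_ACCEPT },
    { 3, true,  ACTION_ACCEPT },
    { 5, false, ACTION_NONE   },
};

/* Control: strictly sequential list whose final slot was updated. */
static const struct tx sample_seq[] = {
    { 1, true, ACTION_ACCEPT },
    { 2, true, ACTION_ACCEPT },
};

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    printf("non-sequential: per-tx=%d scan=%d deferred=%d\n",
           apply_per_tx(sample_nonseq, LEN(sample_nonseq)),
           apply_with_scan(sample_nonseq, LEN(sample_nonseq)),
           apply_deferred(sample_nonseq, LEN(sample_nonseq)));
    printf("sequential:     per-tx=%d scan=%d deferred=%d\n",
           apply_per_tx(sample_seq, LEN(sample_seq)),
           apply_with_scan(sample_seq, LEN(sample_seq)),
           apply_deferred(sample_seq, LEN(sample_seq)));
    return 0;
}
```

On the sequential control list all three variants agree. On the non-sequential list the naive variant returns no action for the packet, because the only tx in the final slot is inactive and is skipped before the is_last check, while both the tail scan (option 1) and the deferred decision (option 2) apply the accept. Option 2 avoids the scan but moves the point at which the packet-level action is decided to after the tx loop, which is the more intrusive change the description refers to. Option 3 (partially processing inactive txs) is not modelled here.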

#1 Updated by Victor Julien 2 days ago

  • Description updated

#2 Updated by Shivani Bhardwaj 2 days ago

Not sure if ideal here, but maybe the problem of

  when determining if a tx "is_last" we can scan the list for inactive txs. This would be a linear scan though, so not ideal

could possibly be solved by active reshuffling of large tx lists, always keeping inactive txs at the end of the list and accessing the list from the rear end until an active tx is found.

#3 Updated by Victor Julien about 19 hours ago

  • Status changed from Assigned to In Progress

#4 Updated by Victor Julien about 9 hours ago

  • Status changed from In Progress to In Review