Bug #8698
open
VJ
firewall: non-sequential tx causes issues
Description
When non-sequential transactions are used (e.g. in http/2) the "apply to packet" logic fails in certain conditions. In the detection engine there is a lot of logic that hangs off the idea of a transaction being the last transaction. If this is the case, accept:hook or accept:tx will also be applied to the packet. However, in these non-sequential tx spaces we might have a later tx that is not "updated", so it is skipped for inspection. This also means that the "last tx" logic is not triggered.
Can think of several possible solutions:
- when determining if a tx "is_last" we can scan the list for inactive txs. This would be a linear scan though, so not ideal
- instead of trying to determine per tx if actions should be applied to the packet, delay this determination until the last tx has been processed. More intrusive change but avoids the linear scan
- still process (somewhat) each inactive (so non-updated) tx. It would then do just enough for that tx to apply accept:hook/accept:tx to the packet.
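The failure mode in the description, and the three candidate fixes, as an added model in C. This is example code written for this page, not Suricata code: the `Tx`/`Flow` structs, the `inspect_*` functions and the constructed two-tx scenarios are assumptions that only capture the control flow the report describes (inactive txs are skipped before the "last tx" branch, and that branch is the only place a tx-level accept reaches the packet). The "deferred" variant also simplifies the packet verdict to "any inspected tx was accepted".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of per-packet tx inspection (not Suricata's data structures). */
typedef struct Tx {
    unsigned id;
    bool updated;    /* tx got new data with this packet; only such txs are inspected */
    bool accept_tx;  /* a rule with accept:tx (or accept:hook) matched on this tx */
} Tx;

typedef struct Flow {
    const Tx *txs;
    size_t n;        /* txs[n-1] is the last tx in the list */
} Flow;

typedef bool (*InspectFn)(const Flow *);

/* Current logic as described in the report: the accept verdict is only
 * transferred to the packet by the "last tx" branch, and a tx that is not
 * updated is skipped before that branch can run. */
static bool inspect_current(const Flow *f)
{
    bool pending = false, applied = false;
    for (size_t i = 0; i < f->n; i++) {
        const Tx *tx = &f->txs[i];
        if (!tx->updated)
            continue;                     /* inactive tx: skipped entirely */
        if (tx->accept_tx)
            pending = true;               /* inspection result for this tx */
        if (i == f->n - 1 && pending)
            applied = true;               /* "last tx" logic applies it to the packet */
    }
    return applied;
}

/* Option 1: a tx also counts as last when every later tx is inactive.
 * Correct, but a linear scan of the remaining list per inspected tx. */
static bool later_txs_inactive(const Flow *f, size_t i)
{
    for (size_t j = i + 1; j < f->n; j++)
        if (f->txs[j].updated)
            return false;
    return true;
}

static bool inspect_scan_for_last(const Flow *f)
{
    bool pending = false, applied = false;
    for (size_t i = 0; i < f->n; i++) {
        const Tx *tx = &f->txs[i];
        if (!tx->updated)
            continue;
        if (tx->accept_tx)
            pending = true;
        if (later_txs_inactive(f, i) && pending)
            applied = true;
    }
    return applied;
}

/* Option 2: no per-tx decision at all; apply the accumulated verdict once the
 * whole list has been walked. No scan, but the verdict leaves the per-tx loop. */
static bool inspect_deferred(const Flow *f)
{
    bool pending = false;
    for (size_t i = 0; i < f->n; i++)
        if (f->txs[i].updated && f->txs[i].accept_tx)
            pending = true;
    return pending;                       /* decided after the last tx */
}

/* Option 3: inactive txs are not inspected, but still pass through the
 * "last tx" branch so it can transfer the pending verdict to the packet. */
static bool inspect_minimal_inactive(const Flow *f)
{
    bool pending = false, applied = false;
    for (size_t i = 0; i < f->n; i++) {
        const Tx *tx = &f->txs[i];
        if (tx->updated && tx->accept_tx) /* full inspection only when updated */
            pending = true;
        if (i == f->n - 1 && pending)     /* runs for an inactive last tx as well */
            applied = true;
    }
    return applied;
}

/* Constructed scenario from the report: tx 1 is updated by this packet and a
 * rule accepts it, while a later tx 3 exists but receives no data. */
static bool scenario_nonsequential(InspectFn fn)
{
    static const Tx txs[] = { { 1, true, true }, { 3, false, false } };
    Flow f = { txs, sizeof txs / sizeof txs[0] };
    return fn(&f);
}

/* Sequential case: the accepted tx is also the last one; all variants agree. */
static bool scenario_sequential(InspectFn fn)
{
    static const Tx txs[] = { { 1, false, false }, { 2, true, true } };
    Flow f = { txs, sizeof txs / sizeof txs[0] };
    return fn(&f);
}

int main(void)
{
    printf("non-sequential: current=%d scan=%d deferred=%d minimal=%d\n",
           scenario_nonsequential(inspect_current),
           scenario_nonsequential(inspect_scan_for_last),
           scenario_nonsequential(inspect_deferred),
           scenario_nonsequential(inspect_minimal_inactive));
    return 0;
}
```

Running it shows the current logic leaving the packet unaccepted in the non-sequential case while all three options accept it, and all four agreeing in the sequential case. The model makes the trade-off visible: option 1 keeps the per-tx structure at the cost of the inner scan, option 2 removes the scan by moving the verdict out of the loop, option 3 keeps both but means inactive txs are no longer skipped outright.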