From 4e6f9e4a91a2204560cf6361d31148aa52ce2420 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 17 Oct 2025 12:16:48 +0200
Subject: [PATCH] exception-policy: add 'reject-both' option

Allow rejecting both sides of a connection. Has the same support as regular reject (which is essentially rejectsrc).

Ticket: #5974.

(cherry picked from commit 4905f38470ab3425f0fff48927b05a34cda2f85f)
---
 etc/schema.json | 4 ++++
 src/app-layer.c | 2 ++
 src/decode.c | 4 ++++
 src/stream-tcp.c | 8 ++++++++
 src/util-exception-policy-types.h | 5 +++--
 src/util-exception-policy.c | 15 +++++++++++++--
 6 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/etc/schema.json b/etc/schema.json
index baae95d31e..4417bef686 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -5974,6 +5974,10 @@
 "reject": {
 "type": "integer",
 "minimum": 0
+ },
+ "reject_both": {
+ "type": "integer",
+ "minimum": 0
 }
 }
 }
diff --git a/src/app-layer.c b/src/app-layer.c
index 05523ddaf7..6f8e139e9d 100644
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -114,6 +114,7 @@ ExceptionPolicyStatsSetts app_layer_error_eps_stats = {
 /* EXCEPTION_POLICY_DROP_PACKET */ false,
 /* EXCEPTION_POLICY_DROP_FLOW */ false,
 /* EXCEPTION_POLICY_REJECT */ true,
+ /* EXCEPTION_POLICY_REJECT_BOTH */ true,
 },
 .valid_settings_ips = {
 /* EXCEPTION_POLICY_NOT_SET */ false,
@@ -124,6 +125,7 @@ ExceptionPolicyStatsSetts app_layer_error_eps_stats = {
 /* EXCEPTION_POLICY_DROP_PACKET */ true,
 /* EXCEPTION_POLICY_DROP_FLOW */ true,
 /* EXCEPTION_POLICY_REJECT */ true,
+ /* EXCEPTION_POLICY_REJECT_BOTH */ true,
 },
 };
 // clang-format on
diff --git a/src/decode.c b/src/decode.c
index 733f9492c6..9cc96a7218 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -92,6 +92,7 @@ ExceptionPolicyStatsSetts defrag_memcap_eps_stats = {
 /* EXCEPTION_POLICY_DROP_PACKET */ false,
 /* EXCEPTION_POLICY_DROP_FLOW */ false,
 /* EXCEPTION_POLICY_REJECT */ true,
+ /* EXCEPTION_POLICY_REJECT_BOTH */ true,
 },
 .valid_settings_ips = {
 /* EXCEPTION_POLICY_NOT_SET */ false,
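Review bot: The added `/* EXCEPTION_POLICY_REJECT_BOTH */ true,` row in app_layer_error_eps_stats is tied to the new enumerator only by its position in the brace initializer, so it stays correct only while the row order tracks enum ExceptionPolicy; the same holds for the rows added in the decode.c and stream-tcp.c hunks. A designated index, `[EXCEPTION_POLICY_REJECT_BOTH] = true,`, would let the compiler enforce that mapping, but since the surrounding rows use the comment convention, converting only the new row would be inconsistent, so that is a whole-table follow-up rather than a change to this hunk. Separately, any ExceptionPolicyStatsSetts initializer this commit does not touch presumably gets the new slot zero-initialized to false, which would silently disable the reject_both counter for that scenario; worth confirming no such table exists outside the three files in the diffstat. Both app_layer_error_eps_stats hunks sit inside an initializer that starts before the hunk.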
@@ -102,6 +103,7 @@ ExceptionPolicyStatsSetts defrag_memcap_eps_stats = {
 /* EXCEPTION_POLICY_DROP_PACKET */ true,
 /* EXCEPTION_POLICY_DROP_FLOW */ false,
 /* EXCEPTION_POLICY_REJECT */ true,
+ /* EXCEPTION_POLICY_REJECT_BOTH */ true,
 },
 };
 // clang-format on
@@ -118,6 +120,7 @@ ExceptionPolicyStatsSetts flow_memcap_eps_stats = {
 /* EXCEPTION_POLICY_DROP_PACKET */ false,
 /* EXCEPTION_POLICY_DROP_FLOW */ false,
 /* EXCEPTION_POLICY_REJECT */ true,
+ /* EXCEPTION_POLICY_REJECT_BOTH */ true,
 },
 .valid_settings_ips = {
 /* EXCEPTION_POLICY_NOT_SET */ false,
@@ -128,6 +131,7 @@ ExceptionPolicyStatsSetts flow_memcap_eps_stats = {
 /* EXCEPTION_POLICY_DROP_PACKET */ true,
 /* EXCEPTION_POLICY_DROP_FLOW */ false,
 /* EXCEPTION_POLICY_REJECT */ true,
+ /* EXCEPTION_POLICY_REJECT_BOTH */ true,
 },
 };
 // clang-format on
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 4312bf20e9..ccb729c07b 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -102,6 +102,7 @@ ExceptionPolicyStatsSetts stream_memcap_eps_stats = {
 /* EXCEPTION_POLICY_DROP_PACKET */ false,
 /* EXCEPTION_POLICY_DROP_FLOW */ false,
 /* EXCEPTION_POLICY_REJECT */ true,
+ /* EXCEPTION_POLICY_REJECT_BOTH */ true,
 },
 .valid_settings_ips = {
 /* EXCEPTION_POLICY_NOT_SET */ false,
@@ -112,6 +113,7 @@ ExceptionPolicyStatsSetts stream_memcap_eps_stats = {
 /* EXCEPTION_POLICY_DROP_PACKET */ true,
 /* EXCEPTION_POLICY_DROP_FLOW */ true,
 /* EXCEPTION_POLICY_REJECT */ true,
+ /* EXCEPTION_POLICY_REJECT_BOTH */ true,
 },
 };
 // clang-format on
@@ -128,6 +130,7 @@ ExceptionPolicyStatsSetts stream_reassembly_memcap_eps_stats = {
 /* EXCEPTION_POLICY_DROP_PACKET */ false,
 /* EXCEPTION_POLICY_DROP_FLOW */ false,
 /* EXCEPTION_POLICY_REJECT */ true,
+ /* EXCEPTION_POLICY_REJECT_BOTH */ true,
 },
 .valid_settings_ips = {
 /* EXCEPTION_POLICY_NOT_SET */ false,
@@ -138,6 +141,7 @@ ExceptionPolicyStatsSetts stream_reassembly_memcap_eps_stats = {
 /* EXCEPTION_POLICY_DROP_PACKET */ true,
 /* EXCEPTION_POLICY_DROP_FLOW */ true,
 /* EXCEPTION_POLICY_REJECT */ true,
+ /* EXCEPTION_POLICY_REJECT_BOTH */ true,
 },
 };
 // clang-format on
@@ -154,6 +158,7 @@ ExceptionPolicyStatsSetts stream_midstream_enabled_eps_stats = {
 /* EXCEPTION_POLICY_DROP_PACKET */ false,
 /* EXCEPTION_POLICY_DROP_FLOW */ false,
 /* EXCEPTION_POLICY_REJECT */ false,
+ /* EXCEPTION_POLICY_REJECT_BOTH */ false,
 },
 .valid_settings_ips = {
 /* EXCEPTION_POLICY_NOT_SET */ false,
@@ -164,6 +169,7 @@ ExceptionPolicyStatsSetts stream_midstream_enabled_eps_stats = {
 /* EXCEPTION_POLICY_DROP_PACKET */ false,
 /* EXCEPTION_POLICY_DROP_FLOW */ false,
 /* EXCEPTION_POLICY_REJECT */ false,
+ /* EXCEPTION_POLICY_REJECT_BOTH */ false,
 },
 };
 // clang-format on
@@ -180,6 +186,7 @@ ExceptionPolicyStatsSetts stream_midstream_disabled_eps_stats = {
 /* EXCEPTION_POLICY_DROP_PACKET */ false,
 /* EXCEPTION_POLICY_DROP_FLOW */ false,
 /* EXCEPTION_POLICY_REJECT */ true,
+ /* EXCEPTION_POLICY_REJECT_BOTH */ true,
 },
 .valid_settings_ips = {
 /* EXCEPTION_POLICY_NOT_SET */ false,
@@ -190,6 +197,7 @@ ExceptionPolicyStatsSetts stream_midstream_disabled_eps_stats = {
 /* EXCEPTION_POLICY_DROP_PACKET */ false,
 /* EXCEPTION_POLICY_DROP_FLOW */ true,
 /* EXCEPTION_POLICY_REJECT */ true,
+ /* EXCEPTION_POLICY_REJECT_BOTH */ true,
 },
 };
 // clang-format on
diff --git a/src/util-exception-policy-types.h b/src/util-exception-policy-types.h
index 6bdfc158c2..a3a5308416 100644
--- a/src/util-exception-policy-types.h
+++ b/src/util-exception-policy-types.h
@@ -30,10 +30,11 @@ enum ExceptionPolicy {
 EXCEPTION_POLICY_BYPASS_FLOW,
 EXCEPTION_POLICY_DROP_PACKET,
 EXCEPTION_POLICY_DROP_FLOW,
- EXCEPTION_POLICY_REJECT,
+ EXCEPTION_POLICY_REJECT, /**< reject src */
+ EXCEPTION_POLICY_REJECT_BOTH /**< reject both src and dest */
 };
-#define EXCEPTION_POLICY_MAX EXCEPTION_POLICY_REJECT + 1
+#define EXCEPTION_POLICY_MAX (EXCEPTION_POLICY_REJECT_BOTH + 1)
 
 /* Max length = possible exception policy scenarios + counter names
 * + exception policy type. E.g.:
diff --git a/src/util-exception-policy.c b/src/util-exception-policy.c
index e186ddbe77..25cba3be72 100644
--- a/src/util-exception-policy.c
+++ b/src/util-exception-policy.c
@@ -48,6 +48,8 @@ const char *ExceptionPolicyEnumToString(enum ExceptionPolicy policy, bool is_jso
 return "reject";
 case EXCEPTION_POLICY_BYPASS_FLOW:
 return "bypass";
+ case EXCEPTION_POLICY_REJECT_BOTH:
+ return "reject_both";
 case EXCEPTION_POLICY_DROP_FLOW:
 return is_json ? "drop_flow" : "drop-flow";
 case EXCEPTION_POLICY_DROP_PACKET:
@@ -146,8 +148,14 @@ void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDro
 case EXCEPTION_POLICY_NOT_SET:
 break;
 case EXCEPTION_POLICY_REJECT:
- SCLogDebug("EXCEPTION_POLICY_REJECT");
- PacketDrop(p, ACTION_REJECT, drop_reason);
+ case EXCEPTION_POLICY_REJECT_BOTH:
+ if (policy == EXCEPTION_POLICY_REJECT) {
+ SCLogDebug("EXCEPTION_POLICY_REJECT");
+ PacketDrop(p, ACTION_REJECT, drop_reason);
+ } else {
+ SCLogDebug("EXCEPTION_POLICY_REJECT_BOTH");
+ PacketDrop(p, ACTION_REJECT_BOTH, drop_reason);
+ }
 if (!EngineModeIsIPS()) {
 break;
 }
@@ -207,6 +215,7 @@ static enum ExceptionPolicy PickPacketAction(const char *option, enum ExceptionP
 case EXCEPTION_POLICY_PASS_PACKET:
 break;
 case EXCEPTION_POLICY_REJECT:
+ case EXCEPTION_POLICY_REJECT_BOTH:
 break;
 case EXCEPTION_POLICY_NOT_SET:
 break;
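Review bot: The new last enumerator `EXCEPTION_POLICY_REJECT_BOTH /**< reject both src and dest */` drops the trailing comma that the removed `EXCEPTION_POLICY_REJECT,` line carried; keeping it, `EXCEPTION_POLICY_REJECT_BOTH, /**< reject both src and dest */`, matches the existing form and keeps the next addition a one-line diff. Parenthesizing the macro as `(EXCEPTION_POLICY_REJECT_BOTH + 1)` is a genuine improvement over the old unparenthesized `EXCEPTION_POLICY_REJECT + 1`, which could mis-expand inside a larger expression. Because EXCEPTION_POLICY_MAX grows by one, any `switch` on enum ExceptionPolicy without a `default` that is not updated will now warn under -Wswitch; this commit covers three switches in util-exception-policy.c, and I cannot see from here whether others exist.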
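Review bot: `return "reject_both";` is returned for both the JSON and the non-JSON form, whereas the neighbouring DROP_FLOW case returns `is_json ? "drop_flow" : "drop-flow"` and the keyword accepted by ExceptionPolicyConfigValueParse in the last hunk of this file is `reject-both`. Any log or config-dump path that calls ExceptionPolicyEnumToString(policy, false) will therefore print a name the parser rejects, so an operator copying it back into the config gets an error. Suggest `return is_json ? "reject_both" : "reject-both";` so the two spellings follow the same rule as the drop_* entries. ExceptionPolicyEnumToString starts before the hunk.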
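Review bot: Merging `case EXCEPTION_POLICY_REJECT:` and `case EXCEPTION_POLICY_REJECT_BOTH:` and then re-testing `policy` inside the shared body reads oddly, since the only difference between the two branches is the action passed to PacketDrop. The same effect with one call is `SCLogDebug("%s", ExceptionPolicyEnumToString(policy, false));` followed by `PacketDrop(p, policy == EXCEPTION_POLICY_REJECT ? ACTION_REJECT : ACTION_REJECT_BOTH, drop_reason);`, which keeps the IPS-mode tail below it unchanged and cannot drift if a third reject variant is added. ExceptionPolicyApply starts before the hunk and its body continues after it.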
@@ -232,6 +241,8 @@ static enum ExceptionPolicy ExceptionPolicyConfigValueParse(
 policy = EXCEPTION_POLICY_PASS_PACKET;
 } else if (strcmp(value_str, "reject") == 0) {
 policy = EXCEPTION_POLICY_REJECT;
+ } else if (strcmp(value_str, "reject-both") == 0) {
+ policy = EXCEPTION_POLICY_REJECT_BOTH;
 } else if (strcmp(value_str, "ignore") == 0) { // TODO name?
 policy = EXCEPTION_POLICY_NOT_SET;
 } else if (strcmp(value_str, "auto") == 0) {
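Review bot: The new `reject-both` keyword is accepted here, but the diffstat lists no change under doc/ or to the commented configuration template, so the user-facing list of exception-policy values still ends at `reject`. The documentation entry should state what the commit message says, that reject-both has exactly the same applicability as reject, and note the scenarios where it is disabled, e.g. the midstream-enabled stream scenario where the stream-tcp.c tables set it to false. ExceptionPolicyConfigValueParse starts before the hunk and continues after it.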