afpacket/netmap: warn about mixed ips, ids/tap deprecation

Suricata already logs if AF_PACKET or Netmap are running in a mixed IPS and IDS/TAP mode. As the behavior is undefined when these modes are mixed, it is best to deprecate and to not allow this behavior. For now warn that it will be unsupported and fail in Suricata 8. Ticket: 5587 (cherry picked from commit 0c00f28ebc)
4 years ago · e9a0ac187c
parent 10e3c151f6
commit e9a0ac187c
2 changed files with 6 additions and 2 deletions
--- a/src/runmode-af-packet.c
+++ b/src/runmode-af-packet.c
@ -764,7 +764,9 @@ int AFPRunModeIsIPS()
    }

    if (has_ids && has_ips) {
-        SCLogInfo("AF_PACKET mode using IPS and IDS mode");
+        SCLogWarning(SC_ERR_INVALID_ARGUMENT,
+                "AF_PACKET using both IPS and TAP/IDS mode, this will not "
+                "be allowed in Suricata 8 due to undefined behavior. See ticket #5588.");
        for (ldev = 0; ldev < nlive; ldev++) {
            const char *live_dev = LiveGetDeviceName(ldev);
            if (live_dev == NULL) {
--- a/src/runmode-netmap.c
+++ b/src/runmode-netmap.c
@ -420,7 +420,9 @@ int NetmapRunModeIsIPS()
    }

    if (has_ids && has_ips) {
-        SCLogInfo("Netmap mode using IPS and IDS mode");
+        SCLogWarning(SC_ERR_INVALID_ARGUMENT,
+                "Netmap using both IPS and TAP/IDS mode, this will not be "
+                "allowed in Suricata 8 due to undefined behavior. See ticket #5588.");
        for (ldev = 0; ldev < nlive; ldev++) {
            const char *live_dev = LiveGetDeviceName(ldev);
            if (live_dev == NULL) {