Engine mode fixes v1 #8681
Engine mode fixes v1 #8681
Conversation
Querying an engine mode with an unknown value signals a bug when the engine mode has not been determined but is already queried by other functions. Ticket: OISF#5959
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #8681 +/- ##
==========================================
- Coverage 81.87% 81.87% -0.01%
==========================================
Files 968 968
Lines 279014 279014
==========================================
- Hits 228449 228447 -2
- Misses 50565 50567 +2
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Information: ERROR: QA failed on IPS_AFP_drop_chk.
Pipeline 13021 |
| } | ||
| } | ||
| } | ||
| } | ||
|
|
||
| if (pfconf->bpf_filter != NULL && EngineModeIsIPS()) { |
There was a problem hiding this comment.
we don't support IPS for pfring
There was a problem hiding this comment.
removed the bpf_filter test from the condition but left the IPS test to stop user from running Suricata with PF_RING and IPS mode.
| @@ -2671,6 +2682,11 @@ int PostConfLoadedSetup(SCInstance *suri) | |||
| RunModeEngineIsIPS( | |||
| suricata.run_mode, suricata.runmode_custom_mode, suricata.capture_plugin_name); | |||
|
|
|||
| if (EngineModeIsUnknown()) { // if still uninitialized the set the default | |||
There was a problem hiding this comment.
No this is meant to ensure the default engine mode is set when it hasn't been set until now.
But the whole PR is about making sure that Suricata modules don't query engine mode while uninitialized.
If it is not initialized by other Suricata ways (e.g. config, command-line parameter) then set the default. But after this line, the engine mode (should) never change.
|
Continues in #8684 |
PR is a collection of:
PR fixes determination of engine mode. The main problem is that some parts of Suricata queries the state of the engine mode before it is determined. They are given the default engine mode state (IDS) while later Suricata determined IPS behavior. This then led to unwanted behavior in IPS mode.
BPF contained this issue but hasn't really affected Suricata. However, the policy settings did affect Suricata run in IPS mode. This has been tested in PRs #8668 and #8671. #8687 has moved the policy setting only after DeviceFinalization but still before engine mode evaluation. This PR has not triggered different behavior in the pipeline run. #8668 has moved the policy setting after the engine mode evaluation and the behavior of Suricata in IPS mode changed. The bug is also highlighted with the addition of unknown/uninitialized engine mode in combination with the BUG_ON macro.
IPS behavior deviation is expected and I suggest baseline adjustment.