backport: Engine mode fixes v7

src/runmode-af-packet.c

@@ -54,6 +54,7 @@
 #include "util-ioctl.h"
 #include "util-ebpf.h"
 #include "util-byte.h"
+#include "util-bpf.h"
 
 #include "source-af-packet.h"
 
@@ -118,7 +119,6 @@ static void *ParseAFPConfig(const char *iface)
     const char *copymodestr;
     intmax_t value;
     int boolval;
-    const char *bpf_filter = NULL;
     const char *out_iface = NULL;
     int cluster_type = PACKET_FANOUT_HASH;
     const char *ebpf_file = NULL;
@@ -157,14 +157,6 @@ static void *ParseAFPConfig(const char *iface)
     aconf->ebpf_t_config.cpus_count = UtilCpuGetNumProcessorsConfigured();
 #endif
 
-    if (ConfGet("bpf-filter", &bpf_filter) == 1) {
-        if (strlen(bpf_filter) > 0) {
-            aconf->bpf_filter = bpf_filter;
-            SCLogConfig("Going to use command-line provided bpf filter '%s'",
-                       aconf->bpf_filter);
-        }
-    }
-
     /* Find initial node */
     af_packet_node = ConfGetNode("af-packet");
     if (af_packet_node == NULL) {
@@ -370,16 +362,7 @@ static void *ParseAFPConfig(const char *iface)
                                        "tracking issues, use it at your own risk.");
     }
 
-    /*load af_packet bpf filter*/
-    /* command line value has precedence */
-    if (ConfGet("bpf-filter", &bpf_filter) != 1) {
-        if (ConfGetChildValueWithDefault(if_root, if_default, "bpf-filter", &bpf_filter) == 1) {
-            if (strlen(bpf_filter) > 0) {
-                aconf->bpf_filter = bpf_filter;
-                SCLogConfig("Going to use bpf filter %s", aconf->bpf_filter);
-            }
-        }
-    }
+    ConfSetBPFFilter(if_root, if_default, iface, &aconf->bpf_filter);
 
     if (ConfGetChildValueWithDefault(if_root, if_default, "ebpf-lb-file", &ebpf_file) != 1) {
         aconf->ebpf_lb_file = NULL;
@@ -719,7 +702,7 @@ static int AFPConfigGeThreadsCount(void *conf)
 
 int AFPRunModeIsIPS(void)
 {
-    int nlive = LiveGetDeviceCount();
+    int nlive = LiveGetDeviceNameCount();
     int ldev;
     ConfNode *if_root;
     ConfNode *if_default = NULL;
@@ -736,7 +719,7 @@ int AFPRunModeIsIPS(void)
     if_default = ConfNodeLookupKeyValue(af_packet_node, "interface", "default");
 
     for (ldev = 0; ldev < nlive; ldev++) {
-        const char *live_dev = LiveGetDeviceName(ldev);
+        const char *live_dev = LiveGetDeviceNameName(ldev);
         if (live_dev == NULL) {
             SCLogError(SC_ERR_INVALID_VALUE, "Problem with config file");
             return 0;
@@ -768,7 +751,7 @@ int AFPRunModeIsIPS(void)
                 "AF_PACKET using both IPS and TAP/IDS mode, this will not "
                 "be allowed in Suricata 8 due to undefined behavior. See ticket #5588.");
         for (ldev = 0; ldev < nlive; ldev++) {
-            const char *live_dev = LiveGetDeviceName(ldev);
+            const char *live_dev = LiveGetDeviceNameName(ldev);
             if (live_dev == NULL) {
                 SCLogError(SC_ERR_INVALID_VALUE, "Problem with config file");
                 return 0;

src/runmode-netmap.c

@@ -52,6 +52,7 @@
 #include "util-runmodes.h"
 #include "util-ioctl.h"
 #include "util-byte.h"
+#include "util-bpf.h"
 
 #if HAVE_NETMAP
 #define NETMAP_WITH_LIBS
@@ -142,15 +143,6 @@ static int ParseNetmapSettings(NetmapIfaceSettings *ns, const char *iface,
         ns->real = true;
     }
 
-    const char *bpf_filter = NULL;
-    if (ConfGet("bpf-filter", &bpf_filter) == 1) {
-        if (strlen(bpf_filter) > 0) {
-            ns->bpf_filter = bpf_filter;
-            SCLogInfo("Going to use command-line provided bpf filter '%s'",
-                    ns->bpf_filter);
-        }
-    }
-
     if (if_root == NULL && if_default == NULL) {
         SCLogInfo("Unable to find netmap config for "
                 "interface \"%s\" or \"default\", using default values",
@@ -181,16 +173,7 @@ static int ParseNetmapSettings(NetmapIfaceSettings *ns, const char *iface,
         }
     }
 
-    /* load netmap bpf filter */
-    /* command line value has precedence */
-    if (ns->bpf_filter == NULL) {
-        if (ConfGetChildValueWithDefault(if_root, if_default, "bpf-filter", &bpf_filter) == 1) {
-            if (strlen(bpf_filter) > 0) {
-                ns->bpf_filter = bpf_filter;
-                SCLogInfo("Going to use bpf filter %s", ns->bpf_filter);
-            }
-        }
-    }
+    ConfSetBPFFilter(if_root, if_default, iface, &ns->bpf_filter);
 
     int boolval = 0;
     (void)ConfGetChildValueBoolWithDefault(if_root, if_default, "disable-promisc", (int *)&boolval);
@@ -377,7 +360,7 @@ static int NetmapConfigGeThreadsCount(void *conf)
 
 int NetmapRunModeIsIPS(void)
 {
-    int nlive = LiveGetDeviceCount();
+    int nlive = LiveGetDeviceNameCount();
     int ldev;
     ConfNode *if_root;
     ConfNode *if_default = NULL;
@@ -394,7 +377,7 @@ int NetmapRunModeIsIPS(void)
     if_default = ConfNodeLookupKeyValue(netmap_node, "interface", "default");
 
     for (ldev = 0; ldev < nlive; ldev++) {
-        const char *live_dev = LiveGetDeviceName(ldev);
+        const char *live_dev = LiveGetDeviceNameName(ldev);
         if (live_dev == NULL) {
             SCLogError(SC_ERR_INVALID_VALUE, "Problem with config file");
             return 0;
@@ -426,7 +409,7 @@ int NetmapRunModeIsIPS(void)
                 "Netmap using both IPS and TAP/IDS mode, this will not be "
                 "allowed in Suricata 8 due to undefined behavior. See ticket #5588.");
         for (ldev = 0; ldev < nlive; ldev++) {
-            const char *live_dev = LiveGetDeviceName(ldev);
+            const char *live_dev = LiveGetDeviceNameName(ldev);
             if (live_dev == NULL) {
                 SCLogError(SC_ERR_INVALID_VALUE, "Problem with config file");
                 return 0;

src/runmode-pfring.c

@@ -23,6 +23,7 @@
 #include "source-pfring.h"
 #include "output.h"
 
+#include "util-bpf.h"
 #include "util-debug.h"
 #include "util-time.h"
 #include "util-cpu.h"
@@ -72,9 +73,6 @@ static void PfringDerefConfig(void *conf)
 {
     PfringIfaceConfig *pfp = (PfringIfaceConfig *)conf;
     if (SC_ATOMIC_SUB(pfp->ref, 1) == 1) {
-        if (pfp->bpf_filter) {
-            SCFree(pfp->bpf_filter);
-        }
         SCFree(pfp);
     }
 }
@@ -204,7 +202,6 @@ static void *ParsePfringConfig(const char *iface)
     const char *tmpctype = NULL;
     cluster_type default_ctype = CLUSTER_ROUND_ROBIN;
     int getctype = 0;
-    const char *bpf_filter = NULL;
     int bool_val;
 
     if (unlikely(pfconf == NULL)) {
@@ -313,32 +310,11 @@ static void *ParsePfringConfig(const char *iface)
         }
     }
 
-    /*load pfring bpf filter*/
-    /* command line value has precedence */
-    if (ConfGet("bpf-filter", &bpf_filter) == 1) {
-        if (strlen(bpf_filter) > 0) {
-            pfconf->bpf_filter = SCStrdup(bpf_filter);
-            if (unlikely(pfconf->bpf_filter == NULL)) {
-                SCLogError(SC_ERR_MEM_ALLOC,
-                           "Can't allocate BPF filter string");
-            } else {
-                SCLogDebug("Going to use command-line provided bpf filter %s",
-                           pfconf->bpf_filter);
-            }
-        }
-    } else {
-        if (ConfGetChildValueWithDefault(if_root, if_default, "bpf-filter", &bpf_filter) == 1) {
-            if (strlen(bpf_filter) > 0) {
-                pfconf->bpf_filter = SCStrdup(bpf_filter);
-                if (unlikely(pfconf->bpf_filter == NULL)) {
-                    SCLogError(SC_ERR_MEM_ALLOC,
-                               "Can't allocate BPF filter string");
-                } else {
-                    SCLogDebug("Going to use bpf filter %s",
-                               pfconf->bpf_filter);
-                }
-            }
-        }
+    ConfSetBPFFilter(if_root, if_default, pfconf->iface, &pfconf->bpf_filter);
+
+    if (pfconf->bpf_filter != NULL && EngineModeIsIPS()) {
+        FatalError(SC_ERR_NOT_SUPPORTED,
+                "BPF filter not available in IPS mode. Use firewall filtering if possible.");
     }
 
     if (ConfGet("pfring.cluster-type", &tmpctype) == 1) {

src/runmode-unittests.c

@@ -228,6 +228,7 @@ void RunUnittests(int list_unittests, const char *regex_arg)
 #ifdef UNITTESTS
     /* Initializations for global vars, queues, etc (memsets, mutex init..) */
     GlobalsInitPreConfig();
+    EngineModeSetIDS();
 
 #ifdef HAVE_LUAJIT
     if (LuajitSetupStatesPool() != 0) {

src/source-pfring.h

@@ -44,7 +44,7 @@ typedef struct PfringIfaceConfig_
     /* number of threads */
     int threads;
 
-    char *bpf_filter;
+    const char *bpf_filter;
 
     ChecksumValidationMode checksum_mode;
     SC_ATOMIC_DECLARE(unsigned int, ref);

src/suricata.c

@@ -54,6 +54,7 @@
 #include "util-device.h"
 #include "util-misc.h"
 #include "util-running-modes.h"
+#include "util-validate.h"
 
 #include "detect-engine.h"
 #include "detect-parse.h"
@@ -207,7 +208,7 @@ int run_mode = RUNMODE_UNKNOWN;
 
 /** Engine mode: inline (ENGINE_MODE_IPS) or just
   * detection mode (ENGINE_MODE_IDS by default) */
-static enum EngineMode g_engine_mode = ENGINE_MODE_IDS;
+static enum EngineMode g_engine_mode = ENGINE_MODE_UNKNOWN;
 
 /** Host mode: set if box is sniffing only
  * or is a router */
@@ -246,13 +247,20 @@ int SuriHasSigFile(void)
     return (suricata.sig_file != NULL);
 }
 
+int EngineModeIsUnknown(void)
+{
+    return (g_engine_mode == ENGINE_MODE_UNKNOWN);
+}
+
 int EngineModeIsIPS(void)
 {
+    DEBUG_VALIDATE_BUG_ON(g_engine_mode == ENGINE_MODE_UNKNOWN);
     return (g_engine_mode == ENGINE_MODE_IPS);
 }
 
 int EngineModeIsIDS(void)
 {
+    DEBUG_VALIDATE_BUG_ON(g_engine_mode == ENGINE_MODE_UNKNOWN);
     return (g_engine_mode == ENGINE_MODE_IDS);
 }
 
@@ -471,16 +479,9 @@ static int SetBpfString(int argc, char *argv[])
     if (bpf_len == 0)
         return TM_ECODE_OK;
 
-    if (EngineModeIsIPS()) {
-        SCLogError(SC_ERR_NOT_SUPPORTED,
-                   "BPF filter not available in IPS mode."
-                   " Use firewall filtering if possible.");
-        return TM_ECODE_FAILED;
-    }
-
     bpf_filter = SCMalloc(bpf_len);
     if (unlikely(bpf_filter == NULL))
-        return TM_ECODE_OK;
+        return TM_ECODE_FAILED;
     memset(bpf_filter, 0x00, bpf_len);
 
     tmpindex = optind;
@@ -518,12 +519,6 @@ static void SetBpfStringFromFile(char *filename)
     FILE *fp = NULL;
     size_t nm = 0;
 
-    if (EngineModeIsIPS()) {
-                   FatalError(SC_ERR_FATAL,
-                              "BPF filter not available in IPS mode."
-                              " Use firewall filtering if possible.");
-    }
-
 #ifdef OS_WIN32
     if(_stat(filename, &st) != 0) {
 #else
@@ -2460,15 +2455,14 @@ void PostConfLoadedDetectSetup(SCInstance *suri)
     }
 }
 
-static int PostDeviceFinalizedSetup(SCInstance *suri)
+static void RunModeEngineIsIPS(SCInstance *suri)
 {
-    SCEnter();
-
 #ifdef HAVE_AF_PACKET
     if (suri->run_mode == RUNMODE_AFP_DEV) {
         if (AFPRunModeIsIPS()) {
             SCLogInfo("AF_PACKET: Setting IPS mode");
             EngineModeSetIPS();
+            return;
         }
     }
 #endif
@@ -2477,11 +2471,10 @@ static int PostDeviceFinalizedSetup(SCInstance *suri)
         if (NetmapRunModeIsIPS()) {
             SCLogInfo("Netmap: Setting IPS mode");
             EngineModeSetIPS();
+            return;
         }
     }
 #endif
-
-    SCReturnInt(TM_ECODE_OK);
 }
 
 static void PostConfLoadedSetupHostMode(void)
@@ -2606,6 +2599,14 @@ int PostConfLoadedSetup(SCInstance *suri)
 
     MacSetRegisterFlowStorage();
 
+    /* set engine mode if L2 IPS */
+    RunModeEngineIsIPS(suri);
+
+    if (EngineModeIsUnknown()) { // if still uninitialized the set the default
+        SCLogInfo("Setting engine mode to IDS mode by default");
+        EngineModeSetIDS();
+    }
+
     AppLayerSetup();
 
     /* Suricata will use this umask if provided. By default it will use the
@@ -2725,11 +2726,6 @@ int PostConfLoadedSetup(SCInstance *suri)
 
     LiveDeviceFinalize();
 
-    /* set engine mode if L2 IPS */
-    if (PostDeviceFinalizedSetup(suri) != TM_ECODE_OK) {
-        exit(EXIT_FAILURE);
-    }
-
     /* hostmode depends on engine mode being set */
     PostConfLoadedSetupHostMode();
 

src/suricata.h

@@ -100,12 +100,14 @@ enum {
 
 /* Engine is acting as */
 enum EngineMode {
+    ENGINE_MODE_UNKNOWN,
     ENGINE_MODE_IDS,
     ENGINE_MODE_IPS,
 };
 
 void EngineModeSetIPS(void);
 void EngineModeSetIDS(void);
+int EngineModeIsUnknown(void);
 int EngineModeIsIPS(void);
 int EngineModeIsIDS(void);
 

src/tests/fuzz/fuzz_applayerprotodetectgetproto.c

@@ -44,6 +44,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
         }
         MpmTableSetup();
         SpmTableSetup();
+        EngineModeSetIDS();
         AppLayerProtoDetectSetup();
         AppLayerParserSetup();
         AppLayerParserRegisterProtocolParsers();

src/tests/fuzz/fuzz_siginit.c

@@ -26,6 +26,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
         run_mode = RUNMODE_UNITTEST;
         MpmTableSetup();
         SpmTableSetup();
+        EngineModeSetIDS();
         SigTableSetup();
         SCReferenceConfInit();
         SCClassConfInit();