Fw backports/v1 #15409

Draft
victorjulien wants to merge 15 commits into OISF:main-8.0.x from victorjulien:fw-backports/v1

@victorjulien
Member

Use an enum for the firewall related flow control, to improve
readability of the firewall inspection logic.

(cherry picked from commit 6d3599e)

If a ruleset would use `dns:request_complete` but not have a rule for
`dns:request_started`, the `request_started` hook default policy would
not get invoked.

Add a check to make sure it is invoked.

Ticket: OISF#8495.
(cherry picked from commit 900ae89)

(cherry picked from commit 4fd5bbe)

(cherry picked from commit b922142)

For non-UDP (so TCP), don't allow `accept:packet` or `drop:packet` as
this makes the evaluation of other rule hooks unpredictable.

Ticket: OISF#8497.
(cherry picked from commit 33b3793)

When there are no rules after prefilter the default policy needs to be invoked.

(cherry picked from commit b695100)

For improved readability.

(cherry picked from commit 0093bd6)

Previously an `accept:flow` action would act as both a firewall "accept" and
a threat detection "pass" for the rest of the flow.

This patch changes that. The `accept:flow` action now only accepts the
rest of the packets for the firewall ruleset, but does still continue
threat detection rule evaluation.

Ticket: OISF#8444.
(cherry picked from commit eaacb41)

For firewall rules, allow multiple actions to be specified in a list:

        accept:flow,pass:flow,alert
        accept:flow,alert
        accept:flow,pass:flow

It is mandatory to make the first action the primary firewall policy
action: accept, drop, reject.

Ticket: OISF#8480.
(cherry picked from commit e76728a)

Allow configurable policies, including accept. For app-layer this
requires looping all available hooks to apply the policies.

Support configurable policies for packet-filter, pre-stream, pre-flow.

If there are no rules there is also no rule group (sgh). Make sure
the app hooks policies are correctly handled in this case by allowing
a NULL sgh to be handled as well.

For tx rule match actually apply drop directly. Previously this was
always handled by the default drop:flow policy.

Ticket: OISF#7701.
(cherry picked from commit 7134592)

For protocols using default 0-1 states, add support.

For others, print 'unknown' if no name is yet supported.

Ticket: OISF#8514.
(cherry picked from commit b29226c)

@codecov

codecov Bot commented May 18, 2026

Codecov Report

❌ Patch coverage is 89.52880% with 60 lines in your changes missing coverage. Please review.
✅ Project coverage is 81.62%. Comparing base (1a09a05) to head (f39beb8).

Additional details and impacted files
@@              Coverage Diff               @@
##           main-8.0.x   #15409      +/-   ##
==============================================
- Coverage       81.63%   81.62%   -0.01%     
==============================================
  Files            1012     1012              
  Lines          275234   275663     +429     
==============================================
+ Hits           224686   225009     +323     
- Misses          50548    50654     +106     
| Flag | Coverage Δ |
|---|---|
| fuzzcorpus | 63.96% <11.16%> (-0.17%) ⬇️ |
| livemode | 18.69% <5.06%> (-0.11%) ⬇️ |
| netns | 20.16% <61.43%> (+0.09%) ⬆️ |
| pcap | 44.46% <9.77%> (-0.18%) ⬇️ |
| suricata-verify | 65.01% <89.35%> (+0.05%) ⬆️ |
| unittests | 58.75% <9.94%> (-0.10%) ⬇️ |

Flags with carried forward coverage won't be shown.

@suricata-qa

ERROR:

ERROR: QA failed on SURI_TLPW1_rule_time.

Pipeline = 31537

@catenacyber
Contributor

CI/QA look happy enough
