exceptions/midstream: parse midstream policy alone

As the midstream exception policy has its own specific scenarios, have a dedicated function to parse and process its config values, and check for midstream enabled when needed. Related to Bug OISF#5825
victorjulien · Jun 13, 2023 · f97af0c · f97af0c
1 parent bf22129
commit f97af0c
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 4 deletions.
diff --git a/src/util-exception-policy.c b/src/util-exception-policy.c
@@ -194,7 +194,8 @@ static enum ExceptionPolicy ExceptionPolicyMasterParse(const char *value)
     return policy;
 }
 
-static enum ExceptionPolicy ExceptionPolicyGetDefault(const char *option, bool support_flow)
+static enum ExceptionPolicy ExceptionPolicyGetDefault(
+        const char *option, bool support_flow, bool midstream)
 {
     enum ExceptionPolicy p = EXCEPTION_POLICY_NOT_SET;
     if (g_eps_have_exception_policy) {
@@ -205,7 +206,7 @@ static enum ExceptionPolicy ExceptionPolicyGetDefault(const char *option, bool s
         SCLogConfig("%s: %s (defined via 'exception-policy' master switch)", option,
                 ExceptionPolicyEnumToString(p));
         return p;
-    } else if (EngineModeIsIPS()) {
+    } else if (EngineModeIsIPS() && !midstream) {
         p = EXCEPTION_POLICY_DROP_FLOW;
     }
     SCLogConfig("%s: %s (defined via 'built-in default' for %s-mode)", option,
@@ -219,7 +220,7 @@ enum ExceptionPolicy ExceptionPolicyParse(const char *option, bool support_flow)
     enum ExceptionPolicy policy = EXCEPTION_POLICY_NOT_SET;
     const char *value_str = NULL;
 
-    if ((ConfGet(option, &value_str)) == 1 && value_str != NULL) {
+    if ((ConfGet(option, &value_str) == 1) && value_str != NULL) {
         if (strcmp(option, "exception-policy") == 0) {
             policy = ExceptionPolicyMasterParse(value_str);
         } else {
@@ -230,7 +231,46 @@ enum ExceptionPolicy ExceptionPolicyParse(const char *option, bool support_flow)
             SCLogConfig("%s: %s", option, ExceptionPolicyEnumToString(policy));
         }
     } else {
-        policy = ExceptionPolicyGetDefault(option, support_flow);
+        policy = ExceptionPolicyGetDefault(option, support_flow, false);
+    }
+
+    return policy;
+}
+
+enum ExceptionPolicy ExceptionPolicyMidstreamParse(bool midstream_enabled)
+{
+    enum ExceptionPolicy policy = EXCEPTION_POLICY_NOT_SET;
+    const char *value_str = NULL;
+    /* policy was set directly */
+    if ((ConfGet("stream.midstream-policy", &value_str)) == 1 && value_str != NULL) {
+        policy = ExceptionPolicyConfigValueParse("midstream-policy", value_str);
+        if (midstream_enabled) {
+            if (policy != EXCEPTION_POLICY_NOT_SET && policy != EXCEPTION_POLICY_PASS_FLOW) {
+                FatalErrorOnInit(
+                        "Error parsing stream.midstream-policy from config file. \"%s\" is "
+                        "not a valid exception policy when midstream is enabled. Valid options "
+                        "are pass-flow and ignore.",
+                        value_str);
+            }
+        }
+        if (!EngineModeIsIPS()) {
+            if (policy == EXCEPTION_POLICY_DROP_FLOW) {
+                FatalErrorOnInit(
+                        "Error parsing stream.midstream-policy from config file. \"%s\" is "
+                        "not a valid exception policy in IDS mode. See our documentation for a "
+                        "list of all possible values.",
+                        value_str);
+            }
+        }
+    } else {
+        policy = ExceptionPolicyGetDefault("midstream-policy", true, midstream_enabled);
+    }
+
+    if (policy == EXCEPTION_POLICY_PASS_PACKET || policy == EXCEPTION_POLICY_DROP_PACKET) {
+        FatalErrorOnInit("Error parsing stream.midstream-policy from config file. \"%s\" is "
+                         "not valid for this exception policy. See our documentation for a list of "
+                         "all possible values.",
+                value_str);
     }
 
     return policy;

diff --git a/src/util-exception-policy.h b/src/util-exception-policy.h
@@ -38,6 +38,7 @@ void SetMasterExceptionPolicy(void);
 void ExceptionPolicyApply(
         Packet *p, enum ExceptionPolicy policy, enum PacketDropReason drop_reason);
 enum ExceptionPolicy ExceptionPolicyParse(const char *option, const bool support_flow);
+enum ExceptionPolicy ExceptionPolicyMidstreamParse(bool midstream_enabled);
 
 extern enum ExceptionPolicy g_eps_master_switch;
 #ifdef DEBUG