bypass: really bypass udp flow from first packet #11182
Ticket: 7053 As flow state would be overwritten by established...
SV test would show
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## master #11182 +/- ##
===========================================
- Coverage 82.93% 74.84% -8.09%
===========================================
Files 942 875 -67
Lines 250797 144738 -106059
===========================================
- Hits 207994 108331 -99663
+ Misses 42803 36407 -6396
Information: QA ran without warnings. Pipeline 20876
(f->flow_state != FLOW_STATE_CAPTURE_BYPASSED) && | ||
#endif | ||
(f->flow_state != FLOW_STATE_LOCAL_BYPASSED)) { | ||
FlowUpdateState(f, FLOW_STATE_ESTABLISHED); |
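Review bot: The condition in front of FlowUpdateState(f, FLOW_STATE_ESTABLISHED) names the bypass states one by one, with the FLOW_STATE_CAPTURE_BYPASSED test inside the preprocessor block closed by the #endif, and nothing in the visible lines says why these states must survive. A short comment stating that a bypassed flow must not be moved back to established, or a small helper that tests for any bypassed state, would keep the check from being dropped or left incomplete the next time this branch is touched.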
should we flag the packet as part of an established flow in this case, as we do on line 486?
I guess so.
We have
- UDP from client to server, nothing special
- UDP from server to client, we trigger a bypass rule that FlowUpdateState(FLOW_STATE_LOCAL_BYPASSED), and in later processing, we call FlowHandlePacketUpdate that also sees the flow as established...
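The sequence described in the comment above, replayed on a simplified model with and without the guard from the hunk. This is an added example, not Suricata code and not part of the PR: only the FLOW_STATE_* names come from the page, while the struct fields, the helper functions and the rule that a UDP flow becomes established once both directions were seen are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* State names are taken from the hunk; everything else is a simplified model. */
enum flow_state {
    FLOW_STATE_NEW,
    FLOW_STATE_ESTABLISHED,
    FLOW_STATE_LOCAL_BYPASSED,
    FLOW_STATE_CAPTURE_BYPASSED,
};

struct flow {
    enum flow_state flow_state;
    bool to_server_seen; /* hypothetical field */
    bool to_client_seen; /* hypothetical field */
};

/* Stand-in for the effect of a matching bypass rule. */
static void apply_bypass_rule(struct flow *f) { f->flow_state = FLOW_STATE_LOCAL_BYPASSED; }

/* Stand-in for the per-packet update. Assumption: a UDP flow is promoted to
 * established once traffic was seen in both directions. With guarded=false
 * the promotion is unconditional; with guarded=true it is skipped for
 * bypassed flows, as in the hunk. */
static void packet_update(struct flow *f, bool to_server, bool guarded)
{
    if (to_server) f->to_server_seen = true; else f->to_client_seen = true;
    if (!(f->to_server_seen && f->to_client_seen)) return;
    if (f->flow_state == FLOW_STATE_ESTABLISHED) return;
    if (guarded && (f->flow_state == FLOW_STATE_CAPTURE_BYPASSED ||
                    f->flow_state == FLOW_STATE_LOCAL_BYPASSED))
        return;
    f->flow_state = FLOW_STATE_ESTABLISHED;
}

/* Replays the sequence from the comment and returns the final flow state. */
enum flow_state replay_udp_bypass(bool guarded)
{
    struct flow f = { FLOW_STATE_NEW, false, false };
    packet_update(&f, true, guarded);   /* client -> server, nothing special */
    apply_bypass_rule(&f);              /* server -> client packet hits a bypass rule */
    packet_update(&f, false, guarded);  /* later processing of that same packet */
    return f.flow_state;
}

int main(void)
{
    printf("unguarded: %d\n", replay_udp_bypass(false));
    printf("guarded:   %d\n", replay_udp_bypass(true));
    return 0;
}
```

Without the guard the flow ends up established again, so later packets would still be inspected even though a rule asked for the flow to be bypassed.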
Rebased in #11287
Link to ticket: https://redmine.openinfosecfoundation.org/issues/7053
Describe changes:
SV_BRANCH=OISF/suricata-verify#1870