Set DROP flag on a packet in addition to the REJECT flags. This makes sure we not only send a reject, but also drop the offending packet. Closes #248.

src/action-globals.h

@@ -23,6 +23,7 @@
 
 #ifndef __ACTION_GLOBALS_H__
 #define __ACTION_GLOBALS_H__
+
 /* Changing them as flags, so later we can have alerts
  * and drop simultaneously */
 #define ACTION_ALERT        0x01
@@ -31,4 +32,5 @@
 #define ACTION_REJECT_DST   0x08
 #define ACTION_REJECT_BOTH  0x10
 #define ACTION_PASS         0x20
+
 #endif /* __ACTION_GLOBALS_H__ */

src/alert-prelude.c

@@ -234,8 +234,7 @@ static int EventToImpact(PacketAlert *pa, Packet *p, idmef_alert_t *alert)
 
     idmef_impact_set_severity(impact, severity);
 
-    if (p->action & ACTION_REJECT || p->action & ACTION_REJECT_BOTH ||
-        p->action & ACTION_REJECT_DST || p->action & ACTION_DROP) {
+    if (p->action & ACTION_DROP) {
         idmef_action_t *action;
 
         ret = idmef_action_new(&action);

src/decode.h

@@ -608,11 +608,47 @@ typedef struct DecodeThreadVars_
 /* macro's for setting the action
  * handle the case of a root packet
  * for tunnels */
-#define ACCEPT_PACKET(p)       ((p)->root ? ((p)->root->action = ACTION_ACCEPT) : ((p)->action = ACTION_ACCEPT))
-#define DROP_PACKET(p)         ((p)->root ? ((p)->root->action = ACTION_DROP) : ((p)->action = ACTION_DROP))
-#define REJECT_PACKET(p)       ((p)->root ? ((p)->root->action = ACTION_REJECT) : ((p)->action = ACTION_REJECT))
-#define REJECT_PACKET_DST(p)   ((p)->root ? ((p)->root->action = ACTION_REJECT_DST) : ((p)->action = ACTION_REJECT_DST))
-#define REJECT_PACKET_BOTH(p)  ((p)->root ? ((p)->root->action = ACTION_REJECT_BOTH) : ((p)->action = ACTION_REJECT_BOTH))
+#define ALERT_PACKET(p) do { \
+    ((p)->root ? \
+     ((p)->root->action = ACTION_ALERT) : \
+     ((p)->action = ACTION_ALERT)); \
+} while (0)
+
+#define ACCEPT_PACKET(p) do { \
+    ((p)->root ? \
+     ((p)->root->action = ACTION_ACCEPT) : \
+     ((p)->action = ACTION_ACCEPT)); \
+} while (0)
+
+#define DROP_PACKET(p) do { \
+    ((p)->root ? \
+     ((p)->root->action = ACTION_DROP) : \
+     ((p)->action = ACTION_DROP)); \
+} while (0)
+
+#define REJECT_PACKET(p) do { \
+    ((p)->root ? \
+     ((p)->root->action = (ACTION_REJECT|ACTION_DROP)) : \
+     ((p)->action = (ACTION_REJECT|ACTION_DROP))); \
+} while (0)
+
+#define REJECT_PACKET_DST(p) do { \
+    ((p)->root ? \
+     ((p)->root->action = (ACTION_REJECT_DST|ACTION_DROP)) : \
+     ((p)->action = (ACTION_REJECT_DST|ACTION_DROP))); \
+} while (0)
+
+#define REJECT_PACKET_BOTH(p) do { \
+    ((p)->root ? \
+     ((p)->root->action = (ACTION_REJECT_BOTH|ACTION_DROP)) : \
+     ((p)->action = (ACTION_REJECT_BOTH|ACTION_DROP))); \
+} while (0)
+
+#define PASS_PACKET(p) do { \
+    ((p)->root ? \
+     ((p)->root->action = ACTION_PASS) : \
+     ((p)->action = ACTION_PASS)); \
+} while (0)
 
 #define TUNNEL_INCR_PKT_RTV(p) do {                                                 \
         SCMutexLock((p)->root ? &(p)->root->mutex_rtv_cnt : &(p)->mutex_rtv_cnt);   \

src/detect-engine-threshold.c

@@ -449,20 +449,20 @@ int PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
                     /* Take the action to perform */
                     switch (td->new_action) {
                         case TH_ACTION_ALERT:
-                            p->action |= ACTION_ALERT;
-                        break;
+                            ALERT_PACKET(p);
+                            break;
                         case TH_ACTION_DROP:
-                            p->action |= ACTION_DROP;
-                        break;
+                            DROP_PACKET(p);
+                            break;
                         case TH_ACTION_REJECT:
-                            p->action |= ACTION_REJECT;
-                        break;
+                            REJECT_PACKET(p);
+                            break;
                         case TH_ACTION_PASS:
-                            p->action |= ACTION_PASS;
-                        break;
+                            PASS_PACKET(p);
+                            break;
                         default:
                             /* Weird, leave the default action */
-                        break;
+                            break;
                     }
                     ret = 1;
                 }
@@ -477,20 +477,20 @@ int PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
                     /* Take the action to perform */
                     switch (td->new_action) {
                         case TH_ACTION_ALERT:
-                            p->action |= ACTION_ALERT;
-                        break;
+                            ALERT_PACKET(p);
+                            break;
                         case TH_ACTION_DROP:
-                            p->action |= ACTION_DROP;
-                        break;
+                            DROP_PACKET(p);
+                            break;
                         case TH_ACTION_REJECT:
-                            p->action |= ACTION_REJECT;
-                        break;
+                            REJECT_PACKET(p);
+                            break;
                         case TH_ACTION_PASS:
-                            p->action |= ACTION_PASS;
-                        break;
+                            PASS_PACKET(p);
+                            break;
                         default:
                             /* Weird, leave the default action */
-                        break;
+                            break;
                     }
                         ret = 1;
                     }

src/source-ipfw.c

@@ -469,8 +469,7 @@ TmEcode IPFWSetVerdict(ThreadVars *tv, IPFWThreadVars *ptv, Packet *p) {
     IPFWpoll.fd=ipfw_sock;
     IPFWpoll.events= POLLWRNORM;
 
-    if (p->action & ACTION_REJECT || p->action & ACTION_REJECT_BOTH ||
-        p->action & ACTION_REJECT_DST || p->action & ACTION_DROP) {
+    if (p->action & ACTION_DROP) {
         verdict = IPFW_DROP;
     } else {
         verdict = IPFW_ACCEPT;

src/source-nfq.c

@@ -758,14 +758,14 @@ void NFQSetVerdict(Packet *p) {
     //printf("%p verdicting on queue %" PRIu32 "\n", t, t->queue_num);
     SCMutexLock(&t->mutex_qh);
 
-    if (p->action & ACTION_REJECT || p->action & ACTION_REJECT_BOTH ||
-        p->action & ACTION_REJECT_DST || p->action & ACTION_DROP) {
+    if (p->action & ACTION_DROP) {
         verdict = NF_DROP;
 #ifdef COUNTERS
         t->dropped++;
 #endif /* COUNTERS */
     } else {
         switch (nfq_config.mode) {
+            default:
             case NFQ_ACCEPT_MODE:
                 verdict = NF_ACCEPT;
                 break;