firewall: detect: add feature flag for keywords supporting firewall

src/detect-engine-register.c

@@ -322,6 +322,12 @@ static void PrintFeatureList(const SigTableElmt *e, char sep)
         printf("sticky buffer");
         prev = 1;
     }
+    if (flags & SIGMATCH_SUPPORT_FIREWALL) {
+        if (prev == 1)
+            printf("%c", sep);
+        printf("supports firewall");
+        prev = 1;
+    }
     if (e->Transform) {
         if (prev == 1)
             printf("%c", sep);

src/detect-parse.c

@@ -978,6 +978,10 @@ static int SigParseOptions(DetectEngineCtx *de_ctx, Signature *s, char *optstr,
             goto error;
         }
 
+        if (s->init_data->firewall_rule && (st->flags & SIGMATCH_SUPPORT_FIREWALL) == 0) {
+            SCLogWarning("keyword \'%s\' has not been tested for firewall rules", optname);
+        }
+
         /* see if value is negated */
         if ((st->flags & SIGMATCH_HANDLE_NEGATION) && *ptr == '!') {
             s->init_data->negated = true;

src/detect.h

@@ -1618,6 +1618,8 @@ typedef struct SigGroupHead_ {
 #define SIGMATCH_INFO_DEPRECATED        BIT_U16(10)
 /** strict parsing is enabled */
 #define SIGMATCH_STRICT_PARSING         BIT_U16(11)
+/** keyword supported by firewall rules */
+#define SIGMATCH_SUPPORT_FIREWALL BIT_U16(12)
 
 enum DetectEngineTenantSelectors
 {