
detect/proto: check ipproto enabled setting first #14754

Open
inashivb wants to merge 1 commit into OISF:main from inashivb:appproto-enabling/v6

@inashivb inashivb commented Feb 5, 2026

Previous PR: #14743

Link to ticket: https://redmine.openinfosecfoundation.org/issues/8205

Changes since v5:

  • fixed incorrect retval for detection-only in applayer parser
  • rebased on top of latest main

SV_BRANCH=OISF/suricata-verify#2893

@inashivb inashivb force-pushed the appproto-enabling/v6 branch from 4d34b7f to 907d397 Compare February 5, 2026 07:43
So far, suricata.yaml was probed by default for
`app-layer.protocols.PROTOCOL.enabled`. If this was not found, then, an
attempt was made to look for
`app-layer.protocols.PROTOCOL.IPPROTO.enabled`. This is not ideal
behavior and restricts user to explicitly disable a carrier proto
specific protocol.
By default, check for carrier proto specific setting. If it is not
found, then fall back to the generic setting.
Issue a warning in case an inconsistent combination of global and
ipproto specific setting is found.

Bug 8205
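
The lookup order described in the commit message above, as an added illustration (not code from this PR or from Suricata). The names `proto_enabled`, `lookup_enabled`, `struct kv` and the caller-supplied default are hypothetical, and the flat key/value table is a constructed stand-in for a parsed suricata.yaml.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a parsed suricata.yaml: flat key/value pairs. */
struct kv { const char *key; const char *val; };
static const struct kv sample_conf[] = {
    { "app-layer.protocols.dns.enabled",     "yes" },
    { "app-layer.protocols.dns.udp.enabled", "no"  }, /* disagrees with the generic key */
    { "app-layer.protocols.tls.enabled",     "no"  },
};
#define SAMPLE_N (sizeof(sample_conf) / sizeof(sample_conf[0]))
enum { SETTING_MISSING = -1 };

/* 1 for "yes", 0 for any other value, SETTING_MISSING if the key is absent.
 * Simplification: only yes/no values are modelled. */
static int lookup_enabled(const struct kv *conf, size_t n, const char *key)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(conf[i].key, key) == 0)
            return strcmp(conf[i].val, "yes") == 0;
    return SETTING_MISSING;
}

/* Hypothetical resolver: carrier-specific key first, generic key as fallback,
 * caller-supplied default (an assumption) when neither key exists.
 * *inconsistent is set when both keys exist and disagree. */
int proto_enabled(const struct kv *conf, size_t n, const char *alproto,
                  const char *ipproto, int dflt, int *inconsistent)
{
    char g_key[128], i_key[128];
    snprintf(g_key, sizeof(g_key), "app-layer.protocols.%s.enabled", alproto);
    snprintf(i_key, sizeof(i_key), "app-layer.protocols.%s.%s.enabled", alproto, ipproto);
    int g = lookup_enabled(conf, n, g_key);
    int i = lookup_enabled(conf, n, i_key);

    *inconsistent = (g != SETTING_MISSING && i != SETTING_MISSING && g != i);
    if (*inconsistent)
        fprintf(stderr, "warning: %s and %s disagree; using %s\n", g_key, i_key, i_key);
    if (i != SETTING_MISSING)
        return i;
    return g != SETTING_MISSING ? g : dflt;
}

int main(void)
{
    int warn;
    printf("dns/udp enabled: %d\n", proto_enabled(sample_conf, SAMPLE_N, "dns", "udp", 1, &warn));
    return 0;
}
```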
@inashivb inashivb force-pushed the appproto-enabling/v6 branch from 907d397 to c1c8d71 Compare February 5, 2026 07:56

codecov bot commented Feb 5, 2026

Codecov Report

❌ Patch coverage is 83.72093% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.16%. Comparing base (69eb567) to head (c1c8d71).

@@           Coverage Diff           @@
##             main   #14754   +/-   ##
=======================================
  Coverage   82.15%   82.16%           
=======================================
  Files        1003     1003           
  Lines      263643   263664   +21     
=======================================
+ Hits       216586   216627   +41     
+ Misses      47057    47037   -20     
Flag Coverage Δ
fuzzcorpus 60.19% <52.32%> (+<0.01%) ⬆️
livemode 18.73% <67.44%> (+0.01%) ⬆️
netns 18.52% <44.18%> (-0.02%) ⬇️
pcap 44.63% <66.27%> (+0.03%) ⬆️
suricata-verify 65.47% <81.39%> (+0.01%) ⬆️
unittests 59.23% <69.76%> (-0.01%) ⬇️


@inashivb inashivb marked this pull request as ready for review February 5, 2026 09:22
@suricata-qa

Information: QA ran without warnings.

Pipeline = 29448

SCLogError("Invalid value found for %s.", param);
exit(EXIT_FAILURE);
if ((i_proto && g_proto) && (i_enabled ^ g_enabled)) {
/* these checks are also performed by app-layer-parser, no need to issue double warning */
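
Review bot: on the `if ((i_proto && g_proto) && (i_enabled ^ g_enabled))` line, the bitwise `^` expresses "the two settings differ" only when both operands are strictly 0 or 1. Their types are not visible in this excerpt; if either can hold another non-zero value, two enabled settings would still trip the check, so compare with `i_enabled != g_enabled` on bools or `!i_enabled != !g_enabled` instead.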
Contributor

These checks are not performed by app-layer-parser if this is detection-only, so the warning should happen here, right?
