From ce175eaa09655ca6fbec87f1fc57baf0bf93a207 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Thu, 14 May 2026 16:41:53 -0300
Subject: [PATCH] exceptions: add dedicated flow drop reason

To better control stats counters.
---
 etc/schema.json | 4 ++++
 src/decode.c | 4 ++++
 src/decode.h | 1 +
 src/flow.c | 2 ++
 src/flow.h | 2 ++
 src/util-exception-policy.c | 1 +
 6 files changed, 14 insertions(+)

diff --git a/etc/schema.json b/etc/schema.json
index 3b96c2e7a9..00572e921f 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -8002,6 +8002,10 @@
 "description": "Number of packets dropped due to defrag memcap exception policy"
 },
+ "exception_policy_flow_drop": {
+ "type": "integer",
+ "description": "Number of packets dropped due to an exception policy flow dropping"
+ },
 "flow_drop": {
 "type": "integer",
 "description": "Number of packets dropped due to dropped flows"
diff --git a/src/decode.c b/src/decode.c
index 8ca4c3308f..ce452930aa 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -934,6 +934,8 @@ const char *PacketDropReasonToString(enum PacketDropReason r)
 return "flow memcap";
 case PKT_DROP_REASON_FLOW_DROP:
 return "flow drop";
+ case PKT_DROP_REASON_EP_FLOW_DROP:
+ return "exception policy flow drop";
 case PKT_DROP_REASON_STREAM_ERROR:
 return "stream error";
 case PKT_DROP_REASON_STREAM_MEMCAP:
@@ -988,6 +990,8 @@ static const char *PacketDropReasonToJsonString(enum PacketDropReason r)
 return "ips.drop_reason.flow_memcap";
 case PKT_DROP_REASON_FLOW_DROP:
 return "ips.drop_reason.flow_drop";
+ case PKT_DROP_REASON_EP_FLOW_DROP:
+ return "ips.drop_reason.exception_policy_flow_drop";
 case PKT_DROP_REASON_STREAM_ERROR:
 return "ips.drop_reason.stream_error";
 case PKT_DROP_REASON_STREAM_MEMCAP:
diff --git a/src/decode.h b/src/decode.h
index 5a37bfe0dd..5b6e2a1220 100644
--- a/src/decode.h
+++ b/src/decode.h
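Review bot: The new description `"Number of packets dropped due to an exception policy flow dropping"` reads awkwardly next to the neighbouring entries, which all follow the pattern "dropped due to <cause>"; `"Number of packets dropped due to a flow dropped by an exception policy"` would match them. The key name `exception_policy_flow_drop` does line up with the `ips.drop_reason.exception_policy_flow_drop` string added in src/decode.c, which is what the schema check needs, so only the wording is at issue.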
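Review bot: The new case in `PacketDropReasonToString` and the matching case in the `PacketDropReasonToJsonString` hunk that follows are the third and fourth place (after the enumerator in src/decode.h and the key in etc/schema.json) where this reason has to be spelled consistently, and nothing in the diff checks that they agree. If these switches have no `default` label, `-Wswitch` will flag a missing case, but it cannot catch a JSON string that drifts from the schema key; a small unit test asserting that every `PacketDropReason` value maps to a key present in the schema would. Both enclosing functions start and end outside their hunks.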
@@ -386,6 +386,7 @@ enum PacketDropReason {
 PKT_DROP_REASON_DEFRAG_MEMCAP,
 PKT_DROP_REASON_FLOW_MEMCAP,
 PKT_DROP_REASON_FLOW_DROP,
+ PKT_DROP_REASON_EP_FLOW_DROP,
 PKT_DROP_REASON_APPLAYER_ERROR,
 PKT_DROP_REASON_APPLAYER_MEMCAP,
 PKT_DROP_REASON_RULES,
diff --git a/src/flow.c b/src/flow.c
index 3f0fbb6823..75995cb9c1 100644
--- a/src/flow.c
+++ b/src/flow.c
@@ -537,6 +537,8 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p, ThreadVars *tv, DecodeThreadVars
 if (f->flags & FLOW_ACTION_DROP) {
 if (f->flags & FLOW_ACTION_BY_FIREWALL) {
 PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_FW_FLOW_DROP);
+ } else if (f->flags & FLOW_ACTION_BY_EXCEPTION_POLICY) {
+ PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_EP_FLOW_DROP);
 } else {
 PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_FLOW_DROP);
 }
diff --git a/src/flow.h b/src/flow.h
index 1e3a77f2bd..f3e7db8ce5 100644
--- a/src/flow.h
+++ b/src/flow.h
@@ -123,6 +123,8 @@ typedef struct AppLayerParserState_ AppLayerParserState;
 /** Flow action issued by firewall */
 #define FLOW_ACTION_BY_FIREWALL BIT_U64(32)
+/** Flow action issued by exception policy */
+#define FLOW_ACTION_BY_EXCEPTION_POLICY BIT_U64(33)
 /* File flags */
diff --git a/src/util-exception-policy.c b/src/util-exception-policy.c
index 4276636fb2..fd105d139c 100644
--- a/src/util-exception-policy.c
+++ b/src/util-exception-policy.c
@@ -163,6 +163,7 @@ void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDro
 SCLogDebug("EXCEPTION_POLICY_DROP_FLOW");
 if (p->flow) {
 p->flow->flags |= FLOW_ACTION_DROP;
+ p->flow->flags |= FLOW_ACTION_BY_EXCEPTION_POLICY;
 FlowSetNoPayloadInspectionFlag(p->flow);
 StreamTcpDisableAppLayer(p->flow);
 }
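Review bot: `PKT_DROP_REASON_EP_FLOW_DROP` is inserted in the middle of `enum PacketDropReason`, so every enumerator after it (from `PKT_DROP_REASON_APPLAYER_ERROR` onward) changes its numeric value. That is harmless if the value is only ever consumed through the two string functions in src/decode.c, but if the ordinal is used as an array index or emitted numerically anywhere outside this diff, those users need rechecking; appending at the end of the enum would avoid the question entirely. The enumerator also lacks the short comment that would tell a reader where it comes from, e.g. `PKT_DROP_REASON_EP_FLOW_DROP, /**< flow drop issued by an exception policy */`. The enum starts and ends outside the hunk.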
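Review bot: The new `else if` silently gives `FLOW_ACTION_BY_FIREWALL` precedence over `FLOW_ACTION_BY_EXCEPTION_POLICY` if a flow ever carries both attribution flags, so such a flow is counted under the firewall reason only; that ordering is probably intended but is not stated anywhere. A one-line comment above the inner `if`, `/* attribution priority when several flags are set: firewall > exception policy > generic */`, would document it. Whether both flags can in fact coexist on one flow depends on code outside this hunk, and `FlowHandlePacketUpdate` starts and ends outside it.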
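Review bot: The comment on `FLOW_ACTION_BY_EXCEPTION_POLICY` only says who issues the action; like `FLOW_ACTION_BY_FIREWALL` it is an attribution bit that means nothing unless `FLOW_ACTION_DROP` is also set, and the src/flow.c hunk only consults it inside the `FLOW_ACTION_DROP` branch. Saying so, `/** Flow action issued by exception policy; qualifies FLOW_ACTION_DROP, set in ExceptionPolicyApply() */`, saves the next reader a grep. Bit 33 is assumed to be free here — the other `BIT_U64` flags in flow.h are outside the hunk.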
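Review bot: The added line sets a second bit on `p->flow->flags` in a separate statement right after `FLOW_ACTION_DROP`; since the two flags are only meaningful together, a single `p->flow->flags |= FLOW_ACTION_DROP | FLOW_ACTION_BY_EXCEPTION_POLICY;` reads as one decision and makes the pairing obvious to whoever adds a third attribution flag later. The rest of `ExceptionPolicyApply` is outside the hunk, so whether other policy branches also need attribution is not visible here.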