exception-policy: add 'reject-both' option

etc/schema.json

@@ -8753,6 +8753,10 @@
                 "reject": {
                     "type": "integer",
                     "minimum": 0
+                },
+                "reject_both": {
+                    "type": "integer",
+                    "minimum": 0
                 }
             }
         }

src/app-layer.c

@@ -115,6 +115,7 @@ ExceptionPolicyStatsSetts app_layer_error_eps_stats = {
        /* EXCEPTION_POLICY_DROP_PACKET */  false,
        /* EXCEPTION_POLICY_DROP_FLOW */    false,
        /* EXCEPTION_POLICY_REJECT */       true,
+       /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
     .valid_settings_ips = {
        /* EXCEPTION_POLICY_NOT_SET */      false,
@@ -125,6 +126,7 @@ ExceptionPolicyStatsSetts app_layer_error_eps_stats = {
        /* EXCEPTION_POLICY_DROP_PACKET */  true,
        /* EXCEPTION_POLICY_DROP_FLOW */    true,
        /* EXCEPTION_POLICY_REJECT */       true,
+       /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
 };
 // clang-format on

src/decode.c

@@ -93,6 +93,7 @@ ExceptionPolicyStatsSetts defrag_memcap_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  false,
     /* EXCEPTION_POLICY_DROP_FLOW */    false,
     /* EXCEPTION_POLICY_REJECT */       true,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
     .valid_settings_ips = {
     /* EXCEPTION_POLICY_NOT_SET */      false,
@@ -103,6 +104,7 @@ ExceptionPolicyStatsSetts defrag_memcap_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  true,
     /* EXCEPTION_POLICY_DROP_FLOW */    false,
     /* EXCEPTION_POLICY_REJECT */       true,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
 };
 // clang-format on
@@ -119,6 +121,7 @@ ExceptionPolicyStatsSetts flow_memcap_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  false,
     /* EXCEPTION_POLICY_DROP_FLOW */    false,
     /* EXCEPTION_POLICY_REJECT */       true,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
     .valid_settings_ips = {
     /* EXCEPTION_POLICY_NOT_SET */      false,
@@ -129,6 +132,7 @@ ExceptionPolicyStatsSetts flow_memcap_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  true,
     /* EXCEPTION_POLICY_DROP_FLOW */    false,
     /* EXCEPTION_POLICY_REJECT */       true,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
 };
 // clang-format on

src/stream-tcp.c

@@ -102,6 +102,7 @@ ExceptionPolicyStatsSetts stream_memcap_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  false,
     /* EXCEPTION_POLICY_DROP_FLOW */    false,
     /* EXCEPTION_POLICY_REJECT */       true,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
     .valid_settings_ips = {
     /* EXCEPTION_POLICY_NOT_SET */      false,
@@ -112,6 +113,7 @@ ExceptionPolicyStatsSetts stream_memcap_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  true,
     /* EXCEPTION_POLICY_DROP_FLOW */    true,
     /* EXCEPTION_POLICY_REJECT */       true,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
 };
 // clang-format on
@@ -128,6 +130,7 @@ ExceptionPolicyStatsSetts stream_reassembly_memcap_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  false,
     /* EXCEPTION_POLICY_DROP_FLOW */    false,
     /* EXCEPTION_POLICY_REJECT */       true,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
     .valid_settings_ips = {
     /* EXCEPTION_POLICY_NOT_SET */      false,
@@ -138,6 +141,7 @@ ExceptionPolicyStatsSetts stream_reassembly_memcap_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  true,
     /* EXCEPTION_POLICY_DROP_FLOW */    true,
     /* EXCEPTION_POLICY_REJECT */       true,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
 };
 // clang-format on
@@ -154,6 +158,7 @@ ExceptionPolicyStatsSetts stream_midstream_enabled_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  false,
     /* EXCEPTION_POLICY_DROP_FLOW */    false,
     /* EXCEPTION_POLICY_REJECT */       false,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  false,
     },
     .valid_settings_ips = {
     /* EXCEPTION_POLICY_NOT_SET */      false,
@@ -164,6 +169,7 @@ ExceptionPolicyStatsSetts stream_midstream_enabled_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  false,
     /* EXCEPTION_POLICY_DROP_FLOW */    false,
     /* EXCEPTION_POLICY_REJECT */       false,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  false,
     },
 };
 // clang-format on
@@ -180,6 +186,7 @@ ExceptionPolicyStatsSetts stream_midstream_disabled_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  false,
     /* EXCEPTION_POLICY_DROP_FLOW */    false,
     /* EXCEPTION_POLICY_REJECT */       true,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
     .valid_settings_ips = {
     /* EXCEPTION_POLICY_NOT_SET */      false,
@@ -190,6 +197,7 @@ ExceptionPolicyStatsSetts stream_midstream_disabled_eps_stats = {
     /* EXCEPTION_POLICY_DROP_PACKET */  false,
     /* EXCEPTION_POLICY_DROP_FLOW */    true,
     /* EXCEPTION_POLICY_REJECT */       true,
+    /* EXCEPTION_POLICY_REJECT_BOTH */  true,
     },
 };
 // clang-format on

src/util-exception-policy-types.h

@@ -30,10 +30,11 @@ enum ExceptionPolicy {
     EXCEPTION_POLICY_BYPASS_FLOW,
     EXCEPTION_POLICY_DROP_PACKET,
     EXCEPTION_POLICY_DROP_FLOW,
-    EXCEPTION_POLICY_REJECT,
+    EXCEPTION_POLICY_REJECT,     /**< reject src */
+    EXCEPTION_POLICY_REJECT_BOTH /**< reject both src and dest */
 };
 
-#define EXCEPTION_POLICY_MAX (EXCEPTION_POLICY_REJECT + 1)
+#define EXCEPTION_POLICY_MAX (EXCEPTION_POLICY_REJECT_BOTH + 1)
 
 /* Max length = possible exception policy scenarios + counter names
  * + exception policy type. E.g.:

src/util-exception-policy.c

@@ -47,6 +47,8 @@ const char *ExceptionPolicyEnumToString(enum ExceptionPolicy policy, bool is_jso
             return "reject";
         case EXCEPTION_POLICY_BYPASS_FLOW:
             return "bypass";
+        case EXCEPTION_POLICY_REJECT_BOTH:
+            return "reject_both";
         case EXCEPTION_POLICY_DROP_FLOW:
             return is_json ? "drop_flow" : "drop-flow";
         case EXCEPTION_POLICY_DROP_PACKET:
@@ -145,8 +147,14 @@ void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDro
         case EXCEPTION_POLICY_NOT_SET:
             break;
         case EXCEPTION_POLICY_REJECT:
-            SCLogDebug("EXCEPTION_POLICY_REJECT");
-            PacketDrop(p, ACTION_REJECT, drop_reason);
+        case EXCEPTION_POLICY_REJECT_BOTH:
+            if (policy == EXCEPTION_POLICY_REJECT) {
+                SCLogDebug("EXCEPTION_POLICY_REJECT");
+                PacketDrop(p, ACTION_REJECT, drop_reason);
+            } else {
+                SCLogDebug("EXCEPTION_POLICY_REJECT_BOTH");
+                PacketDrop(p, ACTION_REJECT_BOTH, drop_reason);
+            }
             if (!EngineModeIsIPS()) {
                 break;
             }
@@ -204,6 +212,7 @@ static enum ExceptionPolicy PickPacketAction(const char *option, enum ExceptionP
         case EXCEPTION_POLICY_PASS_PACKET:
             break;
         case EXCEPTION_POLICY_REJECT:
+        case EXCEPTION_POLICY_REJECT_BOTH:
             break;
         case EXCEPTION_POLICY_NOT_SET:
             break;
@@ -229,6 +238,8 @@ static enum ExceptionPolicy ExceptionPolicyConfigValueParse(
         policy = EXCEPTION_POLICY_PASS_PACKET;
     } else if (strcmp(value_str, "reject") == 0) {
         policy = EXCEPTION_POLICY_REJECT;
+    } else if (strcmp(value_str, "reject-both") == 0) {
+        policy = EXCEPTION_POLICY_REJECT_BOTH;
     } else if (strcmp(value_str, "ignore") == 0) { // TODO name?
         policy = EXCEPTION_POLICY_NOT_SET;
     } else if (strcmp(value_str, "auto") == 0) {