Sebastien Blot 1 年之前
父節點
當前提交
37c5d54e43
共有 3 個文件被更改,包括 19 次插入16 次删除
  1. 5 7
      pkg/waf/waap_rule/modsecurity.go
  2. 5 5
      pkg/waf/waap_rule/waap_rule.go
  3. 9 4
      pkg/waf/waap_rules_collection.go

+ 5 - 7
pkg/waf/waap_rule/modsecurity.go

@@ -7,7 +7,7 @@ import (
 )
 
 type ModsecurityRule struct {
-	id uint32
+	ids []uint32
 }
 
 var zonesMap map[string]string = map[string]string{
@@ -43,16 +43,16 @@ var matchMap map[string]string = map[string]string{
 	"le":              "@le",
 }
 
-func (m *ModsecurityRule) Build(rule *CustomRule, waapRuleName string) (string, uint32, error) {
+func (m *ModsecurityRule) Build(rule *CustomRule, waapRuleName string) (string, []uint32, error) {
 
 	rules, err := m.buildRules(rule, waapRuleName, false, 0)
 
 	if err != nil {
-		return "", 0, err
+		return "", nil, err
 	}
 
 	//We return the id of the first generated rule, as it's the interesting one in case of chain or skip
-	return strings.Join(rules, "\n"), m.id, nil
+	return strings.Join(rules, "\n"), m.ids, nil
 }
 
 func (m *ModsecurityRule) generateRuleID(rule *CustomRule, waapRuleName string) uint32 {
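Review bot: The comment kept above the return in Build still says it returns the id of the first generated rule, but the new return value is the whole `m.ids` slice. It should state the contract the caller now relies on, for example `// We return the ids of every generated rule; ids[0] belongs to the first generated rule, which is the interesting one in case of chain or skip.` That ordering comes only from the order in which buildRules calls generateRuleID (next hunk, `m.ids = append(m.ids, id)`). buildRules is not shown here, so it is worth confirming that the main rule's id is always generated first. Since generateRuleID now appends unconditionally, a second Build on the same receiver would return the previous call's ids as well. Convert creates a fresh `ModsecurityRule{}` each time, so this looks latent today, but starting Build with `m.ids = nil` would make it safe.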
@@ -67,9 +67,7 @@ func (m *ModsecurityRule) generateRuleID(rule *CustomRule, waapRuleName string)
 		h.Write([]byte(transform))
 	}
 	id := h.Sum32()
-	if m.id == 0 {
-		m.id = id
-	}
+	m.ids = append(m.ids, id)
 	return id
 }
 

+ 5 - 5
pkg/waf/waap_rule/waap_rule.go

@@ -42,18 +42,18 @@ type CustomRule struct {
 	Or        []CustomRule `yaml:"or,omitempty"`
 }
 
-func (v *CustomRule) Convert(ruleType string, waapRuleName string) (string, uint32, error) {
+func (v *CustomRule) Convert(ruleType string, waapRuleName string) (string, []uint32, error) {
 
 	if v.Zones == nil && v.And == nil && v.Or == nil {
-		return "", 0, fmt.Errorf("no zones defined")
+		return "", nil, fmt.Errorf("no zones defined")
 	}
 
 	if v.Match.Type == "" && v.And == nil && v.Or == nil {
-		return "", 0, fmt.Errorf("no match type defined")
+		return "", nil, fmt.Errorf("no match type defined")
 	}
 
 	if v.Match.Value == "" && v.And == nil && v.Or == nil {
-		return "", 0, fmt.Errorf("no match value defined")
+		return "", nil, fmt.Errorf("no match value defined")
 	}
 
 	switch ruleType {
@@ -61,6 +61,6 @@ func (v *CustomRule) Convert(ruleType string, waapRuleName string) (string, uint
 		r := ModsecurityRule{}
 		return r.Build(v, waapRuleName)
 	default:
-		return "", 0, fmt.Errorf("unknown rule format '%s'", ruleType)
+		return "", nil, fmt.Errorf("unknown rule format '%s'", ruleType)
 	}
 }

+ 9 - 4
pkg/waf/waap_rules_collection.go

@@ -140,7 +140,7 @@ func LoadCollection(collection string) (WaapCollection, error) {
 
 	if loadedRule.Rules != nil {
 		for _, rule := range loadedRule.Rules {
-			strRule, ruleId, err := rule.Convert(waap_rule.ModsecurityRuleType, loadedRule.Name)
+			strRule, rulesId, err := rule.Convert(waap_rule.ModsecurityRuleType, loadedRule.Name)
 			if err != nil {
 				log.Errorf("unable to convert rule %s : %s", rule.Name, err)
 				return WaapCollection{}, err
@@ -148,15 +148,20 @@ func LoadCollection(collection string) (WaapCollection, error) {
 			log.Infof("Adding rule %s", strRule)
 			waapCol.Rules = append(waapCol.Rules, strRule)
 
-			if _, ok := WaapRulesDetails[int(ruleId)]; !ok {
-				WaapRulesDetails[int(ruleId)] = RulesDetails{
+			//We only take the first id, as it's the one of the "main" rule
+			if _, ok := WaapRulesDetails[int(rulesId[0])]; !ok {
+				WaapRulesDetails[int(rulesId[0])] = RulesDetails{
 					LogLevel: log.InfoLevel,
 					Hash:     loadedRule.hash,
 					Version:  loadedRule.version,
 					Name:     loadedRule.Name,
 				}
 			} else {
-				log.Warnf("conflicting id %d for rule %s !", ruleId, rule.Name)
+				log.Warnf("conflicting id %d for rule %s !", rulesId[0], rule.Name)
+			}
+
+			for _, id := range rulesId {
+				SetRuleDebug(int(id), loadedRule.Debug)
 			}
 		}
 	}
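Review bot: `rulesId[0]` is indexed on the added `WaapRulesDetails` lookup, assignment and warning lines without a length check, so a rule for which Convert returns a nil error and an empty id slice would panic the collection loader with an index out of range. Whether that can happen depends on buildRules, which is not visible here. Convert's validation only tests `v.And == nil` and `v.Or == nil`, so an empty but non-nil list may pass it without producing any rule. For a WAF rule loader, a malformed collection should be a load error rather than a crash, so a guard right after the Convert error check is worth adding: `if len(rulesId) == 0 { return WaapCollection{}, fmt.Errorf("rule %s generated no rule id", rule.Name) }` (assuming `fmt` is imported in this file). LoadCollection starts and ends outside the hunk.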