OISF · victorjulien · Feb 19, 2026 · Jan 21, 2026 · Jan 31, 2026 · Feb 18, 2026
@@ -271,6 +271,70 @@ You can also use the negation (!) before isdataat.
 
 .. image:: payload-keywords/isdataat1.png
 
+absolute vs relative values
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The absolute ``isdataat`` checks will succeed if the offset used is
+**less than** the size of the inspection buffer.
+
+For *relative* ``isdataat`` checks, there is a **1 byte difference** vs
+the absolute handling.
+
+Matching will succeed if the relative offset is **less than or equal to**
+the size of the inspection buffer. This is different from absolute
+``isdataat`` checks.
+
+As an example, consider a 32 byte payload:
+
++---------------------------+--------+
+| rule statement            | Match? |
++---------------------------+--------+
+| ``isdataat:31;``          | Yes    |
++---------------------------+--------+
+| ``isdataat:32;``          | No     |
++---------------------------+--------+
+| ``isdataat:31,relative;`` | Yes    |
++---------------------------+--------+
+| ``isdataat:32,relative;`` | Yes    |
++---------------------------+--------+
+| ``isdataat:33,relative;`` | No     |
++---------------------------+--------+
+
+Another example, consider the following payload:
+
++-------+---+---+---+---+---+---+---+---+
+| Index | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
++-------+---+---+---+---+---+---+---+---+
+| Value | a | b | c | d | e | f | g | h |
++-------+---+---+---+---+---+---+---+---+
+
+Then the following rules match the payload as follows:
+
++----------------------------------------+--------+
+| Rule statement                         | Match? |
++----------------------------------------+--------+
+| ``isdataat:7;``                        | Yes    |
++----------------------------------------+--------+
+| ``isdataat:8;``                        | No     |
++----------------------------------------+--------+
+| ``isdataat:7,relative;``               | Yes    |
++----------------------------------------+--------+
+| ``isdataat:8,relative;``               | Yes    |
++----------------------------------------+--------+
+| ``isdataat:9,relative;``               | No     |
++----------------------------------------+--------+
+| ``payload:"c"; isdataat:4,relative;``  | Yes    |
++----------------------------------------+--------+
+| ``payload:"c"; isdataat:5,relative;``  | Yes    |
++----------------------------------------+--------+
+| ``payload:"c"; isdataat:6,relative;``  | No     |
++----------------------------------------+--------+
+
+These differences are also discussed in :doc:`differences-from-snort`.
+
+A discussion of this difference can be found at
+https://redmine.openinfosecfoundation.org/issues/8031
+
 absent
 ------
 

@@ -181,11 +181,21 @@ static void OnThreadInit(ThreadVars *tv, void *_data)
 static int DetectnDPIProtocolPacketMatch(
         DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s, const SigMatchCtx *ctx)
 {
+    SCEnter();
+
     const Flow *f = p->flow;
+    if (f == NULL) {
+        SCLogDebug("packet %" PRIu64 ": no flow", p->pcap_cnt);
+        SCReturnInt(0);
+    }
+
     struct NdpiFlowContext *flowctx = FlowGetStorageById(f, flow_storage_id);
-    const DetectnDPIProtocolData *data = (const DetectnDPIProtocolData *)ctx;
+    if (flowctx == NULL) {
+        SCLogDebug("packet %" PRIu64 ": no flowctx", PcapPacketCntGet(p));
+        SCReturnInt(0);
+    }
 
-    SCEnter();
+    const DetectnDPIProtocolData *data = (const DetectnDPIProtocolData *)ctx;
 
     /* if the sig is PD-only we only match when PD packet flags are set */
     /*
@@ -201,11 +211,6 @@ static int DetectnDPIProtocolPacketMatch(
         SCReturnInt(0);
     }
 
-    if (f == NULL) {
-        SCLogDebug("packet %" PRIu64 ": no flow", p->pcap_cnt);
-        SCReturnInt(0);
-    }
-
     bool r = ndpi_is_proto_equals(flowctx->detected_l7_protocol.proto, data->l7_protocol, false);
     r = r ^ data->negated;
 
@@ -311,22 +316,27 @@ static void DetectnDPIProtocolFree(DetectEngineCtx *de_ctx, void *ptr)
 static int DetectnDPIRiskPacketMatch(
         DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s, const SigMatchCtx *ctx)
 {
+    SCEnter();
+
     const Flow *f = p->flow;
+    if (f == NULL) {
+        SCLogDebug("packet %" PRIu64 ": no flow", p->pcap_cnt);
+        SCReturnInt(0);
+    }
+
     struct NdpiFlowContext *flowctx = FlowGetStorageById(f, flow_storage_id);
-    const DetectnDPIRiskData *data = (const DetectnDPIRiskData *)ctx;
+    if (flowctx == NULL) {
+        SCLogDebug("packet %" PRIu64 ": no flowctx", p->pcap_cnt);
+        SCReturnInt(0);
+    }
 
-    SCEnter();
+    const DetectnDPIRiskData *data = (const DetectnDPIRiskData *)ctx;
 
     if (!flowctx->detection_completed) {
         SCLogDebug("packet %" PRIu64 ": ndpi risks not yet detected", p->pcap_cnt);
         SCReturnInt(0);
     }
 
-    if (f == NULL) {
-        SCLogDebug("packet %" PRIu64 ": no flow", p->pcap_cnt);
-        SCReturnInt(0);
-    }
-
     bool r = ((flowctx->ndpi_flow->risk & data->risk_mask) == data->risk_mask);
     r = r ^ data->negated;
 

@@ -72,7 +72,7 @@ void DetectIPRepRegister (void)
     sigmatch_table[DETECT_IPREP].RegisterTests = IPRepRegisterTests;
 #endif
     /* this is compatible to ip-only signatures */
-    sigmatch_table[DETECT_IPREP].flags |= SIGMATCH_IPONLY_COMPAT;
+    sigmatch_table[DETECT_IPREP].flags |= SIGMATCH_IPONLY_COMPAT | SIGMATCH_SUPPORT_FIREWALL;
 }
 
 static inline int8_t GetRep(const SReputation *r, const uint8_t cat, const uint32_t version)

@@ -439,6 +439,7 @@ static TmEcode OpenXSKSocket(AFXDPThreadVars *ptv)
     if ((ret = xsk_socket__create(&ptv->xsk.xsk, ptv->livedev->dev, ptv->xsk.queue.queue_num,
                  ptv->umem.umem, &ptv->xsk.rx, &ptv->xsk.tx, &ptv->xsk.cfg))) {
         SCLogError("Failed to create socket: %s", strerror(-ret));
+        SCMutexUnlock(&xsk_protect.queue_protect);
         SCReturnInt(TM_ECODE_FAILED);
     }
     SCLogDebug("bind to %s on queue %u", ptv->iface, ptv->xsk.queue.queue_num);

@@ -660,8 +660,7 @@ static int HwLocDeviceNumaGet(hwloc_topology_t topo, hwloc_obj_t obj)
         return nodes[0]->logical_index;
     }
     return -1;
-#endif /* HWLOC_VERSION_MAJOR >= 2 && HWLOC_VERSION_MINOR >= 5 */
-
+#else
     hwloc_obj_t non_io_ancestor = hwloc_get_non_io_ancestor_obj(topo, obj);
     if (non_io_ancestor == NULL) {
         return -1;
@@ -676,6 +675,7 @@ static int HwLocDeviceNumaGet(hwloc_topology_t topo, hwloc_obj_t obj)
     }
 
     return -1;
+#endif /* ! HWLOC_VERSION_MAJOR >= 2 && HWLOC_VERSION_MINOR >= 5 */
 }
 
 static hwloc_obj_t HwLocDeviceGetByKernelName(hwloc_topology_t topo, const char *interface_name)