git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <victor@inliniac.net>
	Tue, 20 Jun 2017 10:13:14 +0000 (12:13 +0200)
committer	Victor Julien <victor@inliniac.net>
	Mon, 26 Jun 2017 07:46:05 +0000 (09:46 +0200)
commit	d61fa0c43c3dce72c10e58462544bf5d6443128c
tree	a674fdc23d356e3507d6d8960612cda92657aefc	tree
parent	7c119cc595bd1dc29dfc54665ee76a5caf604c82	commit \| diff

tunnel: refactor tunnel verdict handling

Observed:

STARTTLS creates 2 pseudo packets which are tied to a real packet.
TPR (tunnel packet ref) counter increased to 2.

Pseudo 1: goes through 'verdict', increments 'ready to verdict' to 1.
Packet pool return code frees this packet and decrements TPR in root
to 1. RTV counter not changed. So both are now 1.

Pseudo 2: verdict code sees RTV == TPR, so verdict is set based on
pseudo packet. This is too soon. Packet pool return code frees this
packet and decrements TPR in root to 0.

Real packet: TRP is 0 so set verdict on this packet. As verdict was
already set, NFQ reports an issue.

The decrementing of TPR doesn't seem to make sense as RTV is not
updated.

Solution:

This patch refactors the ref count and verdict count logic. The beef
is now handled in the generic function TmqhOutputPacketpool(). NFQ
and IPFW call a utility function VerdictTunnelPacket to see if they
need to verdict a packet.

Remove some unused macro's for managing these counters.

src/decode.h		diff \| blob \| blame \| history
src/source-ipfw.c		diff \| blob \| blame \| history
src/source-nfq.c		diff \| blob \| blame \| history
src/stream-tcp.c		diff \| blob \| blame \| history
src/tmqh-packetpool.c		diff \| blob \| blame \| history