Merge pull request #1463 in SNORT/snort3 from ~CWAXMAN/snort3:offload_actions to...

Squashed commit of the following:

commit 7647547294400c2572f0eef9d6f9f98e8fff5ef3
Author: Carter Waxman <cwaxman@cisco.com>
Date:   Wed Dec 12 09:11:36 2018 -0500

    ActionManager: actions are tracked per packet for accurate packet suspension

diff --git a/src/detection/context_switcher.cc b/src/detection/context_switcher.cc
index 6c4b8bee391a4f10770b80268f8c7a228f517912..385a8a00626d2cc2f11955c5ac3cf25abe857110 100644 (file)
--- a/src/detection/context_switcher.cc
+++ b/src/detection/context_switcher.cc
@@ -85,8 +85,10 @@ void ContextSwitcher::start()
     busy.emplace_back(idle.back());
     idle.pop_back();
 
-    busy.back()->packet->active = busy.back()->packet->active_inst;
-    busy.back()->packet->active->reset();
+    IpsContext* c = busy.back();
+    c->packet->active = c->packet->active_inst;
+    c->packet->active->reset();
+    c->packet->action = &c->packet->action_inst; 
 }
 
 void ContextSwitcher::stop()
@@ -100,6 +102,7 @@ void ContextSwitcher::stop()
     c->clear_context_data();
     idle.emplace_back(c);
     busy.back()->packet->active = nullptr;
+    busy.back()->packet->action = nullptr;
     busy.pop_back();
 }
 

diff --git a/src/detection/detection_engine.cc b/src/detection/detection_engine.cc
index 152136304e53e6df31b928a20a47bd203d2cc389..6bc1e34caf5ebdb58beb5181875051c8894394f5 100644 (file)
--- a/src/detection/detection_engine.cc
+++ b/src/detection/detection_engine.cc
@@ -112,6 +112,7 @@ Packet* DetectionEngine::get_encode_packet()
 Packet* DetectionEngine::set_next_packet(Packet* parent)
 {
     static THREAD_LOCAL Active shutdown_active;
+    static THREAD_LOCAL IpsAction* shutdown_action = nullptr;
 
     IpsContext* c = Snort::get_switcher()->get_next();
     if ( parent )
@@ -130,15 +131,22 @@ Packet* DetectionEngine::set_next_packet(Packet* parent)
 
     // normal rebuild
     if ( parent )
+    {
         p->active = parent->active;
+        p->action = parent->action;
+    }
     
     // processing but parent is already gone (flow cache flush etc..)
     else if ( Snort::get_switcher()->get_context() )
+    {
         p->active = get_current_packet()->active;
+        p->action = get_current_packet()->action;
+    }
     
     // shutdown, so use a dummy so null checking is not needed everywhere
     else
     {
+        p->action = &shutdown_action;
         p->active = &shutdown_active;
         shutdown_active.reset();
     }

diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc
index b1b867bf2497260cbae18470eb777c6094023a8e..fb34ff4502d7adb058aff5a8c86ed63a8ae180a6 100644 (file)
--- a/src/detection/fp_detect.cc
+++ b/src/detection/fp_detect.cc
@@ -118,7 +118,7 @@ static inline void fpLogOther(
 
     // rule actions are queued here (eg reject)
     if ( rtn->listhead->action )
-        ActionManager::queue(rtn->listhead->action);
+        ActionManager::queue(rtn->listhead->action, p);
 }
 
 /*

diff --git a/src/main/snort.cc b/src/main/snort.cc
index 04816420291744b1bd58661e7545bd5c646ef947..c02133d226b9d377f3018475afd3bcad239f1f96 100644 (file)
--- a/src/main/snort.cc
+++ b/src/main/snort.cc
@@ -1019,7 +1019,7 @@ DAQ_Verdict Snort::packet_callback(
     DetectionEngine::reset();
 
     sfthreshold_reset();
-    ActionManager::reset_queue();
+    ActionManager::reset_queue(s_packet);
 
     DAQ_Verdict verdict = process_packet(s_packet, pkthdr, pkt);
     ActionManager::execute(s_packet);

diff --git a/src/managers/action_manager.cc b/src/managers/action_manager.cc
index 82ca0c683c21e5cc0400219ad09f7ff9deaf0741..7ea826d190120f527b45d274b76aadab80e48389 100644 (file)
--- a/src/managers/action_manager.cc
+++ b/src/managers/action_manager.cc
@@ -58,12 +58,11 @@ struct IpsActionsConfig
     IpsAction* reject = nullptr;
 };
 
-typedef vector<ActionClass> ACList;
+using ACList = vector<ActionClass>;
 
 static ACList s_actors;
 
 static THREAD_LOCAL ACList* s_tl_actors = nullptr;
-static THREAD_LOCAL IpsAction* s_tl_action = nullptr;
 
 //-------------------------------------------------------------------------
 // Main thread operations
@@ -227,28 +226,28 @@ void ActionManager::thread_term(SnortConfig*)
 
 void ActionManager::execute(Packet* p)
 {
-    if ( s_tl_action )
+    if ( *p->action )
     {
-        s_tl_action->exec(p);
-        s_tl_action = nullptr;
+        (*p->action)->exec(p);
+        *p->action = nullptr;
     }
 }
 
-void ActionManager::queue(IpsAction* a)
+void ActionManager::queue(IpsAction* a, Packet* p)
 {
-    if ( !s_tl_action || a->get_action() > s_tl_action->get_action() )
-        s_tl_action = a;
+    if ( !(*p->action) || a->get_action() > (*p->action)->get_action() )
+        *p->action = a;
 }
 
-void ActionManager::queue_reject(SnortConfig* sc)
+void ActionManager::queue_reject(SnortConfig* sc, Packet* p)
 {
     if ( sc->ips_actions_config->reject )
-        queue(sc->ips_actions_config->reject);
+        queue(sc->ips_actions_config->reject, p);
 }
 
-void ActionManager::reset_queue()
+void ActionManager::reset_queue(Packet* p)
 {
-    s_tl_action = nullptr;
+    *p->action = nullptr;
     Replace_ResetQueue();
 }
 

diff --git a/src/managers/action_manager.h b/src/managers/action_manager.h
index 774fe50033b65b222ef18593db30736b7255de30..7d82031777b3f2cf3b713db2221cdb50ef63d372 100644 (file)
--- a/src/managers/action_manager.h
+++ b/src/managers/action_manager.h
@@ -72,9 +72,9 @@ public:
     static void thread_reinit(snort::SnortConfig*);
     static void thread_term(snort::SnortConfig*);
 
-    static void reset_queue();
-    static void queue_reject(snort::SnortConfig*);
-    static void queue(snort::IpsAction*);
+    static void reset_queue(snort::Packet*);
+    static void queue_reject(snort::SnortConfig*, snort::Packet*);
+    static void queue(snort::IpsAction*, snort::Packet*);
     static void execute(snort::Packet*);
 
 #ifdef PIGLET

diff --git a/src/packet_io/active.cc b/src/packet_io/active.cc
index cadbcde16ebb928e40281f4083b5f27f7597c0ea..cad69f8af332eda06076cc13a724b2831b66c48a 100644 (file)
--- a/src/packet_io/active.cc
+++ b/src/packet_io/active.cc
@@ -470,7 +470,7 @@ void Active::reset_session(Packet* p, bool force)
 
     if ( enabled )
     {
-        ActionManager::queue_reject(SnortConfig::get_conf());
+        ActionManager::queue_reject(SnortConfig::get_conf(), p);
 
         if ( p->flow )
         {

diff --git a/src/protocols/packet.h b/src/protocols/packet.h
index 5ef29dc3bc17e387fdd7d42e2c5d8b3fed33a0cd..db38f028f453fe9d7f0b8e9750bbe0640c45dd48 100644 (file)
--- a/src/protocols/packet.h
+++ b/src/protocols/packet.h
@@ -33,6 +33,7 @@ namespace snort
 class Active;
 class Endianness;
 class Flow;
+class IpsAction;
 class IpsContext;
 class Obfuscator;
 
@@ -132,6 +133,8 @@ struct SO_PUBLIC Packet
     IpsContext* context;   // set by control
     Active* active;
     Active* active_inst;
+    IpsAction** action;
+    IpsAction* action_inst;
     const DAQ_PktHdr_t* pkth;    // packet meta data
     const uint8_t* pkt;          // raw packet data