detect/iponly: use flow first flags
authorVictor Julien <vjulien@oisf.net>
Thu, 23 Jan 2025 15:07:08 +0000 (16:07 +0100)
committerVictor Julien <victor@inliniac.net>
Tue, 28 Jan 2025 21:34:28 +0000 (22:34 +0100)
Instead of ip-only specific flags, reuse the FLOW_PKT_TOSERVER_FIRST and
FLOW_PKT_TOCLIENT_FIRST flags.

Fixes false positives on one-sided streams that trigger an opposing flow
timeout packet at the flow's end. That pseudo packet would trigger a
match even though it shouldn't.

Ticket: #7521.

src/alert-debuglog.c
src/detect-engine-iponly.c
src/detect-flowbits.c
src/detect.c
src/flow.c
src/flow.h

index 8872b6e35e487db4adf88b18ddba52365d52f333..85ce29415056c77209292042dfe8b67d2e797b62 100644 (file)
@@ -216,17 +216,14 @@ static TmEcode AlertDebugLogger(ThreadVars *tv, const Packet *p, void *thread_da
                              p->flow->todstpktcnt, p->flow->tosrcpktcnt,
                              p->flow->todstbytecnt + p->flow->tosrcbytecnt);
         MemBufferWriteString(aft->buffer,
-                             "FLOW IPONLY SET:   TOSERVER: %s, TOCLIENT: %s\n"
-                             "FLOW ACTION:       DROP: %s\n"
-                             "FLOW NOINSPECTION: PACKET: %s, PAYLOAD: %s, APP_LAYER: %s\n"
-                             "FLOW APP_LAYER:    DETECTED: %s, PROTO %"PRIu16"\n",
-                             p->flow->flags & FLOW_TOSERVER_IPONLY_SET ? "TRUE" : "FALSE",
-                             p->flow->flags & FLOW_TOCLIENT_IPONLY_SET ? "TRUE" : "FALSE",
-                             p->flow->flags & FLOW_ACTION_DROP ? "TRUE" : "FALSE",
-                             p->flow->flags & FLOW_NOPACKET_INSPECTION ? "TRUE" : "FALSE",
-                             p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
-                             applayer ? "TRUE" : "FALSE",
-                             (p->flow->alproto != ALPROTO_UNKNOWN) ? "TRUE" : "FALSE", p->flow->alproto);
+                "FLOW ACTION:       DROP: %s\n"
+                "FLOW NOINSPECTION: PACKET: %s, PAYLOAD: %s, APP_LAYER: %s\n"
+                "FLOW APP_LAYER:    DETECTED: %s, PROTO %" PRIu16 "\n",
+                p->flow->flags & FLOW_ACTION_DROP ? "TRUE" : "FALSE",
+                p->flow->flags & FLOW_NOPACKET_INSPECTION ? "TRUE" : "FALSE",
+                p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
+                applayer ? "TRUE" : "FALSE",
+                (p->flow->alproto != ALPROTO_UNKNOWN) ? "TRUE" : "FALSE", p->flow->alproto);
         AlertDebugLogFlowVars(aft, p);
     }
 
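Review bot: Dropping the FLOW IPONLY SET line leaves the debug log with no record of the per-direction ip-only state that the rest of this commit moves onto the packet's FLOW_PKT_TOSERVER_FIRST / FLOW_PKT_TOCLIENT_FIRST bits, so the information that used to explain why ip-only inspection did or did not run is removed rather than relocated. Unless those bits are already printed in the packet part of this logger (not visible here), a replacement line such as `"FLOW PKT FIRST:    TOSERVER: %s, TOCLIENT: %s\n"` with `p->flowflags & FLOW_PKT_TOSERVER_FIRST ? "TRUE" : "FALSE"` and the TOCLIENT equivalent as arguments would keep that diagnostic. The re-indentation of the surviving continuation lines is a formatting-only change mixed into a functional commit. AlertDebugLogger's body continues on both sides of the hunk.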
index fb333f0eda3de1a17e5bff99889f0f931b61f883..fd3fc66332399f8537642e1cebcd03e227d3dac9 100644 (file)
@@ -2097,7 +2097,7 @@ static int IPOnlyTestSig15(void)
     p[0]->flow = &f;
     p[0]->flow->flowvar = &flowvar;
     p[0]->flags |= PKT_HAS_FLOW;
-    p[0]->flowflags |= FLOW_PKT_TOSERVER;
+    p[0]->flowflags |= (FLOW_PKT_TOSERVER | FLOW_PKT_TOSERVER_FIRST);
 
     const char *sigs[numsigs];
     sigs[0]= "alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; "
index 40f04d75f305f1b5d47731b6812218a8a4f431e8..937743dc054983eb50ab578fd0339931a8ec25d1 100644 (file)
@@ -974,7 +974,7 @@ static int FlowBitsTestSig06(void)
     p->payload_len = buflen;
     p->proto = IPPROTO_TCP;
     p->flags |= PKT_HAS_FLOW;
-    p->flowflags |= FLOW_PKT_TOSERVER;
+    p->flowflags |= (FLOW_PKT_TOSERVER | FLOW_PKT_TOSERVER_FIRST);
 
     de_ctx = DetectEngineCtxInit();
     FAIL_IF_NULL(de_ctx);
index b96d96d93a4601aa2519346416a30c80d2f9d726..1f169612443c30403021909b9783c7edc5a18a49 100644 (file)
@@ -564,23 +564,12 @@ static void DetectRunInspectIPOnly(ThreadVars *tv, const DetectEngineCtx *de_ctx
         Flow * const pflow, Packet * const p)
 {
     if (pflow) {
-        /* set the iponly stuff */
-        if (pflow->flags & FLOW_TOCLIENT_IPONLY_SET)
-            p->flowflags |= FLOW_PKT_TOCLIENT_IPONLY_SET;
-        if (pflow->flags & FLOW_TOSERVER_IPONLY_SET)
-            p->flowflags |= FLOW_PKT_TOSERVER_IPONLY_SET;
-
-        if (((p->flowflags & FLOW_PKT_TOSERVER) && !(p->flowflags & FLOW_PKT_TOSERVER_IPONLY_SET)) ||
-            ((p->flowflags & FLOW_PKT_TOCLIENT) && !(p->flowflags & FLOW_PKT_TOCLIENT_IPONLY_SET)))
-        {
+        if (p->flowflags & (FLOW_PKT_TOSERVER_FIRST | FLOW_PKT_TOCLIENT_FIRST)) {
             SCLogDebug("testing against \"ip-only\" signatures");
 
             PACKET_PROFILING_DETECT_START(p, PROF_DETECT_IPONLY);
             IPOnlyMatchPacket(tv, de_ctx, det_ctx, &de_ctx->io_ctx, p);
             PACKET_PROFILING_DETECT_END(p, PROF_DETECT_IPONLY);
-
-            /* save in the flow that we scanned this direction... */
-            FlowSetIPOnlyFlag(pflow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
         }
     } else { /* p->flags & PKT_HAS_FLOW */
         /* no flow */
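Review bot: The new condition on the first line of the if-block makes ip-only inspection depend entirely on the flow engine setting FLOW_PKT_TOSERVER_FIRST / FLOW_PKT_TOCLIENT_FIRST only on the genuine first packet of each direction — and, for the false positive described in the commit message, presumably not on the flow-timeout pseudo packet — yet the code that sets those bits is not part of this diff and nothing here documents that contract. A short comment would make the dependency explicit, e.g. `/* ip-only sigs run once per direction: on the packet the flow engine flagged as first in that direction (FLOW_PKT_*_FIRST); later packets and timeout pseudo packets must not carry the flag */`. The fix also arrives without a regression test for ticket #7521: the detect-engine-iponly.c and detect-flowbits.c hunks only add the FIRST flag to existing single-packet tests, so a test that sends a second packet in the same direction, or the opposing pseudo packet, and asserts no ip-only match would pin the corrected behaviour. DetectRunInspectIPOnly's else-branch continues past the end of the hunk.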
index 5508ea7b923e153b7a20cccd55c6719fb59fc6ab..07c5b1291801f7abf15bd3b8b1b1c6bc90403828 100644 (file)
@@ -144,16 +144,6 @@ void FlowCleanupAppLayer(Flow *f)
     f->alparser = NULL;
 }
 
-/** \brief Set the IPOnly scanned flag for 'direction'.
-  *
-  * \param f Flow to set the flag in
-  * \param direction direction to set the flag in
-  */
-void FlowSetIPOnlyFlag(Flow *f, int direction)
-{
-    direction ? (f->flags |= FLOW_TOSERVER_IPONLY_SET) : (f->flags |= FLOW_TOCLIENT_IPONLY_SET);
-}
-
 /** \brief Set flag to indicate that flow has alerts
  *
  * \param f flow
@@ -213,7 +203,6 @@ int FlowChangeProto(Flow *f)
 static inline void FlowSwapFlags(Flow *f)
 {
     SWAP_FLAGS(f->flags, FLOW_TO_SRC_SEEN, FLOW_TO_DST_SEEN);
-    SWAP_FLAGS(f->flags, FLOW_TOSERVER_IPONLY_SET, FLOW_TOCLIENT_IPONLY_SET);
     SWAP_FLAGS(f->flags, FLOW_SGH_TOSERVER, FLOW_SGH_TOCLIENT);
 
     SWAP_FLAGS(f->flags, FLOW_TOSERVER_DROP_LOGGED, FLOW_TOCLIENT_DROP_LOGGED);
index 5afbc57012adb291c7e4d10dd1bb1a47721e8d05..69d4aff9858a72ac8d844b289b6f7d02471e701a 100644 (file)
@@ -55,10 +55,9 @@ typedef struct AppLayerParserState_ AppLayerParserState;
 /** next packet in toclient direction will act on updated app-layer state */
 #define FLOW_TC_APP_UPDATE_NEXT BIT_U32(2)
 
-/** Flow was inspected against IP-Only sigs in the toserver direction */
-#define FLOW_TOSERVER_IPONLY_SET        BIT_U32(3)
-/** Flow was inspected against IP-Only sigs in the toclient direction */
-#define FLOW_TOCLIENT_IPONLY_SET        BIT_U32(4)
+// vacancy bit 3
+
+// vacancy bit 4
 
 /** Packet belonging to this flow should not be inspected at all */
 #define FLOW_NOPACKET_INSPECTION        BIT_U32(5)
@@ -232,13 +231,11 @@ typedef struct AppLayerParserState_ AppLayerParserState;
 #define FLOW_PKT_TOSERVER               0x01
 #define FLOW_PKT_TOCLIENT               0x02
 #define FLOW_PKT_ESTABLISHED            0x04
-#define FLOW_PKT_TOSERVER_IPONLY_SET    0x08
-#define FLOW_PKT_TOCLIENT_IPONLY_SET    0x10
-#define FLOW_PKT_TOSERVER_FIRST         0x20
-#define FLOW_PKT_TOCLIENT_FIRST         0x40
+#define FLOW_PKT_TOSERVER_FIRST         0x08
+#define FLOW_PKT_TOCLIENT_FIRST         0x10
 /** last pseudo packet in the flow. Can be used to trigger final clean,
  *  logging, etc. */
-#define FLOW_PKT_LAST_PSEUDO            0x80
+#define FLOW_PKT_LAST_PSEUDO 0x20
 
 #define FLOW_END_FLAG_EMERGENCY 0x01
 #define FLOW_END_FLAG_TIMEOUT   0x02
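Review bot: Moving FLOW_PKT_TOSERVER_FIRST, FLOW_PKT_TOCLIENT_FIRST and FLOW_PKT_LAST_PSEUDO from 0x20/0x40/0x80 down to 0x08/0x10/0x20 changes the numeric value of three live flags purely to close the gap left by the two removed IPONLY defines; any code or unit test that compares `flowflags` against a literal, or any output that prints the raw value, would silently change meaning, and nothing visible in this diff rules that out. Leaving the three values where they were and only dropping the two IPONLY defines (with a `/* 0x08, 0x10 unused */` marker, matching the `// vacancy bit 3` / `// vacancy bit 4` comments the hunk above adds for the flow flags) avoids the renumbering entirely. If the renumbering is kept, `#define FLOW_PKT_LAST_PSEUDO 0x20` should keep the column alignment of its neighbours, and the `//` vacancy comments above would read more consistently in this header's `/** ... */` doxygen style. Separately, no hunk in this commit removes a prototype for FlowSetIPOnlyFlag, which flow.c deletes; if this header still declares it, that declaration is now dead.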