if (p->flow != NULL) {
/* Update flow flags for iponly */
- FLOWLOCK_WRLOCK(p->flow);
- FlowSetIPOnlyFlagNoLock(p->flow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
+ FlowSetIPOnlyFlag(p->flow, (p->flowflags & FLOW_PKT_TOSERVER) ? 1 : 0);
if (s->action & ACTION_DROP)
p->flow->flags |= FLOW_ACTION_DROP;
if (s->action & ACTION_PASS) {
FlowSetNoPacketInspectionFlag(p->flow);
}
- FLOWLOCK_UNLOCK(p->flow);
}
}
}
(p->alerts.alerts[i].flags &
(PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_STREAM_MATCH)))
{
- FlowLockSetNoPacketInspectionFlag(p->flow);
+ FlowSetNoPacketInspectionFlag(p->flow);
}
break;
(s->flags & SIG_FLAG_APPLAYER))
&& p->flow != NULL)
{
- FLOWLOCK_WRLOCK(p->flow);
/* This will apply only on IPS mode (check StreamTcpPacket) */
- p->flow->flags |= FLOW_ACTION_DROP;
- FLOWLOCK_UNLOCK(p->flow);
+ p->flow->flags |= FLOW_ACTION_DROP; // XXX API?
}
}
}
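Review bot: The `// XXX API?` marker on the new `p->flow->flags |= FLOW_ACTION_DROP;` line records an open question instead of the invariant the line now relies on: with the `FLOWLOCK_WRLOCK`/`FLOWLOCK_UNLOCK` pair gone, this direct write is only safe when the caller already holds the flow's write lock. I would replace the marker with `/* flow is write-locked by the caller */`, or route the write through a small setter in the style of `FlowSetNoPacketInspectionFlag`. The same bare `FLOW_ACTION_DROP` write sits in the IP-only hunk at the top of the page. The enclosing function begins and ends outside this hunk, so whether every path into it holds the lock cannot be confirmed from here.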
else if (sm->type == DETECT_LUA) {
SCLogDebug("lua starting");
- /* for flowvar gets and sets we need to know the flow's lock status */
- int flow_lock = LUA_FLOW_LOCKED_BY_PARENT;
- if (inspection_mode <= DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM)
- flow_lock = LUA_FLOW_NOT_LOCKED_BY_PARENT;
if (DetectLuaMatchBuffer(det_ctx, s, sm, buffer, buffer_len,
- det_ctx->buffer_offset, f, flow_lock) != 1)
+ det_ctx->buffer_offset, f) != 1)
{
SCLogDebug("lua no_match");
goto no_match;
{
int r = 0;
- FLOWLOCK_WRLOCK(f);
-
if (!(flags & STREAM_EOF) && f->de_state &&
f->detect_alversion[flags & STREAM_TOSERVER ? 0 : 1] == alversion) {
SCLogDebug("unchanged state");
} else {
r = 0;
}
- FLOWLOCK_UNLOCK(f);
-
return r;
}
SCLogDebug("rule %u", s->id);
- FLOWLOCK_WRLOCK(f);
/* TX based matches (inspect engines) */
if (AppLayerParserProtocolSupportsTxs(f->proto, alproto)) {
uint64_t tx_id = 0;
}
end:
- FLOWLOCK_UNLOCK(f);
-
det_ctx->tx_id = 0;
det_ctx->tx_id_set = 0;
return alert_cnt ? 1:0;
RULE_PROFILING_END(det_ctx, s, (alert == 1), p);
if (alert) {
- det_ctx->flow_locked = 1;
SigMatchSignaturesRunPostMatch(tv, de_ctx, det_ctx, p, s);
- det_ctx->flow_locked = 0;
if (!(s->flags & SIG_FLAG_NOALERT)) {
PacketAlertAppend(det_ctx, s, p, inspect_tx_id,
item->nm = sm;
if (alert) {
- det_ctx->flow_locked = 1;
SigMatchSignaturesRunPostMatch(tv, de_ctx, det_ctx, p, s);
- det_ctx->flow_locked = 0;
if (!(s->flags & SIG_FLAG_NOALERT)) {
PacketAlertAppend(det_ctx, s, p, 0,
uint64_t total_txs = 0;
uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
- FLOWLOCK_WRLOCK(f);
-
SCLogDebug("starting continue detection for packet %"PRIu64, p->pcap_cnt);
if (AppLayerParserProtocolSupportsTxs(f->proto, alproto)) {
void *alstate = FlowGetAppState(f);
if (!StateIsValid(alproto, alstate)) {
- FLOWLOCK_UNLOCK(f);
return;
}
}
end:
- FLOWLOCK_UNLOCK(f);
det_ctx->tx_id = 0;
det_ctx->tx_id_set = 0;
return;
* \note it is possible that f->alstate, f->alparser are NULL */
void DeStateUpdateInspectTransactionId(Flow *f, const uint8_t flags)
{
- FLOWLOCK_WRLOCK(f);
if (f->alparser && f->alstate) {
AppLayerParserSetTransactionInspectId(f->alparser, f->proto,
f->alproto, f->alstate, flags);
}
- FLOWLOCK_UNLOCK(f);
-
return;
}
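Review bot: `DeStateUpdateInspectTransactionId` no longer takes the flow lock, but the visible part of its doc comment only mentions that `f->alstate` and `f->alparser` may be NULL, so nothing tells a caller that it must now hold the lock before calling. I would add ` * \note the flow must be write-locked by the caller` next to the existing `\note`. The same applies to the other helpers that lost their internal locking in this commit, such as `FlowBitIsset`, `FlowBitIsnotset` and `DetectFlowintMatch`. Only the tail of the doc comment is visible, so adjust if the precondition is already stated above it.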
if (p->flow == NULL)
return 1;
- FLOWLOCK_WRLOCK(p->flow);
iter = FlowGetStorageById(p->flow, flow_tag_id);
if (iter != NULL) {
/* First iterate installed entries searching a duplicated sid/gid */
SCLogDebug("Max tags for sessions reached (%"PRIu16")", tag_cnt);
}
- FLOWLOCK_UNLOCK(p->flow);
return updated;
}
/* First update and get session tags */
if (p->flow != NULL) {
- FLOWLOCK_WRLOCK(p->flow);
TagHandlePacketFlow(p->flow, p);
- FLOWLOCK_UNLOCK(p->flow);
}
Host *src = HostLookupHostFromHash(&p->src);
else
flags |= STREAM_TOSERVER;
- if (det_ctx->flow_locked == 0)
- FLOWLOCK_WRLOCK(p->flow);
-
FileContainer *ffc = AppLayerParserGetFiles(p->flow->proto, p->flow->alproto,
p->flow->alstate, flags);
}
}
- if (det_ctx->flow_locked == 0)
- FLOWLOCK_UNLOCK(p->flow);
-
SCReturnInt(0);
}
int DetectFlowintMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Packet *p, Signature *s, const SigMatchCtx *ctx)
{
- const int flow_locked = det_ctx->flow_locked;
const DetectFlowintData *sfd = (const DetectFlowintData *)ctx;
FlowVar *fv;
FlowVar *fvt;
uint32_t targetval;
int ret = 0;
- if (flow_locked == 0)
- FLOWLOCK_WRLOCK(p->flow);
-
/** ATM If we are going to compare the current var with another
* that doesn't exist, the default value will be zero;
* if you don't want this behaviour, you can use the keyword
}
end:
- if (flow_locked == 0)
- FLOWLOCK_UNLOCK(p->flow);
return ret;
}
int ret = 0;
DetectFlowvarData *fd = (DetectFlowvarData *)ctx;
- /* we need a lock */
- FLOWLOCK_RDLOCK(p->flow);
-
FlowVar *fv = FlowVarGet(p->flow, fd->idx);
if (fv != NULL) {
uint8_t *ptr = SpmSearch(fv->data.fv_str.value,
if (ptr != NULL)
ret = 1;
}
- FLOWLOCK_UNLOCK(p->flow);
return ret;
}
int DetectLuaMatchBuffer(DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch *sm,
uint8_t *buffer, uint32_t buffer_len, uint32_t offset,
- Flow *f, int flow_lock)
+ Flow *f)
{
SCEnter();
int ret = 0;
SCReturnInt(0);
/* setup extension data for use in lua c functions */
+ int flow_lock = (f != NULL) ? /* if we have a flow, it's locked */
+ LUA_FLOW_LOCKED_BY_PARENT :
+ LUA_FLOW_NOT_LOCKED_BY_PARENT;
+
LuaExtensionsMatchSetup(tluajit->luastate, luajit, det_ctx,
f, flow_lock, /* no packet in the ctx */NULL, 0);
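Review bot: `flow_lock` is derived from `f != NULL`, which assumes that every flow reaching `DetectLuaMatchBuffer` is already locked; a non-NULL pointer says nothing about the lock itself. If any caller gets here outside the locked section in `Detect`, the Lua flowvar get/set helpers would presumably skip their own locking and touch the flow unprotected. Since this commit still maintains `det_ctx->flow_locked` around the locked section, the value could come from it: `int flow_lock = det_ctx->flow_locked ? LUA_FLOW_LOCKED_BY_PARENT : LUA_FLOW_NOT_LOCKED_BY_PARENT;`. The same applies to the `p->flow != NULL` variant in the packet-match hunk further down. The function body continues outside this hunk.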
flags = STREAM_TOCLIENT;
LuaStateSetThreadVars(tluajit->luastate, tv);
+
+ int flow_lock = (p->flow != NULL) ? /* if we have a flow, it's locked */
+ LUA_FLOW_LOCKED_BY_PARENT :
+ LUA_FLOW_NOT_LOCKED_BY_PARENT;
+
LuaExtensionsMatchSetup(tluajit->luastate, luajit, det_ctx,
- p->flow, /* flow not locked */LUA_FLOW_NOT_LOCKED_BY_PARENT, p, flags);
+ p->flow, flow_lock, p, flags);
if ((tluajit->flags & DATATYPE_PAYLOAD) && p->payload_len == 0)
SCReturnInt(0);
if (p->flow == NULL)
SCReturnInt(0);
- FLOWLOCK_RDLOCK(p->flow);
- int alproto = p->flow->alproto;
- FLOWLOCK_UNLOCK(p->flow);
-
+ AppProto alproto = p->flow->alproto;
if (tluajit->alproto != alproto)
SCReturnInt(0);
}
lua_settable(tluajit->luastate, -3);
}
if (tluajit->alproto == ALPROTO_HTTP) {
- FLOWLOCK_RDLOCK(p->flow);
HtpState *htp_state = p->flow->alstate;
if (htp_state != NULL && htp_state->connp != NULL) {
htp_tx_t *tx = NULL;
}
}
}
- FLOWLOCK_UNLOCK(p->flow);
}
int retval = lua_pcall(tluajit->luastate, 1, 1, 0);
int negated;
char *filename;
uint32_t flags;
- int alproto;
+ AppProto alproto;
char *buffername; /* buffer name in case of a single buffer */
uint16_t flowint[DETECT_LUAJIT_MAX_FLOWINTS];
uint16_t flowints;
void DetectLuaRegister (void);
int DetectLuaMatchBuffer(DetectEngineThreadCtx *det_ctx, Signature *s, SigMatch *sm,
uint8_t *buffer, uint32_t buffer_len, uint32_t offset,
- Flow *f, int flow_lock);
+ Flow *f);
#ifdef HAVE_LUAJIT
int DetectLuajitSetupStatesPool(int num, int reloads);
/* all http based mpms */
if (has_state && alproto == ALPROTO_HTTP) {
- FLOWLOCK_WRLOCK(p->flow);
void *alstate = FlowGetAppState(p->flow);
if (alstate == NULL) {
SCLogDebug("no alstate");
- FLOWLOCK_UNLOCK(p->flow);
return;
}
HtpState *htp_state = (HtpState *)alstate;
if (htp_state->connp == NULL) {
SCLogDebug("no HTTP connp");
- FLOWLOCK_UNLOCK(p->flow);
return;
}
}
}
} /* for */
-
- FLOWLOCK_UNLOCK(p->flow);
}
/* all dns based mpms */
else if (alproto == ALPROTO_DNS && has_state) {
if (p->flowflags & FLOW_PKT_TOSERVER) {
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_DNSQUERY) {
- FLOWLOCK_RDLOCK(p->flow);
void *alstate = FlowGetAppState(p->flow);
if (alstate == NULL) {
SCLogDebug("no alstate");
- FLOWLOCK_UNLOCK(p->flow);
return;
}
DetectDnsQueryInspectMpm(det_ctx, p->flow, alstate, flags, tx, idx);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_DNSQUERY);
}
- FLOWLOCK_UNLOCK(p->flow);
}
}
} else if (alproto == ALPROTO_TLS && has_state) {
if (p->flowflags & FLOW_PKT_TOSERVER) {
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_TLSSNI) {
- FLOWLOCK_RDLOCK(p->flow);
void *alstate = FlowGetAppState(p->flow);
if (alstate == NULL) {
SCLogDebug("no alstate");
- FLOWLOCK_UNLOCK(p->flow);
return;
}
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_TLSSNI);
DetectTlsSniInspectMpm(det_ctx, p->flow, alstate, flags);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_TLSSNI);
-
- FLOWLOCK_UNLOCK(p->flow);
}
}
} else if (alproto == ALPROTO_SMTP && has_state) {
if (p->flowflags & FLOW_PKT_TOSERVER) {
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_FD_SMTP) {
- FLOWLOCK_RDLOCK(p->flow);
void *alstate = FlowGetAppState(p->flow);
if (alstate == NULL) {
SCLogDebug("no alstate");
- FLOWLOCK_UNLOCK(p->flow);
return;
}
DetectEngineRunSMTPMpm(de_ctx, det_ctx, p->flow, smtp_state, flags, tx, idx);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_FD_SMTP);
}
- FLOWLOCK_UNLOCK(p->flow);
}
}
}
if (p->flowflags & FLOW_PKT_TOSERVER) {
SCLogDebug("mpm inspection");
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_DNSQUERY) {
- FLOWLOCK_RDLOCK(p->flow);
void *alstate = FlowGetAppState(p->flow);
if (alstate == NULL) {
SCLogDebug("no alstate");
- FLOWLOCK_UNLOCK(p->flow);
return;
}
DetectDnsQueryInspectMpm(det_ctx, p->flow, alstate, flags, tx, idx);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_DNSQUERY);
}
- FLOWLOCK_UNLOCK(p->flow);
}
}
}
SCLogDebug("STREAM_EOF set");
}
- FLOWLOCK_WRLOCK(pflow);
{
/* store tenant_id in the flow so that we can use it
* for creating pseudo packets */
pflow->alparser,
flow_flags);
}
- FLOWLOCK_UNLOCK(pflow);
if (((p->flowflags & FLOW_PKT_TOSERVER) && !(p->flowflags & FLOW_PKT_TOSERVER_IPONLY_SET)) ||
((p->flowflags & FLOW_PKT_TOCLIENT) && !(p->flowflags & FLOW_PKT_TOCLIENT_IPONLY_SET)))
IPOnlyMatchPacket(th_v, de_ctx, det_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_IPONLY);
- /* save in the flow that we scanned this direction... locking is
- * done in the FlowSetIPOnlyFlag function. */
+ /* save in the flow that we scanned this direction... */
FlowSetIPOnlyFlag(pflow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
} else if (((p->flowflags & FLOW_PKT_TOSERVER) &&
#ifdef DEBUG
if (pflow) {
- SCMutexLock(&pflow->m);
DebugInspectIds(p, pflow, smsg);
- SCMutexUnlock(&pflow->m);
}
#endif
} else { /* p->flags & PKT_HAS_FLOW */
* and if so, if we actually have any in the flow. If not, the sig
* can't match and we skip it. */
if ((p->flags & PKT_HAS_FLOW) && (sflags & SIG_FLAG_REQUIRE_FLOWVAR)) {
- FLOWLOCK_RDLOCK(pflow);
int m = pflow->flowvar ? 1 : 0;
- FLOWLOCK_UNLOCK(pflow);
/* no flowvars? skip this sig */
if (m == 0) {
* up again for the next packet. Also return any stream chunk we processed
* to the pool. */
if (p->flags & PKT_HAS_FLOW) {
- FLOWLOCK_WRLOCK(pflow);
if (debuglog_enabled) {
if (p->alerts.cnt > 0) {
AlertDebugLogModeSyncFlowbitsNamesToPacketStruct(p, de_ctx);
/* if we had no alerts that involved the smsgs,
* we can get rid of them now. */
StreamMsgReturnListToPool(smsg);
-
- FLOWLOCK_UNLOCK(pflow);
}
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_CLEANUP);
}
if (p->flow) {
+ det_ctx->flow_locked = 1;
+ FLOWLOCK_WRLOCK(p->flow);
DetectFlow(tv, de_ctx, det_ctx, p);
+ FLOWLOCK_UNLOCK(p->flow);
+ det_ctx->flow_locked = 0;
} else {
DetectNoFlow(tv, de_ctx, det_ctx, p);
}
return TM_ECODE_OK;
-
error:
return TM_ECODE_FAILED;
}
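Review bot: The write lock is now held across the whole `DetectFlow` call, so any helper reached from it that still takes `FLOWLOCK_WRLOCK` or `FLOWLOCK_RDLOCK` on the same flow would block on itself, assuming the flow lock is not recursive. The opposite miss is quieter: a converted helper called from a path that does not hold the lock now races silently, and a debug-build assertion that the flow lock is held would catch that. Also, `det_ctx->flow_locked` is still set and cleared here while every reader of it visible in this commit has been removed. Either drop it or make it the single source of truth for code that needs the lock state, such as the Lua `flow_lock` selection. The function starts outside this hunk.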
int FlowBitIsset(Flow *f, uint16_t idx)
{
int r = 0;
- FLOWLOCK_RDLOCK(f);
FlowBit *fb = FlowBitGet(f, idx);
if (fb != NULL) {
r = 1;
}
- FLOWLOCK_UNLOCK(f);
return r;
}
int FlowBitIsnotset(Flow *f, uint16_t idx)
{
int r = 0;
- FLOWLOCK_RDLOCK(f);
FlowBit *fb = FlowBitGet(f, idx);
if (fb == NULL) {
r = 1;
}
- FLOWLOCK_UNLOCK(f);
return r;
}
return 1;
}
-/** \brief Set the IPOnly scanned flag for 'direction'. This function
- * handles the locking too.
- * \param f Flow to set the flag in
- * \param direction direction to set the flag in
- */
-void FlowSetIPOnlyFlag(Flow *f, char direction)
-{
- FLOWLOCK_WRLOCK(f);
- direction ? (f->flags |= FLOW_TOSERVER_IPONLY_SET) :
- (f->flags |= FLOW_TOCLIENT_IPONLY_SET);
- FLOWLOCK_UNLOCK(f);
- return;
-}
-
/** \brief Set the IPOnly scanned flag for 'direction'.
*
* \param f Flow to set the flag in
* \param direction direction to set the flag in
*/
-void FlowSetIPOnlyFlagNoLock(Flow *f, char direction)
+void FlowSetIPOnlyFlag(Flow *f, int direction)
{
direction ? (f->flags |= FLOW_TOSERVER_IPONLY_SET) :
(f->flags |= FLOW_TOCLIENT_IPONLY_SET);
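Review bot: `FlowSetIPOnlyFlag` keeps the name of the variant that used to take the write lock while its body is now the old `NoLock` one, so a caller that was not converted in this commit still compiles (the `char` to `int` change converts implicitly) and now updates `f->flags` without any locking. The doc comment on the new side does not mention this; I would add ` * \note the flow must be write-locked by the caller` under the `\param` lines. It is also worth checking for remaining callers outside the detection path before merging. The function body continues past the end of this hunk.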
void FlowInitConfig (char);
void FlowPrintQueueInfo (void);
void FlowShutdown(void);
-void FlowSetIPOnlyFlag(Flow *, char);
-void FlowSetIPOnlyFlagNoLock(Flow *, char);
+void FlowSetIPOnlyFlag(Flow *, int);
void FlowRegisterTests (void);
int FlowSetProtoTimeout(uint8_t ,uint32_t ,uint32_t ,uint32_t);