Merge pull request #1480 in SNORT/snort3 from ~MDAGON/snort3:reload_stream_inspectors...

Squashed commit of the following:

commit cf95a4564e84c4da975a2e9643271678efb91afa
Author: Maya Dagon <mdagon@cisco.com>
Date:   Mon Dec 10 19:17:00 2018 -0500

    reload: fail reload if stream is in the original config and stream_* is added/removed

diff --git a/src/file_api/file_service.cc b/src/file_api/file_service.cc
index 0c96c203addee602202f151cce3c00e15285c69a..ade3ac59f9cc149b04f6d5c031cf5f818ccbf4e1 100644 (file)
--- a/src/file_api/file_service.cc
+++ b/src/file_api/file_service.cc
@@ -87,14 +87,14 @@ void FileService::verify_reload(SnortConfig* sc)
         return;
 
     if (max_files_cached != conf->max_files_cached)
-        ParseError("Changing max_files_cached requires a restart\n");
+        ParseError("Changing file_id:max_files_cached requires a restart\n");
 
     if (file_capture_enabled)
     {
         if (capture_memcap != conf->capture_memcap)
-            ParseError("Changing capture_memcap requires a restart\n");
+            ParseError("Changing file_id:capture_memcap requires a restart\n");
         if (capture_block_size != conf->capture_block_size)
-            ParseError("Changing capture_block_size requires a restart\n");
+            ParseError("Changing file_id:capture_block_size requires a restart\n");
     }
 }
 

diff --git a/src/main/snort_config.cc b/src/main/snort_config.cc
index 8f48625fa415025f14b0bac74faa848f11c22150..74065aa1591d6357838d0677f0434ae1bb5df300 100644 (file)
--- a/src/main/snort_config.cc
+++ b/src/main/snort_config.cc
@@ -194,7 +194,7 @@ void SnortConfig::init(const SnortConfig* const other_conf, ProtocolReference* p
         InspectorManager::new_config(this);
 
         num_slots = ThreadConfig::get_instance_max();
-        state = new std::vector<void *>[num_slots];
+        state = new std::vector<void*>[num_slots];
 
         profiler = new ProfilerConfig;
         latency = new LatencyConfig();
@@ -290,7 +290,7 @@ SnortConfig::~SnortConfig()
         MpseManager::stop_search_engine(fast_pattern_config->get_search_api());
     }
     delete fast_pattern_config;
- 
+
     flowbits_gterm(this);
 
     delete policy_map;
@@ -398,7 +398,7 @@ void SnortConfig::merge(SnortConfig* cmd_line)
 
     int cl_chk = cmd_line->policy_map->get_network_policy()->checksum_eval;
     int cl_drop = cmd_line->policy_map->get_network_policy()->checksum_drop;
-    
+
     NetworkPolicy* nw_policy = nullptr;
 
     for ( unsigned idx = 0; idx < policy_map->network_policy_count(); ++idx )
@@ -493,7 +493,50 @@ void SnortConfig::merge(SnortConfig* cmd_line)
 
     delete[] state;
     num_slots = ThreadConfig::get_instance_max();
-    state = new std::vector<void *>[num_slots];
+    state = new std::vector<void*>[num_slots];
+}
+
+// FIXIT-L this is a work around till snort supports adding/removing 
+// stream cache during reload
+bool SnortConfig::verify_stream_inspectors()
+{
+    const std::vector<const char*> inspector_names
+        { "stream_file", "stream_icmp", "stream_ip", "stream_tcp", "stream_udp", "stream_user" };
+    static std::map <const char*, bool> orig_inspectors;
+
+    // If wasn't initialized before try to initialize from current config
+    if (orig_inspectors.empty())
+    {
+        const Inspector* const ptr = InspectorManager::get_inspector("stream", true);
+        if (ptr != nullptr)
+        {
+            for (auto name: inspector_names)
+            {
+                const bool in_orig = InspectorManager::inspector_exists_in_any_policy(name, get_conf());
+                orig_inspectors[name] = in_orig;
+            }
+        }
+    }
+
+    // If now available - compare
+    if (!orig_inspectors.empty())
+    {
+        const Inspector* const ptr = InspectorManager::get_inspector("stream", true, this);
+        if (ptr != nullptr)
+        {
+            for (auto name: inspector_names)
+            {
+                const bool in_new = InspectorManager::inspector_exists_in_any_policy(name, this);
+                if (orig_inspectors[name] != in_new)
+                {
+                    ErrorMessage("Snort Reload: Adding/removing %s requires a restart.\n", name);
+                    return false;
+                }
+            }
+        }
+    }
+
+    return true;
 }
 
 bool SnortConfig::verify()
@@ -609,7 +652,7 @@ bool SnortConfig::verify()
         return false;
     }
 
-    return true;
+    return verify_stream_inspectors();
 }
 
 void SnortConfig::set_alert_before_pass(bool enabled)
@@ -741,7 +784,7 @@ void SnortConfig::set_no_logging_timestamps(bool enabled)
 
 void SnortConfig::set_obfuscation_mask(const char* mask)
 {
-   if (!mask)
+    if (!mask)
         return;
 
     output_flags |= OUTPUT_FLAG__OBFUSCATE;
@@ -775,7 +818,7 @@ void SnortConfig::set_gid(const char* args)
         return;
     }
     else
-        gr = getgrgid((gid_t) target_gid); // main thread only
+        gr = getgrgid((gid_t)target_gid);  // main thread only
 
     if (!gr)
     {
@@ -785,7 +828,7 @@ void SnortConfig::set_gid(const char* args)
 
     /* If we're already running as the desired group ID, don't bother to try changing it later. */
     if (gr->gr_gid != getgid())
-        group_id = (int) gr->gr_gid;
+        group_id = (int)gr->gr_gid;
 }
 
 void SnortConfig::set_uid(const char* args)
@@ -806,7 +849,7 @@ void SnortConfig::set_uid(const char* args)
         return;
     }
     else
-        pw = getpwuid((uid_t) target_uid); // main thread only
+        pw = getpwuid((uid_t)target_uid);  // main thread only
 
     if (!pw)
     {
@@ -818,11 +861,10 @@ void SnortConfig::set_uid(const char* args)
        If we're already running as the desired user and/or group ID,
        don't bother to try changing it later. */
     if (pw->pw_uid != getuid())
-        user_id = (int) pw->pw_uid;
+        user_id = (int)pw->pw_uid;
 
     if (group_id == -1 && pw->pw_gid != getgid())
-        group_id = (int) pw->pw_gid;
-
+        group_id = (int)pw->pw_gid;
 }
 
 void SnortConfig::set_show_year(bool enabled)
@@ -999,7 +1041,7 @@ void SnortConfig::set_log_mode(const char* val)
 
 void SnortConfig::enable_syslog()
 {
-   static bool syslog_configured = false;
+    static bool syslog_configured = false;
 
     if (syslog_configured)
         return;

diff --git a/src/main/snort_config.h b/src/main/snort_config.h
index b3de653224845729d774f44c738ed5ec1e359d38..b0413f78e6a8616742495288e5be5400947cc9b4 100644 (file)
--- a/src/main/snort_config.h
+++ b/src/main/snort_config.h
@@ -154,6 +154,7 @@ struct SnortConfig
 {
 private:
     void init(const SnortConfig* const, ProtocolReference*);
+    bool verify_stream_inspectors();
 
 public:
     SnortConfig(const SnortConfig* const other_conf = nullptr);

diff --git a/src/managers/inspector_manager.cc b/src/managers/inspector_manager.cc
index 497020e7a6879379a16c438e7f29bf9607e5ba0a..c587456bb710c0eb1acbb33c0e62f1cf5184d726 100644 (file)
--- a/src/managers/inspector_manager.cc
+++ b/src/managers/inspector_manager.cc
@@ -507,6 +507,29 @@ Binder* InspectorManager::get_binder()
     return (Binder*)pi->framework_policy->binder;
 }
 
+bool InspectorManager::inspector_exists_in_any_policy(const char* key, SnortConfig* sc)
+{
+    PolicyMap* pm = sc->policy_map;
+
+    if (pm == nullptr)
+        return false;
+
+    for (unsigned i=0; i<pm->inspection_policy_count(); i++)
+    {
+        const InspectionPolicy* const pi = pm->get_inspection_policy(i);
+
+        if ( !pi || !pi->framework_policy )
+            continue; 
+
+        const PHInstance* const p = get_instance(pi->framework_policy, key);
+
+        if ( p )
+            return true;
+    }
+
+    return false;
+}
+
 // FIXIT-P cache get_inspector() returns or provide indexed lookup
 Inspector* InspectorManager::get_inspector(const char* key, bool dflt_only, SnortConfig* sc)
 {

diff --git a/src/managers/inspector_manager.h b/src/managers/inspector_manager.h
index 831e4e46ced3833a2784fdb8d4844c663de3089a..9051edacfcaa9543fbe7caadce7f333f405422d3 100644 (file)
--- a/src/managers/inspector_manager.h
+++ b/src/managers/inspector_manager.h
@@ -83,6 +83,7 @@ public:
 
     static void clear(Packet*);
     static void empty_trash();
+    static bool inspector_exists_in_any_policy(const char* key, SnortConfig* sc);
 
 #ifdef PIGLET
     static Inspector* instantiate(const char*, Module*, SnortConfig*);