Merge pull request #1462 in SNORT/snort3 from ~SBAIGAL/snort3:stream_cache_reload...
authorTom Peters (thopeter) <thopeter@cisco.com>
Fri, 14 Dec 2018 21:46:34 +0000 (16:46 -0500)
committerTom Peters (thopeter) <thopeter@cisco.com>
Fri, 14 Dec 2018 21:46:34 +0000 (16:46 -0500)
Squashed commit of the following:

commit 8187840a9cb93c782451c6dab1662e352226e3bc
Author: Steven Baigal (sbaigal) <sbaigal@cisco.com>
Date:   Mon Dec 10 10:40:12 2018 -0500

    reload: report reload failure and require a restart when stream cache settings are changed

doc/reload_limitations.txt
src/stream/base/stream_module.cc
src/stream/base/stream_module.h

index cbc25a9a83a4b154fb53c279549bc46c873bcd42..b152a8629badfa25fd7099ca194879beb09f5ff7 100644 (file)
@@ -17,6 +17,25 @@ The following parameters can't be changed during reload, and require a restart:
 * process.daemon
 * process.set_gid
 * process.set_uid
+* stream.footprint
+* stream.ip_cache.max_sessions
+* stream.ip_cache.pruning_timeout
+* stream.ip_cache.idle_timeout
+* stream.icmp_cache.max_sessions
+* stream.icmp_cache.pruning_timeout
+* stream.icmp_cache.idle_timeout 
+* stream.tcp_cache.max_sessions
+* stream.tcp_cache.pruning_timeout 
+* stream.tcp_cache.idle_timeout 
+* stream.udp_cache.max_sessions 
+* stream.udp_cache.pruning_timeout
+* stream.udp_cache.idle_timeout 
+* stream.user_cache.max_sessions
+* stream.user_cache.pruning_timeout
+* stream.user_cache.idle_timeout 
+* stream.file_cache.max_sessions
+* stream.file_cache.pruning_timeout 
+* stream.file_cache.idle_timeout
 
 In addition, the following scenarios require a restart:
 
index b08dd7dd7ce644dd1fe241f2ab21818a4eb71e46..cf74876b48940296f435ea9a92302ef13a000006 100644 (file)
@@ -25,6 +25,8 @@
 #include "stream_module.h"
 
 #include "detection/rules.h"
+#include "log/messages.h"
+#include "main/snort.h"
 #include "main/snort_debug.h"
 
 using namespace snort;
@@ -171,6 +173,52 @@ bool StreamModule::set(const char* fqn, Value& v, SnortConfig* c)
     return true;
 }
 
+static int check_cache_change(const char* fqn, const char* name, const FlowConfig& new_cfg,
+    const FlowConfig& saved_cfg)
+{
+    int ret = 0;
+    if ( saved_cfg.max_sessions and strstr(fqn, name) )
+    {
+        if ( saved_cfg.max_sessions != new_cfg.max_sessions
+            or saved_cfg.pruning_timeout != new_cfg.pruning_timeout
+            or saved_cfg.nominal_timeout != new_cfg.nominal_timeout )
+        {
+            ParseError("Changing of %s requires a restart\n", name);
+            ret = 1;
+        }
+    }
+    return ret;
+}
+
+// FIXIT-L the detection of stream.xxx_cache changes below is a temporary workaround
+// remove this check when stream.xxx_cache params become reloadable
+bool StreamModule::end(const char* fqn, int, SnortConfig*)
+{
+    static StreamModuleConfig saved_config = {};
+    static int issue_found = 0;
+
+    issue_found += check_cache_change(fqn, "ip_cache", config.ip_cfg, saved_config.ip_cfg);
+    issue_found += check_cache_change(fqn, "icmp_cache", config.icmp_cfg, saved_config.icmp_cfg);
+    issue_found += check_cache_change(fqn, "tcp_cache", config.tcp_cfg, saved_config.tcp_cfg);
+    issue_found += check_cache_change(fqn, "udp_cache", config.udp_cfg, saved_config.udp_cfg);
+    issue_found += check_cache_change(fqn, "user_cache", config.ip_cfg, saved_config.user_cfg);
+    issue_found += check_cache_change(fqn, "file_cache", config.ip_cfg, saved_config.file_cfg);
+
+    if ( !strcmp(fqn, "stream") )
+    {
+        if ( saved_config.ip_cfg.max_sessions   // saved config is valid
+            and config.footprint != saved_config.footprint )
+        {
+            ParseError("Changing of stream.footprint requires a restart\n");
+            issue_found++;
+        }
+        if ( issue_found == 0 )
+            saved_config = config;
+        issue_found = 0;
+    }
+    return true;
+}
+
 void StreamModule::sum_stats(bool)
 { base_sum(); }
 
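Review bot: The user_cache and file_cache calls in StreamModule::end pass `config.ip_cfg` as the new configuration instead of `config.user_cfg` and `config.file_cfg`, so those two checks compare the IP cache's new values against the saved user/file values: a real change to stream.user_cache or stream.file_cache goes undetected whenever the new ip_cfg happens to equal the saved user/file config, and an unchanged one is rejected whenever ip_cfg differs from it. The two lines should read `issue_found += check_cache_change(fqn, "user_cache", config.user_cfg, saved_config.user_cfg);` and `issue_found += check_cache_change(fqn, "file_cache", config.file_cfg, saved_config.file_cfg);`. Since this check is what stops a reload from silently leaving the running caches sized differently from the loaded config, the mismatch defeats the purpose of the workaround for those two caches. Also worth a comment next to `saved_cfg.max_sessions` in check_cache_change: it doubles as the "saved config is valid" sentinel (as the comment in end() says), which presumably means a cache whose saved max_sessions is 0 is never compared — confirm that is intended.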
index 65828f1cae7506dc0c5fff0af31715ad9df9d68d..844d841b15167c72277a9797a01e080e81e61221 100644 (file)
@@ -84,6 +84,7 @@ public:
 
     bool begin(const char*, int, snort::SnortConfig*) override;
     bool set(const char*, snort::Value&, snort::SnortConfig*) override;
+    bool end(const char*, int, snort::SnortConfig*) override;
 
     const PegInfo* get_pegs() const override;
     PegCount* get_counts() const override;