From: Victor Julien Date: Wed, 31 May 2023 13:56:54 +0000 (+0200) Subject: flow/timeout: no pseudo packets for dropped flows X-Git-Tag: suricata-6.0.13~39 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=043bbb9f517fed4225acb639f9d356403cd441e6;p=thirdparty%2Fsuricata.git flow/timeout: no pseudo packets for dropped flows When a flow is in the drop flow state, don't use pseudo packets when it is timing out. There should be no work left to do at this point. (cherry picked from commit 2a9515471287d2b8fc5aa2e1879aabadaf5f421e) --- diff --git a/src/flow-manager.c b/src/flow-manager.c index 44d8446439..9cfd218df7 100644 --- a/src/flow-manager.c +++ b/src/flow-manager.c @@ -279,7 +279,8 @@ static uint32_t ProcessAsideQueue(FlowManagerTimeoutThread *td, FlowTimeoutCount while ((f = FlowQueuePrivateGetFromTop(&td->aside_queue)) != NULL) { /* flow is still locked */ - if (f->proto == IPPROTO_TCP && !(f->flags & FLOW_TIMEOUT_REASSEMBLY_DONE) && + if (f->proto == IPPROTO_TCP && + !(f->flags & (FLOW_TIMEOUT_REASSEMBLY_DONE | FLOW_ACTION_DROP)) && !FlowIsBypassed(f) && FlowForceReassemblyNeedReassembly(f) == 1) { /* Send the flow to its thread */ FlowForceReassemblyForFlow(f); diff --git a/src/flow-worker.c b/src/flow-worker.c index ab2a2a6385..5d4ccd28eb 100644 --- a/src/flow-worker.c +++ b/src/flow-worker.c @@ -171,8 +171,9 @@ static void CheckWorkQueue(ThreadVars *tv, FlowWorkerThreadData *fw, FlowTimeout f->flow_end_flags |= FLOW_END_FLAG_TIMEOUT; //TODO emerg if (f->proto == IPPROTO_TCP) { - if (!(f->flags & FLOW_TIMEOUT_REASSEMBLY_DONE) && !FlowIsBypassed(f) && - FlowForceReassemblyNeedReassembly(f) == 1 && f->ffr != 0) { + if (!(f->flags & (FLOW_TIMEOUT_REASSEMBLY_DONE | FLOW_ACTION_DROP)) && + !FlowIsBypassed(f) && FlowForceReassemblyNeedReassembly(f) == 1 && + f->ffr != 0) { /* read detect thread in case we're doing a reload */ void *detect_thread = SC_ATOMIC_GET(fw->detect_thread); int cnt = FlowFinish(tv, f, fw, detect_thread);