From: Ron Dempster (rdempste)
Date: Wed, 10 May 2023 14:15:40 +0000 (+0000)
Subject: Pull request #3835: main, managers: set the network policy using the user id during...
X-Git-Tag: 3.1.62.0~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2de65e10a63ddba6c4077cdfff8f38c130f91054;p=thirdparty%2Fsnort3.git

Pull request #3835: main, managers: set the network policy using the user id during inspector delete

Merge in SNORT/snort3 from ~RDEMPSTE/snort3:np_during_free to master

Squashed commit of the following:

commit aa69ac344a8eecf332d56c11d81a3dd97e11e5eb
Author: Ron Dempster (rdempste)
Date: Thu Apr 27 18:12:49 2023 -0400

    main, managers: set the network policy using the user id during inspector delete
---
diff --git a/src/framework/inspector.h b/src/framework/inspector.h
index 37f83a4aa..c65e00e2a 100644
--- a/src/framework/inspector.h
+++ b/src/framework/inspector.h
@@ -164,6 +164,18 @@ public:
     const char* get_alias_name() const
     { return alias_name; }
 
+    void set_network_policy_user_id(uint32_t user_id)
+    {
+        network_policy_user_id = user_id;
+        network_policy_user_id_set = true;
+    }
+
+    bool get_network_policy_user_id(uint32_t& user_id) const
+    {
+        user_id = network_policy_user_id;
+        return network_policy_user_id_set;
+    }
+
     virtual bool is_control_channel() const
     { return false; }
 
@@ -195,6 +207,8 @@ private:
     SnortProtocolId snort_protocol_id = 0;
     // FIXIT-E Use std::string to avoid storing a pointer to external std::string buffers
     const char* alias_name = nullptr;
+    uint32_t network_policy_user_id = 0;
+    bool network_policy_user_id_set = false;
 };
 
 // at present there is no sequencing among like types except that appid
diff --git a/src/main/policy.cc b/src/main/policy.cc
index bfee72535..4d9d7765e 100644
--- a/src/main/policy.cc
+++ b/src/main/policy.cc
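Review bot: The new `set_network_policy_user_id` / `get_network_policy_user_id` pair in inspector.h carries no comment saying what the stored id is for, and the getter writes its out-parameter even when nothing was ever set (it then returns false, so callers must ignore `user_id` on a false return). From the inspector_manager.cc hunks it appears the id is recorded in `prepare_inspectors` and read back in `free_inspector` so the inspector's dtor runs under the network policy it was configured in; if that is the intent, a one-line comment above the setter such as `// user id of the network policy this inspector was configured under; read back by InspectorManager::free_inspector` would let a reader of the header know without chasing the manager. The two private fields in the second hunk of this file would benefit from the same note, and the getter could state `// user_id is only meaningful when true is returned`.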
@@ -377,7 +377,7 @@ std::shared_ptr PolicyMap::get_policies(Shell* sh)
     return pt == shell_map.end() ? nullptr : pt->second;
 }
 
-NetworkPolicy* PolicyMap::get_user_network(unsigned user_id)
+NetworkPolicy* PolicyMap::get_user_network(unsigned user_id) const
 {
     auto it = user_network.find(user_id);
     NetworkPolicy* np = (it == user_network.end()) ? nullptr : it->second;
diff --git a/src/main/policy.h b/src/main/policy.h
index 1fa47fa64..1e98202b1 100644
--- a/src/main/policy.h
+++ b/src/main/policy.h
@@ -322,7 +322,7 @@ public:
     void set_user_ips(IpsPolicy* p)
     { user_ips[p->user_policy_id] = p; }
 
-    NetworkPolicy* get_user_network(unsigned user_id);
+    NetworkPolicy* get_user_network(unsigned user_id) const;
 
     IpsPolicy* get_user_ips(unsigned user_id)
     {
diff --git a/src/main/snort.cc b/src/main/snort.cc
index c76669aea..34875664c 100644
--- a/src/main/snort.cc
+++ b/src/main/snort.cc
@@ -339,13 +339,14 @@ void Snort::term()
     // since the "TraceApi::thread_term()" uses SnortConfig
     TraceApi::thread_term();
 
+    SnortConfig::set_conf(nullptr);
+
     /* free allocated memory */
     if (sc != snort_cmd_line_conf)
         delete sc;
 
     delete snort_cmd_line_conf;
     snort_cmd_line_conf = nullptr;
-    SnortConfig::set_conf(nullptr);
 
     CleanupProtoNames();
     HighAvailabilityManager::term();
diff --git a/src/main/snort_config.cc b/src/main/snort_config.cc
index 7f6bc1ba9..dd4d45aa8 100644
--- a/src/main/snort_config.cc
+++ b/src/main/snort_config.cc
@@ -269,6 +269,7 @@ SnortConfig::~SnortConfig()
     delete fast_pattern_config;
 
     delete policy_map;
+    policy_map = nullptr;
 
     InspectorManager::delete_config(this);
     ActionManager::delete_config(this);
diff --git a/src/managers/inspector_manager.cc b/src/managers/inspector_manager.cc
index 5202e3512..4e1252cb2 100644
--- a/src/managers/inspector_manager.cc
+++ b/src/managers/inspector_manager.cc
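Review bot: In `Snort::term`, moving `SnortConfig::set_conf(nullptr)` ahead of `delete sc` changes what `SnortConfig::get_conf()` returns while `~SnortConfig` runs (nullptr instead of the config being destroyed), and nothing in the hunk records why that ordering now matters. The same silent reordering concern applies to the snort_config.cc hunk, where `policy_map = nullptr;` is added after `delete policy_map` immediately before `InspectorManager::delete_config(this)`; both look like they exist so that the `sc && sc->policy_map` test added in `InspectorManager::free_inspector` cannot dereference a freed map, but that is inferred, not stated. I would put `// clear the global conf before deleting it so teardown code that calls SnortConfig::get_conf() sees nullptr, not a config mid-destruction` above the moved call, and `// nulled so InspectorManager::delete_config() below cannot reach a freed policy_map via get_conf()` after the delete in the destructor. If the destructor can also run for a config that is not the current one (a reload), a sentence saying so would complete the picture.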
@@ -404,6 +404,8 @@ struct TrafficPolicy : public InspectorList
     PHInstance* get_instance_by_type(const char* key, InspectorType);
     PHObjectList* get_specific_handlers();
+
+    void set_inspector_network_policy_user_id(uint32_t);
 };
 
 TrafficPolicy::~TrafficPolicy()
@@ -492,6 +494,12 @@ PHInstance* TrafficPolicy::get_instance_by_type(const char* key, InspectorType t
     return nullptr;
 }
 
+void TrafficPolicy::set_inspector_network_policy_user_id(uint32_t user_id)
+{
+    for (auto* p : ilist)
+        p->handler->set_network_policy_user_id(user_id);
+}
+
 class SingleInstanceInspectorPolicy
 {
 public:
@@ -1350,7 +1358,19 @@ bool InspectorManager::delete_inspector(SnortConfig* sc, const char* iname)
 
 void InspectorManager::free_inspector(Inspector* p)
 {
+    NetworkPolicy* np = get_network_policy();
+    uint32_t user_id;
+    if ( p->get_network_policy_user_id(user_id) )
+    {
+        const SnortConfig* sc = SnortConfig::get_conf();
+        if ( sc && sc->policy_map )
+        {
+            NetworkPolicy* user_np = sc->policy_map->get_user_network(user_id);
+            set_network_policy(user_np);
+        }
+    }
     p->get_api()->dtor(p);
+    set_network_policy(np);
 }
 
 InspectSsnFunc InspectorManager::get_session(uint16_t proto)
@@ -1830,6 +1850,7 @@ void InspectorManager::prepare_inspectors(SnortConfig* sc)
             if (!tp->ts_handlers)
                 tp->ts_handlers = new ThreadSpecificHandlers(ThreadConfig::get_instance_max());
             tp->allocate_thread_storage();
+            tp->set_inspector_network_policy_user_id(np->user_policy_id);
         }
     }
 
diff --git a/src/managers/test/get_inspector_stubs.h b/src/managers/test/get_inspector_stubs.h
index f3ce77a25..83a80e0fd 100644
--- a/src/managers/test/get_inspector_stubs.h
+++ b/src/managers/test/get_inspector_stubs.h
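Review bot: In `InspectorManager::free_inspector`, `get_user_network` can return nullptr (its body in the policy.cc hunk yields nullptr when the id is absent from `user_network`), and the new code hands that straight to `set_network_policy`, so an inspector whose user id is not present in the current config is destroyed with a null network policy instead of the one that was active on entry. Guard the assignment: `if ( user_np ) set_network_policy(user_np);`, leaving `np` in place otherwise. `uint32_t user_id;` is also left uninitialized; `uint32_t user_id = 0;` costs nothing and keeps the value defined even if a future getter stops writing it. Note too that `SnortConfig::get_conf()` is the current config, which during a reload is not necessarily the config that owns the inspector being freed; if resolving the id against the current config is intentional, a comment saying so above the lookup would save the next reader the same question.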
@@ -33,7 +33,7 @@ THREAD_LOCAL const snort::Trace* snort_trace = nullptr;
 std::shared_ptr PolicyMap::get_policies(Shell*) { return nullptr; }
-NetworkPolicy* PolicyMap::get_user_network(unsigned) { return nullptr; }
+NetworkPolicy* PolicyMap::get_user_network(unsigned) const { return nullptr; }
 void InspectionPolicy::configure() { }
 void BinderModule::add(const char*, const char*) { }
 void BinderModule::add(unsigned, const char*) { }