From: Victor Julien
Date: Fri, 17 Feb 2023 12:03:41 +0000 (+0100)
Subject: stream: implement config option for SYN queue
X-Git-Tag: suricata-7.0.0-rc2~560
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3948b160c7e6d52c65d80038d09828e3fd3a49cd;p=thirdparty%2Fsuricata.git
stream: implement config option for SYN queue
Default to allowing 10 SYNs to not trigger an event on a connection attempt that times out.
---
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 7738d1b0f3..686381d2c7 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -87,6 +87,7 @@
 #define STREAMTCP_DEFAULT_REASSEMBLY_MEMCAP (256 * 1024 * 1024) /* 256mb */
 #define STREAMTCP_DEFAULT_TOSERVER_CHUNK_SIZE 2560
 #define STREAMTCP_DEFAULT_TOCLIENT_CHUNK_SIZE 2560
+#define STREAMTCP_DEFAULT_MAX_SYN_QUEUED 10
 #define STREAMTCP_DEFAULT_MAX_SYNACK_QUEUED 5
 
 static int StreamTcpHandleFin(ThreadVars *tv, StreamTcpThread *, TcpSession *, Packet *);
@@ -503,6 +504,19 @@ void StreamTcpInitConfig(bool quiet)
 stream_config.flags |= STREAMTCP_INIT_FLAG_DROP_INVALID;
 }
 
+ if ((ConfGetInt("stream.max-syn-queued", &value)) == 1) {
+ if (value >= 0 && value <= 255) {
+ stream_config.max_syn_queued = (uint8_t)value;
+ } else {
+ stream_config.max_syn_queued = (uint8_t)STREAMTCP_DEFAULT_MAX_SYN_QUEUED;
+ }
+ } else {
+ stream_config.max_syn_queued = (uint8_t)STREAMTCP_DEFAULT_MAX_SYN_QUEUED;
+ }
+ if (!quiet) {
+ SCLogConfig("stream \"max-syn-queued\": %" PRIu8, stream_config.max_syn_queued);
+ }
+
 if ((ConfGetInt("stream.max-synack-queued", &value)) == 1) {
 if (value >= 0 && value <= 255) {
 stream_config.max_synack_queued = (uint8_t)value;
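Review bot: An out-of-range `stream.max-syn-queued` value is silently replaced by the default in the inner else branch; the only trace is the SCLogConfig line, which prints the substituted value without saying the configured one was rejected, so an operator who set 300 expecting a larger queue will only find out when STREAM_3WHS_SYN_FLOOD fires earlier than intended. Log the rejected value and the accepted range 0..255 at warning level in that branch before assigning the default (the pre-existing max-synack-queued block below has the same gap, if it is worth aligning). A value of 0 passes the range check and, read together with the comparison in StreamTcp3whsStoreSyn, would set the flood event on the first call that reaches that check if queue_len starts at zero; that is fine if "disable queuing" is the intent but deserves a sentence in the suricata.yaml.in comment. StreamTcpInitConfig begins before and continues past the hunk.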
@@ -1655,7 +1669,7 @@ static int StreamTcp3whsStoreSyn(TcpSession *ssn, Packet *p)
 if (ssn->queue != NULL && StreamTcp3whsFindSyn(ssn, &search) != NULL)
 return 0;
 
- if (ssn->queue_len == stream_config.max_synack_queued) { // TODO
+ if (ssn->queue_len == stream_config.max_syn_queued) {
 SCLogDebug("ssn %p: =~ SYN queue limit reached", ssn);
 StreamTcpSetEvent(p, STREAM_3WHS_SYN_FLOOD);
 return -1;
diff --git a/src/stream-tcp.h b/src/stream-tcp.h
index f83d266738..315c4b142f 100644
--- a/src/stream-tcp.h
+++ b/src/stream-tcp.h
@@ -59,6 +59,7 @@ typedef struct TcpStreamCnf_ {
 bool midstream;
 bool async_oneside;
 bool streaming_log_api;
+ uint8_t max_syn_queued;
 
 uint32_t reassembly_depth; /**< Depth until when we reassemble the stream */
 
diff --git a/suricata.yaml.in b/suricata.yaml.in
index b337864264..d3647b9521 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -1484,6 +1484,7 @@ flow-timeouts:
 # async-oneside: false # don't enable async stream handling
 # inline: no # stream inline mode
 # drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine
+# max-syn-queued: 10 # Max different SYNs to queue
 # max-synack-queued: 5 # Max different SYN/ACKs to queue
 # bypass: no # Bypass packets when stream.reassembly.depth is reached.
 # # Warning: first side to reach this triggers
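Review bot: The limit check on the new line uses `==`, so it only fires when queue_len lands exactly on max_syn_queued; if queue_len can ever sit above the limit (for instance after the configured value is lowered, should the setting be reloadable at runtime), the guard never triggers and the per-session queue keeps growing. `if (ssn->queue_len >= stream_config.max_syn_queued) {` costs nothing more and holds in either case. Note also that the effective default rises from 5 (the max-synack-queued default this line used until now) to 10, so rules matching on STREAM_3WHS_SYN_FLOOD will alert later than before, which deserves a line in the upgrade notes. StreamTcp3whsStoreSyn starts before and ends after the hunk.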
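Review bot: The new `max_syn_queued` member is undocumented while its neighbour `reassembly_depth` carries a Doxygen trailer; add `uint8_t max_syn_queued; /**< max SYNs queued per session before STREAM_3WHS_SYN_FLOOD is set */` so readers of the header need not locate the check in stream-tcp.c. The struct TcpStreamCnf_ starts before and continues past the hunk.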