From: Victor Julien Date: Wed, 14 Mar 2012 10:18:43 +0000 (+0100) Subject: Simplify flow resetting on de_ctx update. Detect ctx id starts at 1. So in a flow... X-Git-Tag: suricata-1.3rc1~28 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4cde2355bd72a99a878610022fa8114209157599;p=thirdparty%2Fsuricata.git Simplify flow resetting on de_ctx update. Detect ctx id starts at 1. So in a flow 0 means uninitialized (thus set) and if we detect flow is not equal to detect id, we reset the sgh storage and de_state. --- diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c index 3e714d720b..3cdf0d7444 100644 --- a/src/detect-engine-state.c +++ b/src/detect-engine-state.c @@ -366,7 +366,7 @@ void DeStateStoreFileNoMatch(DetectEngineState *de_state, uint8_t direction, * \retval 1 has state * \retval 0 has no state */ -int DeStateFlowHasState(DetectEngineCtx *de_ctx, Flow *f, uint8_t flags, uint16_t alversion) { +int DeStateFlowHasState(Flow *f, uint8_t flags, uint16_t alversion) { SCEnter(); int r = 0; @@ -679,15 +679,7 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, * the last SigMatch that didn't match */ if (f->de_state == NULL) { f->de_state = DetectEngineStateAlloc(); - f->de_state->de_ctx_id = de_ctx->id; - } else { - if (f->de_state->de_ctx_id != de_ctx->id) { - DetectEngineStateReset(f->de_state); - f->de_state = DetectEngineStateAlloc(); - f->de_state->de_ctx_id = de_ctx->id; - } } - if (f->de_state != NULL) { /* \todo shift to an array to transfer these match values*/ DeStateSignatureAppend(f->de_state, s, sm, match_flags); 
@@ -735,13 +727,6 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete if (f->de_state == NULL || f->de_state->cnt == 0) goto end; - if (f->de_state->de_ctx_id != de_ctx->id) { - DetectEngineStateReset(f->de_state); - f->de_state = NULL; - SCMutexUnlock(&f->de_state_m); - SCReturnInt(0); - } - DeStateResetFileInspection(f, alproto, alstate); /* loop through the stores */ diff --git a/src/detect-engine-state.h b/src/detect-engine-state.h index 1602dc1ad1..ad717be3ee 100644 --- a/src/detect-engine-state.h +++ b/src/detect-engine-state.h @@ -125,10 +125,6 @@ typedef struct DetectEngineState_ { * cannot match in to client direction. */ uint16_t toserver_filestore_cnt;/**< number of sigs with filestore that * cannot match in to server direction. */ - - /* the de_ctx id that the state belongs to */ - uint32_t de_ctx_id; - uint16_t flags; } DetectEngineState; @@ -141,7 +137,7 @@ void DetectEngineStateReset(DetectEngineState *state); DetectEngineState *DetectEngineStateAlloc(void); void DetectEngineStateFree(DetectEngineState *); -int DeStateFlowHasState(DetectEngineCtx *, Flow *, uint8_t, uint16_t); +int DeStateFlowHasState(Flow *, uint8_t, uint16_t); int DeStateDetectStartDetection(ThreadVars *, DetectEngineCtx *, DetectEngineThreadCtx *, Signature *, Flow *, uint8_t, void *, diff --git a/src/detect-engine.c b/src/detect-engine.c index 3099b17b7e..815343b5c4 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -67,7 +67,7 @@ #define DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT 3000 -static uint32_t detect_engine_ctx_id = 0; +static uint32_t detect_engine_ctx_id = 1; static TmEcode DetectEngineThreadCtxInitForLiveRuleSwap(ThreadVars *, void *, void **); diff --git a/src/detect.c b/src/detect.c index e50e2b0cb3..f9a53ac3b5 100644 --- a/src/detect.c +++ b/src/detect.c 
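Review bot: Nothing at `static uint32_t detect_engine_ctx_id = 1;` in src/detect-engine.c says that 0 is now a reserved value, although the `p->flow->de_ctx_id == 0` test added in src/detect.c and the `(f)->de_ctx_id = 0;` lines in the src/flow-util.h macros depend on it. I would add `/* ids start at 1; a flow's de_ctx_id of 0 means "not inspected yet" */` above the initializer, and one sentence to the same effect in the new field comment in src/flow.h. How the counter advances is outside this hunk. If it is a plain increment, a wrap to 0 would hand out the reserved value, so a later swap could treat a flow as uninspected and skip the reset; that is worth a line in the comment even if unreachable in practice.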
@@ -1304,6 +1304,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh Signature *s = NULL; SigMatch *sm = NULL; uint16_t alversion = 0; + int reset_de_state = 0; SCEnter(); @@ -1328,6 +1329,21 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh FLOWLOCK_WRLOCK(p->flow); { + /* live ruleswap check for flow updates */ + if (p->flow->de_ctx_id == 0) { + /* first time this flow is inspected, set id */ + p->flow->de_ctx_id = de_ctx->id; + } else if (p->flow->de_ctx_id != de_ctx->id) { + /* first time we inspect flow with this de_ctx, reset */ + p->flow->flags &= ~FLOW_SGH_TOSERVER; + p->flow->flags &= ~FLOW_SGH_TOCLIENT; + p->flow->sgh_toserver = NULL; + p->flow->sgh_toclient = NULL; + reset_de_state = 1; + + p->flow->de_ctx_id = de_ctx->id; + } + /* set the iponly stuff */ if (p->flow->flags & FLOW_TOCLIENT_IPONLY_SET) p->flowflags |= FLOW_PKT_TOCLIENT_IPONLY_SET; @@ -1339,19 +1355,11 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh if (IP_GET_IPPROTO(p) == p->flow->proto) { /* filter out icmp */ PACKET_PROFILING_DETECT_START(p, PROF_DETECT_GETSGH); if (p->flowflags & FLOW_PKT_TOSERVER && p->flow->flags & FLOW_SGH_TOSERVER) { - if (p->flow->sgh_toserver_de_ctx_id != de_ctx->id) { - p->flow->flags &= ~FLOW_SGH_TOSERVER; - } else { - det_ctx->sgh = p->flow->sgh_toserver; - sms_runflags |= SMS_USE_FLOW_SGH; - } + det_ctx->sgh = p->flow->sgh_toserver; + sms_runflags |= SMS_USE_FLOW_SGH; } else if (p->flowflags & FLOW_PKT_TOCLIENT && p->flow->flags & FLOW_SGH_TOCLIENT) { - if (p->flow->sgh_toclient_de_ctx_id != de_ctx->id) { - p->flow->flags &= ~FLOW_SGH_TOCLIENT; - } else { - det_ctx->sgh = p->flow->sgh_toclient; - sms_runflags |= SMS_USE_FLOW_SGH; - } + det_ctx->sgh = p->flow->sgh_toclient; + sms_runflags |= SMS_USE_FLOW_SGH; } PACKET_PROFILING_DETECT_END(p, PROF_DETECT_GETSGH); 
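Review bot: The reset branch added to SigMatchSignatures clears FLOW_SGH_TOSERVER, FLOW_SGH_TOCLIENT and the two sgh pointers, but the context line directly below it still reads `FLOW_TOCLIENT_IPONLY_SET` from the same flags word. That per-flow result, computed under the previous de_ctx, therefore carries over into inspection with the new one. If that is intended, the branch should say so, e.g. `/* IP-only flags are kept across a rule swap on purpose */`; if not, they belong in the same reset. As a smaller point, both bits can be cleared in one statement: `p->flow->flags &= ~(FLOW_SGH_TOSERVER | FLOW_SGH_TOCLIENT);`. The function starts and ends outside this hunk, so there may be other de_ctx-derived flow state that is not visible here.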
@@ -1392,8 +1400,13 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh } SCLogDebug("p->flowflags 0x%02x", p->flowflags); + /* reset because of ruleswap */ + if (reset_de_state) { + SCMutexLock(&p->flow->de_state_m); + DetectEngineStateReset(p->flow->de_state); + SCMutexUnlock(&p->flow->de_state_m); /* see if we need to increment the inspect_id and reset the de_state */ - if (alstate != NULL && alproto == ALPROTO_HTTP) { + } else if (alstate != NULL && alproto == ALPROTO_HTTP) { PACKET_PROFILING_DETECT_START(p, PROF_DETECT_STATEFUL); SCLogDebug("getting de_state_status"); int de_state_status = DeStateUpdateInspectTransactionId(p->flow, @@ -1488,7 +1501,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh memset(det_ctx->de_state_sig_array, 0x00, det_ctx->de_state_sig_array_len); /* if applicable, continue stateful detection */ - int state = DeStateFlowHasState(de_ctx, p->flow, flags, alversion); + int state = DeStateFlowHasState(p->flow, flags, alversion); if (state == 1) { DeStateDetectContinueDetection(th_v, de_ctx, det_ctx, p->flow, flags, alstate, alproto, alversion); @@ -1776,7 +1789,6 @@ end: if (p->flowflags & FLOW_PKT_TOSERVER && !(p->flow->flags & FLOW_SGH_TOSERVER)) { /* first time we see this toserver sgh, store it */ p->flow->sgh_toserver = det_ctx->sgh; - p->flow->sgh_toserver_de_ctx_id = de_ctx->id; p->flow->flags |= FLOW_SGH_TOSERVER; /* see if this sgh requires us to consider file storing */ @@ -1793,7 +1805,6 @@ end: } } else if (p->flowflags & FLOW_PKT_TOCLIENT && !(p->flow->flags & FLOW_SGH_TOCLIENT)) { p->flow->sgh_toclient = det_ctx->sgh; - p->flow->sgh_toclient_de_ctx_id = de_ctx->id; p->flow->flags |= FLOW_SGH_TOCLIENT; if (p->flow->sgh_toclient == NULL || p->flow->sgh_toclient->filestore_cnt == 0) { diff --git a/src/flow-util.h b/src/flow-util.h index c327c34700..e5c46a254d 100644 --- a/src/flow-util.h +++ b/src/flow-util.h 
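Review bot: `DetectEngineStateReset(p->flow->de_state);` is called without a NULL check, while FLOW_RECYCLE in src/flow-util.h guards the same call with `if ((f)->de_state != NULL)`. DeStateDetectStartDetection only allocates de_state on demand, so a flow that meets a rule swap before any stateful match reaches this line with a NULL pointer. Whether DetectEngineStateReset tolerates NULL is not visible on this page; matching the macro is cheap: `if (p->flow->de_state != NULL) DetectEngineStateReset(p->flow->de_state);` inside the mutex. The comment `/* see if we need to increment the inspect_id and reset the de_state */` now sits at the end of the reset branch and should move below the `} else if (...) {` line it describes. SigMatchSignatures continues outside the hunk.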
@@ -43,13 +43,14 @@ (f)->sp = 0; \ (f)->dp = 0; \ SC_ATOMIC_INIT((f)->use_cnt); \ + (f)->probing_parser_toserver_al_proto_masks = 0; \ + (f)->probing_parser_toclient_al_proto_masks = 0; \ (f)->flags = 0; \ (f)->lastts_sec = 0; \ FLOWLOCK_INIT((f)); \ (f)->protoctx = NULL; \ (f)->alproto = 0; \ - (f)->probing_parser_toserver_al_proto_masks = 0; \ - (f)->probing_parser_toclient_al_proto_masks = 0; \ + (f)->de_ctx_id = 0; \ (f)->alparser = NULL; \ (f)->alstate = NULL; \ (f)->de_state = NULL; \ @@ -76,6 +77,8 @@ (f)->sp = 0; \ (f)->dp = 0; \ SC_ATOMIC_RESET((f)->use_cnt); \ + (f)->probing_parser_toserver_al_proto_masks = 0; \ + (f)->probing_parser_toclient_al_proto_masks = 0; \ (f)->flags = 0; \ (f)->lastts_sec = 0; \ (f)->protoctx = NULL; \ @@ -83,8 +86,7 @@ (f)->alparser = NULL; \ (f)->alstate = NULL; \ (f)->alproto = 0; \ - (f)->probing_parser_toserver_al_proto_masks = 0; \ - (f)->probing_parser_toclient_al_proto_masks = 0; \ + (f)->de_ctx_id = 0; \ if ((f)->de_state != NULL) { \ DetectEngineStateReset((f)->de_state); \ } \ diff --git a/src/flow.h b/src/flow.h index 46b4c8101d..ab34da4124 100644 --- a/src/flow.h +++ b/src/flow.h @@ -315,6 +315,11 @@ typedef struct Flow_ uint16_t alproto; /**< \brief application level protocol */ + /** detection engine ctx id used to inspect this flow. Set at initial + * inspection. If it doesn't match the currently in use de_ctx, the + * de_state and stored sgh ptrs are reset. */ + uint32_t de_ctx_id; + /** application level storage ptrs. * */ @@ -327,11 +332,9 @@ typedef struct Flow_ /** toclient sgh for this flow. Only use when FLOW_SGH_TOCLIENT flow flag * has been set. */ struct SigGroupHead_ *sgh_toclient; - uint32_t sgh_toclient_de_ctx_id; /** toserver sgh for this flow. Only use when FLOW_SGH_TOSERVER flow flag * has been set. */ struct SigGroupHead_ *sgh_toserver; - uint32_t sgh_toserver_de_ctx_id; /** List of tags of this flow (from "tag" keyword of type "session") */ void *tag_list;