From: Victor Julien
Date: Fri, 20 Mar 2015 20:58:50 +0000 (+0100)
Subject: detect-state: cleanups and comments
X-Git-Tag: suricata-2.1beta4~103
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4e177bc9d623ff83bfcf314989cd238debde5111;p=thirdparty%2Fsuricata.git

detect-state: cleanups and comments
---

diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c
index 8d17770a9d..5aac3bd9a9 100644
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
@@ -755,16 +755,9 @@ static int DoInspectFlowRule(ThreadVars *tv,
                              DeStateStoreFlowRule *item, const uint8_t dir_state_flags,
                              Packet *p, Flow *f, AppProto alproto, uint8_t flags)
 {
-    if (item->flags & DE_STATE_FLAG_FULL_INSPECT) {
-        if (item->flags & DE_STATE_FLAG_FULL_INSPECT) {
-            det_ctx->de_state_sig_array[item->sid] = DE_STATE_MATCH_NO_NEW_STATE;
-            return 0;
-        }
-    }
-
-    /* check if a sig in state 'cant match' needs to be reconsidered
-     * as the result of a new file in the existing tx */
-    if (item->flags & DE_STATE_FLAG_SIG_CANT_MATCH) {
+    /* flag rules that are either full inspected or unable to match
+     * in the de_state_sig_array so that prefilter filters them out */
+    if (item->flags & (DE_STATE_FLAG_FULL_INSPECT|DE_STATE_FLAG_SIG_CANT_MATCH)) {
         det_ctx->de_state_sig_array[item->sid] = DE_STATE_MATCH_NO_NEW_STATE;
         return 0;
     }
@@ -820,10 +813,12 @@ static int DoInspectFlowRule(ThreadVars *tv,
             alert = 1;
             inspect_flags |= DE_STATE_FLAG_FULL_INSPECT;
         }
+        /* prevent the rule loop from reinspecting this rule */
         det_ctx->de_state_sig_array[item->sid] = DE_STATE_MATCH_NO_NEW_STATE;
     }
     RULE_PROFILING_END(det_ctx, s, (alert == 1), p);
 
+    /* store the progress in the state */
     item->flags |= inspect_flags;
     item->nm = sm;
 
@@ -854,6 +849,7 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
     SigIntId state_cnt = 0;
     uint64_t inspect_tx_id = 0;
     uint64_t total_txs = 0;
+    uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1;
 
     FLOWLOCK_WRLOCK(f);
 
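Review bot: The merged condition now treats DE_STATE_FLAG_SIG_CANT_MATCH exactly like DE_STATE_FLAG_FULL_INSPECT, while the comment it removes described a pending reconsideration of 'cant match' rules when a new file shows up in the tx; the new comment should say explicitly that no such reconsideration happens in this function, so the next reader does not go looking for it. A wording like `/* FULL_INSPECT and SIG_CANT_MATCH are final for this function: neither state is revisited here, even if new data or files arrive in the tx */` would do, with whether a later pass ever re-evaluates them left to wherever that logic lives, since it is outside this hunk. Both states write the same DE_STATE_MATCH_NO_NEW_STATE value into de_state_sig_array, so prefilter can no longer tell them apart; that is fine only if nothing downstream needs the distinction. The mask would also read better as `DE_STATE_FLAG_FULL_INSPECT | DE_STATE_FLAG_SIG_CANT_MATCH`, matching the spacing used elsewhere in the hunk. DoInspectFlowRule's body continues past the end of the hunk.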
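Review bot: `direction` is computed once from `flags` and then reused as the `dir_state[]` index in the later hunks, so it should be declared `const` and documented with what the two values mean, e.g. `const uint8_t direction = (flags & STREAM_TOSERVER) ? 0 : 1; /* dir_state[] index: 0 when STREAM_TOSERVER is set, 1 otherwise */`. Hoisting is only equivalent to the inline expressions it replaces if `flags` is not reassigned between this declaration and those uses; the rest of DeStateDetectContinueDetection is outside the hunk, so that deserves a quick check. The function body continues past the hunk.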
@@ -887,7 +883,7 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
                 SCLogDebug("NO STATE tx %"PRIu64" (%"PRIu64")", inspect_tx_id, total_txs);
                 continue;
             }
-            DetectEngineStateDirection *tx_dir_state = &tx_de_state->dir_state[flags & STREAM_TOSERVER ? 0 : 1];
+            DetectEngineStateDirection *tx_dir_state = &tx_de_state->dir_state[direction];
             DeStateStore *tx_store = tx_dir_state->head;
 
             /* see if we need to consider the next tx in our decision to add
@@ -923,6 +919,8 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
                 }
             }
         }
+        /* if the current tx is in progress, we won't advance to any newer
+         * tx' just yet. */
         if (inspect_tx_inprogress) {
             SCLogDebug("break out");
             break;
@@ -932,7 +930,7 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
 
     /* continue on flow based state rules (AMATCH) */
     if (f->de_state != NULL) {
-        DetectEngineStateDirectionFlow *dir_state = &f->de_state->dir_state[flags & STREAM_TOSERVER ? 0 : 1];
+        DetectEngineStateDirectionFlow *dir_state = &f->de_state->dir_state[direction];
         DeStateStoreFlowRules *store = dir_state->head;
         /* Loop through stored 'items' (stateful rules) and inspect them */
         for (; store != NULL; store = store->next) {
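Review bot: Replacing the inline `flags & STREAM_TOSERVER ? 0 : 1` with `direction` here, and again in the flow-rule hunk at old line 932, is only a pure refactor if every remaining occurrence of that expression in DeStateDetectContinueDetection was converted as well; any left outside the shown hunks would now derive the same index in two styles, which is the kind of drift this cleanup is meant to remove. The old expression also relied on `&` binding tighter than `?:`, which the parenthesised declaration of `direction` avoids, so the new form is the clearer one. The tx loop enclosing this hunk starts and ends outside it.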
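Review bot: The added comment pluralises with an apostrophe (`tx'`), which reads as a possessive; `* txs just yet. */` is clearer. It also restates what the `break` does rather than why: if the reason is that a newer tx must not be inspected before the in-progress one has finished, saying so in the comment would help, but that rationale is not visible in the hunk and should be confirmed. The loop this `break` leaves begins outside the hunk.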