From: Ron Dempster (rdempste) Date: Tue, 12 Sep 2023 19:18:14 +0000 (+0000) Subject: Pull request #3989: flow: generate flow setup and established events for ha flows X-Git-Tag: 3.1.71.0~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f5a00f342ba271f9461e8387ab86486dfb1b4e6;p=thirdparty%2Fsnort3.git Pull request #3989: flow: generate flow setup and established events for ha flows Merge in SNORT/snort3 from ~RDEMPSTE/snort3:ha_flow_events to master Squashed commit of the following: commit 0586aa711d765efb73bd75863886f8790e1a4d48 Author: Ron Dempster (rdempste) Date: Thu Sep 7 08:55:57 2023 -0400 flow: generate flow setup and established events for ha flows
---
diff --git a/src/flow/flow.h b/src/flow/flow.h
index 530a81edd..836e04024 100644
--- a/src/flow/flow.h
+++ b/src/flow/flow.h
@@ -496,6 +496,7 @@ public: // FIXIT-M privatize if possible
 bool efd_flow : 1; // Indicate that current flow is an elephant flow
 bool svc_event_generated : 1; // Set if FLOW_NO_SERVICE_EVENT was generated for this flow
 bool retry_queued : 1; // Set if a packet was queued for retry for this flow
+ bool ha_flow : 1; // Set if this flow was created by an HA message
 } flags = {};
 FlowState flow_state = FlowState::SETUP;
diff --git a/src/flow/flow_control.cc b/src/flow/flow_control.cc
index fe975b0c5..e84f3e847 100644
--- a/src/flow/flow_control.cc
+++ b/src/flow/flow_control.cc
@@ -393,11 +393,14 @@ bool FlowControl::process(PktType type, Packet* p, bool* new_flow)
 if (flow)
 flow = stale_flow_cleanup(cache, flow, p);
+ bool new_ha_flow = false;
 if ( !flow )
 {
 flow = HighAvailabilityManager::import(*p, key);
- if ( !flow )
+ if ( flow )
+ new_ha_flow = true;
+ else
 {
 if ( !want_flow(type, p) )
 return true;
@@ -418,7 +421,7 @@ bool FlowControl::process(PktType type, Packet* p, bool* new_flow)
 flow->session = get_proto_session[to_utype(type)](flow);
 }
- num_flows += process(flow, p);
+ num_flows += process(flow, p, new_ha_flow);
 // FIXIT-M refactor to unlink_uni immediately after session
 // is processed by inspector manager (all flows)
@@ -428,7 +431,7 @@ bool FlowControl::process(PktType type, Packet* p, bool* new_flow)
 return true;
 }
-unsigned FlowControl::process(Flow* flow, Packet* p)
+unsigned FlowControl::process(Flow* flow, Packet* p, bool new_ha_flow)
 {
 unsigned news = 0;
@@ -452,8 +455,10 @@ unsigned FlowControl::process(Flow* flow, Packet* p)
 if ( flow->flow_state != Flow::FlowState::SETUP )
 {
+ if ( new_ha_flow )
+ DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::FLOW_STATE_SETUP, p);
 unsigned reload_id = SnortConfig::get_thread_reload_id();
- if (flow->reload_id != reload_id)
+ if ( flow->reload_id != reload_id )
 flow->network_policy_id = get_network_policy()->policy_id;
 else
 {
@@ -462,7 +467,7 @@ unsigned FlowControl::process(Flow* flow, Packet* p)
 }
 p->filtering_state = flow->filtering_state;
 update_stats(flow, p);
- if (p->is_retry())
+ if ( p->is_retry() )
 {
 RetryPacketEvent retry_event(p);
 DataBus::publish(intrinsic_pub_id, IntrinsicEventIds::RETRY_PACKET, retry_event);
@@ -479,7 +484,7 @@ unsigned FlowControl::process(Flow* flow, Packet* p)
 else
 {
 flow->network_policy_id = get_network_policy()->policy_id;
- if (PacketTracer::is_active())
+ if ( PacketTracer::is_active() )
 PacketTracer::log("Session: new snort session\n");
 init_roles(p, flow);
diff --git a/src/flow/flow_control.h b/src/flow/flow_control.h
index 500d9f5a8..f40836611 100644
--- a/src/flow/flow_control.h
+++ b/src/flow/flow_control.h
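Review bot: In the `@@ -452,8 +455,10 @@` hunk of src/flow/flow_control.cc, `FLOW_STATE_SETUP` is published for a newly imported HA flow before `flow->network_policy_id` is refreshed and before `p->filtering_state = flow->filtering_state;` runs in the following hunk, so a subscriber that reads either value would see the pre-update state on the flow's first packet. Whether any subscriber depends on them is not visible here; if one does, moving the two added lines below `update_stats(flow, p);` would publish the event with the same state the rest of the packet path uses. A short comment such as `// imported HA flows are already past SETUP, so publish the setup event on their first packet` would also explain why the publish sits in the non-SETUP branch. The function body starts and continues outside this hunk.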
@@ -101,7 +101,7 @@ public:
 private:
 void set_key(snort::FlowKey*, snort::Packet*);
- unsigned process(snort::Flow*, snort::Packet*);
+ unsigned process(snort::Flow*, snort::Packet*, bool new_ha_flow);
 void update_stats(snort::Flow*, snort::Packet*);
 private:
diff --git a/src/network_inspectors/binder/binder.cc b/src/network_inspectors/binder/binder.cc
index f09395a98..da0b12642 100644
--- a/src/network_inspectors/binder/binder.cc
+++ b/src/network_inspectors/binder/binder.cc
@@ -527,7 +527,7 @@ public:
 void handle(DataEvent&, Flow* flow) override
 {
 Binder* binder = InspectorManager::get_binder();
- if (binder && flow)
+ if (binder && flow && !flow->flags.ha_flow)
 binder->handle_flow_setup(*flow);
 }
 };
diff --git a/src/stream/base/stream_ha.cc b/src/stream/base/stream_ha.cc
index fdc549df8..8b63072fa 100644
--- a/src/stream/base/stream_ha.cc
+++ b/src/stream/base/stream_ha.cc
@@ -104,6 +104,7 @@ bool StreamHAClient::consume(Flow*& flow, const FlowKey* key, HAMessage& msg, ui
 if ( (flow = protocol_create_session(key)) == nullptr )
 return false;
+ flow->flags.ha_flow = true;
 BareDataEvent event;
 DataBus::publish(Stream::get_pub_id(), StreamEventIds::HA_NEW_FLOW, event, flow);
@@ -126,6 +127,7 @@ bool StreamHAClient::consume(Flow*& flow, const FlowKey* key, HAMessage& msg, ui
 }
 flow->ssn_state = hac->ssn_state;
+ flow->ssn_state.session_flags &= ~SSNFLAG_ESTABLISHED; // clear flag for tcp established event to be generated
 flow->flow_state = hac->flow_state;
 if ( !flow->ha_state->check_any(FlowHAState::STANDBY) )
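Review bot: In src/network_inspectors/binder/binder.cc the new `!flow->flags.ha_flow` test skips `handle_flow_setup` for the whole life of an imported flow, because nothing in this diff clears the bit once `StreamHAClient::consume` has set it. That is only safe if imported flows get their bindings elsewhere, presumably from the `HA_NEW_FLOW` handler. If that path binds less than `handle_flow_setup` does, traffic on failed-over flows would be inspected with a reduced set of inspectors. Please state the invariant next to the check once confirmed, e.g. `// HA flows are bound on HA_NEW_FLOW; skip the setup binding for them`. The enclosing handler class starts outside the hunk.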
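Review bot: The added `flow->ssn_state.session_flags &= ~SSNFLAG_ESTABLISHED;` in the `@@ -126,6 +127,7 @@` hunk of src/stream/base/stream_ha.cc is unconditional, although its comment motivates it only for TCP. As far as the hunk shows, it runs for every consumed session-state message, so a non-TCP flow or a flow that already exists on this node also loses the flag right after it was copied from `hac->ssn_state`. Anything that keys on the established state before the flag is set again would then treat the flow as not established, which for detection means established-only checks may not apply to it. If only TCP needs the event, guard the line, e.g. `if ( key->pkt_type == PktType::TCP )`, and name in the comment the code that sets the flag again. `consume` starts and ends outside the hunk.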