From: Victor Julien Date: Mon, 13 Apr 2015 08:33:11 +0000 (+0200) Subject: multi-detect: set tenant id on pseudo packets X-Git-Tag: suricata-3.0RC1~195 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=82aa419431509bb9c54c22e989b6402d43a3b357;p=thirdparty%2Fsuricata.git multi-detect: set tenant id on pseudo packets Store the tenant id in the flow and use the stored id when setting up pesudo packets. For tunnel and defrag packets, get tenant from parent. This will only pass tenant_id's set at capture time. For defrag packets, the tenant selector based on vlan id will still work as the vlan id(s) are stored in the defrag tracker before being passed on.
---
diff --git a/src/decode.c b/src/decode.c
index aa6068bbc0..0dd9fa86fa 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -274,6 +274,7 @@ Packet *PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *pare
 p->ts.tv_sec = parent->ts.tv_sec;
 p->ts.tv_usec = parent->ts.tv_usec;
 p->datalink = DLT_RAW;
+ p->tenant_id = parent->tenant_id;
 /* set the root ptr to the lowest layer */
 if (parent->root != NULL)
@@ -345,6 +346,7 @@ Packet *PacketDefragPktSetup(Packet *parent, uint8_t *pkt, uint16_t len, uint8_t
 p->ts.tv_sec = parent->ts.tv_sec;
 p->ts.tv_usec = parent->ts.tv_usec;
 p->datalink = DLT_RAW;
+ p->tenant_id = parent->tenant_id;
 /* tell new packet it's part of a tunnel */
 SET_TUNNEL_PKT(p);
 p->vlan_id[0] = parent->vlan_id[0];
diff --git a/src/detect.c b/src/detect.c
index 7d608a0a24..e420f5e392 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1279,6 +1279,12 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 FLOWLOCK_WRLOCK(pflow);
 {
+ /* store tenant_id in the flow so that we can use it
+ * for creating pseudo packets */
+ if (p->tenant_id > 0 && pflow->tenant_id == 0) {
+ pflow->tenant_id = p->tenant_id;
+ }
+
 /* live ruleswap check for flow updates */
 if (pflow->de_ctx_id == 0) {
 /* first time this flow is inspected, set id */
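Review bot: The new block in SigMatchSignatures() is first-writer-wins: once `pflow->tenant_id` is non-zero, a later packet on the same flow carrying a different non-zero `p->tenant_id` is silently ignored, and every pseudo packet built from the flow inherits the first value. For tenant isolation that mismatch seems worth surfacing rather than dropping; whether it can occur depends on whether the flow lookup keeps tenants apart, which this diff does not show. I would add `else if (p->tenant_id > 0 && pflow->tenant_id != p->tenant_id) { SCLogDebug("flow tenant %"PRIu32", packet tenant %"PRIu32, pflow->tenant_id, p->tenant_id); }`, or at least extend the comment with `first tenant seen wins; a flow is assumed never to change tenant`. The enclosing function starts and ends outside the hunk.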
@@ -1991,7 +1997,9 @@ TmEcode Detect(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQue
 return TM_ECODE_OK;
 }
- uint32_t tenant_id = det_ctx->TenantGetId(det_ctx, p);
+ uint32_t tenant_id = p->tenant_id;
+ if (tenant_id == 0)
+ tenant_id = det_ctx->TenantGetId(det_ctx, p);
 if (tenant_id > 0 && tenant_id < det_ctx->mt_det_ctxs_cnt) {
 p->tenant_id = tenant_id;
 det_ctx = GetTenantById(det_ctx->mt_det_ctxs_hash, tenant_id);
diff --git a/src/flow-timeout.c b/src/flow-timeout.c
index 534875c68b..8df85cddcd 100644
--- a/src/flow-timeout.c
+++ b/src/flow-timeout.c
@@ -80,6 +80,7 @@ static inline Packet *FlowForceReassemblyPseudoPacketSetup(Packet *p,
 TcpSession *ssn,
 int dummy)
 {
+ p->tenant_id = f->tenant_id;
 p->datalink = DLT_RAW;
 p->proto = IPPROTO_TCP;
 FlowReference(&p->flow, f);
diff --git a/src/flow-util.h b/src/flow-util.h
index 38257b1289..ca6a49cccb 100644
--- a/src/flow-util.h
+++ b/src/flow-util.h
@@ -42,6 +42,7 @@
 (f)->proto = 0; \
 SC_ATOMIC_INIT((f)->flow_state); \
 SC_ATOMIC_INIT((f)->use_cnt); \
+ (f)->tenant_id = 0; \
 (f)->probing_parser_toserver_alproto_masks = 0; \
 (f)->probing_parser_toclient_alproto_masks = 0; \
 (f)->flags = 0; \
@@ -86,6 +87,7 @@
 (f)->proto = 0; \
 SC_ATOMIC_RESET((f)->flow_state); \
 SC_ATOMIC_RESET((f)->use_cnt); \
+ (f)->tenant_id = 0; \
 (f)->probing_parser_toserver_alproto_masks = 0; \
 (f)->probing_parser_toclient_alproto_masks = 0; \
 (f)->flags = 0; \
diff --git a/src/flow.h b/src/flow.h
index caa34c6fc8..eab7377609 100644
--- a/src/flow.h
+++ b/src/flow.h
@@ -329,6 +329,10 @@ typedef struct Flow_
 /** flow queue id, used with autofp */
 SC_ATOMIC_DECLARE(int16_t, autofp_tmqh_flow_qid);
+ /** flow tenant id, used to setup flow timeout and stream pseudo
+ * packets with the correct tenant id set */
+ uint32_t tenant_id;
+
 uint32_t probing_parser_toserver_alproto_masks;
 uint32_t probing_parser_toclient_alproto_masks;
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 88fe40d4be..6cde865138 100644
--- a/src/stream-tcp.c
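Review bot: Detect() now trusts a non-zero `p->tenant_id` and skips the selector, so tenant selection depends on every Packet reaching it with `tenant_id` either zero or correct. The diff resets `tenant_id` for flows in flow-util.h but shows no matching reset for recycled packets; if the packet reinit path does not zero the field, a pooled packet could be inspected with the previous packet's tenant ruleset, so please confirm or add `(p)->tenant_id = 0;` there. Separately, an id stored in a flow before its tenant was unloaded can fail the `tenant_id < det_ctx->mt_det_ctxs_cnt` test, and which detection context is used in that case is decided outside the hunk. Minor style point: the new `if (tenant_id == 0)` has an unbraced body, unlike the braced `if` added in SigMatchSignatures().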
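Review bot: The assignment `p->tenant_id = f->tenant_id;` in FlowForceReassemblyPseudoPacketSetup() needs a comment about the zero case. `f->tenant_id` is only filled in by the SigMatchSignatures() hunk, so it is still 0 for a flow none of whose inspected packets carried a tenant id, and the pseudo packet then takes the selector fallback in Detect(). I would add `/* 0 if no inspected packet carried a tenant id: Detect() falls back to the tenant selector */` above the line. The function body continues outside the hunk.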
+++ b/src/stream-tcp.c
@@ -5829,6 +5829,8 @@ void StreamTcpPseudoPacketCreateStreamEndPacket(ThreadVars *tv, StreamTcpThread
 /* Setup the IP and TCP headers */
 StreamTcpPseudoPacketSetupHeader(np,p);
+ np->tenant_id = p->flow->tenant_id;
+
 np->flowflags = p->flowflags;
 np->flags |= PKT_STREAM_EST;
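Review bot: `np->tenant_id = p->flow->tenant_id;` dereferences `p->flow` with no NULL check in the visible lines, and reads a flow field without the hunk showing that the flow lock is held. If the part of StreamTcpPseudoPacketCreateStreamEndPacket() outside the hunk does not already guarantee both, guard the assignment, e.g. `if (p->flow != NULL) np->tenant_id = p->flow->tenant_id;`. A short comment saying why the flow's id is used rather than `p->tenant_id` would also help, since the decode.c hunks copy from the parent packet instead.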