From: Steven Baigal (sbaigal)
Date: Tue, 29 Nov 2022 14:54:21 +0000 (+0000)
Subject: Pull request #3660: stream: add logic to ensure metaACKs cause flushing
X-Git-Tag: 3.1.48.0~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae290cba781e41491b71f0ddbed1285153d15c81;p=thirdparty%2Fsnort3.git
Pull request #3660: stream: add logic to ensure metaACKs cause flushing
Merge in SNORT/snort3 from ~JALIIMRA/snort3:meta_ack_flush to master
Squashed commit of the following:
commit e108a08265012b8341d1baf06bab2d6f6da3c8a0
Author: Juweria Ali Imran
Date: Mon Nov 7 16:34:38 2022 -0500
stream: add logic to ensure metaACKs cause flushing
---
diff --git a/src/detection/detection_engine.cc b/src/detection/detection_engine.cc
index f8c3f70eb..30072d4d1 100644
--- a/src/detection/detection_engine.cc
+++ b/src/detection/detection_engine.cc
@@ -628,7 +628,7 @@ bool DetectionEngine::inspect(Packet* p)
 if ( p->ptrs.decode_flags & DECODE_ERR_FLAGS )
 {
- if ( p->context->conf->inline_mode() and
+ if ( p->context->conf->ips_inline_mode() and
 snort::get_network_policy()->checksum_drops(p->ptrs.decode_flags & DECODE_ERR_CKSUM_ALL) )
 {
diff --git a/src/ips_options/ips_replace.cc b/src/ips_options/ips_replace.cc
index a75472c41..54405ed7e 100644
--- a/src/ips_options/ips_replace.cc
+++ b/src/ips_options/ips_replace.cc
@@ -52,7 +52,7 @@ static void replace_parse(const char* args, string& s)
 static bool replace_ok(const SnortConfig* sc)
 {
- if ( sc->inline_mode() and SFDAQ::can_replace() )
+ if ( sc->ips_inline_mode() and SFDAQ::can_replace() )
 return true;
 static THREAD_LOCAL bool warned = false;
diff --git a/src/main/analyzer.cc b/src/main/analyzer.cc
index 639a47cea..31e8ea62b 100644
--- a/src/main/analyzer.cc
+++ b/src/main/analyzer.cc
@@ -236,7 +236,7 @@ static DAQ_Verdict distill_verdict(Packet* p)
 daq_stats.internal_blacklist++;
 verdict = DAQ_VERDICT_BLOCK;
 }
- else if ( p->context->conf->inline_mode() || act->packet_force_dropped() )
+ else if ( p->context->conf->ips_inline_mode() || act->packet_force_dropped() )
 verdict = DAQ_VERDICT_BLACKLIST;
 else
 verdict = DAQ_VERDICT_IGNORE;
diff --git a/src/main/snort_config.h b/src/main/snort_config.h
index dc496dd43..dfeb7df97 100644
--- a/src/main/snort_config.h
+++ b/src/main/snort_config.h
@@ -507,13 +507,16 @@ public:
 bool read_mode() const
 { return run_flags & RUN_FLAG__READ; }
- bool inline_mode() const
+ bool ips_inline_mode() const
 { return get_ips_policy()->policy_mode == POLICY_MODE__INLINE; }
- bool inline_test_mode() const
+ bool ips_inline_test_mode() const
 { return get_ips_policy()->policy_mode == POLICY_MODE__INLINE_TEST; }
- bool passive_mode() const
+ bool nap_inline_mode() const
+ { return get_inspection_policy()->policy_mode == POLICY_MODE__INLINE; }
+
+ bool ips_passive_mode() const
 { return get_ips_policy()->policy_mode == POLICY_MODE__PASSIVE; }
 bool show_file_codes() const
diff --git a/src/packet_io/active.cc b/src/packet_io/active.cc
index b28be74c8..a390c543b 100644
--- a/src/packet_io/active.cc
+++ b/src/packet_io/active.cc
@@ -521,7 +521,7 @@ void Active::cant_drop()
 void Active::update_status_actionable(const Packet* p)
 {
- if ( p->context->conf->inline_mode() )
+ if ( p->context->conf->ips_inline_mode() )
 {
 if ( !SFDAQ::forwarding_packet(p->pkth) )
 {
@@ -534,12 +534,12 @@ void Active::update_status_actionable(const Packet* p)
 active_would_reason = WHD_INTERFACE_IDS;
 }
 }
- else if ( p->context->conf->inline_test_mode() )
+ else if ( p->context->conf->ips_inline_test_mode() )
 {
 active_status = AST_WOULD;
 active_would_reason = WHD_IPS_INLINE_TEST;
 }
- else if ( p->context->conf->passive_mode() )
+ else if ( p->context->conf->ips_passive_mode() )
 {
 active_status = AST_WOULD;
 active_would_reason = WHD_INTERFACE_IDS;
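Review bot: The accessors in the snort_config.h hunk now read two different policies — `ips_inline_mode()`, `ips_inline_test_mode()` and `ips_passive_mode()` consult `get_ips_policy()` while the new `nap_inline_mode()` consults `get_inspection_policy()` — but nothing in the header says which one a caller should use, and the old unprefixed names gave no hint either. A comment above `ips_inline_mode()` along the lines of `// ips_*: mode of the IPS (detection) policy; nap_inline_mode: mode of the NAP (inspection) policy` would make the split explicit for the next caller. `nap_inline_mode()` also has no test-mode or passive counterpart, unlike the `ips_*` trio; if that asymmetry is intentional it is worth a word. The analyzer.cc and active.cc hunks on this line are the mechanical rename to the `ips_*` names.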
@@ -680,7 +680,7 @@ void Active::block_session(Packet* p, bool force)
 active_action = ACT_BLOCK;
 update_status(p, force);
- if ( force or (p->context->conf->inline_mode() and SFDAQ::forwarding_packet(p->pkth)))
+ if ( force or (p->context->conf->ips_inline_mode() and SFDAQ::forwarding_packet(p->pkth)))
 Stream::block_flow(p);
 p->disable_inspect = true;
@@ -696,7 +696,7 @@ void Active::reset_session(Packet* p, ActiveAction* reject, bool force)
 active_action = ACT_RESET;
 update_status(p, force);
- if ( force or (p->context->conf->inline_mode() and SFDAQ::forwarding_packet(p->pkth)) )
+ if ( force or (p->context->conf->ips_inline_mode() and SFDAQ::forwarding_packet(p->pkth)) )
 Stream::drop_flow(p);
 if (reject)
diff --git a/src/stream/tcp/tcp_segment_descriptor.cc b/src/stream/tcp/tcp_segment_descriptor.cc
index fb15b5ce8..3eb5fadd0 100644
--- a/src/stream/tcp/tcp_segment_descriptor.cc
+++ b/src/stream/tcp/tcp_segment_descriptor.cc
@@ -76,6 +76,18 @@ TcpSegmentDescriptor::TcpSegmentDescriptor
 ma_pseudo_tcph.th_urp = 0;
 // init meta-ack Packet fields stream cares about for TCP ack processing
+ pkt->pkth = p->pkth;
+ pkt->ptrs = p->ptrs;
+ pkt->ptrs.ip_api.set(*p->ptrs.ip_api.get_dst(), *p->ptrs.ip_api.get_src());
+ pkt->active = p->active_inst;
+ if( p->is_from_client() )
+ {
+ pkt->packet_flags = PKT_FROM_SERVER;
+ }
+ else
+ {
+ pkt->packet_flags = PKT_FROM_CLIENT;
+ }
 pkt->flow = p->flow;
 pkt->context = p->context;
 pkt->dsize = 0;
@@ -94,7 +106,9 @@ TcpSegmentDescriptor::TcpSegmentDescriptor
 }
 void TcpSegmentDescriptor::setup()
-{ ma_pseudo_packet = new Packet(false); }
+{
+ ma_pseudo_packet = new Packet(false);
+}
 void TcpSegmentDescriptor::clear()
 {
@@ -172,3 +186,4 @@ void TcpSegmentDescriptor::set_retransmit_flag()
 pkt->packet_flags |= PKT_RETRANSMIT;
 }
+
diff --git a/src/stream/tcp/tcp_segment_descriptor.h b/src/stream/tcp/tcp_segment_descriptor.h
index ddbf8431e..9db49655f 100644
--- a/src/stream/tcp/tcp_segment_descriptor.h
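Review bot: `pkt->ptrs = p->ptrs;` in the tcp_segment_descriptor.cc @@ -76 hunk copies the whole decoded-pointer block of the real packet into the meta-ack pseudo packet and then patches only `ip_api`, so every other member of `ptrs` — presumably including the `tcph` pointer, which for the pseudo packet should refer to `ma_pseudo_tcph` initialized just above, and the decode flags — still describes the original segment; if that pointer is assigned before this copy it is silently overwritten, so the ordering should be confirmed and a comment added, e.g. `// whole-struct copy: any ptrs field specific to the pseudo packet must be (re)assigned after this line`. The copied `pkth` and `ptrs` also reference buffers owned by `p`, which makes `ma_pseudo_packet` valid only for the lifetime of the packet being processed; stating that next to `pkt->pkth = p->pkth;` would save the next reader from checking. Minor style: `if( p->is_from_client() )` drops the space after `if` used by the surrounding code, and the two braced single-statement branches read more directly as `pkt->packet_flags = p->is_from_client() ? PKT_FROM_SERVER : PKT_FROM_CLIENT;`. The constructor begins outside the hunk; the active.cc and setup()/trailing-newline hunks on this line are rename and whitespace changes.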
+++ b/src/stream/tcp/tcp_segment_descriptor.h
@@ -46,8 +46,11 @@ public:
 static void setup();
 static void clear();
- bool is_policy_inline()
- { return pkt->context->conf->inline_mode(); }
+ bool is_ips_policy_inline()
+ { return pkt->context->conf->ips_inline_mode(); }
+
+ bool is_nap_policy_inline()
+ { return pkt->context->conf->nap_inline_mode(); }
 uint32_t init_mss(uint16_t* value);
 uint32_t init_wscale(uint16_t* value);
diff --git a/src/stream/tcp/tcp_session.cc b/src/stream/tcp/tcp_session.cc
index 7e42d7eff..7a7010ef8 100644
--- a/src/stream/tcp/tcp_session.cc
+++ b/src/stream/tcp/tcp_session.cc
@@ -325,7 +325,7 @@ bool TcpSession::flow_exceeds_config_thresholds(TcpSegmentDescriptor& tsd)
 if ( space_left < (int32_t)tsd.get_len() )
 {
 tcpStats.exceeded_max_bytes++;
- bool inline_mode = tsd.is_policy_inline();
+ bool inline_mode = tsd.is_nap_policy_inline();
 bool ret_val = true;
 if ( space_left > 0 )
@@ -355,7 +355,7 @@ bool TcpSession::flow_exceeds_config_thresholds(TcpSegmentDescriptor& tsd)
 if ( listener->reassembler.get_seg_count() + 1 > tcp_config->max_queued_segs )
 {
 tcpStats.exceeded_max_segs++;
- bool inline_mode = tsd.is_policy_inline();
+ bool inline_mode = tsd.is_nap_policy_inline();
 if ( inline_mode )
 {
@@ -1089,7 +1089,7 @@ bool TcpSession::validate_packet_established_session(TcpSegmentDescriptor& tsd)
 {
 TcpStreamTracker* listener = tsd.get_listener();
- if ( tsd.is_policy_inline() )
+ if ( tsd.is_nap_policy_inline() )
 if ( tsd.get_tcph()->is_ack() && !listener->is_ack_valid(tsd.get_ack()) )
 {
 listener->normalizer.packet_dropper(tsd, NORM_TCP_BLOCK);
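Review bot: The tcp_session.cc hunks (@@ -325, @@ -355 and @@ -1089) are not a plain rename — they move the gate from the IPS policy (`is_policy_inline()`) to the NAP policy (`is_nap_policy_inline()`), which changes when the queue-limit handling and the `normalizer.packet_dropper(tsd, NORM_TCP_BLOCK)` path for invalid ACKs are active, yet the commit title speaks only of meta-ACK flushing and the code carries no note of the policy switch. A comment at the first site, `// queue limits and ACK validation follow the NAP (inspection) policy, not the IPS policy`, would record the intent where the next reader of this line will look. The local in the first two hunks is still named `inline_mode`; `nap_inline` would say which policy it reflects. The enclosing functions `flow_exceeds_config_thresholds` and `validate_packet_established_session` start and end outside these hunks; the tcp_segment_descriptor.h hunk above is the matching accessor rename plus the new `is_nap_policy_inline()`.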