From: Tom Peters (thopeter)
Date: Fri, 14 Dec 2018 21:46:34 +0000 (-0500)
Subject: Merge pull request #1462 in SNORT/snort3 from ~SBAIGAL/snort3:stream_cache_reload...
X-Git-Tag: 3.0.0-251~84
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb7c19e0c51d3ad2bf5675f4ffb49301140e4da0;p=thirdparty%2Fsnort3.git
Merge pull request #1462 in SNORT/snort3 from ~SBAIGAL/snort3:stream_cache_reload to master
Squashed commit of the following:
commit 8187840a9cb93c782451c6dab1662e352226e3bc
Author: Steven Baigal (sbaigal)
Date: Mon Dec 10 10:40:12 2018 -0500
    reload: prompt reload failure and require restart when stream cache were changed
---
diff --git a/doc/reload_limitations.txt b/doc/reload_limitations.txt
index cbc25a9a8..b152a8629 100644
--- a/doc/reload_limitations.txt
+++ b/doc/reload_limitations.txt
@@ -17,6 +17,25 @@ The following parameters can't be changed during reload, and require a restart:
 * process.daemon
 * process.set_gid
 * process.set_uid
+* stream.footprint
+* stream.ip_cache.max_sessions
+* stream.ip_cache.pruning_timeout
+* stream.ip_cache.idle_timeout
+* stream.icmp_cache.max_sessions
+* stream.icmp_cache.pruning_timeout
+* stream.icmp_cache.idle_timeout
+* stream.tcp_cache.max_sessions
+* stream.tcp_cache.pruning_timeout
+* stream.tcp_cache.idle_timeout
+* stream.udp_cache.max_sessions
+* stream.udp_cache.pruning_timeout
+* stream.udp_cache.idle_timeout
+* stream.user_cache.max_sessions
+* stream.user_cache.pruning_timeout
+* stream.user_cache.idle_timeout
+* stream.file_cache.max_sessions
+* stream.file_cache.pruning_timeout
+* stream.file_cache.idle_timeout
 
 In addition, the following scenarios require a restart:
 
diff --git a/src/stream/base/stream_module.cc b/src/stream/base/stream_module.cc
index b08dd7dd7..cf74876b4 100644
--- a/src/stream/base/stream_module.cc
+++ b/src/stream/base/stream_module.cc
@@ -25,6 +25,8 @@
 #include "stream_module.h"
 
 #include "detection/rules.h"
+#include "log/messages.h"
+#include "main/snort.h"
 #include "main/snort_debug.h"
 
 using namespace snort;
@@ -171,6 +173,52 @@ bool StreamModule::set(const char* fqn, Value& v, SnortConfig* c)
     return true;
 }
 
+static int check_cache_change(const char* fqn, const char* name, const FlowConfig& new_cfg,
+    const FlowConfig& saved_cfg)
+{
+    int ret = 0;
+    if ( saved_cfg.max_sessions and strstr(fqn, name) )
+    {
+        if ( saved_cfg.max_sessions != new_cfg.max_sessions
+            or saved_cfg.pruning_timeout != new_cfg.pruning_timeout
+            or saved_cfg.nominal_timeout != new_cfg.nominal_timeout )
+        {
+            ParseError("Changing of %s requires a restart\n", name);
+            ret = 1;
+        }
+    }
+    return ret;
+}
+
+// FIXIT-L the detection of stream.xxx_cache changes below is a temporary workaround
+// remove this check when stream.xxx_cache params become reloadable
+bool StreamModule::end(const char* fqn, int, SnortConfig*)
+{
+    static StreamModuleConfig saved_config = {};
+    static int issue_found = 0;
+
+    issue_found += check_cache_change(fqn, "ip_cache", config.ip_cfg, saved_config.ip_cfg);
+    issue_found += check_cache_change(fqn, "icmp_cache", config.icmp_cfg, saved_config.icmp_cfg);
+    issue_found += check_cache_change(fqn, "tcp_cache", config.tcp_cfg, saved_config.tcp_cfg);
+    issue_found += check_cache_change(fqn, "udp_cache", config.udp_cfg, saved_config.udp_cfg);
+    issue_found += check_cache_change(fqn, "user_cache", config.ip_cfg, saved_config.user_cfg);
+    issue_found += check_cache_change(fqn, "file_cache", config.ip_cfg, saved_config.file_cfg);
+
+    if ( !strcmp(fqn, "stream") )
+    {
+        if ( saved_config.ip_cfg.max_sessions // saved config is valid
+            and config.footprint != saved_config.footprint )
+        {
+            ParseError("Changing of stream.footprint requires a restart\n");
+            issue_found++;
+        }
+        if ( issue_found == 0 )
+            saved_config = config;
+        issue_found = 0;
+    }
+    return true;
+}
+
 void StreamModule::sum_stats(bool)
 { base_sum(); }
 
diff --git a/src/stream/base/stream_module.h b/src/stream/base/stream_module.h
index 65828f1ca..844d841b1 100644
--- a/src/stream/base/stream_module.h
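Review bot: The `user_cache` and `file_cache` calls in StreamModule::end pass `config.ip_cfg` as the new config instead of `config.user_cfg` and `config.file_cfg`, so those two caches are compared against the wrong table: a real change to user or file cache limits goes undetected whenever the ip cache values happen to equal the saved user/file values, and a reload is refused with a spurious "requires a restart" whenever they differ. The two lines should read `issue_found += check_cache_change(fqn, "user_cache", config.user_cfg, saved_config.user_cfg);` and `issue_found += check_cache_change(fqn, "file_cache", config.file_cfg, saved_config.file_cfg);`. Since the purpose of this check is to refuse a reload that would otherwise leave the running cache sizing silently out of step with the loaded configuration, the undetected-change case is the one that matters operationally, and a unit test that reloads with only user_cache.max_sessions changed would have caught it. Separately, the whole detection gates on `saved_config.ip_cfg.max_sessions` being non-zero as the "saved config is valid" marker, which presumably means a deployment with the ip cache sized to zero skips footprint and cache-change detection for every protocol — confirm that is intended, or track validity with an explicit flag and document it on the `static StreamModuleConfig saved_config` line.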
+++ b/src/stream/base/stream_module.h
@@ -84,6 +84,7 @@ public:
     bool begin(const char*, int, snort::SnortConfig*) override;
     bool set(const char*, snort::Value&, snort::SnortConfig*) override;
+    bool end(const char*, int, snort::SnortConfig*) override;
     const PegInfo* get_pegs() const override;
     PegCount* get_counts() const override;