action handling: define and use macros
authorEric Leblond <eric@regit.org>
Tue, 11 Jun 2013 12:52:11 +0000 (14:52 +0200)
committerVictor Julien <victor@inliniac.net>
Mon, 17 Jun 2013 13:00:26 +0000 (15:00 +0200)
The action field in the Packet structure should not be accessed
directly, because a tunneled packet needs to update the root packet
and not the initial packet.

This patch is fixing issue #819 where suricata was not able to
drop fragmented packets in AF_PACKET IPS mode. It also fixes
drop capability for tunneled packets.

src/decode.h
src/detect-engine-alert.c
src/detect-engine-iponly.c
src/detect-engine-state.c
src/detect.c
src/stream-tcp.c

index a8b38e0e716e22ef59aaa532d71247ff0b1a0341..5b4452d7a7b4672eee13154e3eea184987ab15f2 100644 (file)
@@ -779,6 +779,17 @@ typedef struct DecodeThreadVars_
      ((p)->action = ACTION_PASS)); \
 } while (0)
 
+#define TEST_PACKET_ACTION(p, a) \
+    ((p)->root ? \
+     ((p)->root->action & a) : \
+     ((p)->action & a))
+
+#define UPDATE_PACKET_ACTION(p, a) do { \
+    ((p)->root ? \
+     ((p)->root->action |= a) : \
+     ((p)->action |= a)); \
+} while (0)
+
 #define TUNNEL_INCR_PKT_RTV(p) do {                                                 \
         SCMutexLock((p)->root ? &(p)->root->tunnel_mutex : &(p)->tunnel_mutex);     \
         ((p)->root ? (p)->root->tunnel_rtv_cnt++ : (p)->tunnel_rtv_cnt++);          \
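Review bot: The macro argument `a` is expanded without parentheses in both new macros, so a call such as `TEST_PACKET_ACTION(p, ACTION_DROP|ACTION_PASS)` would parse as `((p)->action & ACTION_DROP) | ACTION_PASS` and evaluate true whatever verdict the packet carries. The callers in this diff all pass a single operand, so nothing misfires today, but a verdict test is a bad place to leave that trap; write `(a)` at all four uses, e.g. `((p)->root->action & (a)) :` and `((p)->root->action |= (a)) :`. Separately, the neighbouring TUNNEL_INCR_PKT_RTV takes `tunnel_mutex` before touching root fields, while UPDATE_PACKET_ACTION does an unlocked read-modify-write on `root->action`. If tunneled packets sharing a root can be handled on different threads (not visible here), a concurrent update could lose an ACTION_DROP bit, so that is worth confirming.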
index e102daaa9cb42d681e0db39b61baa6763164b2ae..0b08efb638fb063f056d0aa3736942caf856285d 100644 (file)
@@ -248,7 +248,7 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
             }
 
             /* set verdict on packet */
-            p->action |= p->alerts.alerts[i].action;
+            UPDATE_PACKET_ACTION(p, p->alerts.alerts[i].action);
 
             if (p->action & ACTION_PASS) {
                 /* Ok, reset the alert cnt to end in the previous of pass
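Review bot: The `if (p->action & ACTION_PASS)` check right after the converted line still reads the packet's own field, so for a packet with `root` set it no longer sees the action that UPDATE_PACKET_ACTION just stored on the root. The commit introduces TEST_PACKET_ACTION for exactly this kind of read; use `if (TEST_PACKET_ACTION(p, ACTION_PASS)) {` here. Any other direct reads of `p->action` outside the hunks shown would need the same conversion for tunneled and fragmented packets to get a consistent verdict. PacketAlertFinalize continues beyond this hunk.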
index fd520d84a29a88927a4e477d561b424c5ebebd0b..0c60f00510cc784594c7b07d2b4efaac55dd1b67 100644 (file)
@@ -1076,7 +1076,7 @@ void IPOnlyMatchPacket(ThreadVars *tv,
                             PacketAlertAppend(det_ctx, s, p, 0);
                     } else {
                         /* apply actions for noalert/rule suppressed as well */
-                        p->action |= s->action;
+                        UPDATE_PACKET_ACTION(p, s->action);
                     }
                 }
             }
index ae1875a8f2e6c2a1c0b648155cf1a9df318ab112..4806d216707f4e1324b7f63f2f7fcffef1c28541 100644 (file)
@@ -614,7 +614,7 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
                 if (!(s->flags & SIG_FLAG_NOALERT)) {
                     PacketAlertAppend(det_ctx, s, p, 0);
                 } else {
-                    p->action |= s->action;
+                    UPDATE_PACKET_ACTION(p, s->action);
                 }
             }
 
index 49e5d421f80a0b56e13b2b4482b5106ebcb4b65f..a06743e11b78817b8217f5ee85fbd20f0e54bb56 100644 (file)
@@ -1342,7 +1342,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
             if (p->flow->flags & FLOW_ACTION_DROP)
             {
                 alert_flags = PACKET_ALERT_FLAG_DROP_FLOW;
-                p->action |= ACTION_DROP;
+                UPDATE_PACKET_ACTION(p, ACTION_DROP);
             }
         }
 
@@ -1626,7 +1626,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
                 PacketAlertAppend(det_ctx, s, p, alert_flags);
         } else {
             /* apply actions even if not alerting */
-            p->action |= s->action;
+            UPDATE_PACKET_ACTION(p, s->action);
         }
 next:
         DetectFlowvarProcessList(det_ctx, p->flow);
index c6334b45cdbeddb235a7043e6d94db30972f6f74..0eb25d5515ddc884295c999926682f6accdeb211 100644 (file)
@@ -4006,7 +4006,7 @@ static int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
         FlowSetNoPacketInspectionFlag(p->flow);
         DecodeSetNoPacketInspectionFlag(p);
         FlowSetSessionNoApplayerInspectionFlag(p->flow);
-        p->action |= ACTION_DROP;
+        UPDATE_PACKET_ACTION(p, ACTION_DROP);
         /* return the segments to the pool */
         StreamTcpSessionPktFree(p);
         SCReturnInt(0);
@@ -4207,7 +4207,7 @@ error:
     }
 
     if (StreamTcpInlineMode()) {
-        p->action |= ACTION_DROP;
+        UPDATE_PACKET_ACTION(p, ACTION_DROP);
     }
     SCReturnInt(-1);
 }