From: Nirmala Venkata Subbaiah -X (nirmvenk - XORIANT CORPORATION at Cisco) Date: Thu, 31 Jul 2025 20:26:30 +0000 (+0000) Subject: Pull request #4816: main: notify DAQ via ioctl message when a packet is injected X-Git-Tag: 3.9.3.0~9 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bba54bb597179b2ee01062f5cb8829f4d831d7d4;p=thirdparty%2Fsnort3.git Pull request #4816: main: notify DAQ via ioctl message when a packet is injected Merge in SNORT/snort3 from ~NIRMVENK/snort3:ioctl to master Squashed commit of the following: commit 8e71d15e6b3c45f7aa429c4ca17ba023a84ace48 Author: Nirmala Subbaiah Date: Tue Jul 15 14:05:04 2025 -0400 main: notify DAQ via ioctl message when a packet is injected
---
diff --git a/src/main/analyzer.cc b/src/main/analyzer.cc
index c5c953f2f..3b2961f8f 100644
--- a/src/main/analyzer.cc
+++ b/src/main/analyzer.cc
@@ -260,8 +260,11 @@ static DAQ_Verdict distill_verdict(Packet* p)
 // we never increase, only trim, but daq doesn't support resizing wire packet
 PacketManager::encode_update(p);
- if ( p->inject() == DAQ_SUCCESS )
+ int ret = p->inject();
+ if ( ret == DAQ_SUCCESS )
 verdict = DAQ_VERDICT_BLOCK;
+ else
+ PacketTracer::log("Packet inject failed: %d\n", ret);
 // FIXIT-M X Should we be blocking the wire packet even if the injection fails?
 }
 else if ( p->packet_flags & PKT_MODIFIED )
diff --git a/src/main/test/distill_verdict_stubs.h b/src/main/test/distill_verdict_stubs.h
index b3e736ec3..8b177bbf4 100644
--- a/src/main/test/distill_verdict_stubs.h
+++ b/src/main/test/distill_verdict_stubs.h
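Review bot: The new `else` branch makes a failed injection visible only through `PacketTracer::log`, which presumably emits nothing unless packet tracing is enabled, while the verdict falls through unchanged and the wire packet the injection was meant to answer is not blocked — the adjacent FIXIT-M still stands. A failed active response is an operationally significant event, so it is worth counting as well as tracing; if this module keeps peg counters, increment one here next to the trace so the failure shows up in stats without tracing turned on. `ret` is only read once and never changes, so `const int ret = p->inject();` states that. distill_verdict begins and ends outside the hunk.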
@@ -164,6 +164,7 @@ bool SFDAQInstance::interrupt() { return false; }
 int SFDAQInstance::inject(DAQ_Msg_h, int, const uint8_t*, uint32_t) { return -1; }
 DAQ_RecvStatus SFDAQInstance::receive_messages(unsigned) { return DAQ_RSTAT_ERROR; }
 int SFDAQInstance::ioctl(DAQ_IoctlCmd, void*, size_t) { return -4; }
+bool SFDAQInstance::can_invoke_inject_drop() const { return false; }
 void SFDAQ::set_local_instance(SFDAQInstance*) { }
 const char* SFDAQ::verdict_to_string(DAQ_Verdict) { return nullptr; }
 bool SFDAQ::forwarding_packet(const DAQ_PktHdr_t*) { return false; }
diff --git a/src/packet_io/sfdaq_instance.cc b/src/packet_io/sfdaq_instance.cc
index ff8af1328..1b7f37746 100644
--- a/src/packet_io/sfdaq_instance.cc
+++ b/src/packet_io/sfdaq_instance.cc
@@ -154,6 +154,11 @@ bool SFDAQInstance::can_whitelist() const
 return (daq_instance_get_capabilities(instance) & DAQ_CAPA_WHITELIST) != 0;
 }
+bool SFDAQInstance::can_invoke_inject_drop() const
+{
+ return (daq_instance_get_capabilities(instance) & DAQ_CAPA_INJECT_DROP) != 0;
+}
+
 bool SFDAQInstance::start()
 {
 int rval = daq_instance_start(instance);
diff --git a/src/packet_io/sfdaq_instance.h b/src/packet_io/sfdaq_instance.h
index 90cf3e839..570366d71 100644
--- a/src/packet_io/sfdaq_instance.h
+++ b/src/packet_io/sfdaq_instance.h
@@ -69,6 +69,7 @@ public:
 bool can_inject_raw() const;
 bool can_replace() const;
 bool can_start_unprivileged() const;
+ bool can_invoke_inject_drop() const;
 SO_PUBLIC bool can_whitelist() const;
 int inject(DAQ_Msg_h, int rev, const uint8_t* buf, uint32_t len);
diff --git a/src/protocols/packet.cc b/src/protocols/packet.cc
index 4d1d73621..56fb9d681 100644
--- a/src/protocols/packet.cc
+++ b/src/protocols/packet.cc
@@ -21,6 +21,8 @@
 #include "config.h"
 #endif
+#include
+
 #include "packet.h"
 #include "detection/ips_context.h"
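Review bot: The sibling predicates in this class are named after the capability bit they test — `can_whitelist()` for `DAQ_CAPA_WHITELIST`, alongside `can_inject_raw()` and `can_replace()` — so `can_invoke_inject_drop()` for `DAQ_CAPA_INJECT_DROP` breaks that pattern; `bool SFDAQInstance::can_inject_drop() const` would match, with the declaration in sfdaq_instance.h and the stubs in distill_verdict_stubs.h and the two protocols tests renamed to follow. Whichever name is kept, the definition deserves a one-line comment tying it to its only use, e.g. `// Gates the DIOCTL_SET_INJECT_DROP ioctl issued by Packet::inject() before injecting.`, since nothing in this file says why the capability is being queried.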
@@ -30,6 +32,7 @@
 #include "log/obfuscator.h"
 #include "main/snort_config.h"
 #include "packet_io/active.h"
+#include "packet_io/packet_tracer.h"
 #include "packet_io/sfdaq_instance.h"
 #include "packet_manager.h"
@@ -326,6 +329,12 @@ bool Packet::is_from_application_server() const
 int Packet::inject()
 {
 set_pkt_injected();
+ if ( daq_instance->can_invoke_inject_drop() )
+ {
+ int ret = daq_instance->ioctl((DAQ_IoctlCmd)DIOCTL_SET_INJECT_DROP, (void*)daq_msg, sizeof(*daq_msg));
+ if ( ret != DAQ_SUCCESS )
+ PacketTracer::log("DIOCTL_SET_INJECT_DROP failed: %d\n", ret);
+ }
 return daq_instance->inject(daq_msg, 0, pkt, pktlen);
 }
diff --git a/src/protocols/test/decode_err_len_test.cc b/src/protocols/test/decode_err_len_test.cc
index 8d7548b6f..2cb7384b0 100644
--- a/src/protocols/test/decode_err_len_test.cc
+++ b/src/protocols/test/decode_err_len_test.cc
@@ -72,6 +72,8 @@ int layer::get_inner_ip6_frag_index(const Packet* const) { return 0; }
 uint8_t Stream::get_flow_ttl(Flow*, char, bool) { return 0; }
 bool SFDAQ::forwarding_packet(const DAQ_PktHdr_t*) { return false; }
 int SFDAQInstance::inject(_daq_msg const*, int, unsigned char const*, unsigned int) { return -1; }
+int snort::SFDAQInstance::ioctl(DAQ_IoctlCmd cmd, void *arg, size_t arglen) { return DAQ_ERROR_NOTSUP; }
+bool SFDAQInstance::can_invoke_inject_drop() const { return false; }
 void sum_stats(PegCount*, PegCount*, unsigned, bool) {}
 IpsContext::IpsContext(unsigned): packet(nullptr), encode_packet(nullptr), pkth (nullptr), buf(nullptr),
diff --git a/src/protocols/test/get_geneve_opt_test.cc b/src/protocols/test/get_geneve_opt_test.cc
index bc44c3069..b0ffbbe8b 100644
--- a/src/protocols/test/get_geneve_opt_test.cc
+++ b/src/protocols/test/get_geneve_opt_test.cc
@@ -24,6 +24,7 @@
 #include "flow/expect_flow.h"
 #include "framework/api_options.h"
 #include "packet_io/sfdaq_instance.h"
+#include "packet_io/packet_tracer.h"
 #include "protocols/packet.h"
 #include "protocols/packet_manager.h"
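Review bot: The result of the `DIOCTL_SET_INJECT_DROP` ioctl is traced and then discarded, so `Packet::inject()` proceeds to `daq_instance->inject()` and returns only that result; the caller in analyzer.cc cannot tell that the DAQ was never told to drop the original and will still set `DAQ_VERDICT_BLOCK` on a successful inject. If that combination is intended — the verdict-based block presumably still covers the wire packet — say so with a comment above the `if`, such as `// ioctl failure is non-fatal: the wire packet is still blocked by the verdict, so inject regardless`; otherwise return `ret` before injecting. The two C-style casts also hide something: `(void*)daq_msg` strips the const that `DAQ_Msg_h` carries (the test stubs spell the parameter `_daq_msg const*`), so write it as `const_cast<void*>(static_cast<const void*>(daq_msg))` to make that visible, and use `static_cast<DAQ_IoctlCmd>(DIOCTL_SET_INJECT_DROP)` for the command. Both unit-test stubs added in this commit return `false` from `can_invoke_inject_drop()`, so the new branch is never exercised by the tests.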
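Review bot: The new `ioctl` stub names its parameters (`cmd`, `arg`, `arglen`) without using them, unlike every neighbouring stub in this file, which leaves parameters unnamed, and it qualifies the class as `snort::SFDAQInstance` while the `can_invoke_inject_drop` stub on the next line does not; the named-but-unused parameters will warn under `-Wunused-parameter`. `int SFDAQInstance::ioctl(DAQ_IoctlCmd, void*, size_t) { return DAQ_ERROR_NOTSUP; }` matches the file's style. The same applies to the stub in get_geneve_opt_test.cc in this commit, which additionally returns `DAQ_SUCCESS` where this file returns `DAQ_ERROR_NOTSUP` — harmless while the `can_invoke_inject_drop()` stubs return false, but worth aligning so the two tests model the same DAQ.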
@@ -39,6 +40,9 @@ const vlan::VlanTagHdr* layer::get_vlan_layer(const Packet*) { return nullptr; }
 const geneve::GeneveLyr* layer::get_geneve_layer(const Packet*, bool) { return nullptr; }
 void ip::IpApi::reset() {}
 int SFDAQInstance::inject(_daq_msg const*, int, unsigned char const*, unsigned int) { return -1; }
+int snort::SFDAQInstance::ioctl(DAQ_IoctlCmd cmd, void *arg, size_t arglen) { return DAQ_SUCCESS; }
+bool SFDAQInstance::can_invoke_inject_drop() const { return false; }
+void PacketTracer::log(const char*, ...) { }
 uint8_t PacketManager::max_layers = DEFAULT_LAYERMAX;