suricata
defrag.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Endace Technology Limited, Jason Ish <jason.ish@endace.com>
22  */
23 
24 #ifndef SURICATA_DEFRAG_H
25 #define SURICATA_DEFRAG_H
26 
27 #include "threads.h"
28 #include "util-pool.h"
29 #include "threadvars.h"
30 #include "decode.h"
31 
32 /**
33  * A context for an instance of a fragmentation re-assembler, in case
34  * we ever need more than one.
35  */
36 typedef struct DefragContext_ {
37  Pool *frag_pool; /**< Pool of fragments. */
38  SCMutex frag_pool_lock;
39 
40  uint32_t timeout; /**< Default timeout. */
41 } DefragContext;
42 
43 /**
44  * Storage for an individual fragment.
45  */
46 typedef struct Frag_ {
47  uint16_t offset; /**< The offset of this fragment, already
48  * multiplied by 8. */
49 
50  uint32_t len; /**< The length of this fragment. */
51 
52  uint8_t hlen; /**< The length of this fragments IP header. */
53 
54  uint8_t more_frags:4; /**< More frags? */
55  uint8_t skip:4; /**< Skip this fragment during re-assembly. */
56 
57  uint16_t frag_hdr_offset; /**< Offset in the packet where the frag
58  * header starts. */
59 
60  uint16_t data_offset; /**< Offset to the packet data. */
61  uint16_t data_len; /**< Length of data. */
62 
63  uint16_t ltrim; /**< Number of leading bytes to trim when
64  * re-assembling the packet. */
65 
66  uint8_t *pkt; /**< The actual packet. */
67 
68 #ifdef DEBUG
69  uint64_t pcap_cnt; /**< pcap_cnt of original packet */
70 #endif
71 
72  RB_ENTRY(Frag_) rb;
73 } Frag;
74 
75 int DefragRbFragCompare(struct Frag_ *a, struct Frag_ *b);
76 
77 RB_HEAD(IP_FRAGMENTS, Frag_);
78 RB_PROTOTYPE(IP_FRAGMENTS, Frag_, rb, DefragRbFragCompare);
79 
80 /**
81  * A defragmentation tracker. Used to track fragments that make up a
82  * single packet.
83  */
84 typedef struct DefragTracker_ {
85  SCMutex lock; /**< Mutex for locking list operations on
86  * this tracker. */
87 
88  uint16_t vlan_id[VLAN_MAX_LAYERS]; /**< VLAN ID tracker applies to. */
89  uint16_t ip_hdr_offset; /**< Offset in the packet where the IP
90  * header starts. */
91 
92  uint32_t id; /**< IP ID for this tracker. 32 bits for IPv6, 16
93  * for IPv4. */
94 
95  uint8_t proto; /**< IP protocol for this tracker. */
96 
97  uint8_t policy; /**< Reassembly policy this tracker will use. */
98 
99  uint8_t af; /**< Address family for this tracker, AF_INET or
100  * AF_INET6. */
101 
102  uint8_t seen_last; /**< Has this tracker seen the last fragment? */
103 
104  uint8_t remove; /**< remove */
105 
106  Address src_addr; /**< Source address for this tracker. */
107  Address dst_addr; /**< Destination address for this tracker. */
108 
109  int datalink; /**< datalink for reassembled packet, set by first fragment */
110  SCTime_t timeout; /**< When this tracker will timeout. */
111  uint32_t host_timeout; /**< Host timeout, statically assigned from the yaml */
112 
113  /** use cnt, reference counter */
114  SC_ATOMIC_DECLARE(unsigned int, use_cnt);
115 
116  struct IP_FRAGMENTS fragment_tree;
117 
118  /** hash pointer, protected by hash row mutex/spin */
119  struct DefragTracker_ *hnext;
120 
121  /** stack pointer, protected by tracker-queue mutex/spin */
122  struct DefragTracker_ *lnext;
123 } DefragTracker;
124 
125 void DefragInit(void);
126 void DefragDestroy(void);
127 
128 uint8_t DefragGetOsPolicy(Packet *);
129 void DefragTrackerFreeFrags(DefragTracker *);
130 Packet *Defrag(ThreadVars *, DecodeThreadVars *, Packet *);
131 void DefragRegisterTests(void);
132 
133 #endif /* SURICATA_DEFRAG_H */
Frag_
Definition: defrag.h:46
DefragGetOsPolicy
uint8_t DefragGetOsPolicy(Packet *)
Get the defrag policy based on the destination address of the packet.
Definition: defrag.c:986
Defrag
Packet * Defrag(ThreadVars *, DecodeThreadVars *, Packet *)
Entry point for IPv4 and IPv6 fragments.
Definition: defrag.c:1064
DefragTracker_::hnext
struct DefragTracker_ * hnext
Definition: defrag.h:119
RB_PROTOTYPE
RB_PROTOTYPE(IP_FRAGMENTS, Frag_, rb, DefragRbFragCompare)
threads.h
DefragTracker_::ip_hdr_offset
uint16_t ip_hdr_offset
Definition: defrag.h:89
DefragTrackerFreeFrags
void DefragTrackerFreeFrags(DefragTracker *)
Free all frags associated with a tracker.
Definition: defrag.c:132
Frag_::data_len
uint16_t data_len
Definition: defrag.h:61
DefragContext_::frag_pool
Pool * frag_pool
Definition: defrag.h:37
DefragTracker_::host_timeout
uint32_t host_timeout
Definition: defrag.h:111
Address_
Definition: decode.h:108
Pool_
Definition: util-pool.h:43
DefragTracker_::SC_ATOMIC_DECLARE
SC_ATOMIC_DECLARE(unsigned int, use_cnt)
DefragTracker_::lock
SCMutex lock
Definition: defrag.h:85
DefragContext_::frag_pool_lock
SCMutex frag_pool_lock
Definition: defrag.h:38
DefragTracker_::remove
uint8_t remove
Definition: defrag.h:104
decode.h
DefragRegisterTests
void DefragRegisterTests(void)
Definition: defrag.c:3179
DefragTracker_::seen_last
uint8_t seen_last
Definition: defrag.h:102
DefragTracker_::policy
uint8_t policy
Definition: defrag.h:97
DefragTracker_
Definition: defrag.h:84
DefragTracker_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: defrag.h:88
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DefragContext_::timeout
uint32_t timeout
Definition: defrag.h:40
DefragTracker_::dst_addr
Address dst_addr
Definition: defrag.h:107
Packet_
Definition: decode.h:473
DefragTracker_::id
uint32_t id
Definition: defrag.h:92
DefragTracker_::src_addr
Address src_addr
Definition: defrag.h:106
Frag_::skip
uint8_t skip
Definition: defrag.h:55
SCTime_t
Definition: util-time.h:40
Frag_::pkt
uint8_t * pkt
Definition: defrag.h:66
DefragInit
void DefragInit(void)
Definition: defrag.c:1113
Frag_::data_offset
uint16_t data_offset
Definition: defrag.h:60
DefragTracker_::proto
uint8_t proto
Definition: defrag.h:95
DefragContext_
Definition: defrag.h:36
DefragContext
struct DefragContext_ DefragContext
Frag_::ltrim
uint16_t ltrim
Definition: defrag.h:63
Frag_::RB_ENTRY
RB_ENTRY(Frag_) rb
DefragTracker_::fragment_tree
struct IP_FRAGMENTS fragment_tree
Definition: defrag.h:116
Frag_::len
uint32_t len
Definition: defrag.h:50
DefragTracker_::timeout
SCTime_t timeout
Definition: defrag.h:110
VLAN_MAX_LAYERS
#define VLAN_MAX_LAYERS
Definition: decode-vlan.h:51
Frag_::frag_hdr_offset
uint16_t frag_hdr_offset
Definition: defrag.h:57
threadvars.h
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:929
Frag_::more_frags
uint8_t more_frags
Definition: defrag.h:54
DefragTracker_::af
uint8_t af
Definition: defrag.h:99
DefragTracker_::lnext
struct DefragTracker_ * lnext
Definition: defrag.h:122
Frag
struct Frag_ Frag
DefragTracker_::datalink
int datalink
Definition: defrag.h:109
Frag_::hlen
uint8_t hlen
Definition: defrag.h:52
DefragRbFragCompare
int DefragRbFragCompare(struct Frag_ *a, struct Frag_ *b)
Definition: defrag.c:538
DefragTracker
struct DefragTracker_ DefragTracker
util-pool.h
SCMutex
#define SCMutex
Definition: threads-debug.h:114
Frag_::offset
uint16_t offset
Definition: defrag.h:47
DefragDestroy
void DefragDestroy(void)
Definition: defrag.c:1133
RB_HEAD
RB_HEAD(IP_FRAGMENTS, Frag_)