suricata
flow-hash.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Pablo Rincon Crespo <pablo.rincon.crespo@gmail.com>
23  *
24  * Flow Hashing functions.
25  */
26 
27 #include "suricata-common.h"
28 #include "threads.h"
29 
30 #include "decode.h"
31 #include "detect-engine-state.h"
32 
33 #include "flow.h"
34 #include "flow-hash.h"
35 #include "flow-util.h"
36 #include "flow-private.h"
37 #include "flow-manager.h"
38 #include "flow-storage.h"
39 #include "flow-timeout.h"
40 #include "flow-spare-pool.h"
41 #include "app-layer-parser.h"
42 
43 #include "util-time.h"
44 #include "util-debug.h"
45 #include "util-device.h"
46 
47 #include "util-hash-lookup3.h"
48 
49 #include "conf.h"
50 #include "output.h"
51 #include "output-flow.h"
52 #include "stream-tcp.h"
53 #include "util-exception-policy.h"
54 
56 
57 
58 FlowBucket *flow_hash;
59 SC_ATOMIC_EXTERN(unsigned int, flow_prune_idx);
60 SC_ATOMIC_EXTERN(unsigned int, flow_flags);
61 
62 static Flow *FlowGetUsedFlow(ThreadVars *tv, DecodeThreadVars *dtv, const SCTime_t ts);
63 
64 /** \brief compare two raw ipv6 addrs
65  *
66  * \note we don't care about the real ipv6 ip's, this is just
67  * to consistently fill the FlowHashKey6 struct, without all
68  * the SCNtohl calls.
69  *
70  * \warning do not use elsewhere unless you know what you're doing.
71  * detect-engine-address-ipv6.c's AddressIPv6GtU32 is likely
72  * what you are looking for.
73  */
74 static inline int FlowHashRawAddressIPv6GtU32(const uint32_t *a, const uint32_t *b)
75 {
76  for (uint8_t i = 0; i < 4; i++) {
77  if (a[i] > b[i])
78  return 1;
79  if (a[i] < b[i])
80  break;
81  }
82 
83  return 0;
84 }
85 
86 typedef struct FlowHashKey4_ {
87  union {
88  struct {
89  uint32_t addrs[2];
90  uint16_t ports[2];
91  uint8_t proto; /**< u8 so proto and recur and livedev add up to u32 */
92  uint8_t recur;
93  uint16_t livedev;
95  uint16_t pad[1];
96  };
97  const uint32_t u32[6];
98  };
100 
101 typedef struct FlowHashKey6_ {
102  union {
103  struct {
104  uint32_t src[4], dst[4];
105  uint16_t ports[2];
106  uint8_t proto; /**< u8 so proto and recur and livedev add up to u32 */
107  uint8_t recur;
108  uint16_t livedev;
110  uint16_t pad[1];
111  };
112  const uint32_t u32[12];
113  };
115 
116 uint32_t FlowGetIpPairProtoHash(const Packet *p)
117 {
118  uint32_t hash = 0;
119  if (PacketIsIPv4(p)) {
120  FlowHashKey4 fhk = {
121  .pad[0] = 0,
122  };
123 
124  int ai = (p->src.addr_data32[0] > p->dst.addr_data32[0]);
125  fhk.addrs[1 - ai] = p->src.addr_data32[0];
126  fhk.addrs[ai] = p->dst.addr_data32[0];
127 
128  fhk.ports[0] = 0xfedc;
129  fhk.ports[1] = 0xba98;
130 
131  fhk.proto = (uint8_t)p->proto;
132  fhk.recur = (uint8_t)p->recursion_level;
133  /* g_vlan_mask sets the vlan_ids to 0 if vlan.use-for-tracking
134  * is disabled. */
135  fhk.vlan_id[0] = p->vlan_id[0] & g_vlan_mask;
136  fhk.vlan_id[1] = p->vlan_id[1] & g_vlan_mask;
137  fhk.vlan_id[2] = p->vlan_id[2] & g_vlan_mask;
138 
139  hash = hashword(fhk.u32, ARRAY_SIZE(fhk.u32), flow_config.hash_rand);
140  } else if (PacketIsIPv6(p)) {
141  FlowHashKey6 fhk = {
142  .pad[0] = 0,
143  };
144  if (FlowHashRawAddressIPv6GtU32(p->src.addr_data32, p->dst.addr_data32)) {
145  fhk.src[0] = p->src.addr_data32[0];
146  fhk.src[1] = p->src.addr_data32[1];
147  fhk.src[2] = p->src.addr_data32[2];
148  fhk.src[3] = p->src.addr_data32[3];
149  fhk.dst[0] = p->dst.addr_data32[0];
150  fhk.dst[1] = p->dst.addr_data32[1];
151  fhk.dst[2] = p->dst.addr_data32[2];
152  fhk.dst[3] = p->dst.addr_data32[3];
153  } else {
154  fhk.src[0] = p->dst.addr_data32[0];
155  fhk.src[1] = p->dst.addr_data32[1];
156  fhk.src[2] = p->dst.addr_data32[2];
157  fhk.src[3] = p->dst.addr_data32[3];
158  fhk.dst[0] = p->src.addr_data32[0];
159  fhk.dst[1] = p->src.addr_data32[1];
160  fhk.dst[2] = p->src.addr_data32[2];
161  fhk.dst[3] = p->src.addr_data32[3];
162  }
163 
164  fhk.ports[0] = 0xfedc;
165  fhk.ports[1] = 0xba98;
166  fhk.proto = (uint8_t)p->proto;
167  fhk.recur = (uint8_t)p->recursion_level;
168  fhk.vlan_id[0] = p->vlan_id[0] & g_vlan_mask;
169  fhk.vlan_id[1] = p->vlan_id[1] & g_vlan_mask;
170  fhk.vlan_id[2] = p->vlan_id[2] & g_vlan_mask;
171 
172  hash = hashword(fhk.u32, ARRAY_SIZE(fhk.u32), flow_config.hash_rand);
173  }
174  return hash;
175 }
176 
177 /* calculate the hash key for this packet
178  *
179  * we're using:
180  * hash_rand -- set at init time
181  * source port
182  * destination port
183  * source address
184  * destination address
185  * recursion level -- for tunnels, make sure different tunnel layers can
186  * never get mixed up.
187  *
188  * For ICMP we only consider UNREACHABLE errors atm.
189  */
190 static inline uint32_t FlowGetHash(const Packet *p)
191 {
192  uint32_t hash = 0;
193 
194  if (PacketIsIPv4(p)) {
195  if (PacketIsTCP(p) || PacketIsUDP(p)) {
196  FlowHashKey4 fhk = { .pad[0] = 0 };
197 
198  int ai = (p->src.addr_data32[0] > p->dst.addr_data32[0]);
199  fhk.addrs[1-ai] = p->src.addr_data32[0];
200  fhk.addrs[ai] = p->dst.addr_data32[0];
201 
202  const int pi = (p->sp > p->dp);
203  fhk.ports[1-pi] = p->sp;
204  fhk.ports[pi] = p->dp;
205 
206  fhk.proto = p->proto;
207  fhk.recur = p->recursion_level;
208  /* g_livedev_mask sets the livedev ids to 0 if livedev.use-for-tracking
209  * is disabled. */
210  uint16_t devid = p->livedev ? p->livedev->id : 0;
211  fhk.livedev = devid & g_livedev_mask;
212  /* g_vlan_mask sets the vlan_ids to 0 if vlan.use-for-tracking
213  * is disabled. */
214  fhk.vlan_id[0] = p->vlan_id[0] & g_vlan_mask;
215  fhk.vlan_id[1] = p->vlan_id[1] & g_vlan_mask;
216  fhk.vlan_id[2] = p->vlan_id[2] & g_vlan_mask;
217 
218  hash = hashword(fhk.u32, ARRAY_SIZE(fhk.u32), flow_config.hash_rand);
219 
220  } else if (ICMPV4_DEST_UNREACH_IS_VALID(p)) {
221  uint32_t psrc = IPV4_GET_RAW_IPSRC_U32(PacketGetICMPv4EmbIPv4(p));
222  uint32_t pdst = IPV4_GET_RAW_IPDST_U32(PacketGetICMPv4EmbIPv4(p));
223  FlowHashKey4 fhk = { .pad[0] = 0 };
224 
225  const int ai = (psrc > pdst);
226  fhk.addrs[1-ai] = psrc;
227  fhk.addrs[ai] = pdst;
228 
229  const int pi = (p->l4.vars.icmpv4.emb_sport > p->l4.vars.icmpv4.emb_dport);
230  fhk.ports[1 - pi] = p->l4.vars.icmpv4.emb_sport;
231  fhk.ports[pi] = p->l4.vars.icmpv4.emb_dport;
232 
233  fhk.proto = ICMPV4_GET_EMB_PROTO(p);
234  fhk.recur = p->recursion_level;
235  uint16_t devid = p->livedev ? p->livedev->id : 0;
236  fhk.livedev = devid & g_livedev_mask;
237  fhk.vlan_id[0] = p->vlan_id[0] & g_vlan_mask;
238  fhk.vlan_id[1] = p->vlan_id[1] & g_vlan_mask;
239  fhk.vlan_id[2] = p->vlan_id[2] & g_vlan_mask;
240 
241  hash = hashword(fhk.u32, ARRAY_SIZE(fhk.u32), flow_config.hash_rand);
242 
243  } else {
244  FlowHashKey4 fhk = { .pad[0] = 0 };
245  const int ai = (p->src.addr_data32[0] > p->dst.addr_data32[0]);
246  fhk.addrs[1-ai] = p->src.addr_data32[0];
247  fhk.addrs[ai] = p->dst.addr_data32[0];
248  fhk.ports[0] = 0xfeed;
249  fhk.ports[1] = 0xbeef;
250  fhk.proto = p->proto;
251  fhk.recur = p->recursion_level;
252  uint16_t devid = p->livedev ? p->livedev->id : 0;
253  fhk.livedev = devid & g_livedev_mask;
254  fhk.vlan_id[0] = p->vlan_id[0] & g_vlan_mask;
255  fhk.vlan_id[1] = p->vlan_id[1] & g_vlan_mask;
256  fhk.vlan_id[2] = p->vlan_id[2] & g_vlan_mask;
257 
258  hash = hashword(fhk.u32, ARRAY_SIZE(fhk.u32), flow_config.hash_rand);
259  }
260  } else if (PacketIsIPv6(p)) {
261  FlowHashKey6 fhk = { .pad[0] = 0 };
262  if (FlowHashRawAddressIPv6GtU32(p->src.addr_data32, p->dst.addr_data32)) {
263  fhk.src[0] = p->src.addr_data32[0];
264  fhk.src[1] = p->src.addr_data32[1];
265  fhk.src[2] = p->src.addr_data32[2];
266  fhk.src[3] = p->src.addr_data32[3];
267  fhk.dst[0] = p->dst.addr_data32[0];
268  fhk.dst[1] = p->dst.addr_data32[1];
269  fhk.dst[2] = p->dst.addr_data32[2];
270  fhk.dst[3] = p->dst.addr_data32[3];
271  } else {
272  fhk.src[0] = p->dst.addr_data32[0];
273  fhk.src[1] = p->dst.addr_data32[1];
274  fhk.src[2] = p->dst.addr_data32[2];
275  fhk.src[3] = p->dst.addr_data32[3];
276  fhk.dst[0] = p->src.addr_data32[0];
277  fhk.dst[1] = p->src.addr_data32[1];
278  fhk.dst[2] = p->src.addr_data32[2];
279  fhk.dst[3] = p->src.addr_data32[3];
280  }
281 
282  const int pi = (p->sp > p->dp);
283  fhk.ports[1-pi] = p->sp;
284  fhk.ports[pi] = p->dp;
285  fhk.proto = p->proto;
286  fhk.recur = p->recursion_level;
287  uint16_t devid = p->livedev ? p->livedev->id : 0;
288  fhk.livedev = devid & g_livedev_mask;
289  fhk.vlan_id[0] = p->vlan_id[0] & g_vlan_mask;
290  fhk.vlan_id[1] = p->vlan_id[1] & g_vlan_mask;
291  fhk.vlan_id[2] = p->vlan_id[2] & g_vlan_mask;
292 
293  hash = hashword(fhk.u32, ARRAY_SIZE(fhk.u32), flow_config.hash_rand);
294  }
295 
296  return hash;
297 }
298 
299 /**
300  * Basic hashing function for FlowKey
301  *
302  * \note Function only used for bypass and TCP or UDP flows
303  *
304  * \note this is only used at start to create Flow from pinned maps
305  * so fairness is not an issue
306  */
307 uint32_t FlowKeyGetHash(FlowKey *fk)
308 {
309  uint32_t hash = 0;
310 
311  if (fk->src.family == AF_INET) {
312  FlowHashKey4 fhk = {
313  .pad[0] = 0,
314  };
315  int ai = (fk->src.address.address_un_data32[0] > fk->dst.address.address_un_data32[0]);
316  fhk.addrs[1-ai] = fk->src.address.address_un_data32[0];
317  fhk.addrs[ai] = fk->dst.address.address_un_data32[0];
318 
319  const int pi = (fk->sp > fk->dp);
320  fhk.ports[1-pi] = fk->sp;
321  fhk.ports[pi] = fk->dp;
322 
323  fhk.proto = fk->proto;
324  fhk.recur = fk->recursion_level;
325  fhk.livedev = fk->livedev_id & g_livedev_mask;
326  fhk.vlan_id[0] = fk->vlan_id[0] & g_vlan_mask;
327  fhk.vlan_id[1] = fk->vlan_id[1] & g_vlan_mask;
328  fhk.vlan_id[2] = fk->vlan_id[2] & g_vlan_mask;
329 
330  hash = hashword(fhk.u32, ARRAY_SIZE(fhk.u32), flow_config.hash_rand);
331  } else {
332  FlowHashKey6 fhk = {
333  .pad[0] = 0,
334  };
335  if (FlowHashRawAddressIPv6GtU32(fk->src.address.address_un_data32,
337  fhk.src[0] = fk->src.address.address_un_data32[0];
338  fhk.src[1] = fk->src.address.address_un_data32[1];
339  fhk.src[2] = fk->src.address.address_un_data32[2];
340  fhk.src[3] = fk->src.address.address_un_data32[3];
341  fhk.dst[0] = fk->dst.address.address_un_data32[0];
342  fhk.dst[1] = fk->dst.address.address_un_data32[1];
343  fhk.dst[2] = fk->dst.address.address_un_data32[2];
344  fhk.dst[3] = fk->dst.address.address_un_data32[3];
345  } else {
346  fhk.src[0] = fk->dst.address.address_un_data32[0];
347  fhk.src[1] = fk->dst.address.address_un_data32[1];
348  fhk.src[2] = fk->dst.address.address_un_data32[2];
349  fhk.src[3] = fk->dst.address.address_un_data32[3];
350  fhk.dst[0] = fk->src.address.address_un_data32[0];
351  fhk.dst[1] = fk->src.address.address_un_data32[1];
352  fhk.dst[2] = fk->src.address.address_un_data32[2];
353  fhk.dst[3] = fk->src.address.address_un_data32[3];
354  }
355 
356  const int pi = (fk->sp > fk->dp);
357  fhk.ports[1-pi] = fk->sp;
358  fhk.ports[pi] = fk->dp;
359  fhk.proto = fk->proto;
360  fhk.recur = fk->recursion_level;
361  fhk.livedev = fk->livedev_id & g_livedev_mask;
362  fhk.vlan_id[0] = fk->vlan_id[0] & g_vlan_mask;
363  fhk.vlan_id[1] = fk->vlan_id[1] & g_vlan_mask;
364  fhk.vlan_id[2] = fk->vlan_id[2] & g_vlan_mask;
365 
366  hash = hashword(fhk.u32, ARRAY_SIZE(fhk.u32), flow_config.hash_rand);
367  }
368  return hash;
369 }
370 
371 static inline bool CmpAddrs(const uint32_t addr1[4], const uint32_t addr2[4])
372 {
373  return addr1[0] == addr2[0] && addr1[1] == addr2[1] &&
374  addr1[2] == addr2[2] && addr1[3] == addr2[3];
375 }
376 
377 static inline bool CmpAddrsAndPorts(const uint32_t src1[4],
378  const uint32_t dst1[4], Port src_port1, Port dst_port1,
379  const uint32_t src2[4], const uint32_t dst2[4], Port src_port2,
380  Port dst_port2)
381 {
382  /* Compare the source and destination addresses. If they are not equal,
383  * compare the first source address with the second destination address,
384  * and vice versa. Likewise for ports. */
385  return (CmpAddrs(src1, src2) && CmpAddrs(dst1, dst2) &&
386  src_port1 == src_port2 && dst_port1 == dst_port2) ||
387  (CmpAddrs(src1, dst2) && CmpAddrs(dst1, src2) &&
388  src_port1 == dst_port2 && dst_port1 == src_port2);
389 }
390 
391 static inline bool CmpVlanIds(
392  const uint16_t vlan_id1[VLAN_MAX_LAYERS], const uint16_t vlan_id2[VLAN_MAX_LAYERS])
393 {
394  return ((vlan_id1[0] ^ vlan_id2[0]) & g_vlan_mask) == 0 &&
395  ((vlan_id1[1] ^ vlan_id2[1]) & g_vlan_mask) == 0 &&
396  ((vlan_id1[2] ^ vlan_id2[2]) & g_vlan_mask) == 0;
397 }
398 
399 static inline bool CmpLiveDevIds(const LiveDevice *livedev, const uint16_t id)
400 {
401  uint16_t devid = livedev ? livedev->id : 0;
402  return (((devid ^ id) & g_livedev_mask) == 0);
403 }
404 
405 /* Since two or more flows can have the same hash key, we need to compare
406  * the flow with the current packet or flow key. */
407 static inline bool CmpFlowPacket(const Flow *f, const Packet *p)
408 {
409  const uint32_t *f_src = f->src.address.address_un_data32;
410  const uint32_t *f_dst = f->dst.address.address_un_data32;
411  const uint32_t *p_src = p->src.address.address_un_data32;
412  const uint32_t *p_dst = p->dst.address.address_un_data32;
413  return CmpAddrsAndPorts(f_src, f_dst, f->sp, f->dp, p_src, p_dst, p->sp, p->dp) &&
414  f->proto == p->proto && f->recursion_level == p->recursion_level &&
415  CmpVlanIds(f->vlan_id, p->vlan_id) && (f->livedev == p->livedev || g_livedev_mask == 0);
416 }
417 
418 static inline bool CmpFlowKey(const Flow *f, const FlowKey *k)
419 {
420  const uint32_t *f_src = f->src.address.address_un_data32;
421  const uint32_t *f_dst = f->dst.address.address_un_data32;
422  const uint32_t *k_src = k->src.address.address_un_data32;
423  const uint32_t *k_dst = k->dst.address.address_un_data32;
424  return CmpAddrsAndPorts(f_src, f_dst, f->sp, f->dp, k_src, k_dst, k->sp, k->dp) &&
425  f->proto == k->proto && f->recursion_level == k->recursion_level &&
426  CmpVlanIds(f->vlan_id, k->vlan_id) && CmpLiveDevIds(f->livedev, k->livedev_id);
427 }
428 
429 static inline bool CmpAddrsAndICMPTypes(const uint32_t src1[4],
430  const uint32_t dst1[4], uint8_t icmp_s_type1, uint8_t icmp_d_type1,
431  const uint32_t src2[4], const uint32_t dst2[4], uint8_t icmp_s_type2,
432  uint8_t icmp_d_type2)
433 {
434  /* Compare the source and destination addresses. If they are not equal,
435  * compare the first source address with the second destination address,
436  * and vice versa. Likewise for icmp types. */
437  return (CmpAddrs(src1, src2) && CmpAddrs(dst1, dst2) &&
438  icmp_s_type1 == icmp_s_type2 && icmp_d_type1 == icmp_d_type2) ||
439  (CmpAddrs(src1, dst2) && CmpAddrs(dst1, src2) &&
440  icmp_s_type1 == icmp_d_type2 && icmp_d_type1 == icmp_s_type2);
441 }
442 
443 static inline bool CmpFlowICMPPacket(const Flow *f, const Packet *p)
444 {
445  const uint32_t *f_src = f->src.address.address_un_data32;
446  const uint32_t *f_dst = f->dst.address.address_un_data32;
447  const uint32_t *p_src = p->src.address.address_un_data32;
448  const uint32_t *p_dst = p->dst.address.address_un_data32;
449  return CmpAddrsAndICMPTypes(f_src, f_dst, f->icmp_s.type, f->icmp_d.type, p_src, p_dst,
450  p->icmp_s.type, p->icmp_d.type) &&
451  f->proto == p->proto && f->recursion_level == p->recursion_level &&
452  CmpVlanIds(f->vlan_id, p->vlan_id) && (f->livedev == p->livedev || g_livedev_mask == 0);
453 }
454 
455 /**
456  * \brief See if a ICMP packet belongs to a flow by comparing the embedded
457  * packet in the ICMP error packet to the flow.
458  *
459  * \param f flow
460  * \param p ICMP packet
461  *
462  * \retval 1 match
463  * \retval 0 no match
464  */
465 static inline int FlowCompareICMPv4(Flow *f, const Packet *p)
466 {
468  /* first check the direction of the flow, in other words, the client ->
469  * server direction as it's most likely the ICMP error will be a
470  * response to the clients traffic */
471  if ((f->src.addr_data32[0] == IPV4_GET_RAW_IPSRC_U32(PacketGetICMPv4EmbIPv4(p))) &&
472  (f->dst.addr_data32[0] == IPV4_GET_RAW_IPDST_U32(PacketGetICMPv4EmbIPv4(p))) &&
473  f->sp == p->l4.vars.icmpv4.emb_sport && f->dp == p->l4.vars.icmpv4.emb_dport &&
475  CmpVlanIds(f->vlan_id, p->vlan_id) &&
476  (f->livedev == p->livedev || g_livedev_mask == 0)) {
477  return 1;
478 
479  /* check the less likely case where the ICMP error was a response to
480  * a packet from the server. */
481  } else if ((f->dst.addr_data32[0] == IPV4_GET_RAW_IPSRC_U32(PacketGetICMPv4EmbIPv4(p))) &&
482  (f->src.addr_data32[0] == IPV4_GET_RAW_IPDST_U32(PacketGetICMPv4EmbIPv4(p))) &&
483  f->dp == p->l4.vars.icmpv4.emb_sport && f->sp == p->l4.vars.icmpv4.emb_dport &&
484  f->proto == ICMPV4_GET_EMB_PROTO(p) &&
485  f->recursion_level == p->recursion_level && CmpVlanIds(f->vlan_id, p->vlan_id) &&
486  (f->livedev == p->livedev || g_livedev_mask == 0)) {
487  return 1;
488  }
489 
490  /* no match, fall through */
491  } else {
492  /* just treat ICMP as a normal proto for now */
493  return CmpFlowICMPPacket(f, p);
494  }
495 
496  return 0;
497 }
498 
499 /**
500  * \brief See if a IP-ESP packet belongs to a flow by comparing the SPI
501  *
502  * \param f flow
503  * \param p ESP packet
504  *
505  * \retval 1 match
506  * \retval 0 no match
507  */
508 static inline int FlowCompareESP(Flow *f, const Packet *p)
509 {
510  const uint32_t *f_src = f->src.address.address_un_data32;
511  const uint32_t *f_dst = f->dst.address.address_un_data32;
512  const uint32_t *p_src = p->src.address.address_un_data32;
513  const uint32_t *p_dst = p->dst.address.address_un_data32;
514 
515  return CmpAddrs(f_src, p_src) && CmpAddrs(f_dst, p_dst) && f->proto == p->proto &&
516  f->recursion_level == p->recursion_level && CmpVlanIds(f->vlan_id, p->vlan_id) &&
517  f->esp.spi == ESP_GET_SPI(PacketGetESP(p)) &&
518  (f->livedev == p->livedev || g_livedev_mask == 0);
519 }
520 
522 {
523  p->flags |= PKT_WANTS_FLOW;
524  p->flow_hash = FlowGetHash(p);
525 }
526 
527 static inline int FlowCompare(Flow *f, const Packet *p)
528 {
529  if (p->proto == IPPROTO_ICMP) {
530  return FlowCompareICMPv4(f, p);
531  } else if (PacketIsESP(p)) {
532  return FlowCompareESP(f, p);
533  }
534  return CmpFlowPacket(f, p);
535 }
536 
537 /**
538  * \brief Check if we should create a flow based on a packet
539  *
540  * We use this check to filter out flow creation based on:
541  * - ICMP error messages
542  * - TCP flags (emergency mode only)
543  *
544  * \param p packet
545  * \retval true
546  * \retval false
547  */
548 static inline bool FlowCreateCheck(const Packet *p, const bool emerg)
549 {
550  /* if we're in emergency mode, don't try to create a flow for a TCP
551  * that is not a TCP SYN packet. */
552  if (emerg) {
553  if (PacketIsTCP(p)) {
554  const TCPHdr *tcph = PacketGetTCP(p);
555  if (((tcph->th_flags & (TH_SYN | TH_ACK | TH_RST | TH_FIN)) == TH_SYN) ||
557  ;
558  } else {
559  return false;
560  }
561  }
562  }
563 
564  if (PacketIsICMPv4(p)) {
565  if (ICMPV4_IS_ERROR_MSG(p->icmp_s.type)) {
566  return false;
567  }
568  }
569 
570  return true;
571 }
572 
573 static inline void FlowUpdateCounter(ThreadVars *tv, DecodeThreadVars *dtv,
574  uint8_t proto)
575 {
576 #ifdef UNITTESTS
577  if (tv && dtv) {
578 #endif
581  switch (proto){
582  case IPPROTO_UDP:
584  break;
585  case IPPROTO_TCP:
587  break;
588  case IPPROTO_ICMP:
590  break;
591  case IPPROTO_ICMPV6:
593  break;
594  }
595 #ifdef UNITTESTS
596  }
597 #endif
598 }
599 
600 /** \internal
601  * \brief try to fetch a new set of flows from the master flow pool.
602  *
603  * If in emergency mode, do this only once a second at max to avoid trying
604  * to synchronise per packet in the worse case. */
605 static inline Flow *FlowSpareSync(ThreadVars *tv, FlowLookupStruct *fls,
606  const Packet *p, const bool emerg)
607 {
608  Flow *f = NULL;
609  bool spare_sync = false;
610  if (emerg) {
611  if ((uint32_t)SCTIME_SECS(p->ts) > fls->emerg_spare_sync_stamp) {
612  fls->spare_queue = FlowSpareGetFromPool(); /* local empty, (re)populate and try again */
613  spare_sync = true;
615  if (f == NULL) {
616  /* wait till next full sec before retrying */
617  fls->emerg_spare_sync_stamp = (uint32_t)SCTIME_SECS(p->ts);
618  }
619  }
620  } else {
621  fls->spare_queue = FlowSpareGetFromPool(); /* local empty, (re)populate and try again */
623  spare_sync = true;
624  }
625 #ifdef UNITTESTS
626  if (tv && fls->dtv) {
627 #endif
628  if (spare_sync) {
629  if (f != NULL) {
631  if (fls->spare_queue.len < 99) {
633  }
634  } else if (fls->spare_queue.len == 0) {
636  }
638  }
639 #ifdef UNITTESTS
640  }
641 #endif
642  return f;
643 }
644 
645 static void FlowExceptionPolicyStatsIncr(
646  ThreadVars *tv, FlowLookupStruct *fls, enum ExceptionPolicy policy)
647 {
648 #ifdef UNITTESTS
649  if (tv == NULL) {
650  return;
651  }
652 #endif
653  uint16_t id = fls->dtv->counter_flow_memcap_eps.eps_id[policy];
654  if (likely(id > 0)) {
655  StatsIncr(tv, id);
656  }
657 }
658 
659 static inline void NoFlowHandleIPS(ThreadVars *tv, FlowLookupStruct *fls, Packet *p)
660 {
662  FlowExceptionPolicyStatsIncr(tv, fls, flow_config.memcap_policy);
663 }
664 
665 /**
666  * \brief Get a new flow
667  *
668  * Get a new flow. We're checking memcap first and will try to make room
669  * if the memcap is reached.
670  *
671  * \param tv thread vars
672  * \param fls lookup support vars
673  *
674  * \retval f *LOCKED* flow on success, NULL on error or if we should not create
675  * a new flow.
676  */
677 static Flow *FlowGetNew(ThreadVars *tv, FlowLookupStruct *fls, Packet *p)
678 {
679  const bool emerg = ((SC_ATOMIC_GET(flow_flags) & FLOW_EMERGENCY) != 0);
680 #ifdef DEBUG
681  if (g_eps_flow_memcap != UINT64_MAX && g_eps_flow_memcap == p->pcap_cnt) {
682  NoFlowHandleIPS(tv, fls, p);
684  return NULL;
685  }
686 #endif
687  if (!FlowCreateCheck(p, emerg)) {
688  return NULL;
689  }
690 
691  /* get a flow from the spare queue */
693  if (f == NULL) {
694  f = FlowSpareSync(tv, fls, p, emerg);
695  }
696  if (f == NULL) {
697  /* If we reached the max memcap, we get a used flow */
698  if (!(FLOW_CHECK_MEMCAP(sizeof(Flow) + FlowStorageSize()))) {
699  /* declare state of emergency */
700  if (!(SC_ATOMIC_GET(flow_flags) & FLOW_EMERGENCY)) {
701  SC_ATOMIC_OR(flow_flags, FLOW_EMERGENCY);
704  }
705 
706  f = FlowGetUsedFlow(tv, fls->dtv, p->ts);
707  if (f == NULL) {
708  NoFlowHandleIPS(tv, fls, p);
709 #ifdef UNITTESTS
710  if (tv != NULL && fls->dtv != NULL) {
711 #endif
713 #ifdef UNITTESTS
714  }
715 #endif
716  return NULL;
717  }
718 #ifdef UNITTESTS
719  if (tv != NULL && fls->dtv != NULL) {
720 #endif
722 #ifdef UNITTESTS
723  }
724 #endif
725  /* flow is still locked from FlowGetUsedFlow() */
726  FlowUpdateCounter(tv, fls->dtv, p->proto);
727  return f;
728  }
729 
730  /* now see if we can alloc a new flow */
731  f = FlowAlloc();
732  if (f == NULL) {
733 #ifdef UNITTESTS
734  if (tv != NULL && fls->dtv != NULL) {
735 #endif
737 #ifdef UNITTESTS
738  }
739 #endif
740  NoFlowHandleIPS(tv, fls, p);
741  return NULL;
742  }
743 
744  /* flow is initialized but *unlocked* */
745  } else {
746  /* flow has been recycled before it went into the spare queue */
747 
748  /* flow is initialized (recycled) but *unlocked* */
749  }
750 
751  FLOWLOCK_WRLOCK(f);
752  FlowUpdateCounter(tv, fls->dtv, p->proto);
753  return f;
754 }
755 
756 static Flow *TcpReuseReplace(ThreadVars *tv, FlowLookupStruct *fls, FlowBucket *fb, Flow *old_f,
757  const uint32_t hash, Packet *p)
758 {
759 #ifdef UNITTESTS
760  if (tv != NULL && fls->dtv != NULL) {
761 #endif
763 #ifdef UNITTESTS
764  }
765 #endif
766  /* time out immediately */
767  old_f->timeout_at = 0;
768  /* get some settings that we move over to the new flow */
769  FlowThreadId thread_id[2] = { old_f->thread_id[0], old_f->thread_id[1] };
770 
771  /* flow is unlocked by caller */
772 
773  /* Get a new flow. It will be either a locked flow or NULL */
774  Flow *f = FlowGetNew(tv, fls, p);
775  if (f == NULL) {
776  return NULL;
777  }
778 
779  /* put at the start of the list */
780  f->next = fb->head;
781  fb->head = f;
782 
783  /* initialize and return */
784  FlowInit(f, p);
785  f->flow_hash = hash;
786  f->fb = fb;
788 
789  f->thread_id[0] = thread_id[0];
790  f->thread_id[1] = thread_id[1];
791 
793  return f;
794 }
795 
796 static inline bool FlowBelongsToUs(const ThreadVars *tv, const Flow *f)
797 {
798 #ifdef UNITTESTS
799  if (RunmodeIsUnittests()) {
800  return true;
801  }
802 #endif
803  return f->thread_id[0] == tv->id;
804 }
805 
806 static inline void MoveToWorkQueue(ThreadVars *tv, FlowLookupStruct *fls,
807  FlowBucket *fb, Flow *f, Flow *prev_f)
808 {
810 
811  /* remove from hash... */
812  if (prev_f) {
813  prev_f->next = f->next;
814  }
815  if (f == fb->head) {
816  fb->head = f->next;
817  }
818 
819  if (f->proto != IPPROTO_TCP || FlowBelongsToUs(tv, f)) { // TODO thread_id[] direction
820  f->fb = NULL;
821  f->next = NULL;
823  } else {
824  /* implied: TCP but our thread does not own it. So set it
825  * aside for the Flow Manager to pick it up. */
826  f->next = fb->evicted;
827  fb->evicted = f;
828  if (SC_ATOMIC_GET(f->fb->next_ts) != 0) {
829  SC_ATOMIC_SET(f->fb->next_ts, 0);
830  }
831  }
832 }
833 
834 static inline bool FlowIsTimedOut(const Flow *f, const uint32_t sec, const bool emerg)
835 {
836  if (unlikely(f->timeout_at < sec)) {
837  return true;
838  } else if (unlikely(emerg)) {
840 
841  int64_t timeout_at = f->timeout_at -
842  FlowGetFlowTimeoutDirect(flow_timeouts_delta, f->flow_state, f->protomap);
843  if ((int64_t)sec >= timeout_at)
844  return true;
845  }
846  return false;
847 }
848 
849 /** \brief Get Flow for packet
850  *
851  * Hash retrieval function for flows. Looks up the hash bucket containing the
852  * flow pointer. Then compares the packet with the found flow to see if it is
853  * the flow we need. If it isn't, walk the list until the right flow is found.
854  *
855  * If the flow is not found or the bucket was empty, a new flow is taken from
856  * the spare pool. The pool will alloc new flows as long as we stay within our
857  * memcap limit.
858  *
859  * The p->flow pointer is updated to point to the flow.
860  *
861  * \param tv thread vars
862  * \param dtv decode thread vars (for flow log api thread data)
863  *
864  * \retval f *LOCKED* flow or NULL
865  */
867 {
868  Flow *f = NULL;
869 
870  /* get our hash bucket and lock it */
871  const uint32_t hash = p->flow_hash;
872  FlowBucket *fb = &flow_hash[hash % flow_config.hash_size];
873  FBLOCK_LOCK(fb);
874 
875  SCLogDebug("fb %p fb->head %p", fb, fb->head);
876 
877  /* see if the bucket already has a flow */
878  if (fb->head == NULL) {
879  f = FlowGetNew(tv, fls, p);
880  if (f == NULL) {
881  FBLOCK_UNLOCK(fb);
882  return NULL;
883  }
884 
885  /* flow is locked */
886  fb->head = f;
887 
888  /* got one, now lock, initialize and return */
889  FlowInit(f, p);
890  f->flow_hash = hash;
891  f->fb = fb;
893 
894  FlowReference(dest, f);
895 
896  FBLOCK_UNLOCK(fb);
897  return f;
898  }
899 
900  const bool emerg = (SC_ATOMIC_GET(flow_flags) & FLOW_EMERGENCY) != 0;
901  const uint32_t fb_nextts = !emerg ? SC_ATOMIC_GET(fb->next_ts) : 0;
902  /* ok, we have a flow in the bucket. Let's find out if it is our flow */
903  Flow *prev_f = NULL; /* previous flow */
904  f = fb->head;
905  do {
906  Flow *next_f = NULL;
907  const bool timedout = (fb_nextts < (uint32_t)SCTIME_SECS(p->ts) &&
908  FlowIsTimedOut(f, (uint32_t)SCTIME_SECS(p->ts), emerg));
909  if (timedout) {
910  FLOWLOCK_WRLOCK(f);
911  next_f = f->next;
912  MoveToWorkQueue(tv, fls, fb, f, prev_f);
913  FLOWLOCK_UNLOCK(f);
914  goto flow_removed;
915  } else if (FlowCompare(f, p) != 0) {
916  FLOWLOCK_WRLOCK(f);
917  /* found a matching flow that is not timed out */
918  if (unlikely(TcpSessionPacketSsnReuse(p, f, f->protoctx))) {
919  Flow *new_f = TcpReuseReplace(tv, fls, fb, f, hash, p);
920  if (prev_f == NULL) /* if we have no prev it means new_f is now our prev */
921  prev_f = new_f;
922  MoveToWorkQueue(tv, fls, fb, f, prev_f); /* evict old flow */
923  FLOWLOCK_UNLOCK(f); /* unlock old replaced flow */
924 
925  if (new_f == NULL) {
926  FBLOCK_UNLOCK(fb);
927  return NULL;
928  }
929  f = new_f;
930  }
931  FlowReference(dest, f);
932  FBLOCK_UNLOCK(fb);
933  return f; /* return w/o releasing flow lock */
934  }
935  /* unless we removed 'f', prev_f needs to point to
936  * current 'f' when adding a new flow below. */
937  prev_f = f;
938  next_f = f->next;
939 
940 flow_removed:
941  if (next_f == NULL) {
942  f = FlowGetNew(tv, fls, p);
943  if (f == NULL) {
944  FBLOCK_UNLOCK(fb);
945  return NULL;
946  }
947 
948  /* flow is locked */
949 
950  f->next = fb->head;
951  fb->head = f;
952 
953  /* initialize and return */
954  FlowInit(f, p);
955  f->flow_hash = hash;
956  f->fb = fb;
958  FlowReference(dest, f);
959  FBLOCK_UNLOCK(fb);
960  return f;
961  }
962  f = next_f;
963  } while (f != NULL);
964 
965  /* should be unreachable */
966  BUG_ON(1);
967  return NULL;
968 }
969 
970 /** \internal
971  * \retval true if flow matches key
972  * \retval false if flow does not match key, or unsupported protocol
973  * \note only supports TCP & UDP
974  */
975 static inline bool FlowCompareKey(Flow *f, FlowKey *key)
976 {
977  if ((f->proto != IPPROTO_TCP) && (f->proto != IPPROTO_UDP))
978  return false;
979  return CmpFlowKey(f, key);
980 }
981 
982 /** \brief Look for existing Flow using a flow id value
983  *
984  * Hash retrieval function for flows. Looks up the hash bucket containing the
985  * flow pointer. Then compares the flow_id with the found flow's flow_id to see
986  * if it is the flow we need.
987  *
988  * \param flow_id Flow ID of the flow to look for
989  * \retval f *LOCKED* flow or NULL
990  */
992 {
993  uint32_t hash = flow_id & 0x0000FFFF;
994  FlowBucket *fb = &flow_hash[hash % flow_config.hash_size];
995  FBLOCK_LOCK(fb);
996  SCLogDebug("fb %p fb->head %p", fb, fb->head);
997 
998  for (Flow *f = fb->head; f != NULL; f = f->next) {
999  if (FlowGetId(f) == flow_id) {
1000  /* found our flow, lock & return */
1001  FLOWLOCK_WRLOCK(f);
1002  FBLOCK_UNLOCK(fb);
1003  return f;
1004  }
1005  }
1006  FBLOCK_UNLOCK(fb);
1007  return NULL;
1008 }
1009 
1010 /** \brief Look for existing Flow using a FlowKey
1011  *
1012  * Hash retrieval function for flows. Looks up the hash bucket containing the
1013  * flow pointer. Then compares the key with the found flow to see if it is
1014  * the flow we need. If it isn't, walk the list until the right flow is found.
1015  *
1016  * \param key Pointer to FlowKey build using flow to look for
1017  * \param hash Value of the flow hash
1018  * \retval f *LOCKED* flow or NULL
1019  */
1020 static Flow *FlowGetExistingFlowFromHash(FlowKey *key, const uint32_t hash)
1021 {
1022  /* get our hash bucket and lock it */
1023  FlowBucket *fb = &flow_hash[hash % flow_config.hash_size];
1024  FBLOCK_LOCK(fb);
1025  SCLogDebug("fb %p fb->head %p", fb, fb->head);
1026 
1027  for (Flow *f = fb->head; f != NULL; f = f->next) {
1028  /* see if this is the flow we are looking for */
1029  if (FlowCompareKey(f, key)) {
1030  /* found our flow, lock & return */
1031  FLOWLOCK_WRLOCK(f);
1032  FBLOCK_UNLOCK(fb);
1033  return f;
1034  }
1035  }
1036 
1037  FBLOCK_UNLOCK(fb);
1038  return NULL;
1039 }
1040 
1041 /** \brief Get or create a Flow using a FlowKey
1042  *
1043  * Hash retrieval function for flows. Looks up the hash bucket containing the
1044  * flow pointer. Then compares the packet with the found flow to see if it is
1045  * the flow we need. If it isn't, walk the list until the right flow is found.
1046  * Return a new Flow if ever no Flow was found.
1047  *
1048  *
1049  * \param key Pointer to FlowKey build using flow to look for
1050  * \param ttime time to use for flow creation
1051  * \param hash Value of the flow hash
1052  * \retval f *LOCKED* flow or NULL
1053  */
1054 
1055 Flow *FlowGetFromFlowKey(FlowKey *key, struct timespec *ttime, const uint32_t hash)
1056 {
1057  Flow *f = FlowGetExistingFlowFromHash(key, hash);
1058 
1059  if (f != NULL) {
1060  return f;
1061  }
1062  /* TODO use spare pool */
1063  /* now see if we can alloc a new flow */
1064  f = FlowAlloc();
1065  if (f == NULL) {
1066  SCLogDebug("Can't get a spare flow at start");
1067  return NULL;
1068  }
1069  f->proto = key->proto;
1070  memcpy(&f->vlan_id[0], &key->vlan_id[0], sizeof(f->vlan_id));
1071  ;
1072  f->src.addr_data32[0] = key->src.addr_data32[0];
1073  f->src.addr_data32[1] = key->src.addr_data32[1];
1074  f->src.addr_data32[2] = key->src.addr_data32[2];
1075  f->src.addr_data32[3] = key->src.addr_data32[3];
1076  f->dst.addr_data32[0] = key->dst.addr_data32[0];
1077  f->dst.addr_data32[1] = key->dst.addr_data32[1];
1078  f->dst.addr_data32[2] = key->dst.addr_data32[2];
1079  f->dst.addr_data32[3] = key->dst.addr_data32[3];
1080  f->sp = key->sp;
1081  f->dp = key->dp;
1082  f->recursion_level = 0;
1083  // f->livedev is set by caller EBPFCreateFlowForKey
1084  f->flow_hash = hash;
1085  if (key->src.family == AF_INET) {
1086  f->flags |= FLOW_IPV4;
1087  } else if (key->src.family == AF_INET6) {
1088  f->flags |= FLOW_IPV6;
1089  }
1090 
1092  /* set timestamp to now */
1093  f->startts = SCTIME_FROM_TIMESPEC(ttime);
1094  f->lastts = f->startts;
1095 
1096  FlowBucket *fb = &flow_hash[hash % flow_config.hash_size];
1097  FBLOCK_LOCK(fb);
1098  f->fb = fb;
1099  f->next = fb->head;
1100  fb->head = f;
1101  FLOWLOCK_WRLOCK(f);
1102  FBLOCK_UNLOCK(fb);
1103  return f;
1104 }
1105 
1106 #define FLOW_GET_NEW_TRIES 5
1108 /* inline locking wrappers to make profiling easier */
1109 
1110 static inline int GetUsedTryLockBucket(FlowBucket *fb)
1111 {
1112  int r = FBLOCK_TRYLOCK(fb);
1113  return r;
1114 }
1115 static inline int GetUsedTryLockFlow(Flow *f)
1116 {
1117  int r = FLOWLOCK_TRYWRLOCK(f);
1118  return r;
1119 }
1120 static inline uint32_t GetUsedAtomicUpdate(const uint32_t val)
1121 {
1122  uint32_t r = SC_ATOMIC_ADD(flow_prune_idx, val);
1123  return r;
1124 }
1125 
1126 /** \internal
1127  * \brief check if flow has just seen an update.
1128  */
1129 static inline bool StillAlive(const Flow *f, const SCTime_t ts)
1130 {
1131  switch (f->flow_state) {
1132  case FLOW_STATE_NEW:
1133  if (SCTIME_SECS(ts) - SCTIME_SECS(f->lastts) <= 1) {
1134  return true;
1135  }
1136  break;
1138  if (SCTIME_SECS(ts) - SCTIME_SECS(f->lastts) <= 5) {
1139  return true;
1140  }
1141  break;
1142  case FLOW_STATE_CLOSED:
1143  if (SCTIME_SECS(ts) - SCTIME_SECS(f->lastts) <= 3) {
1144  return true;
1145  }
1146  break;
1147  default:
1148  if (SCTIME_SECS(ts) - SCTIME_SECS(f->lastts) < 30) {
1149  return true;
1150  }
1151  break;
1152  }
1153  return false;
1154 }
1155 
1156 #ifdef UNITTESTS
1157  #define STATSADDUI64(cnt, value) \
1158  if (tv && dtv) { \
1159  StatsAddUI64(tv, dtv->cnt, (value)); \
1160  }
1161 #else
1162  #define STATSADDUI64(cnt, value) \
1163  StatsAddUI64(tv, dtv->cnt, (value));
1164 #endif
1165 
1166 /** \internal
1167  * \brief Get a flow from the hash directly.
1168  *
1169  * Called in conditions where the spare queue is empty and memcap is reached.
1170  *
1171  * Walks the hash until a flow can be freed. Timeouts are disregarded.
1172  * "flow_prune_idx" atomic int makes sure we don't start at the
1173  * top each time since that would clear the top of the hash leading to longer
1174  * and longer search times under high pressure (observed).
1175  *
1176  * \param tv thread vars
1177  * \param dtv decode thread vars (for flow log api thread data)
1178  *
1179  * \retval f flow or NULL
1180  */
1181 static Flow *FlowGetUsedFlow(ThreadVars *tv, DecodeThreadVars *dtv, const SCTime_t ts)
1182 {
1183  uint32_t idx = GetUsedAtomicUpdate(FLOW_GET_NEW_TRIES) % flow_config.hash_size;
1184  uint32_t tried = 0;
1185 
1186  while (1) {
1187  if (tried++ > FLOW_GET_NEW_TRIES) {
1188  STATSADDUI64(counter_flow_get_used_eval, tried);
1189  break;
1190  }
1191  if (++idx >= flow_config.hash_size)
1192  idx = 0;
1193 
1194  FlowBucket *fb = &flow_hash[idx];
1195 
1196  if (SC_ATOMIC_GET(fb->next_ts) == UINT_MAX)
1197  continue;
1198 
1199  if (GetUsedTryLockBucket(fb) != 0) {
1200  STATSADDUI64(counter_flow_get_used_eval_busy, 1);
1201  continue;
1202  }
1203 
1204  Flow *f = fb->head;
1205  if (f == NULL) {
1206  FBLOCK_UNLOCK(fb);
1207  continue;
1208  }
1209 
1210  if (GetUsedTryLockFlow(f) != 0) {
1211  STATSADDUI64(counter_flow_get_used_eval_busy, 1);
1212  FBLOCK_UNLOCK(fb);
1213  continue;
1214  }
1215 
1216  if (StillAlive(f, ts)) {
1217  STATSADDUI64(counter_flow_get_used_eval_reject, 1);
1218  FBLOCK_UNLOCK(fb);
1219  FLOWLOCK_UNLOCK(f);
1220  continue;
1221  }
1222 
1223  /* remove from the hash */
1224  fb->head = f->next;
1225  f->next = NULL;
1226  f->fb = NULL;
1227  FBLOCK_UNLOCK(fb);
1228 
1229  /* rest of the flags is updated on-demand in output */
1231  if (SC_ATOMIC_GET(flow_flags) & FLOW_EMERGENCY)
1233 
1234  /* invoke flow log api */
1235 #ifdef UNITTESTS
1236  if (dtv) {
1237 #endif
1240  }
1241 #ifdef UNITTESTS
1242  }
1243 #endif
1244 
1245  FlowClearMemory(f, f->protomap);
1246 
1247  /* leave locked */
1248 
1249  STATSADDUI64(counter_flow_get_used_eval, tried);
1250  return f;
1251  }
1252 
1253  STATSADDUI64(counter_flow_get_used_failed, 1);
1254  return NULL;
1255 }
FlowHashKey4_::ports
uint16_t ports[2]
Definition: flow-hash.c:90
ESP_GET_SPI
#define ESP_GET_SPI(esph)
Get the spi field off a packet.
Definition: decode-esp.h:29
FlowLookupStruct_::work_queue
FlowQueuePrivate work_queue
Definition: flow.h:552
OutputFlowLog
TmEcode OutputFlowLog(ThreadVars *tv, void *thread_data, Flow *f)
Run flow logger(s)
Definition: output-flow.c:85
Packet_::proto
uint8_t proto
Definition: decode.h:504
DecodeThreadVars_::counter_flow_udp
uint16_t counter_flow_udp
Definition: decode.h:1015
ts
uint64_t ts
Definition: source-erf-file.c:55
ExceptionPolicyApply
void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDropReason drop_reason)
Definition: util-exception-policy.c:69
g_livedev_mask
uint16_t g_livedev_mask
Definition: suricata.c:205
DecodeThreadVars_::counter_flow_active
uint16_t counter_flow_active
Definition: decode.h:1013
ICMPV4_GET_EMB_PROTO
#define ICMPV4_GET_EMB_PROTO(p)
Definition: decode-icmpv4.h:243
Flow_::recursion_level
uint8_t recursion_level
Definition: flow.h:383
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:166
IPV4_GET_RAW_IPDST_U32
#define IPV4_GET_RAW_IPDST_U32(ip4h)
Definition: decode-ipv4.h:110
hashword
uint32_t hashword(const uint32_t *k, size_t length, uint32_t initval)
Definition: util-hash-lookup3.c:172
FLOW_STATE_ESTABLISHED
@ FLOW_STATE_ESTABLISHED
Definition: flow.h:511
flow-util.h
FBLOCK_LOCK
#define FBLOCK_LOCK(fb)
Definition: flow-hash.h:73
FlowLookupStruct_::dtv
DecodeThreadVars * dtv
Definition: flow.h:551
DecodeThreadVars_::counter_flow_icmp4
uint16_t counter_flow_icmp4
Definition: decode.h:1016
Flow_::startts
SCTime_t startts
Definition: flow.h:499
TcpSessionPacketSsnReuse
bool TcpSessionPacketSsnReuse(const Packet *p, const Flow *f, const void *tcp_ssn)
Definition: stream-tcp.c:5879
stream-tcp.h
FlowKey_::src
Address src
Definition: flow.h:314
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:386
PKT_DROP_REASON_FLOW_MEMCAP
@ PKT_DROP_REASON_FLOW_MEMCAP
Definition: decode.h:371
FlowCnf_::hash_size
uint32_t hash_size
Definition: flow.h:298
FlowAddress_::address_un_data32
uint32_t address_un_data32[4]
Definition: flow.h:324
FlowSpareGetFromPool
FlowQueuePrivate FlowSpareGetFromPool(void)
Definition: flow-spare-pool.c:173
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:609
DecodeThreadVars_::counter_flow_spare_sync_avg
uint16_t counter_flow_spare_sync_avg
Definition: decode.h:1028
Flow_::proto
uint8_t proto
Definition: flow.h:382
Packet_::flags
uint32_t flags
Definition: decode.h:519
FlowKeyGetHash
uint32_t FlowKeyGetHash(FlowKey *fk)
Definition: flow-hash.c:307
threads.h
ICMPV4_DEST_UNREACH_IS_VALID
#define ICMPV4_DEST_UNREACH_IS_VALID(p)
Definition: decode-icmpv4.h:253
TH_RST
#define TH_RST
Definition: decode-tcp.h:36
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:360
FlowHashKey4_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: flow-hash.c:94
Address_::address
union Address_::@26 address
TH_FIN
#define TH_FIN
Definition: decode-tcp.h:34
Flow_::protomap
uint8_t protomap
Definition: flow.h:454
LiveDevice_
Definition: util-device.h:50
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:332
FlowProtoTimeout_
Definition: flow.h:524
LiveDevice_::id
uint16_t id
Definition: util-device.h:56
FLOWLOCK_TRYWRLOCK
#define FLOWLOCK_TRYWRLOCK(fb)
Definition: flow.h:276
PKT_WANTS_FLOW
#define PKT_WANTS_FLOW
Definition: decode.h:1311
flow-hash.h
FlowLookupStruct_
Definition: flow.h:548
FlowHashKey4
struct FlowHashKey4_ FlowHashKey4
FBLOCK_TRYLOCK
#define FBLOCK_TRYLOCK(fb)
Definition: flow-hash.h:74
TcpStreamCnf_
Definition: stream-tcp.h:44
DecodeThreadVars_::counter_flow_tcp
uint16_t counter_flow_tcp
Definition: decode.h:1014
Packet_::icmp_s
struct Packet_::@29::@36 icmp_s
Address_::address_un_data32
uint32_t address_un_data32[4]
Definition: decode.h:120
proto
uint8_t proto
Definition: decode-template.h:0
FlowHashKey6_::recur
uint8_t recur
Definition: flow-hash.c:107
Packet_::icmp_d
struct Packet_::@31::@37 icmp_d
Flow_::dp
Port dp
Definition: flow.h:376
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:219
FlowQueuePrivate_::len
uint32_t len
Definition: flow-queue.h:44
Flow_::protoctx
void * protoctx
Definition: flow.h:450
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
DecodeThreadVars_::counter_flow_get_used
uint16_t counter_flow_get_used
Definition: decode.h:1019
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:277
Flow_::icmp_s
struct Flow_::@115::@121 icmp_s
Flow_::flow_state
FlowStateType flow_state
Definition: flow.h:421
DecodeThreadVars_::counter_flow_spare_sync_empty
uint16_t counter_flow_spare_sync_empty
Definition: decode.h:1026
DecodeThreadVars_::counter_flow_tcp_reuse
uint16_t counter_flow_tcp_reuse
Definition: decode.h:1018
DecodeThreadVars_::counter_flow_total
uint16_t counter_flow_total
Definition: decode.h:1012
FlowWakeupFlowManagerThread
void FlowWakeupFlowManagerThread(void)
Definition: flow-manager.c:82
FLOW_CHECK_MEMCAP
#define FLOW_CHECK_MEMCAP(size)
check if a memory alloc would fit in the memcap
Definition: flow-util.h:136
FlowLookupStruct_::emerg_spare_sync_stamp
uint32_t emerg_spare_sync_stamp
Definition: flow.h:553
flow-spare-pool.h
DecodeThreadVars_::counter_flow_spare_sync
uint16_t counter_flow_spare_sync
Definition: decode.h:1025
Flow_::dst
FlowAddress dst
Definition: flow.h:363
Flow_::fb
struct FlowBucket_ * fb
Definition: flow.h:497
FlowHashKey6_::ports
uint16_t ports[2]
Definition: flow-hash.c:105
FlowHashKey4_::u32
const uint32_t u32[6]
Definition: flow-hash.c:97
TCPHdr_::th_flags
uint8_t th_flags
Definition: decode-tcp.h:155
decode.h
util-device.h
util-debug.h
STREAM_PKT_FLAG_TCP_PORT_REUSE
#define STREAM_PKT_FLAG_TCP_PORT_REUSE
Definition: stream-tcp-private.h:320
FLOW_GET_NEW_TRIES
#define FLOW_GET_NEW_TRIES
Definition: flow-hash.c:1106
STATSADDUI64
#define STATSADDUI64(cnt, value)
Definition: flow-hash.c:1157
SCTIME_FROM_TIMESPEC
#define SCTIME_FROM_TIMESPEC(ts)
Definition: util-time.h:91
PacketL4::L4Vars::icmpv4
ICMPV4Vars icmpv4
Definition: decode.h:460
Packet_::ts
SCTime_t ts
Definition: decode.h:530
FlowHashKey4_::livedev
uint16_t livedev
Definition: flow-hash.c:93
util-exception-policy.h
Flow_::icmp_d
struct Flow_::@117::@123 icmp_d
FlowHashKey6_::proto
uint8_t proto
Definition: flow-hash.c:106
Flow_::lastts
SCTime_t lastts
Definition: flow.h:419
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:274
SC_ATOMIC_EXTERN
SC_ATOMIC_EXTERN(unsigned int, flow_prune_idx)
ExceptionPolicyCounters_::eps_id
uint16_t eps_id[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:45
FlowKey_::recursion_level
uint8_t recursion_level
Definition: flow.h:317
ICMPV4Vars_::emb_dport
uint16_t emb_dport
Definition: decode-icmpv4.h:197
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
Flow_::flow_end_flags
uint8_t flow_end_flags
Definition: flow.h:456
FlowStorageSize
unsigned int FlowStorageSize(void)
Definition: flow-storage.c:35
Packet_::sp
Port sp
Definition: decode.h:489
FlowHashKey6
struct FlowHashKey6_ FlowHashKey6
FlowHashKey4_::pad
uint16_t pad[1]
Definition: flow-hash.c:95
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
util-time.h
FlowQueuePrivateGetFromTop
Flow * FlowQueuePrivateGetFromTop(FlowQueuePrivate *fqc)
Definition: flow-queue.c:151
app-layer-parser.h
FlowKey_::livedev_id
uint16_t livedev_id
Definition: flow.h:318
ThreadVars_::id
int id
Definition: threadvars.h:86
FlowHashKey6_::livedev
uint16_t livedev
Definition: flow-hash.c:108
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
Flow_::esp
struct Flow_::@115::@122 esp
FlowThreadId
uint16_t FlowThreadId
Definition: flow.h:337
FlowKey_::sp
Port sp
Definition: flow.h:315
FlowTimeoutsEmergency
void FlowTimeoutsEmergency(void)
Definition: flow-manager.c:101
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:97
Packet_
Definition: decode.h:482
FlowHashKey6_::pad
uint16_t pad[1]
Definition: flow-hash.c:110
FlowAddress_::address
union FlowAddress_::@114 address
FlowGetExistingFlowFromFlowId
Flow * FlowGetExistingFlowFromFlowId(int64_t flow_id)
Look for existing Flow using a flow id value.
Definition: flow-hash.c:991
conf.h
Packet_::l4
struct PacketL4 l4
Definition: decode.h:584
Port
uint16_t Port
Definition: decode.h:223
FLOW_END_FLAG_EMERGENCY
#define FLOW_END_FLAG_EMERGENCY
Definition: flow.h:246
FBLOCK_UNLOCK
#define FBLOCK_UNLOCK(fb)
Definition: flow-hash.h:75
SCTime_t
Definition: util-time.h:40
Packet_::livedev
struct LiveDevice_ * livedev
Definition: decode.h:601
FlowHashKey4_
Definition: flow-hash.c:86
FlowClearMemory
int FlowClearMemory(Flow *f, uint8_t proto_map)
Function clear the flow memory before queueing it to spare flow queue.
Definition: flow.c:1093
flow_timeouts_delta
FlowProtoTimeout flow_timeouts_delta[FLOW_PROTO_MAX]
Definition: flow.c:87
FlowCnf_::hash_rand
uint32_t hash_rand
Definition: flow.h:297
FlowHashKey4_::addrs
uint32_t addrs[2]
Definition: flow-hash.c:89
output-flow.h
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
FlowHashKey6_
Definition: flow-hash.c:101
flow-timeout.h
Flow_::flow_hash
uint32_t flow_hash
Definition: flow.h:410
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:253
FlowUpdateState
void FlowUpdateState(Flow *f, const enum FlowState s)
Definition: flow.c:1158
Flow_::src
FlowAddress src
Definition: flow.h:363
Flow_::next
struct Flow_ * next
Definition: flow.h:405
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
FlowHashKey6_::src
uint32_t src[4]
Definition: flow-hash.c:104
FlowLookupStruct_::spare_queue
FlowQueuePrivate spare_queue
Definition: flow.h:550
FlowGetIpPairProtoHash
uint32_t FlowGetIpPairProtoHash(const Packet *p)
Definition: flow-hash.c:116
ARRAY_SIZE
#define ARRAY_SIZE(arr)
Definition: suricata-common.h:539
flow_hash
FlowBucket * flow_hash
Definition: flow-hash.c:58
FLOW_PROTO_MAX
@ FLOW_PROTO_MAX
Definition: flow-private.h:74
flow-storage.h
TH_SYN
#define TH_SYN
Definition: decode-tcp.h:35
FLOW_STATE_NEW
@ FLOW_STATE_NEW
Definition: flow.h:510
DecodeThreadVars_::counter_flow_spare_sync_incomplete
uint16_t counter_flow_spare_sync_incomplete
Definition: decode.h:1027
flow-manager.h
suricata-common.h
IPV4_GET_RAW_IPSRC_U32
#define IPV4_GET_RAW_IPSRC_U32(ip4h)
Definition: decode-ipv4.h:108
FLOW_IPV6
#define FLOW_IPV6
Definition: flow.h:101
DecodeThreadVars_::counter_flow_icmp6
uint16_t counter_flow_icmp6
Definition: decode.h:1017
flow_config
FlowConfig flow_config
Definition: flow.c:90
FlowKey_::dst
Address dst
Definition: flow.h:314
SCTIME_SECS
#define SCTIME_SECS(t)
Definition: util-time.h:57
VLAN_MAX_LAYERS
#define VLAN_MAX_LAYERS
Definition: decode-vlan.h:51
DecodeThreadVars_::counter_flow_memcap_eps
ExceptionPolicyCounters counter_flow_memcap_eps
Definition: decode.h:1009
util-hash-lookup3.h
FlowGetFlowFromHash
Flow * FlowGetFlowFromHash(ThreadVars *tv, FlowLookupStruct *fls, Packet *p, Flow **dest)
Get Flow for packet.
Definition: flow-hash.c:866
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
Flow_::livedev
struct LiveDevice_ * livedev
Definition: flow.h:407
FlowHashKey6_::dst
uint32_t dst[4]
Definition: flow-hash.c:104
TcpStreamCnf_::midstream
bool midstream
Definition: stream-tcp.h:60
FlowCnf_::memcap_policy
enum ExceptionPolicy memcap_policy
Definition: flow.h:306
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:146
g_vlan_mask
uint16_t g_vlan_mask
Definition: suricata.c:201
Packet_::flow_hash
uint32_t flow_hash
Definition: decode.h:525
FlowKey_::proto
uint8_t proto
Definition: flow.h:316
FLOW_STATE_CLOSED
@ FLOW_STATE_CLOSED
Definition: flow.h:512
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:946
FlowGetFromFlowKey
Flow * FlowGetFromFlowKey(FlowKey *key, struct timespec *ttime, const uint32_t hash)
Get or create a Flow using a FlowKey.
Definition: flow-hash.c:1055
Flow_::flags
uint32_t flags
Definition: flow.h:430
Packet_::recursion_level
uint8_t recursion_level
Definition: decode.h:507
DecodeThreadVars_::output_flow_thread_data
void * output_flow_thread_data
Definition: decode.h:1034
FlowKey_
Definition: flow.h:313
FlowHashKey6_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: flow-hash.c:109
FlowHashKey4_::proto
uint8_t proto
Definition: flow-hash.c:91
FLOW_EMERGENCY
#define FLOW_EMERGENCY
Definition: flow-private.h:37
STREAM_PKT_FLAG_SET
#define STREAM_PKT_FLAG_SET(p, f)
Definition: stream-tcp-private.h:324
Address_::family
char family
Definition: decode.h:118
Packet_::dst
Address dst
Definition: decode.h:487
Flow_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: flow.h:384
DecodeThreadVars_::counter_flow_memcap
uint16_t counter_flow_memcap
Definition: decode.h:1008
FLOW_END_FLAG_TIMEOUT
#define FLOW_END_FLAG_TIMEOUT
Definition: flow.h:247
FlowHashKey6_::u32
const uint32_t u32[12]
Definition: flow-hash.c:112
Packet_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: decode.h:509
likely
#define likely(expr)
Definition: util-optimize.h:32
Flow_::sp
Port sp
Definition: flow.h:365
ICMPV4Vars_::emb_sport
uint16_t emb_sport
Definition: decode-icmpv4.h:196
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:375
FlowKey_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: flow.h:319
flow.h
FlowQueuePrivateAppendFlow
void FlowQueuePrivateAppendFlow(FlowQueuePrivate *fqc, Flow *f)
Definition: flow-queue.c:65
FlowAlloc
Flow * FlowAlloc(void)
allocate a flow
Definition: flow-util.c:54
Packet_::dp
Port dp
Definition: decode.h:497
ExceptionPolicy
ExceptionPolicy
Definition: util-exception-policy-types.h:25
FLOW_END_FLAG_FORCED
#define FLOW_END_FLAG_FORCED
Definition: flow.h:248
ICMPV4_IS_ERROR_MSG
#define ICMPV4_IS_ERROR_MSG(type)
Definition: decode-icmpv4.h:267
Flow_::timeout_at
uint32_t timeout_at
Definition: flow.h:400
FlowKey_::dp
Port dp
Definition: flow.h:315
FlowInit
void FlowInit(Flow *f, const Packet *p)
Definition: flow-util.c:145
FlowSetupPacket
void FlowSetupPacket(Packet *p)
prepare packet for a life with flow Set PKT_WANTS_FLOW flag to indicate workers should do a flow look...
Definition: flow-hash.c:521
TCPHdr_
Definition: decode-tcp.h:149
Packet_::src
Address src
Definition: decode.h:486
PacketL4::vars
union PacketL4::L4Vars vars
FlowHashKey4_::recur
uint8_t recur
Definition: flow-hash.c:92
output.h
Flow_::thread_id
FlowThreadId thread_id[2]
Definition: flow.h:403
SC_ATOMIC_OR
#define SC_ATOMIC_OR(name, val)
Bitwise OR a value to our atomic variable.
Definition: util-atomic.h:350