suricata
flow-hash.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Pablo Rincon Crespo <pablo.rincon.crespo@gmail.com>
23  *
24  * Flow Hashing functions.
25  */
26 
27 #include "suricata-common.h"
28 #include "threads.h"
29 
30 #include "decode.h"
31 #include "detect-engine-state.h"
32 
33 #include "flow.h"
34 #include "flow-hash.h"
35 #include "flow-util.h"
36 #include "flow-private.h"
37 #include "flow-manager.h"
38 #include "flow-storage.h"
39 #include "flow-timeout.h"
40 #include "flow-spare-pool.h"
41 #include "app-layer-parser.h"
42 
43 #include "util-time.h"
44 #include "util-debug.h"
45 
46 #include "util-hash-lookup3.h"
47 
48 #include "conf.h"
49 #include "output.h"
50 #include "output-flow.h"
51 #include "stream-tcp.h"
52 
54 
55 
56 FlowBucket *flow_hash;
57 SC_ATOMIC_EXTERN(unsigned int, flow_prune_idx);
58 SC_ATOMIC_EXTERN(unsigned int, flow_flags);
59 
60 static Flow *FlowGetUsedFlow(ThreadVars *tv, DecodeThreadVars *dtv, const struct timeval *ts);
61 
62 /** \brief compare two raw ipv6 addrs
63  *
64  * \note we don't care about the real ipv6 ip's, this is just
65  * to consistently fill the FlowHashKey6 struct, without all
66  * the SCNtohl calls.
67  *
68  * \warning do not use elsewhere unless you know what you're doing.
69  * detect-engine-address-ipv6.c's AddressIPv6GtU32 is likely
70  * what you are looking for.
71  */
72 static inline int FlowHashRawAddressIPv6GtU32(const uint32_t *a, const uint32_t *b)
73 {
74  for (int i = 0; i < 4; i++) {
75  if (a[i] > b[i])
76  return 1;
77  if (a[i] < b[i])
78  break;
79  }
80 
81  return 0;
82 }
83 
84 typedef struct FlowHashKey4_ {
85  union {
86  struct {
87  uint32_t addrs[2];
88  uint16_t ports[2];
89  uint16_t proto; /**< u16 so proto and recur add up to u32 */
90  uint16_t recur; /**< u16 so proto and recur add up to u32 */
91  uint16_t vlan_id[2];
92  };
93  const uint32_t u32[5];
94  };
96 
97 typedef struct FlowHashKey6_ {
98  union {
99  struct {
100  uint32_t src[4], dst[4];
101  uint16_t ports[2];
102  uint16_t proto; /**< u16 so proto and recur add up to u32 */
103  uint16_t recur; /**< u16 so proto and recur add up to u32 */
104  uint16_t vlan_id[2];
105  };
106  const uint32_t u32[11];
107  };
109 
110 /* calculate the hash key for this packet
111  *
112  * we're using:
113  * hash_rand -- set at init time
114  * source port
115  * destination port
116  * source address
117  * destination address
118  * recursion level -- for tunnels, make sure different tunnel layers can
119  * never get mixed up.
120  *
121  * For ICMP we only consider UNREACHABLE errors atm.
122  */
123 static inline uint32_t FlowGetHash(const Packet *p)
124 {
125  uint32_t hash = 0;
126 
127  if (p->ip4h != NULL) {
128  if (p->tcph != NULL || p->udph != NULL) {
129  FlowHashKey4 fhk;
130 
131  int ai = (p->src.addr_data32[0] > p->dst.addr_data32[0]);
132  fhk.addrs[1-ai] = p->src.addr_data32[0];
133  fhk.addrs[ai] = p->dst.addr_data32[0];
134 
135  const int pi = (p->sp > p->dp);
136  fhk.ports[1-pi] = p->sp;
137  fhk.ports[pi] = p->dp;
138 
139  fhk.proto = (uint16_t)p->proto;
140  fhk.recur = (uint16_t)p->recursion_level;
141  /* g_vlan_mask sets the vlan_ids to 0 if vlan.use-for-tracking
142  * is disabled. */
143  fhk.vlan_id[0] = p->vlan_id[0] & g_vlan_mask;
144  fhk.vlan_id[1] = p->vlan_id[1] & g_vlan_mask;
145 
146  hash = hashword(fhk.u32, 5, flow_config.hash_rand);
147 
148  } else if (ICMPV4_DEST_UNREACH_IS_VALID(p)) {
149  uint32_t psrc = IPV4_GET_RAW_IPSRC_U32(ICMPV4_GET_EMB_IPV4(p));
150  uint32_t pdst = IPV4_GET_RAW_IPDST_U32(ICMPV4_GET_EMB_IPV4(p));
151  FlowHashKey4 fhk;
152 
153  const int ai = (psrc > pdst);
154  fhk.addrs[1-ai] = psrc;
155  fhk.addrs[ai] = pdst;
156 
157  const int pi = (p->icmpv4vars.emb_sport > p->icmpv4vars.emb_dport);
158  fhk.ports[1-pi] = p->icmpv4vars.emb_sport;
159  fhk.ports[pi] = p->icmpv4vars.emb_dport;
160 
161  fhk.proto = (uint16_t)ICMPV4_GET_EMB_PROTO(p);
162  fhk.recur = (uint16_t)p->recursion_level;
163  fhk.vlan_id[0] = p->vlan_id[0] & g_vlan_mask;
164  fhk.vlan_id[1] = p->vlan_id[1] & g_vlan_mask;
165 
166  hash = hashword(fhk.u32, 5, flow_config.hash_rand);
167 
168  } else {
169  FlowHashKey4 fhk;
170  const int ai = (p->src.addr_data32[0] > p->dst.addr_data32[0]);
171  fhk.addrs[1-ai] = p->src.addr_data32[0];
172  fhk.addrs[ai] = p->dst.addr_data32[0];
173  fhk.ports[0] = 0xfeed;
174  fhk.ports[1] = 0xbeef;
175  fhk.proto = (uint16_t)p->proto;
176  fhk.recur = (uint16_t)p->recursion_level;
177  fhk.vlan_id[0] = p->vlan_id[0] & g_vlan_mask;
178  fhk.vlan_id[1] = p->vlan_id[1] & g_vlan_mask;
179 
180  hash = hashword(fhk.u32, 5, flow_config.hash_rand);
181  }
182  } else if (p->ip6h != NULL) {
183  FlowHashKey6 fhk;
184  if (FlowHashRawAddressIPv6GtU32(p->src.addr_data32, p->dst.addr_data32)) {
185  fhk.src[0] = p->src.addr_data32[0];
186  fhk.src[1] = p->src.addr_data32[1];
187  fhk.src[2] = p->src.addr_data32[2];
188  fhk.src[3] = p->src.addr_data32[3];
189  fhk.dst[0] = p->dst.addr_data32[0];
190  fhk.dst[1] = p->dst.addr_data32[1];
191  fhk.dst[2] = p->dst.addr_data32[2];
192  fhk.dst[3] = p->dst.addr_data32[3];
193  } else {
194  fhk.src[0] = p->dst.addr_data32[0];
195  fhk.src[1] = p->dst.addr_data32[1];
196  fhk.src[2] = p->dst.addr_data32[2];
197  fhk.src[3] = p->dst.addr_data32[3];
198  fhk.dst[0] = p->src.addr_data32[0];
199  fhk.dst[1] = p->src.addr_data32[1];
200  fhk.dst[2] = p->src.addr_data32[2];
201  fhk.dst[3] = p->src.addr_data32[3];
202  }
203 
204  const int pi = (p->sp > p->dp);
205  fhk.ports[1-pi] = p->sp;
206  fhk.ports[pi] = p->dp;
207  fhk.proto = (uint16_t)p->proto;
208  fhk.recur = (uint16_t)p->recursion_level;
209  fhk.vlan_id[0] = p->vlan_id[0] & g_vlan_mask;
210  fhk.vlan_id[1] = p->vlan_id[1] & g_vlan_mask;
211 
212  hash = hashword(fhk.u32, 11, flow_config.hash_rand);
213  }
214 
215  return hash;
216 }
217 
218 /**
219  * Basic hashing function for FlowKey
220  *
221  * \note Function only used for bypass and TCP or UDP flows
222  *
223  * \note this is only used at start to create Flow from pinned maps
224  * so fairness is not an issue
225  */
226 uint32_t FlowKeyGetHash(FlowKey *fk)
227 {
228  uint32_t hash = 0;
229 
230  if (fk->src.family == AF_INET) {
231  FlowHashKey4 fhk;
232  int ai = (fk->src.address.address_un_data32[0] > fk->dst.address.address_un_data32[0]);
233  fhk.addrs[1-ai] = fk->src.address.address_un_data32[0];
234  fhk.addrs[ai] = fk->dst.address.address_un_data32[0];
235 
236  const int pi = (fk->sp > fk->dp);
237  fhk.ports[1-pi] = fk->sp;
238  fhk.ports[pi] = fk->dp;
239 
240  fhk.proto = (uint16_t)fk->proto;
241  fhk.recur = (uint16_t)fk->recursion_level;
242  fhk.vlan_id[0] = fk->vlan_id[0] & g_vlan_mask;
243  fhk.vlan_id[1] = fk->vlan_id[1] & g_vlan_mask;
244 
245  hash = hashword(fhk.u32, 5, flow_config.hash_rand);
246  } else {
247  FlowHashKey6 fhk;
248  if (FlowHashRawAddressIPv6GtU32(fk->src.address.address_un_data32,
250  fhk.src[0] = fk->src.address.address_un_data32[0];
251  fhk.src[1] = fk->src.address.address_un_data32[1];
252  fhk.src[2] = fk->src.address.address_un_data32[2];
253  fhk.src[3] = fk->src.address.address_un_data32[3];
254  fhk.dst[0] = fk->dst.address.address_un_data32[0];
255  fhk.dst[1] = fk->dst.address.address_un_data32[1];
256  fhk.dst[2] = fk->dst.address.address_un_data32[2];
257  fhk.dst[3] = fk->dst.address.address_un_data32[3];
258  } else {
259  fhk.src[0] = fk->dst.address.address_un_data32[0];
260  fhk.src[1] = fk->dst.address.address_un_data32[1];
261  fhk.src[2] = fk->dst.address.address_un_data32[2];
262  fhk.src[3] = fk->dst.address.address_un_data32[3];
263  fhk.dst[0] = fk->src.address.address_un_data32[0];
264  fhk.dst[1] = fk->src.address.address_un_data32[1];
265  fhk.dst[2] = fk->src.address.address_un_data32[2];
266  fhk.dst[3] = fk->src.address.address_un_data32[3];
267  }
268 
269  const int pi = (fk->sp > fk->dp);
270  fhk.ports[1-pi] = fk->sp;
271  fhk.ports[pi] = fk->dp;
272  fhk.proto = (uint16_t)fk->proto;
273  fhk.recur = (uint16_t)fk->recursion_level;
274  fhk.vlan_id[0] = fk->vlan_id[0] & g_vlan_mask;
275  fhk.vlan_id[1] = fk->vlan_id[1] & g_vlan_mask;
276 
277  hash = hashword(fhk.u32, 11, flow_config.hash_rand);
278  }
279  return hash;
280 }
281 
282 static inline bool CmpAddrs(const uint32_t addr1[4], const uint32_t addr2[4])
283 {
284  return addr1[0] == addr2[0] && addr1[1] == addr2[1] &&
285  addr1[2] == addr2[2] && addr1[3] == addr2[3];
286 }
287 
288 static inline bool CmpAddrsAndPorts(const uint32_t src1[4],
289  const uint32_t dst1[4], Port src_port1, Port dst_port1,
290  const uint32_t src2[4], const uint32_t dst2[4], Port src_port2,
291  Port dst_port2)
292 {
293  /* Compare the source and destination addresses. If they are not equal,
294  * compare the first source address with the second destination address,
295  * and vice versa. Likewise for ports. */
296  return (CmpAddrs(src1, src2) && CmpAddrs(dst1, dst2) &&
297  src_port1 == src_port2 && dst_port1 == dst_port2) ||
298  (CmpAddrs(src1, dst2) && CmpAddrs(dst1, src2) &&
299  src_port1 == dst_port2 && dst_port1 == src_port2);
300 }
301 
302 static inline bool CmpVlanIds(const uint16_t vlan_id1[2], const uint16_t vlan_id2[2])
303 {
304  return ((vlan_id1[0] ^ vlan_id2[0]) & g_vlan_mask) == 0 &&
305  ((vlan_id1[1] ^ vlan_id2[1]) & g_vlan_mask) == 0;
306 }
307 
308 /* Since two or more flows can have the same hash key, we need to compare
309  * the flow with the current packet or flow key. */
310 static inline bool CmpFlowPacket(const Flow *f, const Packet *p)
311 {
312  const uint32_t *f_src = f->src.address.address_un_data32;
313  const uint32_t *f_dst = f->dst.address.address_un_data32;
314  const uint32_t *p_src = p->src.address.address_un_data32;
315  const uint32_t *p_dst = p->dst.address.address_un_data32;
316  return CmpAddrsAndPorts(f_src, f_dst, f->sp, f->dp, p_src, p_dst, p->sp,
317  p->dp) && f->proto == p->proto &&
318  f->recursion_level == p->recursion_level &&
319  CmpVlanIds(f->vlan_id, p->vlan_id);
320 }
321 
322 static inline bool CmpFlowKey(const Flow *f, const FlowKey *k)
323 {
324  const uint32_t *f_src = f->src.address.address_un_data32;
325  const uint32_t *f_dst = f->dst.address.address_un_data32;
326  const uint32_t *k_src = k->src.address.address_un_data32;
327  const uint32_t *k_dst = k->dst.address.address_un_data32;
328  return CmpAddrsAndPorts(f_src, f_dst, f->sp, f->dp, k_src, k_dst, k->sp,
329  k->dp) && f->proto == k->proto &&
330  f->recursion_level == k->recursion_level &&
331  CmpVlanIds(f->vlan_id, k->vlan_id);
332 }
333 
334 static inline bool CmpAddrsAndICMPTypes(const uint32_t src1[4],
335  const uint32_t dst1[4], uint8_t icmp_s_type1, uint8_t icmp_d_type1,
336  const uint32_t src2[4], const uint32_t dst2[4], uint8_t icmp_s_type2,
337  uint8_t icmp_d_type2)
338 {
339  /* Compare the source and destination addresses. If they are not equal,
340  * compare the first source address with the second destination address,
341  * and vice versa. Likewise for icmp types. */
342  return (CmpAddrs(src1, src2) && CmpAddrs(dst1, dst2) &&
343  icmp_s_type1 == icmp_s_type2 && icmp_d_type1 == icmp_d_type2) ||
344  (CmpAddrs(src1, dst2) && CmpAddrs(dst1, src2) &&
345  icmp_s_type1 == icmp_d_type2 && icmp_d_type1 == icmp_s_type2);
346 }
347 
348 static inline bool CmpFlowICMPPacket(const Flow *f, const Packet *p)
349 {
350  const uint32_t *f_src = f->src.address.address_un_data32;
351  const uint32_t *f_dst = f->dst.address.address_un_data32;
352  const uint32_t *p_src = p->src.address.address_un_data32;
353  const uint32_t *p_dst = p->dst.address.address_un_data32;
354  return CmpAddrsAndICMPTypes(f_src, f_dst, f->icmp_s.type,
355  f->icmp_d.type, p_src, p_dst, p->icmp_s.type, p->icmp_d.type) &&
356  f->proto == p->proto && f->recursion_level == p->recursion_level &&
357  CmpVlanIds(f->vlan_id, p->vlan_id);
358 }
359 
360 /**
361  * \brief See if a ICMP packet belongs to a flow by comparing the embedded
362  * packet in the ICMP error packet to the flow.
363  *
364  * \param f flow
365  * \param p ICMP packet
366  *
367  * \retval 1 match
368  * \retval 0 no match
369  */
370 static inline int FlowCompareICMPv4(Flow *f, const Packet *p)
371 {
373  /* first check the direction of the flow, in other words, the client ->
374  * server direction as it's most likely the ICMP error will be a
375  * response to the clients traffic */
376  if ((f->src.addr_data32[0] == IPV4_GET_RAW_IPSRC_U32( ICMPV4_GET_EMB_IPV4(p) )) &&
377  (f->dst.addr_data32[0] == IPV4_GET_RAW_IPDST_U32( ICMPV4_GET_EMB_IPV4(p) )) &&
378  f->sp == p->icmpv4vars.emb_sport &&
379  f->dp == p->icmpv4vars.emb_dport &&
380  f->proto == ICMPV4_GET_EMB_PROTO(p) &&
381  f->recursion_level == p->recursion_level &&
382  f->vlan_id[0] == p->vlan_id[0] &&
383  f->vlan_id[1] == p->vlan_id[1])
384  {
385  return 1;
386 
387  /* check the less likely case where the ICMP error was a response to
388  * a packet from the server. */
389  } else if ((f->dst.addr_data32[0] == IPV4_GET_RAW_IPSRC_U32( ICMPV4_GET_EMB_IPV4(p) )) &&
390  (f->src.addr_data32[0] == IPV4_GET_RAW_IPDST_U32( ICMPV4_GET_EMB_IPV4(p) )) &&
391  f->dp == p->icmpv4vars.emb_sport &&
392  f->sp == p->icmpv4vars.emb_dport &&
393  f->proto == ICMPV4_GET_EMB_PROTO(p) &&
394  f->recursion_level == p->recursion_level &&
395  f->vlan_id[0] == p->vlan_id[0] &&
396  f->vlan_id[1] == p->vlan_id[1])
397  {
398  return 1;
399  }
400 
401  /* no match, fall through */
402  } else {
403  /* just treat ICMP as a normal proto for now */
404  return CmpFlowICMPPacket(f, p);
405  }
406 
407  return 0;
408 }
409 
411 {
412  p->flags |= PKT_WANTS_FLOW;
413  p->flow_hash = FlowGetHash(p);
414 }
415 
416 static inline int FlowCompare(Flow *f, const Packet *p)
417 {
418  if (p->proto == IPPROTO_ICMP) {
419  return FlowCompareICMPv4(f, p);
420  } else {
421  return CmpFlowPacket(f, p);
422  }
423 }
424 
425 /**
426  * \brief Check if we should create a flow based on a packet
427  *
428  * We use this check to filter out flow creation based on:
429  * - ICMP error messages
430  * - TCP flags (emergency mode only)
431  *
432  * \param p packet
433  * \retval 1 true
434  * \retval 0 false
435  */
436 static inline int FlowCreateCheck(const Packet *p, const bool emerg)
437 {
438  /* if we're in emergency mode, don't try to create a flow for a TCP
439  * that is not a TCP SYN packet. */
440  if (emerg) {
441  if (PKT_IS_TCP(p)) {
442  if (p->tcph->th_flags == TH_SYN || stream_config.midstream == FALSE) {
443  ;
444  } else {
445  return 0;
446  }
447  }
448  }
449 
450  if (PKT_IS_ICMPV4(p)) {
451  if (ICMPV4_IS_ERROR_MSG(p)) {
452  return 0;
453  }
454  }
455 
456  return 1;
457 }
458 
459 static inline void FlowUpdateCounter(ThreadVars *tv, DecodeThreadVars *dtv,
460  uint8_t proto)
461 {
462 #ifdef UNITTESTS
463  if (tv && dtv) {
464 #endif
465  switch (proto){
466  case IPPROTO_UDP:
468  break;
469  case IPPROTO_TCP:
471  break;
472  case IPPROTO_ICMP:
474  break;
475  case IPPROTO_ICMPV6:
477  break;
478  }
479 #ifdef UNITTESTS
480  }
481 #endif
482 }
483 
484 /** \internal
485  * \brief try to fetch a new set of flows from the master flow pool.
486  *
487  * If in emergency mode, do this only once a second at max to avoid trying
488  * to synchronise per packet in the worse case. */
489 static inline Flow *FlowSpareSync(ThreadVars *tv, FlowLookupStruct *fls,
490  const Packet *p, const bool emerg)
491 {
492  Flow *f = NULL;
493  bool spare_sync = false;
494  if (emerg) {
495  if ((uint32_t)p->ts.tv_sec > fls->emerg_spare_sync_stamp) {
496  fls->spare_queue = FlowSpareGetFromPool(); /* local empty, (re)populate and try again */
497  spare_sync = true;
499  if (f == NULL) {
500  /* wait till next full sec before retrying */
501  fls->emerg_spare_sync_stamp = (uint32_t)p->ts.tv_sec;
502  }
503  }
504  } else {
505  fls->spare_queue = FlowSpareGetFromPool(); /* local empty, (re)populate and try again */
507  spare_sync = true;
508  }
509 #ifdef UNITTESTS
510  if (tv && fls->dtv) {
511 #endif
512  if (spare_sync) {
513  if (f != NULL) {
515  if (fls->spare_queue.len < 99) {
517  }
518  } else if (fls->spare_queue.len == 0) {
520  }
522  }
523 #ifdef UNITTESTS
524  }
525 #endif
526  return f;
527 }
528 
529 /**
530  * \brief Get a new flow
531  *
532  * Get a new flow. We're checking memcap first and will try to make room
533  * if the memcap is reached.
534  *
535  * \param tv thread vars
536  * \param fls lookup support vars
537  *
538  * \retval f *LOCKED* flow on succes, NULL on error.
539  */
540 static Flow *FlowGetNew(ThreadVars *tv, FlowLookupStruct *fls, const Packet *p)
541 {
542  const bool emerg = ((SC_ATOMIC_GET(flow_flags) & FLOW_EMERGENCY) != 0);
543 
544  if (FlowCreateCheck(p, emerg) == 0) {
545  return NULL;
546  }
547 
548  /* get a flow from the spare queue */
550  if (f == NULL) {
551  f = FlowSpareSync(tv, fls, p, emerg);
552  }
553  if (f == NULL) {
554  /* If we reached the max memcap, we get a used flow */
555  if (!(FLOW_CHECK_MEMCAP(sizeof(Flow) + FlowStorageSize()))) {
556  /* declare state of emergency */
557  if (!(SC_ATOMIC_GET(flow_flags) & FLOW_EMERGENCY)) {
558  SC_ATOMIC_OR(flow_flags, FLOW_EMERGENCY);
560  }
561 
562  f = FlowGetUsedFlow(tv, fls->dtv, &p->ts);
563  if (f == NULL) {
564  return NULL;
565  }
566 #ifdef UNITTESTS
567  if (tv != NULL && fls->dtv != NULL) {
568 #endif
570 #ifdef UNITTESTS
571  }
572 #endif
573  /* flow is still locked from FlowGetUsedFlow() */
574  FlowUpdateCounter(tv, fls->dtv, p->proto);
575  return f;
576  }
577 
578  /* now see if we can alloc a new flow */
579  f = FlowAlloc();
580  if (f == NULL) {
581 #ifdef UNITTESTS
582  if (tv != NULL && fls->dtv != NULL) {
583 #endif
585 #ifdef UNITTESTS
586  }
587 #endif
588  return NULL;
589  }
590 
591  /* flow is initialized but *unlocked* */
592  } else {
593  /* flow has been recycled before it went into the spare queue */
594 
595  /* flow is initialized (recylced) but *unlocked* */
596  }
597 
598  FLOWLOCK_WRLOCK(f);
599  FlowUpdateCounter(tv, fls->dtv, p->proto);
600  return f;
601 }
602 
603 static Flow *TcpReuseReplace(ThreadVars *tv, FlowLookupStruct *fls,
604  FlowBucket *fb, Flow *old_f,
605  const uint32_t hash, const Packet *p)
606 {
607 #ifdef UNITTESTS
608  if (tv != NULL && fls->dtv != NULL) {
609 #endif
611 #ifdef UNITTESTS
612  }
613 #endif
614  /* tag flow as reused so future lookups won't find it */
615  old_f->flags |= FLOW_TCP_REUSED;
616  /* time out immediately */
617  old_f->timeout_at = 0;
618  /* get some settings that we move over to the new flow */
619  FlowThreadId thread_id[2] = { old_f->thread_id[0], old_f->thread_id[1] };
620 
621  /* since fb lock is still held this flow won't be found until we are done */
622  FLOWLOCK_UNLOCK(old_f);
623 
624  /* Get a new flow. It will be either a locked flow or NULL */
625  Flow *f = FlowGetNew(tv, fls, p);
626  if (f == NULL) {
627  return NULL;
628  }
629 
630  /* flow is locked */
631 
632  /* put at the start of the list */
633  f->next = fb->head;
634  fb->head = f;
635 
636  /* initialize and return */
637  FlowInit(f, p);
638  f->flow_hash = hash;
639  f->fb = fb;
641 
642  f->thread_id[0] = thread_id[0];
643  f->thread_id[1] = thread_id[1];
644  return f;
645 }
646 
647 static inline bool FlowBelongsToUs(const ThreadVars *tv, const Flow *f)
648 {
649 #ifdef UNITTESTS
650  if (RunmodeIsUnittests()) {
651  return true;
652  }
653 #endif
654  return f->thread_id[0] == tv->id;
655 }
656 
657 static inline void MoveToWorkQueue(ThreadVars *tv, FlowLookupStruct *fls,
658  FlowBucket *fb, Flow *f, Flow *prev_f)
659 {
660  /* remove from hash... */
661  if (prev_f) {
662  prev_f->next = f->next;
663  }
664  if (f == fb->head) {
665  fb->head = f->next;
666  }
667 
668  if (f->proto != IPPROTO_TCP || FlowBelongsToUs(tv, f)) { // TODO thread_id[] direction
669  f->fb = NULL;
670  f->next = NULL;
672  } else {
673  /* implied: TCP but our thread does not own it. So set it
674  * aside for the Flow Manager to pick it up. */
675  f->next = fb->evicted;
676  fb->evicted = f;
677  if (SC_ATOMIC_GET(f->fb->next_ts) != 0) {
678  SC_ATOMIC_SET(f->fb->next_ts, 0);
679  }
680  FLOWLOCK_UNLOCK(f);
681  }
682 }
683 
684 static inline bool FlowIsTimedOut(const Flow *f, const uint32_t sec, const bool emerg)
685 {
686  if (unlikely(f->timeout_at < sec)) {
687  return true;
688  } else if (unlikely(emerg)) {
690 
691  int64_t timeout_at = f->timeout_at -
692  FlowGetFlowTimeoutDirect(flow_timeouts_delta, f->flow_state, f->protomap);
693  if ((int64_t)sec >= timeout_at)
694  return true;
695  }
696  return false;
697 }
698 
699 static inline void FromHashLockBucket(FlowBucket *fb)
700 {
701  FBLOCK_LOCK(fb);
702 }
703 static inline void FromHashLockTO(Flow *f)
704 {
705  FLOWLOCK_WRLOCK(f);
706 }
707 static inline void FromHashLockCMP(Flow *f)
708 {
709  FLOWLOCK_WRLOCK(f);
710 }
711 
712 /** \brief Get Flow for packet
713  *
714  * Hash retrieval function for flows. Looks up the hash bucket containing the
715  * flow pointer. Then compares the packet with the found flow to see if it is
716  * the flow we need. If it isn't, walk the list until the right flow is found.
717  *
718  * If the flow is not found or the bucket was emtpy, a new flow is taken from
719  * the spare pool. The pool will alloc new flows as long as we stay within our
720  * memcap limit.
721  *
722  * The p->flow pointer is updated to point to the flow.
723  *
724  * \param tv thread vars
725  * \param dtv decode thread vars (for flow log api thread data)
726  *
727  * \retval f *LOCKED* flow or NULL
728  */
730  const Packet *p, Flow **dest)
731 {
732  Flow *f = NULL;
733 
734  /* get our hash bucket and lock it */
735  const uint32_t hash = p->flow_hash;
736  FlowBucket *fb = &flow_hash[hash % flow_config.hash_size];
737  FromHashLockBucket(fb);
738 
739  SCLogDebug("fb %p fb->head %p", fb, fb->head);
740 
741  /* see if the bucket already has a flow */
742  if (fb->head == NULL) {
743  f = FlowGetNew(tv, fls, p);
744  if (f == NULL) {
745  FBLOCK_UNLOCK(fb);
746  return NULL;
747  }
748 
749  /* flow is locked */
750  fb->head = f;
751 
752  /* got one, now lock, initialize and return */
753  FlowInit(f, p);
754  f->flow_hash = hash;
755  f->fb = fb;
757 
758  FlowReference(dest, f);
759 
760  FBLOCK_UNLOCK(fb);
761  return f;
762  }
763 
764  const bool emerg = (SC_ATOMIC_GET(flow_flags) & FLOW_EMERGENCY) != 0;
765  const uint32_t fb_nextts = !emerg ? SC_ATOMIC_GET(fb->next_ts) : 0;
766  /* ok, we have a flow in the bucket. Let's find out if it is our flow */
767  Flow *prev_f = NULL; /* previous flow */
768  f = fb->head;
769  do {
770  Flow *next_f = NULL;
771  const bool timedout =
772  (fb_nextts < (uint32_t)p->ts.tv_sec && FlowIsTimedOut(f, (uint32_t)p->ts.tv_sec, emerg));
773  if (timedout) {
774  FromHashLockTO(f);//FLOWLOCK_WRLOCK(f);
775  if (f->use_cnt == 0) {
776  next_f = f->next;
777  MoveToWorkQueue(tv, fls, fb, f, prev_f);
778  /* flow stays locked, ownership xfer'd to MoveToWorkQueue */
779  goto flow_removed;
780  }
781  FLOWLOCK_UNLOCK(f);
782  } else if (FlowCompare(f, p) != 0) {
783  FromHashLockCMP(f);//FLOWLOCK_WRLOCK(f);
784  /* found a matching flow that is not timed out */
785  if (unlikely(TcpSessionPacketSsnReuse(p, f, f->protoctx) == 1)) {
786  f = TcpReuseReplace(tv, fls, fb, f, hash, p);
787  if (f == NULL) {
788  FBLOCK_UNLOCK(fb);
789  return NULL;
790  }
791  }
792  FlowReference(dest, f);
793  FBLOCK_UNLOCK(fb);
794  return f; /* return w/o releasing flow lock */
795  }
796  /* unless we removed 'f', prev_f needs to point to
797  * current 'f' when adding a new flow below. */
798  prev_f = f;
799  next_f = f->next;
800 
801 flow_removed:
802  if (next_f == NULL) {
803  f = FlowGetNew(tv, fls, p);
804  if (f == NULL) {
805  FBLOCK_UNLOCK(fb);
806  return NULL;
807  }
808 
809  /* flow is locked */
810 
811  f->next = fb->head;
812  fb->head = f;
813 
814  /* initialize and return */
815  FlowInit(f, p);
816  f->flow_hash = hash;
817  f->fb = fb;
819  FlowReference(dest, f);
820  FBLOCK_UNLOCK(fb);
821  return f;
822  }
823  f = next_f;
824  } while (f != NULL);
825 
826  /* should be unreachable */
827  BUG_ON(1);
828  return NULL;
829 }
830 
831 static inline int FlowCompareKey(Flow *f, FlowKey *key)
832 {
833  if ((f->proto != IPPROTO_TCP) && (f->proto != IPPROTO_UDP))
834  return 0;
835  return CmpFlowKey(f, key);
836 }
837 
838 /** \brief Get or create a Flow using a FlowKey
839  *
840  * Hash retrieval function for flows. Looks up the hash bucket containing the
841  * flow pointer. Then compares the packet with the found flow to see if it is
842  * the flow we need. If it isn't, walk the list until the right flow is found.
843  * Return a new Flow if ever no Flow was found.
844  *
845  *
846  * \param key Pointer to FlowKey build using flow to look for
847  * \param ttime time to use for flow creation
848  * \param hash Value of the flow hash
849  * \retval f *LOCKED* flow or NULL
850  */
851 
852 Flow *FlowGetFromFlowKey(FlowKey *key, struct timespec *ttime, const uint32_t hash)
853 {
854  Flow *f = FlowGetExistingFlowFromHash(key, hash);
855 
856  if (f != NULL) {
857  return f;
858  }
859  /* TODO use spare pool */
860  /* now see if we can alloc a new flow */
861  f = FlowAlloc();
862  if (f == NULL) {
863  SCLogDebug("Can't get a spare flow at start");
864  return NULL;
865  }
866  f->proto = key->proto;
867  f->vlan_id[0] = key->vlan_id[0];
868  f->vlan_id[1] = key->vlan_id[1];
869  f->src.addr_data32[0] = key->src.addr_data32[0];
870  f->src.addr_data32[1] = key->src.addr_data32[1];
871  f->src.addr_data32[2] = key->src.addr_data32[2];
872  f->src.addr_data32[3] = key->src.addr_data32[3];
873  f->dst.addr_data32[0] = key->dst.addr_data32[0];
874  f->dst.addr_data32[1] = key->dst.addr_data32[1];
875  f->dst.addr_data32[2] = key->dst.addr_data32[2];
876  f->dst.addr_data32[3] = key->dst.addr_data32[3];
877  f->sp = key->sp;
878  f->dp = key->dp;
879  f->recursion_level = 0;
880  f->flow_hash = hash;
881  if (key->src.family == AF_INET) {
882  f->flags |= FLOW_IPV4;
883  } else if (key->src.family == AF_INET6) {
884  f->flags |= FLOW_IPV6;
885  }
886 
888  /* set timestamp to now */
889  f->startts.tv_sec = ttime->tv_sec;
890  f->startts.tv_usec = ttime->tv_nsec * 1000;
891  f->lastts = f->startts;
892 
893  FlowBucket *fb = &flow_hash[hash % flow_config.hash_size];
894  FBLOCK_LOCK(fb);
895  f->fb = fb;
896  f->next = fb->head;
897  fb->head = f;
898  FLOWLOCK_WRLOCK(f);
899  FBLOCK_UNLOCK(fb);
900  return f;
901 }
902 
903 /** \brief Look for existing Flow using a FlowKey
904  *
905  * Hash retrieval function for flows. Looks up the hash bucket containing the
906  * flow pointer. Then compares the packet with the found flow to see if it is
907  * the flow we need. If it isn't, walk the list until the right flow is found.
908  *
909  *
910  * \param key Pointer to FlowKey build using flow to look for
911  * \param hash Value of the flow hash
912  * \retval f *LOCKED* flow or NULL
913  */
914 Flow *FlowGetExistingFlowFromHash(FlowKey *key, const uint32_t hash)
915 {
916  /* get our hash bucket and lock it */
917  FlowBucket *fb = &flow_hash[hash % flow_config.hash_size];
918  FBLOCK_LOCK(fb);
919 
920  SCLogDebug("fb %p fb->head %p", fb, fb->head);
921 
922  /* return if the bucket don't have a flow */
923  if (fb->head == NULL) {
924  FBLOCK_UNLOCK(fb);
925  return NULL;
926  }
927 
928  /* ok, we have a flow in the bucket. Let's find out if it is our flow */
929  Flow *f = fb->head;
930 
931  /* see if this is the flow we are looking for */
932  if (FlowCompareKey(f, key) == 0) {
933  while (f) {
934  f = f->next;
935 
936  if (f == NULL) {
937  FBLOCK_UNLOCK(fb);
938  return NULL;
939  }
940 
941  if (FlowCompareKey(f, key) != 0) {
942  /* found our flow, lock & return */
943  FLOWLOCK_WRLOCK(f);
944 
945  FBLOCK_UNLOCK(fb);
946  return f;
947  }
948  }
949  }
950 
951  /* lock & return */
952  FLOWLOCK_WRLOCK(f);
953 
954  FBLOCK_UNLOCK(fb);
955  return f;
956 }
957 
958 #define FLOW_GET_NEW_TRIES 5
959 
960 /* inline locking wrappers to make profiling easier */
961 
962 static inline int GetUsedTryLockBucket(FlowBucket *fb)
963 {
964  int r = FBLOCK_TRYLOCK(fb);
965  return r;
966 }
967 static inline int GetUsedTryLockFlow(Flow *f)
968 {
969  int r = FLOWLOCK_TRYWRLOCK(f);
970  return r;
971 }
972 static inline uint32_t GetUsedAtomicUpdate(const uint32_t val)
973 {
974  uint32_t r = SC_ATOMIC_ADD(flow_prune_idx, val);
975  return r;
976 }
977 
978 /** \internal
979  * \brief check if flow has just seen an update.
980  */
981 static inline bool StillAlive(const Flow *f, const struct timeval *ts)
982 {
983  switch (f->flow_state) {
984  case FLOW_STATE_NEW:
985  if (ts->tv_sec - f->lastts.tv_sec <= 1) {
986  return true;
987  }
988  break;
990  if (ts->tv_sec - f->lastts.tv_sec <= 5) {
991  return true;
992  }
993  break;
994  case FLOW_STATE_CLOSED:
995  if (ts->tv_sec - f->lastts.tv_sec <= 3) {
996  return true;
997  }
998  break;
999  default:
1000  if (ts->tv_sec - f->lastts.tv_sec < 30) {
1001  return true;
1002  }
1003  break;
1004  }
1005  return false;
1006 }
1007 
1008 #ifdef UNITTESTS
1009  #define STATSADDUI64(cnt, value) \
1010  if (tv && dtv) { \
1011  StatsAddUI64(tv, dtv->cnt, (value)); \
1012  }
1013 #else
1014  #define STATSADDUI64(cnt, value) \
1015  StatsAddUI64(tv, dtv->cnt, (value));
1016 #endif
1017 
1018 /** \internal
1019  * \brief Get a flow from the hash directly.
1020  *
1021  * Called in conditions where the spare queue is empty and memcap is reached.
1022  *
1023  * Walks the hash until a flow can be freed. Timeouts are disregarded, use_cnt
1024  * is adhered to. "flow_prune_idx" atomic int makes sure we don't start at the
1025  * top each time since that would clear the top of the hash leading to longer
1026  * and longer search times under high pressure (observed).
1027  *
1028  * \param tv thread vars
1029  * \param dtv decode thread vars (for flow log api thread data)
1030  *
1031  * \retval f flow or NULL
1032  */
1033 static Flow *FlowGetUsedFlow(ThreadVars *tv, DecodeThreadVars *dtv, const struct timeval *ts)
1034 {
1035  uint32_t idx = GetUsedAtomicUpdate(FLOW_GET_NEW_TRIES) % flow_config.hash_size;
1036  uint32_t tried = 0;
1037 
1038  while (1) {
1039  if (tried++ > FLOW_GET_NEW_TRIES) {
1040  STATSADDUI64(counter_flow_get_used_eval, tried);
1041  break;
1042  }
1043  if (++idx >= flow_config.hash_size)
1044  idx = 0;
1045 
1046  FlowBucket *fb = &flow_hash[idx];
1047 
1048  if (SC_ATOMIC_GET(fb->next_ts) == INT_MAX)
1049  continue;
1050 
1051  if (GetUsedTryLockBucket(fb) != 0) {
1052  STATSADDUI64(counter_flow_get_used_eval_busy, 1);
1053  continue;
1054  }
1055 
1056  Flow *f = fb->head;
1057  if (f == NULL) {
1058  FBLOCK_UNLOCK(fb);
1059  continue;
1060  }
1061 
1062  if (GetUsedTryLockFlow(f) != 0) {
1063  STATSADDUI64(counter_flow_get_used_eval_busy, 1);
1064  FBLOCK_UNLOCK(fb);
1065  continue;
1066  }
1067 
1068  /** never prune a flow that is used by a packet or stream msg
1069  * we are currently processing in one of the threads */
1070  if (f->use_cnt > 0) {
1071  STATSADDUI64(counter_flow_get_used_eval_busy, 1);
1072  FBLOCK_UNLOCK(fb);
1073  FLOWLOCK_UNLOCK(f);
1074  continue;
1075  }
1076 
1077  if (StillAlive(f, ts)) {
1078  STATSADDUI64(counter_flow_get_used_eval_reject, 1);
1079  FBLOCK_UNLOCK(fb);
1080  FLOWLOCK_UNLOCK(f);
1081  continue;
1082  }
1083 
1084  /* remove from the hash */
1085  fb->head = f->next;
1086  f->next = NULL;
1087  f->fb = NULL;
1088  FBLOCK_UNLOCK(fb);
1089 
1090  /* rest of the flags is updated on-demand in output */
1092  if (SC_ATOMIC_GET(flow_flags) & FLOW_EMERGENCY)
1094 
1095  /* invoke flow log api */
1096 #ifdef UNITTESTS
1097  if (dtv) {
1098 #endif
1101  }
1102 #ifdef UNITTESTS
1103  }
1104 #endif
1105 
1106  FlowClearMemory(f, f->protomap);
1107 
1108  /* leave locked */
1109 
1110  STATSADDUI64(counter_flow_get_used_eval, tried);
1111  return f;
1112  }
1113 
1114  STATSADDUI64(counter_flow_get_used_failed, 1);
1115  return NULL;
1116 }
FlowHashKey4_::ports
uint16_t ports[2]
Definition: flow-hash.c:88
Flow_::icmp_d
struct Flow_::@122::@127 icmp_d
FlowLookupStruct_::work_queue
FlowQueuePrivate work_queue
Definition: flow.h:536
FlowHashKey6_::recur
uint16_t recur
Definition: flow-hash.c:103
OutputFlowLog
TmEcode OutputFlowLog(ThreadVars *tv, void *thread_data, Flow *f)
Run flow logger(s)
Definition: output-flow.c:91
Packet_::proto
uint8_t proto
Definition: decode.h:436
DecodeThreadVars_::counter_flow_udp
uint16_t counter_flow_udp
Definition: decode.h:684
ts
uint64_t ts
Definition: source-erf-file.c:54
ICMPV4_GET_EMB_PROTO
#define ICMPV4_GET_EMB_PROTO(p)
Definition: decode-icmpv4.h:232
Flow_::recursion_level
uint8_t recursion_level
Definition: flow.h:366
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:169
IPV4_GET_RAW_IPDST_U32
#define IPV4_GET_RAW_IPDST_U32(ip4h)
Definition: decode-ipv4.h:108
hashword
uint32_t hashword(const uint32_t *k, size_t length, uint32_t initval)
Definition: util-hash-lookup3.c:174
FLOW_STATE_ESTABLISHED
@ FLOW_STATE_ESTABLISHED
Definition: flow.h:500
flow-util.h
FBLOCK_LOCK
#define FBLOCK_LOCK(fb)
Definition: flow-hash.h:71
FlowLookupStruct_::dtv
DecodeThreadVars * dtv
Definition: flow.h:535
DecodeThreadVars_::counter_flow_icmp4
uint16_t counter_flow_icmp4
Definition: decode.h:685
Flow_::startts
struct timeval startts
Definition: flow.h:490
Packet_::vlan_id
uint16_t vlan_id[2]
Definition: decode.h:441
stream-tcp.h
FlowHashKey6_::proto
uint16_t proto
Definition: flow-hash.c:102
FlowKey_::src
Address src
Definition: flow.h:302
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:387
FlowCnf_::hash_size
uint32_t hash_size
Definition: flow.h:285
FlowAddress_::address_un_data32
uint32_t address_un_data32[4]
Definition: flow.h:311
FlowSpareGetFromPool
FlowQueuePrivate FlowSpareGetFromPool(void)
Definition: flow-spare-pool.c:128
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
DecodeThreadVars_::counter_flow_spare_sync_avg
uint16_t counter_flow_spare_sync_avg
Definition: decode.h:697
Flow_::proto
uint8_t proto
Definition: flow.h:365
TcpStreamCnf_::midstream
int midstream
Definition: stream-tcp.h:58
Packet_::flags
uint32_t flags
Definition: decode.h:449
FlowKeyGetHash
uint32_t FlowKeyGetHash(FlowKey *fk)
Definition: flow-hash.c:226
threads.h
ICMPV4_DEST_UNREACH_IS_VALID
#define ICMPV4_DEST_UNREACH_IS_VALID(p)
Definition: decode-icmpv4.h:247
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:347
Flow_::protomap
uint8_t protomap
Definition: flow.h:445
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:333
FlowProtoTimeout_
Definition: flow.h:508
FLOWLOCK_TRYWRLOCK
#define FLOWLOCK_TRYWRLOCK(fb)
Definition: flow.h:263
PKT_WANTS_FLOW
#define PKT_WANTS_FLOW
Definition: decode.h:1130
flow-hash.h
FlowHashKey6_::u32
const uint32_t u32[11]
Definition: flow-hash.c:106
FlowHashKey4_::u32
const uint32_t u32[5]
Definition: flow-hash.c:93
FlowLookupStruct_
Definition: flow.h:532
Flow_::vlan_id
uint16_t vlan_id[2]
Definition: flow.h:367
Flow_::use_cnt
FlowRefCount use_cnt
Definition: flow.h:373
FlowHashKey4_::vlan_id
uint16_t vlan_id[2]
Definition: flow-hash.c:91
FlowHashKey4
struct FlowHashKey4_ FlowHashKey4
FBLOCK_TRYLOCK
#define FBLOCK_TRYLOCK(fb)
Definition: flow-hash.h:72
TcpStreamCnf_
Definition: stream-tcp.h:42
DecodeThreadVars_::counter_flow_tcp
uint16_t counter_flow_tcp
Definition: decode.h:683
Address_::address_un_data32
uint32_t address_un_data32[4]
Definition: decode.h:119
proto
uint8_t proto
Definition: decode-template.h:0
Flow_::dp
Port dp
Definition: flow.h:359
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:119
FlowQueuePrivate_::len
uint32_t len
Definition: flow-queue.h:44
Flow_::protoctx
void * protoctx
Definition: flow.h:441
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:95
DecodeThreadVars_::counter_flow_get_used
uint16_t counter_flow_get_used
Definition: decode.h:688
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:264
Flow_::flow_state
FlowStateType flow_state
Definition: flow.h:412
DecodeThreadVars_::counter_flow_spare_sync_empty
uint16_t counter_flow_spare_sync_empty
Definition: decode.h:695
DecodeThreadVars_::counter_flow_tcp_reuse
uint16_t counter_flow_tcp_reuse
Definition: decode.h:687
Packet_::icmp_d
struct Packet_::@42::@50 icmp_d
FLOW_CHECK_MEMCAP
#define FLOW_CHECK_MEMCAP(size)
check if a memory alloc would fit in the memcap
Definition: flow-util.h:144
FlowLookupStruct_::emerg_spare_sync_stamp
uint32_t emerg_spare_sync_stamp
Definition: flow.h:537
TcpSessionPacketSsnReuse
int TcpSessionPacketSsnReuse(const Packet *p, const Flow *f, const void *tcp_ssn)
Definition: stream-tcp.c:5154
PKT_IS_TCP
#define PKT_IS_TCP(p)
Definition: decode.h:259
flow-spare-pool.h
DecodeThreadVars_::counter_flow_spare_sync
uint16_t counter_flow_spare_sync
Definition: decode.h:694
Flow_::dst
FlowAddress dst
Definition: flow.h:350
Flow_::fb
struct FlowBucket_ * fb
Definition: flow.h:488
FlowHashKey6_::ports
uint16_t ports[2]
Definition: flow-hash.c:101
FLOW_PROTO_MAX
@ FLOW_PROTO_MAX
Definition: flow-private.h:76
decode.h
util-debug.h
FLOW_GET_NEW_TRIES
#define FLOW_GET_NEW_TRIES
Definition: flow-hash.c:958
STATSADDUI64
#define STATSADDUI64(cnt, value)
Definition: flow-hash.c:1009
ICMPV4_GET_EMB_IPV4
#define ICMPV4_GET_EMB_IPV4(p)
Definition: decode-icmpv4.h:234
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:261
SC_ATOMIC_EXTERN
SC_ATOMIC_EXTERN(unsigned int, flow_prune_idx)
FlowKey_::recursion_level
uint8_t recursion_level
Definition: flow.h:305
ICMPV4Vars_::emb_dport
uint16_t emb_dport
Definition: decode-icmpv4.h:203
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
Flow_::flow_end_flags
uint8_t flow_end_flags
Definition: flow.h:447
FlowStorageSize
unsigned int FlowStorageSize(void)
Definition: flow-storage.c:34
Packet_::sp
Port sp
Definition: decode.h:421
FlowHashKey6
struct FlowHashKey6_ FlowHashKey6
util-time.h
FlowQueuePrivateGetFromTop
Flow * FlowQueuePrivateGetFromTop(FlowQueuePrivate *fqc)
Definition: flow-queue.c:152
app-layer-parser.h
ThreadVars_::id
int id
Definition: threadvars.h:87
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:282
FlowGetExistingFlowFromHash
Flow * FlowGetExistingFlowFromHash(FlowKey *key, const uint32_t hash)
Look for existing Flow using a FlowKey.
Definition: flow-hash.c:914
FALSE
#define FALSE
Definition: suricata-common.h:34
FlowThreadId
uint16_t FlowThreadId
Definition: flow.h:326
FlowKey_::sp
Port sp
Definition: flow.h:303
FlowTimeoutsEmergency
void FlowTimeoutsEmergency(void)
Definition: flow-manager.c:96
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
Packet_
Definition: decode.h:414
conf.h
Packet_::ip4h
IPV4Hdr * ip4h
Definition: decode.h:509
Port
uint16_t Port
Definition: decode.h:241
FLOW_END_FLAG_EMERGENCY
#define FLOW_END_FLAG_EMERGENCY
Definition: flow.h:233
FBLOCK_UNLOCK
#define FBLOCK_UNLOCK(fb)
Definition: flow-hash.h:73
FlowKey_::vlan_id
uint16_t vlan_id[2]
Definition: flow.h:306
FlowHashKey4_
Definition: flow-hash.c:84
FlowClearMemory
int FlowClearMemory(Flow *f, uint8_t proto_map)
Function clear the flow memory before queueing it to spare flow queue.
Definition: flow.c:1060
flow_timeouts_delta
FlowProtoTimeout flow_timeouts_delta[FLOW_PROTO_MAX]
Definition: flow.c:95
FlowCnf_::hash_rand
uint32_t hash_rand
Definition: flow.h:284
FlowHashKey4_::addrs
uint32_t addrs[2]
Definition: flow-hash.c:87
output-flow.h
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
FlowHashKey6_
Definition: flow-hash.c:97
flow-timeout.h
FlowAddress_::address
union FlowAddress_::@119 address
Flow_::flow_hash
uint32_t flow_hash
Definition: flow.h:399
FlowGetFlowFromHash
Flow * FlowGetFlowFromHash(ThreadVars *tv, FlowLookupStruct *fls, const Packet *p, Flow **dest)
Get Flow for packet.
Definition: flow-hash.c:729
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:264
FlowUpdateState
void FlowUpdateState(Flow *f, const enum FlowState s)
Definition: flow.c:1138
Flow_::src
FlowAddress src
Definition: flow.h:350
Flow_::next
struct Flow_ * next
Definition: flow.h:394
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:30
Flow_::lastts
struct timeval lastts
Definition: flow.h:404
Packet_::icmp_s
struct Packet_::@40::@49 icmp_s
FlowHashKey6_::src
uint32_t src[4]
Definition: flow-hash.c:100
FlowLookupStruct_::spare_queue
FlowQueuePrivate spare_queue
Definition: flow.h:534
flow_hash
FlowBucket * flow_hash
Definition: flow-hash.c:56
Packet_::icmpv4vars
ICMPV4Vars icmpv4vars
Definition: decode.h:524
flow-storage.h
TH_SYN
#define TH_SYN
Definition: decode-tcp.h:35
FLOW_STATE_NEW
@ FLOW_STATE_NEW
Definition: flow.h:499
DecodeThreadVars_::counter_flow_spare_sync_incomplete
uint16_t counter_flow_spare_sync_incomplete
Definition: decode.h:696
Packet_::ts
struct timeval ts
Definition: decode.h:457
flow-manager.h
suricata-common.h
IPV4_GET_RAW_IPSRC_U32
#define IPV4_GET_RAW_IPSRC_U32(ip4h)
Definition: decode-ipv4.h:106
FLOW_IPV6
#define FLOW_IPV6
Definition: flow.h:97
DecodeThreadVars_::counter_flow_icmp6
uint16_t counter_flow_icmp6
Definition: decode.h:686
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:531
flow_config
FlowConfig flow_config
Definition: flow.c:98
FlowKey_::dst
Address dst
Definition: flow.h:302
FlowHashKey4_::recur
uint16_t recur
Definition: flow-hash.c:90
util-hash-lookup3.h
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
PKT_IS_ICMPV4
#define PKT_IS_ICMPV4(p)
Definition: decode.h:261
FlowHashKey6_::dst
uint32_t dst[4]
Definition: flow-hash.c:100
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:148
ICMPV4_IS_ERROR_MSG
#define ICMPV4_IS_ERROR_MSG(p)
Definition: decode-icmpv4.h:264
g_vlan_mask
uint16_t g_vlan_mask
Definition: suricata.c:234
Packet_::flow_hash
uint32_t flow_hash
Definition: decode.h:455
FLOW_TCP_REUSED
#define FLOW_TCP_REUSED
Definition: flow.h:52
FlowKey_::proto
uint8_t proto
Definition: flow.h:304
FLOW_STATE_CLOSED
@ FLOW_STATE_CLOSED
Definition: flow.h:501
FlowHashKey4_::proto
uint16_t proto
Definition: flow-hash.c:89
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:631
FlowGetFromFlowKey
Flow * FlowGetFromFlowKey(FlowKey *key, struct timespec *ttime, const uint32_t hash)
Get or create a Flow using a FlowKey.
Definition: flow-hash.c:852
Flow_::flags
uint32_t flags
Definition: flow.h:421
Packet_::recursion_level
uint8_t recursion_level
Definition: decode.h:439
DecodeThreadVars_::output_flow_thread_data
void * output_flow_thread_data
Definition: decode.h:703
FlowKey_
Definition: flow.h:301
Packet_::udph
UDPHdr * udph
Definition: decode.h:533
FLOW_EMERGENCY
#define FLOW_EMERGENCY
Definition: flow-private.h:37
FlowHashKey6_::vlan_id
uint16_t vlan_id[2]
Definition: flow-hash.c:104
Address_::address
union Address_::@39 address
Address_::family
char family
Definition: decode.h:117
Packet_::dst
Address dst
Definition: decode.h:419
DecodeThreadVars_::counter_flow_memcap
uint16_t counter_flow_memcap
Definition: decode.h:681
Flow_::sp
Port sp
Definition: flow.h:352
ICMPV4Vars_::emb_sport
uint16_t emb_sport
Definition: decode-icmpv4.h:202
Packet_::ip6h
IPV6Hdr * ip6h
Definition: decode.h:511
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:376
flow.h
FlowQueuePrivateAppendFlow
void FlowQueuePrivateAppendFlow(FlowQueuePrivate *fqc, Flow *f)
Definition: flow-queue.c:66
FlowAlloc
Flow * FlowAlloc(void)
allocate a flow
Definition: flow-util.c:51
Packet_::dp
Port dp
Definition: decode.h:429
FLOW_END_FLAG_FORCED
#define FLOW_END_FLAG_FORCED
Definition: flow.h:235
Flow_::icmp_s
struct Flow_::@120::@126 icmp_s
Flow_::timeout_at
uint32_t timeout_at
Definition: flow.h:389
FlowKey_::dp
Port dp
Definition: flow.h:303
FlowInit
void FlowInit(Flow *f, const Packet *p)
Definition: flow-util.c:143
FlowSetupPacket
void FlowSetupPacket(Packet *p)
prepare packet for a life with flow Set PKT_WANTS_FLOW flag to incidate workers should do a flow look...
Definition: flow-hash.c:410
Packet_::src
Address src
Definition: decode.h:418
output.h
Flow_::thread_id
FlowThreadId thread_id[2]
Definition: flow.h:392
SC_ATOMIC_OR
#define SC_ATOMIC_OR(name, val)
Bitwise OR a value to our atomic variable.
Definition: util-atomic.h:351