suricata
flow-hash.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2026 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Pablo Rincon Crespo <pablo.rincon.crespo@gmail.com>
23  *
24  * Flow Hashing functions.
25  */
26 
27 #include "suricata-common.h"
28 #include "threads.h"
29 
30 #include "decode.h"
31 #include "detect-engine-state.h"
32 
33 #include "flow.h"
34 #include "flow-hash.h"
35 #include "flow-util.h"
36 #include "flow-private.h"
37 #include "flow-manager.h"
38 #include "flow-storage.h"
39 #include "flow-timeout.h"
40 #include "flow-spare-pool.h"
41 #include "flow-callbacks.h"
42 #include "app-layer-parser.h"
43 
44 #include "util-time.h"
45 #include "util-debug.h"
46 #include "util-device-private.h"
47 
48 #include "util-hash-lookup3.h"
49 
50 #include "conf.h"
51 #include "output.h"
52 #include "output-flow.h"
53 #include "stream-tcp.h"
54 #include "util-exception-policy.h"
55 
57 
58 
59 FlowBucket *flow_hash;
60 SC_ATOMIC_EXTERN(unsigned int, flow_prune_idx);
61 SC_ATOMIC_EXTERN(unsigned int, flow_flags);
62 
63 static Flow *FlowGetUsedFlow(ThreadVars *tv, DecodeThreadVars *dtv, const SCTime_t ts);
64 
65 /** \brief compare two raw ipv6 addrs
66  *
67  * \note we don't care about the real ipv6 ip's, this is just
68  * to consistently fill the FlowHashKey6 struct, without all
69  * the SCNtohl calls.
70  *
71  * \warning do not use elsewhere unless you know what you're doing.
72  * detect-engine-address-ipv6.c's AddressIPv6GtU32 is likely
73  * what you are looking for.
74  */
75 static inline int FlowHashRawAddressIPv6GtU32(const uint32_t *a, const uint32_t *b)
76 {
77  for (uint8_t i = 0; i < 4; i++) {
78  if (a[i] > b[i])
79  return 1;
80  if (a[i] < b[i])
81  break;
82  }
83 
84  return 0;
85 }
86 
87 typedef struct FlowHashKey4_ {
88  union {
89  struct {
90  uint32_t addrs[2];
91  uint16_t ports[2];
92  uint8_t proto; /**< u8 so proto and recur and livedev add up to u32 */
93  uint8_t recur;
94  uint16_t livedev;
96  uint16_t pad[1];
97  };
98  const uint32_t u32[6];
99  };
101 
102 typedef struct FlowHashKey6_ {
103  union {
104  struct {
105  uint32_t src[4], dst[4];
106  uint16_t ports[2];
107  uint8_t proto; /**< u8 so proto and recur and livedev add up to u32 */
108  uint8_t recur;
109  uint16_t livedev;
111  uint16_t pad[1];
112  };
113  const uint32_t u32[12];
114  };
116 
117 static inline void FlowHashIp4Fill(FlowHashKey4 *fhk, const Packet *p)
118 {
119  fhk->proto = p->proto;
120  /* g_recurlvl_mask sets the recursion_level to 0 if
121  * decoder.recursion-level.use-for-tracking is disabled.
122  */
123  fhk->recur = (uint8_t)p->recursion_level & g_recurlvl_mask;
124  /* g_livedev_mask sets the livedev ids to 0 if livedev.use-for-tracking
125  * is disabled. */
126  uint16_t devid = p->livedev_id;
127  fhk->livedev = devid & g_livedev_mask;
128  /* g_vlan_mask sets the vlan_ids to 0 if vlan.use-for-tracking
129  * is disabled. */
130  fhk->vlan_id[0] = p->vlan_id[0] & g_vlan_mask;
131  fhk->vlan_id[1] = p->vlan_id[1] & g_vlan_mask;
132  fhk->vlan_id[2] = p->vlan_id[2] & g_vlan_mask;
133 }
134 
135 static inline void FlowHashIp6Fill(FlowHashKey6 *fhk, const Packet *p)
136 {
137  fhk->proto = p->proto;
138  fhk->recur = (uint8_t)p->recursion_level & g_recurlvl_mask;
139  uint16_t devid = p->livedev_id;
140  fhk->livedev = devid & g_livedev_mask;
141  fhk->vlan_id[0] = p->vlan_id[0] & g_vlan_mask;
142  fhk->vlan_id[1] = p->vlan_id[1] & g_vlan_mask;
143  fhk->vlan_id[2] = p->vlan_id[2] & g_vlan_mask;
144 }
145 
147 {
148  uint32_t hash = 0;
149  if (PacketIsIPv4(p)) {
150  FlowHashKey4 fhk = {
151  .pad[0] = 0,
152  };
153 
154  int ai = (p->src.addr_data32[0] > p->dst.addr_data32[0]);
155  fhk.addrs[1 - ai] = p->src.addr_data32[0];
156  fhk.addrs[ai] = p->dst.addr_data32[0];
157 
158  fhk.ports[0] = 0xfedc;
159  fhk.ports[1] = 0xba98;
160 
161  FlowHashIp4Fill(&fhk, p);
162 
163  hash = hashword(fhk.u32, ARRAY_SIZE(fhk.u32), flow_config.hash_rand);
164  } else if (PacketIsIPv6(p)) {
165  FlowHashKey6 fhk = {
166  .pad[0] = 0,
167  };
168  if (FlowHashRawAddressIPv6GtU32(p->src.addr_data32, p->dst.addr_data32)) {
169  fhk.src[0] = p->src.addr_data32[0];
170  fhk.src[1] = p->src.addr_data32[1];
171  fhk.src[2] = p->src.addr_data32[2];
172  fhk.src[3] = p->src.addr_data32[3];
173  fhk.dst[0] = p->dst.addr_data32[0];
174  fhk.dst[1] = p->dst.addr_data32[1];
175  fhk.dst[2] = p->dst.addr_data32[2];
176  fhk.dst[3] = p->dst.addr_data32[3];
177  } else {
178  fhk.src[0] = p->dst.addr_data32[0];
179  fhk.src[1] = p->dst.addr_data32[1];
180  fhk.src[2] = p->dst.addr_data32[2];
181  fhk.src[3] = p->dst.addr_data32[3];
182  fhk.dst[0] = p->src.addr_data32[0];
183  fhk.dst[1] = p->src.addr_data32[1];
184  fhk.dst[2] = p->src.addr_data32[2];
185  fhk.dst[3] = p->src.addr_data32[3];
186  }
187 
188  fhk.ports[0] = 0xfedc;
189  fhk.ports[1] = 0xba98;
190 
191  FlowHashIp6Fill(&fhk, p);
192 
193  hash = hashword(fhk.u32, ARRAY_SIZE(fhk.u32), flow_config.hash_rand);
194  }
195  return hash;
196 }
197 
198 /* calculate the hash key for this packet
199  *
200  * we're using:
201  * hash_rand -- set at init time
202  * source port
203  * destination port
204  * source address
205  * destination address
206  * recursion level -- for tunnels, make sure different tunnel layers can
207  * never get mixed up.
208  *
209  * For ICMP we only consider UNREACHABLE errors atm.
210  */
211 static inline uint32_t FlowGetHash(const Packet *p)
212 {
213  uint32_t hash = 0;
214 
215  if (PacketIsIPv4(p)) {
216  if (PacketIsTCP(p) || PacketIsUDP(p)) {
217  FlowHashKey4 fhk = { .pad[0] = 0 };
218 
219  int ai = (p->src.addr_data32[0] > p->dst.addr_data32[0]);
220  fhk.addrs[1-ai] = p->src.addr_data32[0];
221  fhk.addrs[ai] = p->dst.addr_data32[0];
222 
223  const int pi = (p->sp > p->dp);
224  fhk.ports[1-pi] = p->sp;
225  fhk.ports[pi] = p->dp;
226 
227  FlowHashIp4Fill(&fhk, p);
228 
229  hash = hashword(fhk.u32, ARRAY_SIZE(fhk.u32), flow_config.hash_rand);
230 
231  } else if (ICMPV4_DEST_UNREACH_IS_VALID(p)) {
232  uint32_t psrc = IPV4_GET_RAW_IPSRC_U32(PacketGetICMPv4EmbIPv4(p));
233  uint32_t pdst = IPV4_GET_RAW_IPDST_U32(PacketGetICMPv4EmbIPv4(p));
234  FlowHashKey4 fhk = { .pad[0] = 0 };
235 
236  const int ai = (psrc > pdst);
237  fhk.addrs[1-ai] = psrc;
238  fhk.addrs[ai] = pdst;
239 
240  const int pi = (p->l4.vars.icmpv4.emb_sport > p->l4.vars.icmpv4.emb_dport);
241  fhk.ports[1 - pi] = p->l4.vars.icmpv4.emb_sport;
242  fhk.ports[pi] = p->l4.vars.icmpv4.emb_dport;
243 
244  FlowHashIp4Fill(&fhk, p);
246 
247  hash = hashword(fhk.u32, ARRAY_SIZE(fhk.u32), flow_config.hash_rand);
248 
249  } else {
250  FlowHashKey4 fhk = { .pad[0] = 0 };
251  const int ai = (p->src.addr_data32[0] > p->dst.addr_data32[0]);
252  fhk.addrs[1-ai] = p->src.addr_data32[0];
253  fhk.addrs[ai] = p->dst.addr_data32[0];
254  fhk.ports[0] = 0xfeed;
255  fhk.ports[1] = 0xbeef;
256  FlowHashIp4Fill(&fhk, p);
257 
258  hash = hashword(fhk.u32, ARRAY_SIZE(fhk.u32), flow_config.hash_rand);
259  }
260  } else if (PacketIsIPv6(p)) {
261  FlowHashKey6 fhk = { .pad[0] = 0 };
262  if (FlowHashRawAddressIPv6GtU32(p->src.addr_data32, p->dst.addr_data32)) {
263  fhk.src[0] = p->src.addr_data32[0];
264  fhk.src[1] = p->src.addr_data32[1];
265  fhk.src[2] = p->src.addr_data32[2];
266  fhk.src[3] = p->src.addr_data32[3];
267  fhk.dst[0] = p->dst.addr_data32[0];
268  fhk.dst[1] = p->dst.addr_data32[1];
269  fhk.dst[2] = p->dst.addr_data32[2];
270  fhk.dst[3] = p->dst.addr_data32[3];
271  } else {
272  fhk.src[0] = p->dst.addr_data32[0];
273  fhk.src[1] = p->dst.addr_data32[1];
274  fhk.src[2] = p->dst.addr_data32[2];
275  fhk.src[3] = p->dst.addr_data32[3];
276  fhk.dst[0] = p->src.addr_data32[0];
277  fhk.dst[1] = p->src.addr_data32[1];
278  fhk.dst[2] = p->src.addr_data32[2];
279  fhk.dst[3] = p->src.addr_data32[3];
280  }
281 
282  const int pi = (p->sp > p->dp);
283  fhk.ports[1-pi] = p->sp;
284  fhk.ports[pi] = p->dp;
285  FlowHashIp6Fill(&fhk, p);
286 
287  hash = hashword(fhk.u32, ARRAY_SIZE(fhk.u32), flow_config.hash_rand);
288  }
289 
290  return hash;
291 }
292 
293 /**
294  * Basic hashing function for FlowKey
295  *
296  * \note Function only used for bypass and TCP or UDP flows
297  *
298  * \note this is only used at start to create Flow from pinned maps
299  * so fairness is not an issue
300  */
301 uint32_t FlowKeyGetHash(FlowKey *fk)
302 {
303  uint32_t hash = 0;
304 
305  if (fk->src.family == AF_INET) {
306  FlowHashKey4 fhk = {
307  .pad[0] = 0,
308  };
309  int ai = (fk->src.address.address_un_data32[0] > fk->dst.address.address_un_data32[0]);
310  fhk.addrs[1-ai] = fk->src.address.address_un_data32[0];
311  fhk.addrs[ai] = fk->dst.address.address_un_data32[0];
312 
313  const int pi = (fk->sp > fk->dp);
314  fhk.ports[1-pi] = fk->sp;
315  fhk.ports[pi] = fk->dp;
316 
317  fhk.proto = fk->proto;
319  fhk.livedev = fk->livedev_id & g_livedev_mask;
320  fhk.vlan_id[0] = fk->vlan_id[0] & g_vlan_mask;
321  fhk.vlan_id[1] = fk->vlan_id[1] & g_vlan_mask;
322  fhk.vlan_id[2] = fk->vlan_id[2] & g_vlan_mask;
323 
324  hash = hashword(fhk.u32, ARRAY_SIZE(fhk.u32), flow_config.hash_rand);
325  } else {
326  FlowHashKey6 fhk = {
327  .pad[0] = 0,
328  };
329  if (FlowHashRawAddressIPv6GtU32(fk->src.address.address_un_data32,
331  fhk.src[0] = fk->src.address.address_un_data32[0];
332  fhk.src[1] = fk->src.address.address_un_data32[1];
333  fhk.src[2] = fk->src.address.address_un_data32[2];
334  fhk.src[3] = fk->src.address.address_un_data32[3];
335  fhk.dst[0] = fk->dst.address.address_un_data32[0];
336  fhk.dst[1] = fk->dst.address.address_un_data32[1];
337  fhk.dst[2] = fk->dst.address.address_un_data32[2];
338  fhk.dst[3] = fk->dst.address.address_un_data32[3];
339  } else {
340  fhk.src[0] = fk->dst.address.address_un_data32[0];
341  fhk.src[1] = fk->dst.address.address_un_data32[1];
342  fhk.src[2] = fk->dst.address.address_un_data32[2];
343  fhk.src[3] = fk->dst.address.address_un_data32[3];
344  fhk.dst[0] = fk->src.address.address_un_data32[0];
345  fhk.dst[1] = fk->src.address.address_un_data32[1];
346  fhk.dst[2] = fk->src.address.address_un_data32[2];
347  fhk.dst[3] = fk->src.address.address_un_data32[3];
348  }
349 
350  const int pi = (fk->sp > fk->dp);
351  fhk.ports[1-pi] = fk->sp;
352  fhk.ports[pi] = fk->dp;
353  fhk.proto = fk->proto;
355  fhk.livedev = fk->livedev_id & g_livedev_mask;
356  fhk.vlan_id[0] = fk->vlan_id[0] & g_vlan_mask;
357  fhk.vlan_id[1] = fk->vlan_id[1] & g_vlan_mask;
358  fhk.vlan_id[2] = fk->vlan_id[2] & g_vlan_mask;
359 
360  hash = hashword(fhk.u32, ARRAY_SIZE(fhk.u32), flow_config.hash_rand);
361  }
362  return hash;
363 }
364 
365 static inline bool CmpAddrs(const uint32_t addr1[4], const uint32_t addr2[4])
366 {
367  return addr1[0] == addr2[0] && addr1[1] == addr2[1] &&
368  addr1[2] == addr2[2] && addr1[3] == addr2[3];
369 }
370 
371 static inline bool CmpAddrsAndPorts(const uint32_t src1[4],
372  const uint32_t dst1[4], Port src_port1, Port dst_port1,
373  const uint32_t src2[4], const uint32_t dst2[4], Port src_port2,
374  Port dst_port2)
375 {
376  /* Compare the source and destination addresses. If they are not equal,
377  * compare the first source address with the second destination address,
378  * and vice versa. Likewise for ports. */
379  return (CmpAddrs(src1, src2) && CmpAddrs(dst1, dst2) &&
380  src_port1 == src_port2 && dst_port1 == dst_port2) ||
381  (CmpAddrs(src1, dst2) && CmpAddrs(dst1, src2) &&
382  src_port1 == dst_port2 && dst_port1 == src_port2);
383 }
384 
385 static inline bool CmpVlanIds(
386  const uint16_t vlan_id1[VLAN_MAX_LAYERS], const uint16_t vlan_id2[VLAN_MAX_LAYERS])
387 {
388  return ((vlan_id1[0] ^ vlan_id2[0]) & g_vlan_mask) == 0 &&
389  ((vlan_id1[1] ^ vlan_id2[1]) & g_vlan_mask) == 0 &&
390  ((vlan_id1[2] ^ vlan_id2[2]) & g_vlan_mask) == 0;
391 }
392 
393 static inline bool CmpLiveDevIds(const uint16_t id1, const uint16_t id2)
394 {
395  return (((id1 ^ id2) & g_livedev_mask) == 0);
396 }
397 
398 #define CmpFlowMisc(x, y) \
399  (((x)->proto == (y)->proto) && \
400  ((x)->recursion_level == (y)->recursion_level || g_recurlvl_mask == 0) && \
401  CmpVlanIds((x)->vlan_id, (y)->vlan_id))
402 
403 /* Since two or more flows can have the same hash key, we need to compare
404  * the flow with the current packet or flow key. */
405 static inline bool CmpFlowPacket(const Flow *f, const Packet *p)
406 {
407  const uint32_t *f_src = f->src.address.address_un_data32;
408  const uint32_t *f_dst = f->dst.address.address_un_data32;
409  const uint32_t *p_src = p->src.address.address_un_data32;
410  const uint32_t *p_dst = p->dst.address.address_un_data32;
411  return CmpAddrsAndPorts(f_src, f_dst, f->sp, f->dp, p_src, p_dst, p->sp, p->dp) &&
412  CmpFlowMisc(f, p) && (PacketIsIPv4(p) == FLOW_IS_IPV4(f)) &&
413  CmpLiveDevIds(p->livedev_id, f->livedev_id);
414 }
415 
416 static inline bool CmpFlowKey(const Flow *f, const FlowKey *k)
417 {
418  const uint32_t *f_src = f->src.address.address_un_data32;
419  const uint32_t *f_dst = f->dst.address.address_un_data32;
420  const uint32_t *k_src = k->src.address.address_un_data32;
421  const uint32_t *k_dst = k->dst.address.address_un_data32;
422  return CmpAddrsAndPorts(f_src, f_dst, f->sp, f->dp, k_src, k_dst, k->sp, k->dp) &&
423  CmpFlowMisc(f, k) && ((k->src.family == AF_INET) == FLOW_IS_IPV4(f)) &&
424  CmpLiveDevIds(f->livedev_id, k->livedev_id);
425 }
426 
427 static inline bool CmpAddrsAndICMPTypes(const uint32_t src1[4],
428  const uint32_t dst1[4], uint8_t icmp_s_type1, uint8_t icmp_d_type1,
429  const uint32_t src2[4], const uint32_t dst2[4], uint8_t icmp_s_type2,
430  uint8_t icmp_d_type2)
431 {
432  /* Compare the source and destination addresses. If they are not equal,
433  * compare the first source address with the second destination address,
434  * and vice versa. Likewise for icmp types. */
435  return (CmpAddrs(src1, src2) && CmpAddrs(dst1, dst2) &&
436  icmp_s_type1 == icmp_s_type2 && icmp_d_type1 == icmp_d_type2) ||
437  (CmpAddrs(src1, dst2) && CmpAddrs(dst1, src2) &&
438  icmp_s_type1 == icmp_d_type2 && icmp_d_type1 == icmp_s_type2);
439 }
440 
441 static inline bool CmpFlowICMPPacket(const Flow *f, const Packet *p)
442 {
443  const uint32_t *f_src = f->src.address.address_un_data32;
444  const uint32_t *f_dst = f->dst.address.address_un_data32;
445  const uint32_t *p_src = p->src.address.address_un_data32;
446  const uint32_t *p_dst = p->dst.address.address_un_data32;
447  return CmpAddrsAndICMPTypes(f_src, f_dst, f->icmp_s.type, f->icmp_d.type, p_src, p_dst,
448  p->icmp_s.type, p->icmp_d.type) &&
449  CmpFlowMisc(f, p) && CmpLiveDevIds(p->livedev_id, f->livedev_id);
450 }
451 
452 /**
453  * \brief See if a ICMP packet belongs to a flow by comparing the embedded
454  * packet in the ICMP error packet to the flow.
455  *
456  * \param f flow
457  * \param p ICMP packet
458  *
459  * \retval 1 match
460  * \retval 0 no match
461  */
462 static inline int FlowCompareICMPv4(Flow *f, const Packet *p)
463 {
465  /* first check the direction of the flow, in other words, the client ->
466  * server direction as it's most likely the ICMP error will be a
467  * response to the clients traffic */
468  if ((f->src.addr_data32[0] == IPV4_GET_RAW_IPSRC_U32(PacketGetICMPv4EmbIPv4(p))) &&
469  (f->dst.addr_data32[0] == IPV4_GET_RAW_IPDST_U32(PacketGetICMPv4EmbIPv4(p))) &&
470  f->sp == p->l4.vars.icmpv4.emb_sport && f->dp == p->l4.vars.icmpv4.emb_dport &&
471  f->proto == ICMPV4_GET_EMB_PROTO(p) && (PacketIsIPv4(p) == FLOW_IS_IPV4(f)) &&
473  CmpVlanIds(f->vlan_id, p->vlan_id) && CmpLiveDevIds(p->livedev_id, f->livedev_id)) {
474  return 1;
475 
476  /* check the less likely case where the ICMP error was a response to
477  * a packet from the server. */
478  } else if ((f->dst.addr_data32[0] == IPV4_GET_RAW_IPSRC_U32(PacketGetICMPv4EmbIPv4(p))) &&
479  (f->src.addr_data32[0] == IPV4_GET_RAW_IPDST_U32(PacketGetICMPv4EmbIPv4(p))) &&
480  f->dp == p->l4.vars.icmpv4.emb_sport && f->sp == p->l4.vars.icmpv4.emb_dport &&
481  f->proto == ICMPV4_GET_EMB_PROTO(p) && (PacketIsIPv4(p) == FLOW_IS_IPV4(f)) &&
483  CmpVlanIds(f->vlan_id, p->vlan_id) &&
484  CmpLiveDevIds(p->livedev_id, f->livedev_id)) {
485  return 1;
486  }
487 
488  /* no match, fall through */
489  } else {
490  /* just treat ICMP as a normal proto for now */
491  return CmpFlowICMPPacket(f, p);
492  }
493 
494  return 0;
495 }
496 
497 /**
498  * \brief See if a IP-ESP packet belongs to a flow by comparing the SPI
499  *
500  * \param f flow
501  * \param p ESP packet
502  *
503  * \retval 1 match
504  * \retval 0 no match
505  */
506 static inline int FlowCompareESP(Flow *f, const Packet *p)
507 {
508  const uint32_t *f_src = f->src.address.address_un_data32;
509  const uint32_t *f_dst = f->dst.address.address_un_data32;
510  const uint32_t *p_src = p->src.address.address_un_data32;
511  const uint32_t *p_dst = p->dst.address.address_un_data32;
512 
513  return CmpAddrs(f_src, p_src) && CmpAddrs(f_dst, p_dst) && CmpFlowMisc(f, p) &&
514  (PacketIsIPv4(p) == FLOW_IS_IPV4(f)) && f->esp.spi == ESP_GET_SPI(PacketGetESP(p)) &&
515  CmpLiveDevIds(p->livedev_id, f->livedev_id);
516 }
517 
519 {
520  p->flags |= PKT_WANTS_FLOW;
521  p->flow_hash = FlowGetHash(p);
522 }
523 
524 static inline int FlowCompare(Flow *f, const Packet *p)
525 {
526  if (p->proto == IPPROTO_ICMP) {
527  return FlowCompareICMPv4(f, p);
528  } else if (PacketIsESP(p)) {
529  return FlowCompareESP(f, p);
530  }
531  return CmpFlowPacket(f, p);
532 }
533 
534 /**
535  * \brief Check if we should create a flow based on a packet
536  *
537  * We use this check to filter out flow creation based on:
538  * - ICMP error messages
539  * - TCP flags (emergency mode only)
540  *
541  * \param p packet
542  * \retval true
543  * \retval false
544  */
545 static inline bool FlowCreateCheck(const Packet *p, const bool emerg)
546 {
547  /* if we're in emergency mode, don't try to create a flow for a TCP
548  * that is not a TCP SYN packet. */
549  if (emerg) {
550  if (PacketIsTCP(p)) {
551  const TCPHdr *tcph = PacketGetTCP(p);
552  if (((tcph->th_flags & (TH_SYN | TH_ACK | TH_RST | TH_FIN)) == TH_SYN) ||
554  ;
555  } else {
556  return false;
557  }
558  }
559  }
560 
561  if (PacketIsICMPv4(p)) {
562  if (ICMPV4_IS_ERROR_MSG(p->icmp_s.type)) {
563  return false;
564  }
565  }
566 
567  return true;
568 }
569 
570 static inline void FlowUpdateCounter(ThreadVars *tv, DecodeThreadVars *dtv,
571  uint8_t proto)
572 {
573 #ifdef UNITTESTS
574  if (tv && dtv) {
575 #endif
578  switch (proto){
579  case IPPROTO_UDP:
581  break;
582  case IPPROTO_TCP:
584  break;
585  case IPPROTO_ICMP:
587  break;
588  case IPPROTO_ICMPV6:
590  break;
591  }
592 #ifdef UNITTESTS
593  }
594 #endif
595 }
596 
597 /** \internal
598  * \brief try to fetch a new set of flows from the master flow pool.
599  *
600  * If in emergency mode, do this only once a second at max to avoid trying
601  * to synchronise per packet in the worse case. */
602 static inline Flow *FlowSpareSync(ThreadVars *tv, FlowLookupStruct *fls,
603  const Packet *p, const bool emerg)
604 {
605  Flow *f = NULL;
606  bool spare_sync = false;
607  if (emerg) {
608  if ((uint32_t)SCTIME_SECS(p->ts) > fls->emerg_spare_sync_stamp) {
609  fls->spare_queue = FlowSpareGetFromPool(); /* local empty, (re)populate and try again */
610  spare_sync = true;
612  if (f == NULL) {
613  /* wait till next full sec before retrying */
614  fls->emerg_spare_sync_stamp = (uint32_t)SCTIME_SECS(p->ts);
615  }
616  }
617  } else {
618  fls->spare_queue = FlowSpareGetFromPool(); /* local empty, (re)populate and try again */
620  spare_sync = true;
621  }
622 #ifdef UNITTESTS
623  if (tv && fls->dtv) {
624 #endif
625  if (spare_sync) {
626  if (f != NULL) {
628  fls->spare_queue.len + 1);
629  if (fls->spare_queue.len < 99) {
630  /* When a new flow pool is fetched it has 100 flows in sync,
631  * so there should be 99 left if we're in full sync.
632  * If len is below 99, means the spare sync is incomplete */
633  /* Track these instances */
635  }
636  } else if (fls->spare_queue.len == 0) {
638  }
640  }
641 #ifdef UNITTESTS
642  }
643 #endif
644  return f;
645 }
646 
647 static void FlowExceptionPolicyStatsIncr(
648  ThreadVars *tv, FlowLookupStruct *fls, enum ExceptionPolicy policy)
649 {
650 #ifdef UNITTESTS
651  if (tv == NULL || fls->dtv == NULL) {
652  return;
653  }
654 #endif
656  if (likely(id.id > 0)) {
657  StatsCounterIncr(&tv->stats, id);
658  }
659 }
660 
661 static inline void NoFlowHandleIPS(ThreadVars *tv, FlowLookupStruct *fls, Packet *p)
662 {
664  FlowExceptionPolicyStatsIncr(tv, fls, flow_config.memcap_policy);
665 }
666 
667 /**
668  * \brief Get a new flow
669  *
670  * Get a new flow. We're checking memcap first and will try to make room
671  * if the memcap is reached.
672  *
673  * \param tv thread vars
674  * \param fls lookup support vars
675  *
676  * \retval f *LOCKED* flow on success, NULL on error or if we should not create
677  * a new flow.
678  */
679 static Flow *FlowGetNew(ThreadVars *tv, FlowLookupStruct *fls, Packet *p)
680 {
681  const bool emerg = ((SC_ATOMIC_GET(flow_flags) & FLOW_EMERGENCY) != 0);
682 #ifdef QA_SIMULATION
683  if (g_eps_flow_memcap != UINT64_MAX && g_eps_flow_memcap == PcapPacketCntGet(p)) {
684  NoFlowHandleIPS(tv, fls, p);
686  return NULL;
687  }
688 #endif
689  if (!FlowCreateCheck(p, emerg)) {
690  return NULL;
691  }
692 
693  /* get a flow from the spare queue */
695  if (f == NULL) {
696  f = FlowSpareSync(tv, fls, p, emerg);
697  }
698  if (f == NULL) {
699  /* If we reached the max memcap, we get a used flow */
700  if (!(FLOW_CHECK_MEMCAP(sizeof(Flow) + SCFlowStorageSize()))) {
701  /* declare state of emergency */
702  if (!(SC_ATOMIC_GET(flow_flags) & FLOW_EMERGENCY)) {
703  SC_ATOMIC_OR(flow_flags, FLOW_EMERGENCY);
706  }
707 
708  f = FlowGetUsedFlow(tv, fls->dtv, p->ts);
709  if (f == NULL) {
710  NoFlowHandleIPS(tv, fls, p);
711 #ifdef UNITTESTS
712  if (tv != NULL && fls->dtv != NULL) {
713 #endif
715 #ifdef UNITTESTS
716  }
717 #endif
718  return NULL;
719  }
720 #ifdef UNITTESTS
721  if (tv != NULL && fls->dtv != NULL) {
722 #endif
724 #ifdef UNITTESTS
725  }
726 #endif
727  /* flow is still locked from FlowGetUsedFlow() */
728  FlowUpdateCounter(tv, fls->dtv, p->proto);
729  return f;
730  }
731 
732  /* now see if we can alloc a new flow */
733  f = FlowAlloc();
734  if (f == NULL) {
735 #ifdef UNITTESTS
736  if (tv != NULL && fls->dtv != NULL) {
737 #endif
739 #ifdef UNITTESTS
740  }
741 #endif
742  NoFlowHandleIPS(tv, fls, p);
743  return NULL;
744  }
745 
746  /* flow is initialized but *unlocked* */
747  } else {
748  /* flow has been recycled before it went into the spare queue */
749 
750  /* flow is initialized (recycled) but *unlocked* */
751  }
752 
753  FLOWLOCK_WRLOCK(f);
754  FlowUpdateCounter(tv, fls->dtv, p->proto);
755  return f;
756 }
757 
758 static Flow *TcpReuseReplace(ThreadVars *tv, FlowLookupStruct *fls, FlowBucket *fb, Flow *old_f,
759  const uint32_t hash, Packet *p)
760 {
761 #ifdef UNITTESTS
762  if (tv != NULL && fls->dtv != NULL) {
763 #endif
765 #ifdef UNITTESTS
766  }
767 #endif
768  /* get some settings that we move over to the new flow */
769  FlowThreadId thread_id[2] = { old_f->thread_id[0], old_f->thread_id[1] };
771 
772  /* flow is unlocked by caller */
773 
774  /* Get a new flow. It will be either a locked flow or NULL */
775  Flow *f = FlowGetNew(tv, fls, p);
776  if (f == NULL) {
777  return NULL;
778  }
779 
780  /* put at the start of the list */
781  f->next = fb->head;
782  fb->head = f;
783 
784  /* initialize and return */
785  FlowInit(tv, f, p);
786  f->flow_hash = hash;
787  f->fb = fb;
789 
790  f->thread_id[0] = thread_id[0];
791  f->thread_id[1] = thread_id[1];
792 
794  return f;
795 }
796 
797 static inline bool FlowBelongsToUs(const ThreadVars *tv, const Flow *f)
798 {
799 #ifdef UNITTESTS
800  if (RunmodeIsUnittests()) {
801  return true;
802  }
803 #endif
804  return f->thread_id[0] == tv->id;
805 }
806 
807 static inline void MoveToWorkQueue(ThreadVars *tv, FlowLookupStruct *fls,
808  FlowBucket *fb, Flow *f, Flow *prev_f)
809 {
811 
812  /* remove from hash... */
813  if (prev_f) {
814  prev_f->next = f->next;
815  }
816  if (f == fb->head) {
817  fb->head = f->next;
818  }
819 
820  if (f->proto != IPPROTO_TCP || FlowBelongsToUs(tv, f)) { // TODO thread_id[] direction
821  f->fb = NULL;
822  f->next = NULL;
824  } else {
825  /* implied: TCP but our thread does not own it. So set it
826  * aside for the Flow Manager to pick it up. */
827  f->next = fb->evicted;
828  fb->evicted = f;
829  if (SC_ATOMIC_GET(f->fb->next_ts) != 0) {
830  SC_ATOMIC_SET(f->fb->next_ts, 0);
831  }
832  }
833 }
834 
835 static inline bool FlowIsTimedOut(
836  const FlowThreadId ftid, const Flow *f, const SCTime_t pktts, const bool emerg)
837 {
838  SCTime_t timesout_at;
839  if (emerg) {
841  timesout_at = SCTIME_ADD_SECS(f->lastts,
842  FlowGetFlowTimeoutDirect(flow_timeouts_emerg, f->flow_state, f->protomap));
843  } else {
844  timesout_at = SCTIME_ADD_SECS(f->lastts, f->timeout_policy);
845  }
846  /* if time is live, we just use the pktts */
847  if (TimeModeIsLive() || ftid == f->thread_id[0] || f->thread_id[0] == 0) {
848  if (SCTIME_CMP_LT(pktts, timesout_at)) {
849  return false;
850  }
851  } else {
852  SCTime_t checkts = TmThreadsGetThreadTime(f->thread_id[0]);
853  /* do the timeout check */
854  if (SCTIME_CMP_LT(checkts, timesout_at)) {
855  return false;
856  }
857  }
858  return true;
859 }
860 
861 static inline uint16_t GetTvId(const ThreadVars *tv)
862 {
863  uint16_t tv_id;
864 #ifdef UNITTESTS
865  if (RunmodeIsUnittests()) {
866  tv_id = 0;
867  } else {
868  tv_id = (uint16_t)tv->id;
869  }
870 #else
871  tv_id = (uint16_t)tv->id;
872 #endif
873  return tv_id;
874 }
875 
876 /** \brief Get Flow for packet
877  *
878  * Hash retrieval function for flows. Looks up the hash bucket containing the
879  * flow pointer. Then compares the packet with the found flow to see if it is
880  * the flow we need. If it isn't, walk the list until the right flow is found.
881  *
882  * If the flow is not found or the bucket was empty, a new flow is taken from
883  * the spare pool. The pool will alloc new flows as long as we stay within our
884  * memcap limit.
885  *
886  * The p->flow pointer is updated to point to the flow.
887  *
888  * \param tv thread vars
889  * \param dtv decode thread vars (for flow log api thread data)
890  *
891  * \retval f *LOCKED* flow or NULL
892  */
894 {
895  Flow *f = NULL;
896 
897  /* get our hash bucket and lock it */
898  const uint32_t hash = p->flow_hash;
899  FlowBucket *fb = &flow_hash[hash % flow_config.hash_size];
900  FBLOCK_LOCK(fb);
901 
902  SCLogDebug("fb %p fb->head %p", fb, fb->head);
903 
904  /* see if the bucket already has a flow */
905  if (fb->head == NULL) {
906  f = FlowGetNew(tv, fls, p);
907  if (f == NULL) {
908  FBLOCK_UNLOCK(fb);
909  return NULL;
910  }
911 
912  /* flow is locked */
913  fb->head = f;
914 
915  /* got one, now lock, initialize and return */
916  FlowInit(tv, f, p);
917  f->flow_hash = hash;
918  f->fb = fb;
920 
921  FlowReference(dest, f);
922 
923  FBLOCK_UNLOCK(fb);
924  return f;
925  }
926 
927  const uint16_t tv_id = GetTvId(tv);
928  const bool emerg = (SC_ATOMIC_GET(flow_flags) & FLOW_EMERGENCY) != 0;
929  const uint32_t fb_nextts = !emerg ? SC_ATOMIC_GET(fb->next_ts) : 0;
930  const bool timeout_check = (fb_nextts <= (uint32_t)SCTIME_SECS(p->ts));
931  /* ok, we have a flow in the bucket. Let's find out if it is our flow */
932  Flow *prev_f = NULL; /* previous flow */
933  f = fb->head;
934  do {
935  Flow *next_f = NULL;
936  const bool our_flow = FlowCompare(f, p) != 0;
937  if (our_flow || timeout_check) {
938  FLOWLOCK_WRLOCK(f);
939  const bool timedout = (timeout_check && FlowIsTimedOut(tv_id, f, p->ts, emerg));
940  if (timedout) {
941  next_f = f->next;
942  MoveToWorkQueue(tv, fls, fb, f, prev_f);
943  FLOWLOCK_UNLOCK(f);
944  goto flow_removed;
945  } else if (our_flow) {
946  /* found a matching flow that is not timed out */
948  Flow *new_f = TcpReuseReplace(tv, fls, fb, f, hash, p);
949  if (prev_f == NULL) /* if we have no prev it means new_f is now our prev */
950  prev_f = new_f;
951  MoveToWorkQueue(tv, fls, fb, f, prev_f); /* evict old flow */
952  FLOWLOCK_UNLOCK(f); /* unlock old replaced flow */
953 
954  if (new_f == NULL) {
955  FBLOCK_UNLOCK(fb);
956  return NULL;
957  }
958  f = new_f;
959  }
960  FlowReference(dest, f);
961  FBLOCK_UNLOCK(fb);
962  return f; /* return w/o releasing flow lock */
963  } else {
964  FLOWLOCK_UNLOCK(f);
965  }
966  }
967  /* unless we removed 'f', prev_f needs to point to
968  * current 'f' when adding a new flow below. */
969  prev_f = f;
970  next_f = f->next;
971 
972 flow_removed:
973  if (next_f == NULL) {
974  f = FlowGetNew(tv, fls, p);
975  if (f == NULL) {
976  FBLOCK_UNLOCK(fb);
977  return NULL;
978  }
979 
980  /* flow is locked */
981 
982  f->next = fb->head;
983  fb->head = f;
984 
985  /* initialize and return */
986  FlowInit(tv, f, p);
987  f->flow_hash = hash;
988  f->fb = fb;
990  FlowReference(dest, f);
991  FBLOCK_UNLOCK(fb);
992  return f;
993  }
994  f = next_f;
995  } while (f != NULL);
996 
997  /* should be unreachable */
998  BUG_ON(1);
999  return NULL;
1000 }
1001 
1002 /** \internal
1003  * \retval true if flow matches key
1004  * \retval false if flow does not match key, or unsupported protocol
1005  * \note only supports TCP & UDP
1006  */
1007 static inline bool FlowCompareKey(Flow *f, FlowKey *key)
1008 {
1009  if ((f->proto != IPPROTO_TCP) && (f->proto != IPPROTO_UDP))
1010  return false;
1011  return CmpFlowKey(f, key);
1012 }
1013 
1014 /** \brief Look for existing Flow using a flow id value
1015  *
1016  * Hash retrieval function for flows. Looks up the hash bucket containing the
1017  * flow pointer. Then compares the flow_id with the found flow's flow_id to see
1018  * if it is the flow we need.
1019  *
1020  * \param flow_id Flow ID of the flow to look for
1021  * \retval f *LOCKED* flow or NULL
1022  */
1024 {
1025  uint32_t hash = flow_id & 0x0000FFFF;
1026  FlowBucket *fb = &flow_hash[hash % flow_config.hash_size];
1027  FBLOCK_LOCK(fb);
1028  SCLogDebug("fb %p fb->head %p", fb, fb->head);
1029 
1030  for (Flow *f = fb->head; f != NULL; f = f->next) {
1031  if (FlowGetId(f) == flow_id) {
1032  /* found our flow, lock & return */
1033  FLOWLOCK_WRLOCK(f);
1034  FBLOCK_UNLOCK(fb);
1035  return f;
1036  }
1037  }
1038  FBLOCK_UNLOCK(fb);
1039  return NULL;
1040 }
1041 
1042 /** \brief Look for existing Flow using a FlowKey
1043  *
1044  * Hash retrieval function for flows. Looks up the hash bucket containing the
1045  * flow pointer. Then compares the key with the found flow to see if it is
1046  * the flow we need. If it isn't, walk the list until the right flow is found.
1047  *
1048  * \param key Pointer to FlowKey build using flow to look for
1049  * \param hash Value of the flow hash
1050  * \retval f *LOCKED* flow or NULL
1051  */
1052 static Flow *FlowGetExistingFlowFromHash(FlowKey *key, const uint32_t hash)
1053 {
1054  /* get our hash bucket and lock it */
1055  FlowBucket *fb = &flow_hash[hash % flow_config.hash_size];
1056  FBLOCK_LOCK(fb);
1057  SCLogDebug("fb %p fb->head %p", fb, fb->head);
1058 
1059  for (Flow *f = fb->head; f != NULL; f = f->next) {
1060  /* see if this is the flow we are looking for */
1061  if (FlowCompareKey(f, key)) {
1062  /* found our flow, lock & return */
1063  FLOWLOCK_WRLOCK(f);
1064  FBLOCK_UNLOCK(fb);
1065  return f;
1066  }
1067  }
1068 
1069  FBLOCK_UNLOCK(fb);
1070  return NULL;
1071 }
1072 
1073 /** \brief Get or create a Flow using a FlowKey
1074  *
1075  * Hash retrieval function for flows. Looks up the hash bucket containing the
1076  * flow pointer. Then compares the packet with the found flow to see if it is
1077  * the flow we need. If it isn't, walk the list until the right flow is found.
1078  * Return a new Flow if ever no Flow was found.
1079  *
1080  *
1081  * \param key Pointer to FlowKey build using flow to look for
1082  * \param ttime time to use for flow creation
1083  * \param hash Value of the flow hash
1084  * \retval f *LOCKED* flow or NULL
1085  */
1086 
1087 Flow *FlowGetFromFlowKey(FlowKey *key, struct timespec *ttime, const uint32_t hash)
1088 {
1089  Flow *f = FlowGetExistingFlowFromHash(key, hash);
1090 
1091  if (f != NULL) {
1092  return f;
1093  }
1094  /* TODO use spare pool */
1095  /* now see if we can alloc a new flow */
1096  f = FlowAlloc();
1097  if (f == NULL) {
1098  SCLogDebug("Can't get a spare flow at start");
1099  return NULL;
1100  }
1101  f->proto = key->proto;
1102  memcpy(&f->vlan_id[0], &key->vlan_id[0], sizeof(f->vlan_id));
1103  ;
1104  f->src.addr_data32[0] = key->src.addr_data32[0];
1105  f->src.addr_data32[1] = key->src.addr_data32[1];
1106  f->src.addr_data32[2] = key->src.addr_data32[2];
1107  f->src.addr_data32[3] = key->src.addr_data32[3];
1108  f->dst.addr_data32[0] = key->dst.addr_data32[0];
1109  f->dst.addr_data32[1] = key->dst.addr_data32[1];
1110  f->dst.addr_data32[2] = key->dst.addr_data32[2];
1111  f->dst.addr_data32[3] = key->dst.addr_data32[3];
1112  f->sp = key->sp;
1113  f->dp = key->dp;
1114  f->recursion_level = 0;
1115  // f->livedev is set by caller EBPFCreateFlowForKey
1116  f->flow_hash = hash;
1117  if (key->src.family == AF_INET) {
1118  f->flags |= FLOW_IPV4;
1119  } else if (key->src.family == AF_INET6) {
1120  f->flags |= FLOW_IPV6;
1121  }
1122 
1124  /* set timestamp to now */
1125  f->startts = SCTIME_FROM_TIMESPEC(ttime);
1126  f->lastts = f->startts;
1127 
1128  FlowBucket *fb = &flow_hash[hash % flow_config.hash_size];
1129  FBLOCK_LOCK(fb);
1130  f->fb = fb;
1131  f->next = fb->head;
1132  fb->head = f;
1133  FLOWLOCK_WRLOCK(f);
1134  FBLOCK_UNLOCK(fb);
1135  return f;
1136 }
1137 
1138 #define FLOW_GET_NEW_TRIES 5
1140 /* inline locking wrappers to make profiling easier */
1141 
1142 static inline int GetUsedTryLockBucket(FlowBucket *fb)
1143 {
1144  int r = FBLOCK_TRYLOCK(fb);
1145  return r;
1146 }
1147 static inline int GetUsedTryLockFlow(Flow *f)
1148 {
1149  int r = FLOWLOCK_TRYWRLOCK(f);
1150  return r;
1151 }
1152 static inline uint32_t GetUsedAtomicUpdate(const uint32_t val)
1153 {
1154  uint32_t r = SC_ATOMIC_ADD(flow_prune_idx, val);
1155  return r;
1156 }
1157 
1158 /** \internal
1159  * \brief check if flow has just seen an update.
1160  */
1161 static inline bool StillAlive(const Flow *f, const SCTime_t ts)
1162 {
1163  switch (f->flow_state) {
1164  case FLOW_STATE_NEW:
1165  if (SCTIME_SECS(ts) - SCTIME_SECS(f->lastts) <= 1) {
1166  return true;
1167  }
1168  break;
1170  if (SCTIME_SECS(ts) - SCTIME_SECS(f->lastts) <= 5) {
1171  return true;
1172  }
1173  break;
1174  case FLOW_STATE_CLOSED:
1175  if (SCTIME_SECS(ts) - SCTIME_SECS(f->lastts) <= 3) {
1176  return true;
1177  }
1178  break;
1179  default:
1180  if (SCTIME_SECS(ts) - SCTIME_SECS(f->lastts) < 30) {
1181  return true;
1182  }
1183  break;
1184  }
1185  return false;
1186 }
1187 
1188 #ifdef UNITTESTS
1189 #define STATSADDUI64(cnt, value) \
1190  if (tv && dtv) { \
1191  StatsCounterAddI64(&tv->stats, dtv->cnt, (value)); \
1192  }
1193 #else
1194 #define STATSADDUI64(cnt, value) StatsCounterAddI64(&tv->stats, dtv->cnt, (value));
1195 #endif
1196 
1197 /** \internal
1198  * \brief Get a flow from the hash directly.
1199  *
1200  * Called in conditions where the spare queue is empty and memcap is reached.
1201  *
1202  * Walks the hash until a flow can be freed. Timeouts are disregarded.
1203  * "flow_prune_idx" atomic int makes sure we don't start at the
1204  * top each time since that would clear the top of the hash leading to longer
1205  * and longer search times under high pressure (observed).
1206  *
1207  * \param tv thread vars
1208  * \param dtv decode thread vars (for flow log api thread data)
1209  *
1210  * \retval f flow or NULL
1211  */
1212 static Flow *FlowGetUsedFlow(ThreadVars *tv, DecodeThreadVars *dtv, const SCTime_t ts)
1213 {
1214  uint32_t idx = GetUsedAtomicUpdate(FLOW_GET_NEW_TRIES) % flow_config.hash_size;
1215  uint32_t tried = 0;
1216 
1217  while (1) {
1218  if (tried++ > FLOW_GET_NEW_TRIES) {
1219  STATSADDUI64(counter_flow_get_used_eval, tried);
1220  break;
1221  }
1222  if (++idx >= flow_config.hash_size)
1223  idx = 0;
1224 
1225  FlowBucket *fb = &flow_hash[idx];
1226 
1227  if (SC_ATOMIC_GET(fb->next_ts) == UINT_MAX)
1228  continue;
1229 
1230  if (GetUsedTryLockBucket(fb) != 0) {
1231  STATSADDUI64(counter_flow_get_used_eval_busy, 1);
1232  continue;
1233  }
1234 
1235  Flow *f = fb->head;
1236  if (f == NULL) {
1237  FBLOCK_UNLOCK(fb);
1238  continue;
1239  }
1240 
1241  if (GetUsedTryLockFlow(f) != 0) {
1242  STATSADDUI64(counter_flow_get_used_eval_busy, 1);
1243  FBLOCK_UNLOCK(fb);
1244  continue;
1245  }
1246 
1247  if (StillAlive(f, ts)) {
1248  STATSADDUI64(counter_flow_get_used_eval_reject, 1);
1249  FBLOCK_UNLOCK(fb);
1250  FLOWLOCK_UNLOCK(f);
1251  continue;
1252  }
1253 
1254  /* remove from the hash */
1255  fb->head = f->next;
1256  f->next = NULL;
1257  f->fb = NULL;
1258  FBLOCK_UNLOCK(fb);
1259 
1260  /* rest of the flags is updated on-demand in output */
1262  if (SC_ATOMIC_GET(flow_flags) & FLOW_EMERGENCY)
1264 
1265  /* invoke flow log api */
1266 #ifdef UNITTESTS
1267  if (dtv) {
1268 #endif
1271  }
1272 #ifdef UNITTESTS
1273  }
1274 #endif
1275 
1277  FlowClearMemory(f, f->protomap);
1278 
1279  /* leave locked */
1280 
1281  STATSADDUI64(counter_flow_get_used_eval, tried);
1282  return f;
1283  }
1284 
1285  STATSADDUI64(counter_flow_get_used_failed, 1);
1286  return NULL;
1287 }
FlowHashKey4_::ports
uint16_t ports[2]
Definition: flow-hash.c:91
ESP_GET_SPI
#define ESP_GET_SPI(esph)
Get the spi field off a packet.
Definition: decode-esp.h:29
FlowLookupStruct_::work_queue
FlowQueuePrivate work_queue
Definition: flow.h:546
Flow_::icmp_d
struct Flow_::@124::@130 icmp_d
util-device-private.h
DecodeThreadVars_::counter_flow_icmp6
StatsCounterId counter_flow_icmp6
Definition: decode.h:1078
OutputFlowLog
TmEcode OutputFlowLog(ThreadVars *tv, void *thread_data, Flow *f)
Run flow logger(s)
Definition: output-flow.c:87
Packet_::proto
uint8_t proto
Definition: decode.h:538
ts
uint64_t ts
Definition: source-erf-file.c:55
ExceptionPolicyApply
void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDropReason drop_reason)
Definition: util-exception-policy.c:138
g_livedev_mask
uint16_t g_livedev_mask
Definition: suricata.c:210
ICMPV4_GET_EMB_PROTO
#define ICMPV4_GET_EMB_PROTO(p)
Definition: decode-icmpv4.h:243
Flow_::recursion_level
uint8_t recursion_level
Definition: flow.h:377
IPV4_GET_RAW_IPDST_U32
#define IPV4_GET_RAW_IPDST_U32(ip4h)
Definition: decode-ipv4.h:110
Flow_::flags
uint64_t flags
Definition: flow.h:403
hashword
uint32_t hashword(const uint32_t *k, size_t length, uint32_t initval)
Definition: util-hash-lookup3.c:172
FLOW_STATE_ESTABLISHED
@ FLOW_STATE_ESTABLISHED
Definition: flow.h:505
flow-util.h
FBLOCK_LOCK
#define FBLOCK_LOCK(fb)
Definition: flow-hash.h:73
FlowLookupStruct_::dtv
DecodeThreadVars * dtv
Definition: flow.h:545
Flow_::startts
SCTime_t startts
Definition: flow.h:493
TcpSessionPacketSsnReuse
bool TcpSessionPacketSsnReuse(const Packet *p, const Flow *f, const void *tcp_ssn)
Definition: stream-tcp.c:6098
stream-tcp.h
Packet_::icmp_d
struct Packet_::@34::@40 icmp_d
FlowKey_::src
Address src
Definition: flow.h:308
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:386
PKT_DROP_REASON_FLOW_MEMCAP
@ PKT_DROP_REASON_FLOW_MEMCAP
Definition: decode.h:388
Flow_::icmp_s
struct Flow_::@122::@128 icmp_s
FlowCnf_::hash_size
uint32_t hash_size
Definition: flow.h:292
FlowAddress_::address_un_data32
uint32_t address_un_data32[4]
Definition: flow.h:318
FlowSpareGetFromPool
FlowQueuePrivate FlowSpareGetFromPool(void)
Definition: flow-spare-pool.c:173
PcapPacketCntGet
uint64_t PcapPacketCntGet(const Packet *p)
Definition: decode.c:1180
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
DecodeThreadVars_::counter_flow_spare_sync_empty
StatsCounterId counter_flow_spare_sync_empty
Definition: decode.h:1090
Flow_::proto
uint8_t proto
Definition: flow.h:376
Packet_::flags
uint32_t flags
Definition: decode.h:562
FlowKeyGetHash
uint32_t FlowKeyGetHash(FlowKey *fk)
Definition: flow-hash.c:301
threads.h
ICMPV4_DEST_UNREACH_IS_VALID
#define ICMPV4_DEST_UNREACH_IS_VALID(p)
Definition: decode-icmpv4.h:253
TH_RST
#define TH_RST
Definition: decode-tcp.h:36
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:354
FlowHashKey4_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: flow-hash.c:95
SCFlowStorageSize
unsigned int SCFlowStorageSize(void)
Definition: flow-storage.c:35
TH_FIN
#define TH_FIN
Definition: decode-tcp.h:34
Flow_::protomap
uint8_t protomap
Definition: flow.h:445
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:332
FlowProtoTimeout_
Definition: flow.h:518
FLOWLOCK_TRYWRLOCK
#define FLOWLOCK_TRYWRLOCK(fb)
Definition: flow.h:270
PKT_WANTS_FLOW
#define PKT_WANTS_FLOW
Definition: decode.h:1341
flow-hash.h
FlowLookupStruct_
Definition: flow.h:542
DecodeThreadVars_::counter_flow_get_used
StatsCounterId counter_flow_get_used
Definition: decode.h:1083
FlowHashKey4
struct FlowHashKey4_ FlowHashKey4
FBLOCK_TRYLOCK
#define FBLOCK_TRYLOCK(fb)
Definition: flow-hash.h:74
TcpStreamCnf_
Definition: stream-tcp.h:54
StatsCounterId
Definition: counters.h:30
Address_::address_un_data32
uint32_t address_un_data32[4]
Definition: decode.h:116
proto
uint8_t proto
Definition: decode-template.h:0
Flow_::livedev_id
uint16_t livedev_id
Definition: flow.h:399
p
Packet * p
Definition: fuzz_iprep.c:21
FlowHashKey6_::recur
uint8_t recur
Definition: flow-hash.c:108
Flow_::dp
Port dp
Definition: flow.h:370
stream_config
TcpStreamCnf stream_config
Definition: stream-tcp.c:229
DecodeThreadVars_::counter_flow_spare_sync
StatsCounterId counter_flow_spare_sync
Definition: decode.h:1089
FlowQueuePrivate_::len
uint32_t len
Definition: flow-queue.h:43
Flow_::protoctx
void * protoctx
Definition: flow.h:433
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
g_recurlvl_mask
uint8_t g_recurlvl_mask
Definition: suricata.c:214
TmThreadsGetThreadTime
SCTime_t TmThreadsGetThreadTime(const int idx)
Definition: tm-threads.c:2339
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:271
Flow_::flow_state
FlowStateType flow_state
Definition: flow.h:420
FlowWakeupFlowManagerThread
void FlowWakeupFlowManagerThread(void)
Definition: flow-manager.c:85
Packet_::icmp_s
struct Packet_::@32::@39 icmp_s
Address_::address
union Address_::@29 address
FLOW_CHECK_MEMCAP
#define FLOW_CHECK_MEMCAP(size)
check if a memory alloc would fit in the memcap
Definition: flow-util.h:134
FlowLookupStruct_::emerg_spare_sync_stamp
uint32_t emerg_spare_sync_stamp
Definition: flow.h:547
StatsCounterAvgAddI64
void StatsCounterAvgAddI64(StatsThreadContext *stats, StatsCounterAvgId id, int64_t x)
Definition: counters.c:239
DecodeThreadVars_::counter_flow_memcap
StatsCounterId counter_flow_memcap
Definition: decode.h:1069
flow-spare-pool.h
Flow_::dst
FlowAddress dst
Definition: flow.h:357
Flow_::fb
struct FlowBucket_ * fb
Definition: flow.h:491
FlowHashKey6_::ports
uint16_t ports[2]
Definition: flow-hash.c:106
FlowHashKey4_::u32
const uint32_t u32[6]
Definition: flow-hash.c:98
TCPHdr_::th_flags
uint8_t th_flags
Definition: decode-tcp.h:155
decode.h
Flow_::esp
struct Flow_::@122::@129 esp
util-debug.h
SCFlowRunFinishCallbacks
void SCFlowRunFinishCallbacks(ThreadVars *tv, Flow *f)
Definition: flow-callbacks.c:122
FLOW_GET_NEW_TRIES
#define FLOW_GET_NEW_TRIES
Definition: flow-hash.c:1138
STATSADDUI64
#define STATSADDUI64(cnt, value)
Definition: flow-hash.c:1189
SCTIME_FROM_TIMESPEC
#define SCTIME_FROM_TIMESPEC(ts)
Definition: util-time.h:91
PacketL4::L4Vars::icmpv4
ICMPV4Vars icmpv4
Definition: decode.h:492
Packet_::ts
SCTime_t ts
Definition: decode.h:570
FlowHashKey4_::livedev
uint16_t livedev
Definition: flow-hash.c:94
util-exception-policy.h
FlowHashKey6_::proto
uint8_t proto
Definition: flow-hash.c:107
Flow_::lastts
SCTime_t lastts
Definition: flow.h:418
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:268
SC_ATOMIC_EXTERN
SC_ATOMIC_EXTERN(unsigned int, flow_prune_idx)
FlowKey_::recursion_level
uint8_t recursion_level
Definition: flow.h:311
ICMPV4Vars_::emb_dport
uint16_t emb_dport
Definition: decode-icmpv4.h:197
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DecodeThreadVars_::counter_flow_active
StatsCounterId counter_flow_active
Definition: decode.h:1074
Flow_::flow_end_flags
uint8_t flow_end_flags
Definition: flow.h:447
Packet_::sp
Port sp
Definition: decode.h:523
StatsCounterIncr
void StatsCounterIncr(StatsThreadContext *stats, StatsCounterId id)
Increments the local counter.
Definition: counters.c:164
FlowHashKey6
struct FlowHashKey6_ FlowHashKey6
FlowHashKey4_::pad
uint16_t pad[1]
Definition: flow-hash.c:96
TH_ACK
#define TH_ACK
Definition: decode-tcp.h:38
util-time.h
FlowQueuePrivateGetFromTop
Flow * FlowQueuePrivateGetFromTop(FlowQueuePrivate *fqc)
Definition: flow-queue.c:151
app-layer-parser.h
FlowKey_::livedev_id
uint16_t livedev_id
Definition: flow.h:312
ThreadVars_::id
int id
Definition: threadvars.h:86
FlowHashKey6_::livedev
uint16_t livedev
Definition: flow-hash.c:109
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:325
FLOW_IS_IPV4
#define FLOW_IS_IPV4(f)
Definition: flow.h:168
DecodeThreadVars_::counter_flow_spare_sync_avg
StatsCounterAvgId counter_flow_spare_sync_avg
Definition: decode.h:1092
flow_timeouts_emerg
FlowProtoTimeout flow_timeouts_emerg[FLOW_PROTO_MAX]
Definition: flow.c:90
FlowThreadId
uint16_t FlowThreadId
Definition: flow.h:331
DecodeThreadVars_::counter_flow_icmp4
StatsCounterId counter_flow_icmp4
Definition: decode.h:1077
FlowKey_::sp
Port sp
Definition: flow.h:309
TimeModeIsLive
bool TimeModeIsLive(void)
Definition: util-time.c:112
FlowTimeoutsEmergency
void FlowTimeoutsEmergency(void)
Definition: flow-manager.c:104
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:100
Packet_
Definition: decode.h:516
FLOW_PROTO_MAX
@ FLOW_PROTO_MAX
Definition: flow-private.h:72
FlowHashKey6_::pad
uint16_t pad[1]
Definition: flow-hash.c:111
FLOW_END_FLAG_TCPREUSE
#define FLOW_END_FLAG_TCPREUSE
Definition: flow.h:244
conf.h
Packet_::l4
struct PacketL4 l4
Definition: decode.h:616
Port
uint16_t Port
Definition: decode.h:219
FLOW_END_FLAG_EMERGENCY
#define FLOW_END_FLAG_EMERGENCY
Definition: flow.h:240
FBLOCK_UNLOCK
#define FBLOCK_UNLOCK(fb)
Definition: flow-hash.h:75
SCTime_t
Definition: util-time.h:40
FlowHashKey4_
Definition: flow-hash.c:87
FlowClearMemory
int FlowClearMemory(Flow *f, uint8_t proto_map)
Function clear the flow memory before queueing it to spare flow queue.
Definition: flow.c:1127
STREAM_PKT_FLAG_TCP_SESSION_REUSE
#define STREAM_PKT_FLAG_TCP_SESSION_REUSE
Definition: stream-tcp-private.h:322
FlowCnf_::hash_rand
uint32_t hash_rand
Definition: flow.h:291
FlowHashKey4_::addrs
uint32_t addrs[2]
Definition: flow-hash.c:90
output-flow.h
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
FlowHashKey6_
Definition: flow-hash.c:102
flow-timeout.h
Flow_::flow_hash
uint32_t flow_hash
Definition: flow.h:396
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:292
FlowUpdateState
void FlowUpdateState(Flow *f, const enum FlowState s)
Definition: flow.c:1197
Flow_::src
FlowAddress src
Definition: flow.h:357
Flow_::next
struct Flow_ * next
Definition: flow.h:401
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:34
FlowHashKey6_::src
uint32_t src[4]
Definition: flow-hash.c:105
FlowLookupStruct_::spare_queue
FlowQueuePrivate spare_queue
Definition: flow.h:544
FlowGetIpPairProtoHash
uint32_t FlowGetIpPairProtoHash(const Packet *p)
Definition: flow-hash.c:146
SCTIME_CMP_LT
#define SCTIME_CMP_LT(a, b)
Definition: util-time.h:105
ARRAY_SIZE
#define ARRAY_SIZE(arr)
Definition: suricata-common.h:569
flow_hash
FlowBucket * flow_hash
Definition: flow-hash.c:59
flow-storage.h
TH_SYN
#define TH_SYN
Definition: decode-tcp.h:35
FLOW_STATE_NEW
@ FLOW_STATE_NEW
Definition: flow.h:504
flow-manager.h
suricata-common.h
IPV4_GET_RAW_IPSRC_U32
#define IPV4_GET_RAW_IPSRC_U32(ip4h)
Definition: decode-ipv4.h:108
FLOW_IPV6
#define FLOW_IPV6
Definition: flow.h:101
DecodeThreadVars_::counter_flow_udp
StatsCounterId counter_flow_udp
Definition: decode.h:1076
flow_config
FlowConfig flow_config
Definition: flow.c:94
FlowKey_::dst
Address dst
Definition: flow.h:308
Packet_::livedev_id
uint16_t livedev_id
Definition: decode.h:633
SCTIME_SECS
#define SCTIME_SECS(t)
Definition: util-time.h:57
VLAN_MAX_LAYERS
#define VLAN_MAX_LAYERS
Definition: decode-vlan.h:51
DecodeThreadVars_::counter_flow_memcap_eps
ExceptionPolicyCounters counter_flow_memcap_eps
Definition: decode.h:1070
util-hash-lookup3.h
FlowGetFlowFromHash
Flow * FlowGetFlowFromHash(ThreadVars *tv, FlowLookupStruct *fls, Packet *p, Flow **dest)
Get Flow for packet.
Definition: flow-hash.c:893
Flow_::timeout_policy
uint32_t timeout_policy
Definition: flow.h:413
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:33
FlowHashKey6_::dst
uint32_t dst[4]
Definition: flow-hash.c:105
TcpStreamCnf_::midstream
bool midstream
Definition: stream-tcp.h:70
FlowCnf_::memcap_policy
enum ExceptionPolicy memcap_policy
Definition: flow.h:300
g_vlan_mask
uint16_t g_vlan_mask
Definition: suricata.c:206
Packet_::flow_hash
uint32_t flow_hash
Definition: decode.h:568
FlowKey_::proto
uint8_t proto
Definition: flow.h:310
FLOW_STATE_CLOSED
@ FLOW_STATE_CLOSED
Definition: flow.h:506
flow-callbacks.h
DecodeThreadVars_::counter_flow_spare_sync_incomplete
StatsCounterId counter_flow_spare_sync_incomplete
Definition: decode.h:1091
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:995
FlowGetFromFlowKey
Flow * FlowGetFromFlowKey(FlowKey *key, struct timespec *ttime, const uint32_t hash)
Get or create a Flow using a FlowKey.
Definition: flow-hash.c:1087
Packet_::recursion_level
uint8_t recursion_level
Definition: decode.h:541
DecodeThreadVars_::output_flow_thread_data
void * output_flow_thread_data
Definition: decode.h:1098
FlowInit
void FlowInit(ThreadVars *tv, Flow *f, const Packet *p)
Definition: flow-util.c:148
FlowKey_
Definition: flow.h:307
FlowHashKey6_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: flow-hash.c:110
FlowHashKey4_::proto
uint8_t proto
Definition: flow-hash.c:92
FLOW_EMERGENCY
#define FLOW_EMERGENCY
Definition: flow-private.h:37
STREAM_PKT_FLAG_SET
#define STREAM_PKT_FLAG_SET(p, f)
Definition: stream-tcp-private.h:326
Address_::family
char family
Definition: decode.h:114
Packet_::dst
Address dst
Definition: decode.h:521
Flow_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: flow.h:378
FLOW_END_FLAG_TIMEOUT
#define FLOW_END_FLAG_TIMEOUT
Definition: flow.h:241
FlowHashKey6_::u32
const uint32_t u32[12]
Definition: flow-hash.c:113
Packet_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: decode.h:543
DecodeThreadVars_::counter_flow_total
StatsCounterId counter_flow_total
Definition: decode.h:1073
likely
#define likely(expr)
Definition: util-optimize.h:32
Flow_::sp
Port sp
Definition: flow.h:359
ICMPV4Vars_::emb_sport
uint16_t emb_sport
Definition: decode-icmpv4.h:196
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:375
FlowKey_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: flow.h:313
flow.h
FlowQueuePrivateAppendFlow
void FlowQueuePrivateAppendFlow(FlowQueuePrivate *fqc, Flow *f)
Definition: flow-queue.c:65
FlowAlloc
Flow * FlowAlloc(void)
allocate a flow
Definition: flow-util.c:57
SCTIME_ADD_SECS
#define SCTIME_ADD_SECS(ts, s)
Definition: util-time.h:64
FlowGetExistingFlowFromFlowId
Flow * FlowGetExistingFlowFromFlowId(uint64_t flow_id)
Look for existing Flow using a flow id value.
Definition: flow-hash.c:1023
Packet_::dp
Port dp
Definition: decode.h:531
ExceptionPolicy
ExceptionPolicy
Definition: util-exception-policy-types.h:26
FLOW_END_FLAG_FORCED
#define FLOW_END_FLAG_FORCED
Definition: flow.h:242
ICMPV4_IS_ERROR_MSG
#define ICMPV4_IS_ERROR_MSG(type)
Definition: decode-icmpv4.h:267
FlowKey_::dp
Port dp
Definition: flow.h:309
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
FlowAddress_::address
union FlowAddress_::@121 address
ExceptionPolicyCounters_::eps_id
StatsCounterId eps_id[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:56
FlowSetupPacket
void FlowSetupPacket(Packet *p)
prepare packet for a life with flow Set PKT_WANTS_FLOW flag to indicate workers should do a flow look...
Definition: flow-hash.c:518
TCPHdr_
Definition: decode-tcp.h:149
Packet_::src
Address src
Definition: decode.h:520
PacketL4::vars
union PacketL4::L4Vars vars
FlowHashKey4_::recur
uint8_t recur
Definition: flow-hash.c:93
output.h
Flow_::thread_id
FlowThreadId thread_id[2]
Definition: flow.h:392
SC_ATOMIC_OR
#define SC_ATOMIC_OR(name, val)
Bitwise OR a value to our atomic variable.
Definition: util-atomic.h:350
DecodeThreadVars_::counter_flow_tcp_reuse
StatsCounterId counter_flow_tcp_reuse
Definition: decode.h:1079
CmpFlowMisc
#define CmpFlowMisc(x, y)
Definition: flow-hash.c:398
DecodeThreadVars_::counter_flow_tcp
StatsCounterId counter_flow_tcp
Definition: decode.h:1075