suricata
flow-util.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Flow utility functions
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 
29 #include "flow.h"
30 #include "flow-private.h"
31 #include "flow-util.h"
32 #include "flow-callbacks.h"
33 #include "flow-var.h"
34 #include "app-layer.h"
35 
36 #include "util-var.h"
37 #include "util-debug.h"
38 #include "util-macset.h"
39 #include "util-flow-rate.h"
40 #include "flow-storage.h"
41 
42 #include "detect.h"
43 #include "detect-engine-state.h"
44 
45 #include "decode-icmpv4.h"
46 
47 #include "util-validate.h"
48 
49 /** \brief allocate a flow
50  *
51  * We check against the memuse counter. If it passes that check we increment
52  * the counter first, then we try to alloc.
53  *
54  * \retval f the flow or NULL on out of memory
55  */
56 Flow *FlowAlloc(void)
57 {
58  Flow *f;
59  size_t size = sizeof(Flow) + FlowStorageSize();
60 
61  if (!(FLOW_CHECK_MEMCAP(size))) {
62  return NULL;
63  }
64 
65  (void) SC_ATOMIC_ADD(flow_memuse, size);
66 
67  f = SCCalloc(1, size);
68  if (unlikely(f == NULL)) {
69  (void)SC_ATOMIC_SUB(flow_memuse, size);
70  return NULL;
71  }
72 
73  /* coverity[missing_lock] */
74  FLOW_INITIALIZE(f);
75  return f;
76 }
77 
78 
79 /**
80  * \brief cleanup & free the memory of a flow
81  *
82  * \param f flow to clear & destroy
83  */
84 void FlowFree(Flow *f)
85 {
86  FLOW_DESTROY(f);
87  SCFree(f);
88 
89  size_t size = sizeof(Flow) + FlowStorageSize();
90  (void) SC_ATOMIC_SUB(flow_memuse, size);
91 }
92 
93 /**
94  * \brief Function to map the protocol to the defined FLOW_PROTO_* enumeration.
95  *
96  * \param proto protocol which is needed to be mapped
97  */
98 
99 uint8_t FlowGetProtoMapping(uint8_t proto)
100 {
101  switch (proto) {
102  case IPPROTO_TCP:
103  return FLOW_PROTO_TCP;
104  case IPPROTO_UDP:
105  return FLOW_PROTO_UDP;
106  case IPPROTO_ICMP:
107  return FLOW_PROTO_ICMP;
108  default:
109  return FLOW_PROTO_DEFAULT;
110  }
111 }
112 
113 uint8_t FlowGetReverseProtoMapping(uint8_t rproto)
114 {
115  switch (rproto) {
116  case FLOW_PROTO_TCP:
117  return IPPROTO_TCP;
118  case FLOW_PROTO_UDP:
119  return IPPROTO_UDP;
120  case FLOW_PROTO_ICMP:
121  return IPPROTO_ICMP;
122  default:
123  exit(EXIT_FAILURE);
124  }
125 }
126 
127 static inline void FlowSetICMPv4CounterPart(Flow *f)
128 {
129  int ctype = ICMPv4GetCounterpart(f->icmp_s.type);
130  if (ctype == -1)
131  return;
132 
133  f->icmp_d.type = (uint8_t)ctype;
134 }
135 
136 static inline void FlowSetICMPv6CounterPart(Flow *f)
137 {
138  int ctype = ICMPv6GetCounterpart(f->icmp_s.type);
139  if (ctype == -1)
140  return;
141 
142  f->icmp_d.type = (uint8_t)ctype;
143 }
144 
145 /* initialize the flow from the first packet
146  * we see from it. */
147 void FlowInit(ThreadVars *tv, Flow *f, const Packet *p)
148 {
149  SCEnter();
150  SCLogDebug("flow %p", f);
151 
152  f->proto = p->proto;
153  f->recursion_level = p->recursion_level;
154  memcpy(&f->vlan_id[0], &p->vlan_id[0], sizeof(f->vlan_id));
155  f->vlan_idx = p->vlan_idx;
156 
157  f->thread_id[0] = (FlowThreadId)tv->id;
158 
159  f->livedev = p->livedev;
160 
161  if (PacketIsIPv4(p)) {
162  const IPV4Hdr *ip4h = PacketGetIPv4(p);
163  FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET(ip4h, &f->src);
164  FLOW_SET_IPV4_DST_ADDR_FROM_PACKET(ip4h, &f->dst);
165  f->min_ttl_toserver = f->max_ttl_toserver = IPV4_GET_RAW_IPTTL(ip4h);
166  f->flags |= FLOW_IPV4;
167  } else if (PacketIsIPv6(p)) {
168  const IPV6Hdr *ip6h = PacketGetIPv6(p);
169  FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET(ip6h, &f->src);
170  FLOW_SET_IPV6_DST_ADDR_FROM_PACKET(ip6h, &f->dst);
171  f->min_ttl_toserver = f->max_ttl_toserver = IPV6_GET_RAW_HLIM(ip6h);
172  f->flags |= FLOW_IPV6;
173  } else {
174  SCLogDebug("neither IPv4 or IPv6, weird");
175  DEBUG_VALIDATE_BUG_ON(1);
176  }
177 
178  if (PacketIsTCP(p) || PacketIsUDP(p)) {
179  f->sp = p->sp;
180  f->dp = p->dp;
181  } else if (PacketIsICMPv4(p)) {
182  f->icmp_s.type = p->icmp_s.type;
183  f->icmp_s.code = p->icmp_s.code;
184  FlowSetICMPv4CounterPart(f);
185  } else if (PacketIsICMPv6(p)) {
186  f->icmp_s.type = p->icmp_s.type;
187  f->icmp_s.code = p->icmp_s.code;
188  FlowSetICMPv6CounterPart(f);
189  } else if (PacketIsSCTP(p)) {
190  f->sp = p->sp;
191  f->dp = p->dp;
192  } else if (PacketIsESP(p)) {
193  f->esp.spi = ESP_GET_SPI(PacketGetESP(p));
194  } else {
195  /* nothing to do for this IP proto. */
196  SCLogDebug("no special setup for IP proto %u", p->proto);
197  }
198  f->startts = p->ts;
199 
200  f->protomap = FlowGetProtoMapping(f->proto);
201  f->timeout_policy = FlowGetTimeoutPolicy(f);
202 
203  if (MacSetFlowStorageEnabled()) {
204  DEBUG_VALIDATE_BUG_ON(FlowGetStorageById(f, MacSetGetFlowStorageID()) != NULL);
205  MacSet *ms = MacSetInit(10);
206  FlowSetStorageById(f, MacSetGetFlowStorageID(), ms);
207  }
208 
209  if (FlowRateStorageEnabled()) {
210  DEBUG_VALIDATE_BUG_ON(FlowGetStorageById(f, FlowRateGetStorageID()) != NULL);
211  FlowRateStore *frs = FlowRateStoreInit();
212  FlowSetStorageById(f, FlowRateGetStorageID(), frs);
213  }
214 
215  SCFlowRunInitCallbacks(tv, f, p);
216 
217  SCReturn;
218 }
219 
220 FlowStorageId g_bypass_info_id = { .id = -1 };
221 
222 FlowStorageId GetFlowBypassInfoID(void)
223 {
224  return g_bypass_info_id;
225 }
226 
227 static void FlowBypassFree(void *x)
228 {
229  FlowBypassInfo *fb = (FlowBypassInfo *) x;
230 
231  if (fb == NULL)
232  return;
233 
234  if (fb->bypass_data && fb->BypassFree) {
235  fb->BypassFree(fb->bypass_data);
236  }
237  SCFree(fb);
238 }
239 
240 void RegisterFlowBypassInfo(void)
241 {
242  g_bypass_info_id = FlowStorageRegister("bypass_counters", sizeof(void *),
243  NULL, FlowBypassFree);
244 }
245 
246 void FlowEndCountersRegister(ThreadVars *t, FlowEndCounters *fec)
247 {
248  for (int i = 0; i < FLOW_STATE_SIZE; i++) {
249  const char *name = NULL;
250  if (i == FLOW_STATE_NEW) {
251  name = "flow.end.state.new";
252  } else if (i == FLOW_STATE_ESTABLISHED) {
253  name = "flow.end.state.established";
254  } else if (i == FLOW_STATE_CLOSED) {
255  name = "flow.end.state.closed";
256  } else if (i == FLOW_STATE_LOCAL_BYPASSED) {
257  name = "flow.end.state.local_bypassed";
258 #ifdef CAPTURE_OFFLOAD
259  } else if (i == FLOW_STATE_CAPTURE_BYPASSED) {
260  name = "flow.end.state.capture_bypassed";
261 #endif
262  }
263  if (name) {
264  fec->flow_state[i] = StatsRegisterCounter(name, t);
265  }
266  }
267 
268  for (enum TcpState i = TCP_NONE; i <= TCP_CLOSED; i++) {
269  const char *name = NULL;
270  switch (i) {
271  case TCP_NONE:
272  name = "flow.end.tcp_state.none";
273  break;
274  case TCP_SYN_SENT:
275  name = "flow.end.tcp_state.syn_sent";
276  break;
277  case TCP_SYN_RECV:
278  name = "flow.end.tcp_state.syn_recv";
279  break;
280  case TCP_ESTABLISHED:
281  name = "flow.end.tcp_state.established";
282  break;
283  case TCP_FIN_WAIT1:
284  name = "flow.end.tcp_state.fin_wait1";
285  break;
286  case TCP_FIN_WAIT2:
287  name = "flow.end.tcp_state.fin_wait2";
288  break;
289  case TCP_TIME_WAIT:
290  name = "flow.end.tcp_state.time_wait";
291  break;
292  case TCP_LAST_ACK:
293  name = "flow.end.tcp_state.last_ack";
294  break;
295  case TCP_CLOSE_WAIT:
296  name = "flow.end.tcp_state.close_wait";
297  break;
298  case TCP_CLOSING:
299  name = "flow.end.tcp_state.closing";
300  break;
301  case TCP_CLOSED:
302  name = "flow.end.tcp_state.closed";
303  break;
304  }
305 
306  fec->flow_tcp_state[i] = StatsRegisterCounter(name, t);
307  }
308  fec->flow_tcp_liberal = StatsRegisterCounter("flow.end.tcp_liberal", t);
309 }
ESP_GET_SPI
#define ESP_GET_SPI(esph)
Get the spi field off a packet.
Definition: decode-esp.h:29
FlowStorageId
Definition: flow-storage.h:31
Packet_::icmp_s
struct Packet_::@24::@31 icmp_s
TCP_SYN_RECV
@ TCP_SYN_RECV
Definition: stream-tcp-private.h:154
Packet_::proto
uint8_t proto
Definition: decode.h:514
Flow_::recursion_level
uint8_t recursion_level
Definition: flow.h:379
Flow_::icmp_s
struct Flow_::@118::@124 icmp_s
IPV6_GET_RAW_HLIM
#define IPV6_GET_RAW_HLIM(ip6h)
Definition: decode-ipv6.h:67
FLOW_STATE_ESTABLISHED
@ FLOW_STATE_ESTABLISHED
Definition: flow.h:505
TCP_SYN_SENT
@ TCP_SYN_SENT
Definition: stream-tcp-private.h:153
flow-util.h
Flow_::startts
SCTime_t startts
Definition: flow.h:493
GetFlowBypassInfoID
FlowStorageId GetFlowBypassInfoID(void)
Definition: flow-util.c:222
FlowBypassInfo_
Definition: flow.h:529
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
ICMPv6GetCounterpart
int ICMPv6GetCounterpart(uint8_t type)
Definition: decode-icmpv6.c:145
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
TCP_FIN_WAIT2
@ TCP_FIN_WAIT2
Definition: stream-tcp-private.h:157
g_bypass_info_id
FlowStorageId g_bypass_info_id
Definition: flow-util.c:220
Flow_::proto
uint8_t proto
Definition: flow.h:378
threads.h
FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET
#define FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET(ip6h, a)
Definition: flow.h:216
util-macset.h
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:520
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:356
RegisterFlowBypassInfo
void RegisterFlowBypassInfo(void)
Definition: flow-util.c:240
Flow_::protomap
uint8_t protomap
Definition: flow.h:445
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:332
TCP_FIN_WAIT1
@ TCP_FIN_WAIT1
Definition: stream-tcp-private.h:156
TCP_LAST_ACK
@ TCP_LAST_ACK
Definition: stream-tcp-private.h:159
FlowRateGetStorageID
FlowStorageId FlowRateGetStorageID(void)
Definition: util-flow-rate.c:134
Flow
struct Flow_ Flow
Flow data structure.
FlowEndCounters_::flow_tcp_liberal
uint16_t flow_tcp_liberal
Definition: flow-util.h:149
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:155
FlowEndCounters_::flow_state
uint16_t flow_state[FLOW_STATE_SIZE]
Definition: flow-util.h:147
Flow_::max_ttl_toserver
uint8_t max_ttl_toserver
Definition: flow.h:468
proto
uint8_t proto
Definition: decode-template.h:0
Flow_::dp
Port dp
Definition: flow.h:372
FLOW_SET_IPV6_DST_ADDR_FROM_PACKET
#define FLOW_SET_IPV6_DST_ADDR_FROM_PACKET(ip6h, a)
Definition: flow.h:224
util-var.h
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
FlowGetReverseProtoMapping
uint8_t FlowGetReverseProtoMapping(uint8_t rproto)
Definition: flow-util.c:113
TcpState
TcpState
Definition: stream-tcp-private.h:150
FLOW_CHECK_MEMCAP
#define FLOW_CHECK_MEMCAP(size)
check if a memory alloc would fit in the memcap
Definition: flow-util.h:134
Flow_::dst
FlowAddress dst
Definition: flow.h:359
FlowEndCounters_::flow_tcp_state
uint16_t flow_tcp_state[TCP_CLOSED+1]
Definition: flow-util.h:148
TCP_NONE
@ TCP_NONE
Definition: stream-tcp-private.h:151
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
util-flow-rate.h
FLOW_STATE_LOCAL_BYPASSED
@ FLOW_STATE_LOCAL_BYPASSED
Definition: flow.h:507
Flow_::min_ttl_toserver
uint8_t min_ttl_toserver
Definition: flow.h:467
TCP_CLOSE_WAIT
@ TCP_CLOSE_WAIT
Definition: stream-tcp-private.h:160
util-debug.h
FLOW_PROTO_ICMP
@ FLOW_PROTO_ICMP
Definition: flow-private.h:70
Flow_::icmp_d
struct Flow_::@120::@126 icmp_d
FlowBypassInfo_::BypassFree
void(* BypassFree)(void *data)
Definition: flow.h:531
Packet_::ts
SCTime_t ts
Definition: decode.h:546
FLOW_PROTO_UDP
@ FLOW_PROTO_UDP
Definition: flow-private.h:69
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
FLOW_PROTO_DEFAULT
@ FLOW_PROTO_DEFAULT
Definition: flow-private.h:71
FlowStorageSize
unsigned int FlowStorageSize(void)
Definition: flow-storage.c:35
Packet_::sp
Port sp
Definition: decode.h:499
FlowSetStorageById
int FlowSetStorageById(Flow *f, FlowStorageId id, void *ptr)
Definition: flow-storage.c:45
FlowStorageRegister
FlowStorageId FlowStorageRegister(const char *name, const unsigned int size, void *(*Alloc)(unsigned int), void(*Free)(void *))
Definition: flow-storage.c:66
FlowBypassInfo_::bypass_data
void * bypass_data
Definition: flow.h:532
Flow_::esp
struct Flow_::@118::@125 esp
ThreadVars_::id
int id
Definition: threadvars.h:87
MacSetFlowStorageEnabled
bool MacSetFlowStorageEnabled(void)
Definition: util-macset.c:86
SC_ATOMIC_SUB
#define SC_ATOMIC_SUB(name, val)
sub a value from our atomic variable
Definition: util-atomic.h:341
FlowThreadId
uint16_t FlowThreadId
Definition: flow.h:333
SCReturn
#define SCReturn
Definition: util-debug.h:273
IPV6Hdr_
Definition: decode-ipv6.h:32
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:99
Packet_
Definition: decode.h:492
IPV4_GET_RAW_IPTTL
#define IPV4_GET_RAW_IPTTL(ip4h)
Definition: decode-ipv4.h:102
decode-icmpv4.h
MacSet_
Definition: util-macset.c:45
Packet_::livedev
struct LiveDevice_ * livedev
Definition: decode.h:609
name
const char * name
Definition: tm-threads.c:2123
Flow_::vlan_idx
uint8_t vlan_idx
Definition: flow.h:382
ICMPv4GetCounterpart
int ICMPv4GetCounterpart(uint8_t type)
Definition: decode-icmpv4.c:345
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET
#define FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET(ip4h, a)
Definition: flow.h:198
MacSetGetFlowStorageID
FlowStorageId MacSetGetFlowStorageID(void)
Definition: util-macset.c:115
FLOW_PROTO_TCP
@ FLOW_PROTO_TCP
Definition: flow-private.h:68
FLOW_STATE_SIZE
#define FLOW_STATE_SIZE
Definition: flow.h:515
FlowGetStorageById
void * FlowGetStorageById(const Flow *f, FlowStorageId id)
Definition: flow-storage.c:40
Flow_::src
FlowAddress src
Definition: flow.h:359
IPV4Hdr_
Definition: decode-ipv4.h:72
TCP_CLOSED
@ TCP_CLOSED
Definition: stream-tcp-private.h:162
flow-storage.h
FLOW_STATE_NEW
@ FLOW_STATE_NEW
Definition: flow.h:504
SCFlowRunInitCallbacks
void SCFlowRunInitCallbacks(ThreadVars *tv, Flow *f, const Packet *p)
Definition: flow-callbacks.c:64
suricata-common.h
FlowFree
void FlowFree(Flow *f)
cleanup & free the memory of a flow
Definition: flow-util.c:84
FLOW_IPV6
#define FLOW_IPV6
Definition: flow.h:102
FlowRateStoreInit
FlowRateStore * FlowRateStoreInit(void)
Definition: util-flow-rate.c:102
MacSetInit
MacSet * MacSetInit(int size)
Definition: util-macset.c:92
Flow_::timeout_policy
uint32_t timeout_policy
Definition: flow.h:405
TCP_CLOSING
@ TCP_CLOSING
Definition: stream-tcp-private.h:161
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
Flow_::livedev
struct LiveDevice_ * livedev
Definition: flow.h:398
util-validate.h
FLOW_STATE_CLOSED
@ FLOW_STATE_CLOSED
Definition: flow.h:506
flow-callbacks.h
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::flags
uint32_t flags
Definition: flow.h:421
Packet_::recursion_level
uint8_t recursion_level
Definition: decode.h:517
FlowInit
void FlowInit(ThreadVars *tv, Flow *f, const Packet *p)
Definition: flow-util.c:147
TCP_TIME_WAIT
@ TCP_TIME_WAIT
Definition: stream-tcp-private.h:158
FlowStorageId::id
int id
Definition: flow-storage.h:32
FlowRateStorageEnabled
bool FlowRateStorageEnabled(void)
Definition: util-flow-rate.c:97
Flow_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: flow.h:380
FLOW_SET_IPV4_DST_ADDR_FROM_PACKET
#define FLOW_SET_IPV4_DST_ADDR_FROM_PACKET(ip4h, a)
Definition: flow.h:206
Packet_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: decode.h:519
Flow_::sp
Port sp
Definition: flow.h:361
flow.h
FlowAlloc
Flow * FlowAlloc(void)
allocate a flow
Definition: flow-util.c:56
FlowEndCountersRegister
void FlowEndCountersRegister(ThreadVars *t, FlowEndCounters *fec)
Definition: flow-util.c:246
Packet_::dp
Port dp
Definition: decode.h:507
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:952
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
FlowEndCounters_
Definition: flow-util.h:146
flow-var.h
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
FlowRateStore_
Definition: util-flow-rate.h:47
Flow_::thread_id
FlowThreadId thread_id[2]
Definition: flow.h:394
app-layer.h