suricata
flow-util.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Flow utility functions
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 
29 #include "flow.h"
30 #include "flow-private.h"
31 #include "flow-util.h"
32 #include "flow-callbacks.h"
33 #include "flow-var.h"
34 #include "app-layer.h"
35 
36 #include "util-var.h"
37 #include "util-debug.h"
38 #include "util-macset.h"
39 #include "flow-storage.h"
40 
41 #include "detect.h"
42 #include "detect-engine-state.h"
43 
44 #include "decode-icmpv4.h"
45 
46 #include "util-validate.h"
47 
48 /** \brief allocate a flow
49  *
50  * We check against the memuse counter. If it passes that check we increment
51  * the counter first, then we try to alloc.
52  *
53  * \retval f the flow or NULL on out of memory
54  */
55 Flow *FlowAlloc(void)
56 {
57  Flow *f;
58  size_t size = sizeof(Flow) + FlowStorageSize();
59 
60  if (!(FLOW_CHECK_MEMCAP(size))) {
61  return NULL;
62  }
63 
64  (void) SC_ATOMIC_ADD(flow_memuse, size);
65 
66  f = SCCalloc(1, size);
67  if (unlikely(f == NULL)) {
68  (void)SC_ATOMIC_SUB(flow_memuse, size);
69  return NULL;
70  }
71 
72  /* coverity[missing_lock] */
73  FLOW_INITIALIZE(f);
74  return f;
75 }
76 
77 
78 /**
79  * \brief cleanup & free the memory of a flow
80  *
81  * \param f flow to clear & destroy
82  */
83 void FlowFree(Flow *f)
84 {
85  FLOW_DESTROY(f);
86  SCFree(f);
87 
88  size_t size = sizeof(Flow) + FlowStorageSize();
89  (void) SC_ATOMIC_SUB(flow_memuse, size);
90 }
91 
92 /**
93  * \brief Function to map the protocol to the defined FLOW_PROTO_* enumeration.
94  *
95  * \param proto protocol which is needed to be mapped
96  */
97 
98 uint8_t FlowGetProtoMapping(uint8_t proto)
99 {
100  switch (proto) {
101  case IPPROTO_TCP:
102  return FLOW_PROTO_TCP;
103  case IPPROTO_UDP:
104  return FLOW_PROTO_UDP;
105  case IPPROTO_ICMP:
106  return FLOW_PROTO_ICMP;
107  default:
108  return FLOW_PROTO_DEFAULT;
109  }
110 }
111 
112 uint8_t FlowGetReverseProtoMapping(uint8_t rproto)
113 {
114  switch (rproto) {
115  case FLOW_PROTO_TCP:
116  return IPPROTO_TCP;
117  case FLOW_PROTO_UDP:
118  return IPPROTO_UDP;
119  case FLOW_PROTO_ICMP:
120  return IPPROTO_ICMP;
121  default:
122  exit(EXIT_FAILURE);
123  }
124 }
125 
126 static inline void FlowSetICMPv4CounterPart(Flow *f)
127 {
128  int ctype = ICMPv4GetCounterpart(f->icmp_s.type);
129  if (ctype == -1)
130  return;
131 
132  f->icmp_d.type = (uint8_t)ctype;
133 }
134 
135 static inline void FlowSetICMPv6CounterPart(Flow *f)
136 {
137  int ctype = ICMPv6GetCounterpart(f->icmp_s.type);
138  if (ctype == -1)
139  return;
140 
141  f->icmp_d.type = (uint8_t)ctype;
142 }
143 
144 /* initialize the flow from the first packet
145  * we see from it. */
146 void FlowInit(ThreadVars *tv, Flow *f, const Packet *p)
147 {
148  SCEnter();
149  SCLogDebug("flow %p", f);
150 
151  f->proto = p->proto;
152  f->recursion_level = p->recursion_level;
153  memcpy(&f->vlan_id[0], &p->vlan_id[0], sizeof(f->vlan_id));
154  f->vlan_idx = p->vlan_idx;
155  f->livedev = p->livedev;
156 
157  if (PacketIsIPv4(p)) {
158  const IPV4Hdr *ip4h = PacketGetIPv4(p);
159  FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET(ip4h, &f->src);
160  FLOW_SET_IPV4_DST_ADDR_FROM_PACKET(ip4h, &f->dst);
161  f->min_ttl_toserver = f->max_ttl_toserver = IPV4_GET_RAW_IPTTL(ip4h);
162  f->flags |= FLOW_IPV4;
163  } else if (PacketIsIPv6(p)) {
164  const IPV6Hdr *ip6h = PacketGetIPv6(p);
165  FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET(ip6h, &f->src);
166  FLOW_SET_IPV6_DST_ADDR_FROM_PACKET(ip6h, &f->dst);
167  f->min_ttl_toserver = f->max_ttl_toserver = IPV6_GET_RAW_HLIM(ip6h);
168  f->flags |= FLOW_IPV6;
169  } else {
170  SCLogDebug("neither IPv4 or IPv6, weird");
171  DEBUG_VALIDATE_BUG_ON(1);
172  }
173 
174  if (PacketIsTCP(p) || PacketIsUDP(p)) {
175  f->sp = p->sp;
176  f->dp = p->dp;
177  } else if (PacketIsICMPv4(p)) {
178  f->icmp_s.type = p->icmp_s.type;
179  f->icmp_s.code = p->icmp_s.code;
180  FlowSetICMPv4CounterPart(f);
181  } else if (PacketIsICMPv6(p)) {
182  f->icmp_s.type = p->icmp_s.type;
183  f->icmp_s.code = p->icmp_s.code;
184  FlowSetICMPv6CounterPart(f);
185  } else if (PacketIsSCTP(p)) {
186  f->sp = p->sp;
187  f->dp = p->dp;
188  } else if (PacketIsESP(p)) {
189  f->esp.spi = ESP_GET_SPI(PacketGetESP(p));
190  } else {
191  /* nothing to do for this IP proto. */
192  SCLogDebug("no special setup for IP proto %u", p->proto);
193  }
194  f->startts = p->ts;
195 
196  f->protomap = FlowGetProtoMapping(f->proto);
197  f->timeout_policy = FlowGetTimeoutPolicy(f);
198 
199  if (MacSetFlowStorageEnabled()) {
200  DEBUG_VALIDATE_BUG_ON(FlowGetStorageById(f, MacSetGetFlowStorageID()) != NULL);
201  MacSet *ms = MacSetInit(10);
202  FlowSetStorageById(f, MacSetGetFlowStorageID(), ms);
203  }
204 
205  SCFlowRunInitCallbacks(tv, f, p);
206 
207  SCReturn;
208 }
209 
210 FlowStorageId g_bypass_info_id = { .id = -1 };
211 
212 FlowStorageId GetFlowBypassInfoID(void)
213 {
214  return g_bypass_info_id;
215 }
216 
217 static void FlowBypassFree(void *x)
218 {
219  FlowBypassInfo *fb = (FlowBypassInfo *) x;
220 
221  if (fb == NULL)
222  return;
223 
224  if (fb->bypass_data && fb->BypassFree) {
225  fb->BypassFree(fb->bypass_data);
226  }
227  SCFree(fb);
228 }
229 
230 void RegisterFlowBypassInfo(void)
231 {
232  g_bypass_info_id = FlowStorageRegister("bypass_counters", sizeof(void *),
233  NULL, FlowBypassFree);
234 }
235 
236 void FlowEndCountersRegister(ThreadVars *t, FlowEndCounters *fec)
237 {
238  for (int i = 0; i < FLOW_STATE_SIZE; i++) {
239  const char *name = NULL;
240  if (i == FLOW_STATE_NEW) {
241  name = "flow.end.state.new";
242  } else if (i == FLOW_STATE_ESTABLISHED) {
243  name = "flow.end.state.established";
244  } else if (i == FLOW_STATE_CLOSED) {
245  name = "flow.end.state.closed";
246  } else if (i == FLOW_STATE_LOCAL_BYPASSED) {
247  name = "flow.end.state.local_bypassed";
248 #ifdef CAPTURE_OFFLOAD
249  } else if (i == FLOW_STATE_CAPTURE_BYPASSED) {
250  name = "flow.end.state.capture_bypassed";
251 #endif
252  }
253  if (name) {
254  fec->flow_state[i] = StatsRegisterCounter(name, t);
255  }
256  }
257 
258  for (enum TcpState i = TCP_NONE; i <= TCP_CLOSED; i++) {
259  const char *name = NULL;
260  switch (i) {
261  case TCP_NONE:
262  name = "flow.end.tcp_state.none";
263  break;
264  case TCP_SYN_SENT:
265  name = "flow.end.tcp_state.syn_sent";
266  break;
267  case TCP_SYN_RECV:
268  name = "flow.end.tcp_state.syn_recv";
269  break;
270  case TCP_ESTABLISHED:
271  name = "flow.end.tcp_state.established";
272  break;
273  case TCP_FIN_WAIT1:
274  name = "flow.end.tcp_state.fin_wait1";
275  break;
276  case TCP_FIN_WAIT2:
277  name = "flow.end.tcp_state.fin_wait2";
278  break;
279  case TCP_TIME_WAIT:
280  name = "flow.end.tcp_state.time_wait";
281  break;
282  case TCP_LAST_ACK:
283  name = "flow.end.tcp_state.last_ack";
284  break;
285  case TCP_CLOSE_WAIT:
286  name = "flow.end.tcp_state.close_wait";
287  break;
288  case TCP_CLOSING:
289  name = "flow.end.tcp_state.closing";
290  break;
291  case TCP_CLOSED:
292  name = "flow.end.tcp_state.closed";
293  break;
294  }
295 
296  fec->flow_tcp_state[i] = StatsRegisterCounter(name, t);
297  }
298  fec->flow_tcp_liberal = StatsRegisterCounter("flow.end.tcp_liberal", t);
299 }
ESP_GET_SPI
#define ESP_GET_SPI(esph)
Get the spi field off a packet.
Definition: decode-esp.h:29
FlowStorageId
Definition: flow-storage.h:31
TCP_SYN_RECV
@ TCP_SYN_RECV
Definition: stream-tcp-private.h:154
Packet_::proto
uint8_t proto
Definition: decode.h:498
Flow_::recursion_level
uint8_t recursion_level
Definition: flow.h:380
IPV6_GET_RAW_HLIM
#define IPV6_GET_RAW_HLIM(ip6h)
Definition: decode-ipv6.h:67
FLOW_STATE_ESTABLISHED
@ FLOW_STATE_ESTABLISHED
Definition: flow.h:503
TCP_SYN_SENT
@ TCP_SYN_SENT
Definition: stream-tcp-private.h:153
flow-util.h
Flow_::startts
SCTime_t startts
Definition: flow.h:491
GetFlowBypassInfoID
FlowStorageId GetFlowBypassInfoID(void)
Definition: flow-util.c:212
FlowBypassInfo_
Definition: flow.h:527
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
ICMPv6GetCounterpart
int ICMPv6GetCounterpart(uint8_t type)
Definition: decode-icmpv6.c:145
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
TCP_FIN_WAIT2
@ TCP_FIN_WAIT2
Definition: stream-tcp-private.h:157
g_bypass_info_id
FlowStorageId g_bypass_info_id
Definition: flow-util.c:210
Flow_::proto
uint8_t proto
Definition: flow.h:379
threads.h
FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET
#define FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET(ip6h, a)
Definition: flow.h:215
util-macset.h
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:504
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:357
RegisterFlowBypassInfo
void RegisterFlowBypassInfo(void)
Definition: flow-util.c:230
Flow_::protomap
uint8_t protomap
Definition: flow.h:446
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:332
TCP_FIN_WAIT1
@ TCP_FIN_WAIT1
Definition: stream-tcp-private.h:156
TCP_LAST_ACK
@ TCP_LAST_ACK
Definition: stream-tcp-private.h:159
Flow
struct Flow_ Flow
Flow data structure.
FlowEndCounters_::flow_tcp_liberal
uint16_t flow_tcp_liberal
Definition: flow-util.h:149
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:155
FlowEndCounters_::flow_state
uint16_t flow_state[FLOW_STATE_SIZE]
Definition: flow-util.h:147
Flow_::icmp_d
struct Flow_::@116::@122 icmp_d
Flow_::max_ttl_toserver
uint8_t max_ttl_toserver
Definition: flow.h:469
Packet_::icmp_s
struct Packet_::@29::@36 icmp_s
proto
uint8_t proto
Definition: decode-template.h:0
Flow_::dp
Port dp
Definition: flow.h:373
FLOW_PROTO_UDP
@ FLOW_PROTO_UDP
Definition: flow-private.h:69
FLOW_SET_IPV6_DST_ADDR_FROM_PACKET
#define FLOW_SET_IPV6_DST_ADDR_FROM_PACKET(ip6h, a)
Definition: flow.h:223
FLOW_PROTO_ICMP
@ FLOW_PROTO_ICMP
Definition: flow-private.h:70
Flow_::icmp_s
struct Flow_::@114::@120 icmp_s
util-var.h
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
FlowGetReverseProtoMapping
uint8_t FlowGetReverseProtoMapping(uint8_t rproto)
Definition: flow-util.c:112
TcpState
TcpState
Definition: stream-tcp-private.h:150
FLOW_CHECK_MEMCAP
#define FLOW_CHECK_MEMCAP(size)
check if a memory alloc would fit in the memcap
Definition: flow-util.h:134
Flow_::dst
FlowAddress dst
Definition: flow.h:360
FlowEndCounters_::flow_tcp_state
uint16_t flow_tcp_state[TCP_CLOSED+1]
Definition: flow-util.h:148
TCP_NONE
@ TCP_NONE
Definition: stream-tcp-private.h:151
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
Flow_::esp
struct Flow_::@114::@121 esp
FLOW_STATE_LOCAL_BYPASSED
@ FLOW_STATE_LOCAL_BYPASSED
Definition: flow.h:505
Flow_::min_ttl_toserver
uint8_t min_ttl_toserver
Definition: flow.h:468
TCP_CLOSE_WAIT
@ TCP_CLOSE_WAIT
Definition: stream-tcp-private.h:160
util-debug.h
FlowBypassInfo_::BypassFree
void(* BypassFree)(void *data)
Definition: flow.h:529
Packet_::ts
SCTime_t ts
Definition: decode.h:524
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
FlowStorageSize
unsigned int FlowStorageSize(void)
Definition: flow-storage.c:35
Packet_::sp
Port sp
Definition: decode.h:483
FlowSetStorageById
int FlowSetStorageById(Flow *f, FlowStorageId id, void *ptr)
Definition: flow-storage.c:45
FlowStorageRegister
FlowStorageId FlowStorageRegister(const char *name, const unsigned int size, void *(*Alloc)(unsigned int), void(*Free)(void *))
Definition: flow-storage.c:66
FLOW_PROTO_DEFAULT
@ FLOW_PROTO_DEFAULT
Definition: flow-private.h:71
FlowBypassInfo_::bypass_data
void * bypass_data
Definition: flow.h:530
MacSetFlowStorageEnabled
bool MacSetFlowStorageEnabled(void)
Definition: util-macset.c:85
SC_ATOMIC_SUB
#define SC_ATOMIC_SUB(name, val)
sub a value from our atomic variable
Definition: util-atomic.h:341
SCReturn
#define SCReturn
Definition: util-debug.h:273
IPV6Hdr_
Definition: decode-ipv6.h:32
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:98
Packet_
Definition: decode.h:476
FLOW_PROTO_TCP
@ FLOW_PROTO_TCP
Definition: flow-private.h:68
IPV4_GET_RAW_IPTTL
#define IPV4_GET_RAW_IPTTL(ip4h)
Definition: decode-ipv4.h:102
decode-icmpv4.h
MacSet_
Definition: util-macset.c:45
Packet_::livedev
struct LiveDevice_ * livedev
Definition: decode.h:587
name
const char * name
Definition: tm-threads.c:2081
Flow_::vlan_idx
uint8_t vlan_idx
Definition: flow.h:383
ICMPv4GetCounterpart
int ICMPv4GetCounterpart(uint8_t type)
Definition: decode-icmpv4.c:345
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET
#define FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET(ip4h, a)
Definition: flow.h:197
MacSetGetFlowStorageID
FlowStorageId MacSetGetFlowStorageID(void)
Definition: util-macset.c:114
FLOW_STATE_SIZE
#define FLOW_STATE_SIZE
Definition: flow.h:513
FlowGetStorageById
void * FlowGetStorageById(const Flow *f, FlowStorageId id)
Definition: flow-storage.c:40
Flow_::src
FlowAddress src
Definition: flow.h:360
IPV4Hdr_
Definition: decode-ipv4.h:72
TCP_CLOSED
@ TCP_CLOSED
Definition: stream-tcp-private.h:162
flow-storage.h
FLOW_STATE_NEW
@ FLOW_STATE_NEW
Definition: flow.h:502
SCFlowRunInitCallbacks
void SCFlowRunInitCallbacks(ThreadVars *tv, Flow *f, const Packet *p)
Definition: flow-callbacks.c:64
suricata-common.h
FlowFree
void FlowFree(Flow *f)
cleanup & free the memory of a flow
Definition: flow-util.c:83
FLOW_IPV6
#define FLOW_IPV6
Definition: flow.h:101
MacSetInit
MacSet * MacSetInit(int size)
Definition: util-macset.c:91
Flow_::timeout_policy
uint32_t timeout_policy
Definition: flow.h:406
TCP_CLOSING
@ TCP_CLOSING
Definition: stream-tcp-private.h:161
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
Flow_::livedev
struct LiveDevice_ * livedev
Definition: flow.h:399
util-validate.h
FLOW_STATE_CLOSED
@ FLOW_STATE_CLOSED
Definition: flow.h:504
flow-callbacks.h
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::flags
uint32_t flags
Definition: flow.h:422
Packet_::recursion_level
uint8_t recursion_level
Definition: decode.h:501
FlowInit
void FlowInit(ThreadVars *tv, Flow *f, const Packet *p)
Definition: flow-util.c:146
TCP_TIME_WAIT
@ TCP_TIME_WAIT
Definition: stream-tcp-private.h:158
FlowStorageId::id
int id
Definition: flow-storage.h:32
Flow_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: flow.h:381
FLOW_SET_IPV4_DST_ADDR_FROM_PACKET
#define FLOW_SET_IPV4_DST_ADDR_FROM_PACKET(ip4h, a)
Definition: flow.h:205
Packet_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: decode.h:503
Flow_::sp
Port sp
Definition: flow.h:362
flow.h
FlowAlloc
Flow * FlowAlloc(void)
allocate a flow
Definition: flow-util.c:55
FlowEndCountersRegister
void FlowEndCountersRegister(ThreadVars *t, FlowEndCounters *fec)
Definition: flow-util.c:236
Packet_::dp
Port dp
Definition: decode.h:491
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:951
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
FlowEndCounters_
Definition: flow-util.h:146
flow-var.h
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
app-layer.h