suricata
flow-util.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Flow utility functions
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 
29 #include "flow.h"
30 #include "flow-private.h"
31 #include "flow-util.h"
32 #include "flow-callbacks.h"
33 #include "flow-var.h"
34 #include "app-layer.h"
35 
36 #include "util-var.h"
37 #include "util-debug.h"
38 #include "util-macset.h"
39 #include "util-flow-rate.h"
40 #include "flow-storage.h"
41 
42 #include "detect.h"
43 #include "detect-engine-state.h"
44 
45 #include "decode-icmpv4.h"
46 
47 #include "util-device-private.h"
48 #include "util-validate.h"
49 
50 /** \brief allocate a flow
51  *
52  * We check against the memuse counter. If it passes that check we increment
53  * the counter first, then we try to alloc.
54  *
55  * \retval f the flow or NULL on out of memory
56  */
57 Flow *FlowAlloc(void)
58 {
59  Flow *f;
60  size_t size = sizeof(Flow) + SCFlowStorageSize();
61 
62  if (!(FLOW_CHECK_MEMCAP(size))) {
63  return NULL;
64  }
65 
66  (void) SC_ATOMIC_ADD(flow_memuse, size);
67 
68  f = SCCalloc(1, size);
69  if (unlikely(f == NULL)) {
70  (void)SC_ATOMIC_SUB(flow_memuse, size);
71  return NULL;
72  }
73 
74  /* coverity[missing_lock] */
75  FLOW_INITIALIZE(f);
76  return f;
77 }
78 
79 
80 /**
81  * \brief cleanup & free the memory of a flow
82  *
83  * \param f flow to clear & destroy
84  */
85 void FlowFree(Flow *f)
86 {
87  FLOW_DESTROY(f);
88  SCFree(f);
89 
90  size_t size = sizeof(Flow) + SCFlowStorageSize();
91  (void) SC_ATOMIC_SUB(flow_memuse, size);
92 }
93 
94 /**
95  * \brief Function to map the protocol to the defined FLOW_PROTO_* enumeration.
96  *
97  * \param proto protocol which is needed to be mapped
98  */
99 
100 uint8_t FlowGetProtoMapping(uint8_t proto)
101 {
102  switch (proto) {
103  case IPPROTO_TCP:
104  return FLOW_PROTO_TCP;
105  case IPPROTO_UDP:
106  return FLOW_PROTO_UDP;
107  case IPPROTO_ICMP:
108  return FLOW_PROTO_ICMP;
109  default:
110  return FLOW_PROTO_DEFAULT;
111  }
112 }
113 
114 uint8_t FlowGetReverseProtoMapping(uint8_t rproto)
115 {
116  switch (rproto) {
117  case FLOW_PROTO_TCP:
118  return IPPROTO_TCP;
119  case FLOW_PROTO_UDP:
120  return IPPROTO_UDP;
121  case FLOW_PROTO_ICMP:
122  return IPPROTO_ICMP;
123  default:
124  exit(EXIT_FAILURE);
125  }
126 }
127 
128 static inline void FlowSetICMPv4CounterPart(Flow *f)
129 {
130  int ctype = ICMPv4GetCounterpart(f->icmp_s.type);
131  if (ctype == -1)
132  return;
133 
134  f->icmp_d.type = (uint8_t)ctype;
135 }
136 
137 static inline void FlowSetICMPv6CounterPart(Flow *f)
138 {
139  int ctype = ICMPv6GetCounterpart(f->icmp_s.type);
140  if (ctype == -1)
141  return;
142 
143  f->icmp_d.type = (uint8_t)ctype;
144 }
145 
146 /* initialize the flow from the first packet
147  * we see from it. */
148 void FlowInit(ThreadVars *tv, Flow *f, const Packet *p)
149 {
150  SCEnter();
151  SCLogDebug("flow %p", f);
152 
153  f->proto = p->proto;
154  f->recursion_level = p->recursion_level;
155  memcpy(&f->vlan_id[0], &p->vlan_id[0], sizeof(f->vlan_id));
156  f->vlan_idx = p->vlan_idx;
157 
158  f->thread_id[0] = (FlowThreadId)tv->id;
159 
160  f->livedev_id = p->livedev_id;
161 
162  if (PacketIsIPv4(p)) {
163  const IPV4Hdr *ip4h = PacketGetIPv4(p);
164  FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET(ip4h, &f->src);
165  FLOW_SET_IPV4_DST_ADDR_FROM_PACKET(ip4h, &f->dst);
166  f->min_ttl_toserver = f->max_ttl_toserver = IPV4_GET_RAW_IPTTL(ip4h);
167  f->flags |= FLOW_IPV4;
168  } else if (PacketIsIPv6(p)) {
169  const IPV6Hdr *ip6h = PacketGetIPv6(p);
170  FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET(ip6h, &f->src);
171  FLOW_SET_IPV6_DST_ADDR_FROM_PACKET(ip6h, &f->dst);
172  f->min_ttl_toserver = f->max_ttl_toserver = IPV6_GET_RAW_HLIM(ip6h);
173  f->flags |= FLOW_IPV6;
174  } else {
175  SCLogDebug("neither IPv4 or IPv6, weird");
176  DEBUG_VALIDATE_BUG_ON(1);
177  }
178 
179  if (PacketIsTCP(p) || PacketIsUDP(p)) {
180  f->sp = p->sp;
181  f->dp = p->dp;
182  } else if (PacketIsICMPv4(p)) {
183  f->icmp_s.type = p->icmp_s.type;
184  f->icmp_s.code = p->icmp_s.code;
185  FlowSetICMPv4CounterPart(f);
186  } else if (PacketIsICMPv6(p)) {
187  f->icmp_s.type = p->icmp_s.type;
188  f->icmp_s.code = p->icmp_s.code;
189  FlowSetICMPv6CounterPart(f);
190  } else if (PacketIsSCTP(p)) {
191  f->sp = p->sp;
192  f->dp = p->dp;
193  } else if (PacketIsESP(p)) {
194  f->esp.spi = ESP_GET_SPI(PacketGetESP(p));
195  } else {
196  /* nothing to do for this IP proto. */
197  SCLogDebug("no special setup for IP proto %u", p->proto);
198  }
199  f->startts = p->ts;
200 
201  f->protomap = FlowGetProtoMapping(f->proto);
202  f->timeout_policy = FlowGetTimeoutPolicy(f);
203 
204  if (MacSetFlowStorageEnabled()) {
205  DEBUG_VALIDATE_BUG_ON(SCFlowGetStorageById(f, MacSetGetFlowStorageID()) != NULL);
206  MacSet *ms = MacSetInit(10);
207  SCFlowSetStorageById(f, MacSetGetFlowStorageID(), ms);
208  }
209 
210  if (FlowRateStorageEnabled()) {
211  DEBUG_VALIDATE_BUG_ON(SCFlowGetStorageById(f, FlowRateGetStorageID()) != NULL);
212  FlowRateStore *frs = FlowRateStoreInit();
213  SCFlowSetStorageById(f, FlowRateGetStorageID(), frs);
214  }
215 
216  SCFlowRunInitCallbacks(tv, f, p);
217 
218  SCReturn;
219 }
220 
221 SCFlowStorageId g_bypass_info_id = { .id = -1 };
222 
223 SCFlowStorageId GetFlowBypassInfoID(void)
224 {
225  return g_bypass_info_id;
226 }
227 
228 static void FlowBypassFree(void *x)
229 {
230  FlowBypassInfo *fb = (FlowBypassInfo *) x;
231 
232  if (fb == NULL)
233  return;
234 
235  if (fb->bypass_data && fb->BypassFree) {
236  fb->BypassFree(fb->bypass_data);
237  }
238  SCFree(fb);
239 }
240 
241 void RegisterFlowBypassInfo(void)
242 {
243  g_bypass_info_id = SCFlowStorageRegister("bypass_counters", FlowBypassFree);
244 }
245 
246 void FlowEndCountersRegister(ThreadVars *t, FlowEndCounters *fec)
247 {
248  for (int i = 0; i < FLOW_STATE_SIZE; i++) {
249  const char *name = NULL;
250  if (i == FLOW_STATE_NEW) {
251  name = "flow.end.state.new";
252  } else if (i == FLOW_STATE_ESTABLISHED) {
253  name = "flow.end.state.established";
254  } else if (i == FLOW_STATE_CLOSED) {
255  name = "flow.end.state.closed";
256  } else if (i == FLOW_STATE_LOCAL_BYPASSED) {
257  name = "flow.end.state.local_bypassed";
258 #ifdef CAPTURE_OFFLOAD
259  } else if (i == FLOW_STATE_CAPTURE_BYPASSED) {
260  name = "flow.end.state.capture_bypassed";
261 #endif
262  }
263  if (name) {
264  fec->flow_state[i] = StatsRegisterCounter(name, &t->stats);
265  }
266  }
267 
268  for (enum TcpState i = TCP_NONE; i <= TCP_CLOSED; i++) {
269  const char *name = NULL;
270  switch (i) {
271  case TCP_NONE:
272  name = "flow.end.tcp_state.none";
273  break;
274  case TCP_SYN_SENT:
275  name = "flow.end.tcp_state.syn_sent";
276  break;
277  case TCP_SYN_RECV:
278  name = "flow.end.tcp_state.syn_recv";
279  break;
280  case TCP_ESTABLISHED:
281  name = "flow.end.tcp_state.established";
282  break;
283  case TCP_FIN_WAIT1:
284  name = "flow.end.tcp_state.fin_wait1";
285  break;
286  case TCP_FIN_WAIT2:
287  name = "flow.end.tcp_state.fin_wait2";
288  break;
289  case TCP_TIME_WAIT:
290  name = "flow.end.tcp_state.time_wait";
291  break;
292  case TCP_LAST_ACK:
293  name = "flow.end.tcp_state.last_ack";
294  break;
295  case TCP_CLOSE_WAIT:
296  name = "flow.end.tcp_state.close_wait";
297  break;
298  case TCP_CLOSING:
299  name = "flow.end.tcp_state.closing";
300  break;
301  case TCP_CLOSED:
302  name = "flow.end.tcp_state.closed";
303  break;
304  }
305 
306  fec->flow_tcp_state[i] = StatsRegisterCounter(name, &t->stats);
307  }
308  fec->flow_tcp_liberal = StatsRegisterCounter("flow.end.tcp_liberal", &t->stats);
309 }
ESP_GET_SPI
#define ESP_GET_SPI(esph)
Get the spi field off a packet.
Definition: decode-esp.h:29
util-device-private.h
TCP_SYN_RECV
@ TCP_SYN_RECV
Definition: stream-tcp-private.h:154
Packet_::proto
uint8_t proto
Definition: decode.h:536
Flow_::recursion_level
uint8_t recursion_level
Definition: flow.h:377
Flow_::flags
uint64_t flags
Definition: flow.h:403
IPV6_GET_RAW_HLIM
#define IPV6_GET_RAW_HLIM(ip6h)
Definition: decode-ipv6.h:67
FLOW_STATE_ESTABLISHED
@ FLOW_STATE_ESTABLISHED
Definition: flow.h:505
TCP_SYN_SENT
@ TCP_SYN_SENT
Definition: stream-tcp-private.h:153
flow-util.h
Flow_::startts
SCTime_t startts
Definition: flow.h:493
FlowBypassInfo_
Definition: flow.h:529
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SCFlowGetStorageById
void * SCFlowGetStorageById(const Flow *f, SCFlowStorageId id)
Definition: flow-storage.c:40
ICMPv6GetCounterpart
int ICMPv6GetCounterpart(uint8_t type)
Definition: decode-icmpv6.c:145
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
StatsRegisterCounter
StatsCounterId StatsRegisterCounter(const char *name, StatsThreadContext *stats)
Registers a normal, unqualified counter.
Definition: counters.c:1039
Flow_::esp
struct Flow_::@121::@128 esp
TCP_FIN_WAIT2
@ TCP_FIN_WAIT2
Definition: stream-tcp-private.h:157
name
const char * name
Definition: detect-engine-proto.c:48
Flow_::proto
uint8_t proto
Definition: flow.h:376
threads.h
FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET
#define FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET(ip6h, a)
Definition: flow.h:214
util-macset.h
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:542
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:354
RegisterFlowBypassInfo
void RegisterFlowBypassInfo(void)
Definition: flow-util.c:241
SCFlowStorageSize
unsigned int SCFlowStorageSize(void)
Definition: flow-storage.c:35
Flow_::protomap
uint8_t protomap
Definition: flow.h:445
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:332
SCFlowStorageId
Definition: flow-storage.h:31
TCP_FIN_WAIT1
@ TCP_FIN_WAIT1
Definition: stream-tcp-private.h:156
TCP_LAST_ACK
@ TCP_LAST_ACK
Definition: stream-tcp-private.h:159
FlowRateGetStorageID
SCFlowStorageId FlowRateGetStorageID(void)
Definition: util-flow-rate.c:133
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:155
Flow_::max_ttl_toserver
uint8_t max_ttl_toserver
Definition: flow.h:468
proto
uint8_t proto
Definition: decode-template.h:0
Flow_::livedev_id
uint16_t livedev_id
Definition: flow.h:399
p
Packet * p
Definition: fuzz_iprep.c:21
Flow_::dp
Port dp
Definition: flow.h:370
g_bypass_info_id
SCFlowStorageId g_bypass_info_id
Definition: flow-util.c:221
FLOW_SET_IPV6_DST_ADDR_FROM_PACKET
#define FLOW_SET_IPV6_DST_ADDR_FROM_PACKET(ip6h, a)
Definition: flow.h:222
FLOW_PROTO_UDP
@ FLOW_PROTO_UDP
Definition: flow-private.h:67
util-var.h
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
GetFlowBypassInfoID
SCFlowStorageId GetFlowBypassInfoID(void)
Definition: flow-util.c:223
FlowEndCounters_::flow_tcp_state
StatsCounterId flow_tcp_state[TCP_CLOSED+1]
Definition: flow-util.h:148
FlowGetReverseProtoMapping
uint8_t FlowGetReverseProtoMapping(uint8_t rproto)
Definition: flow-util.c:114
TcpState
TcpState
Definition: stream-tcp-private.h:150
SCFlowStorageRegister
SCFlowStorageId SCFlowStorageRegister(const char *name, void(*Free)(void *))
Definition: flow-storage.c:61
Packet_::icmp_s
struct Packet_::@32::@39 icmp_s
FLOW_CHECK_MEMCAP
#define FLOW_CHECK_MEMCAP(size)
check if a memory alloc would fit in the memcap
Definition: flow-util.h:134
Flow_::dst
FlowAddress dst
Definition: flow.h:357
TCP_NONE
@ TCP_NONE
Definition: stream-tcp-private.h:151
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
util-flow-rate.h
FLOW_STATE_LOCAL_BYPASSED
@ FLOW_STATE_LOCAL_BYPASSED
Definition: flow.h:507
Flow_::min_ttl_toserver
uint8_t min_ttl_toserver
Definition: flow.h:467
TCP_CLOSE_WAIT
@ TCP_CLOSE_WAIT
Definition: stream-tcp-private.h:160
util-debug.h
FlowBypassInfo_::BypassFree
void(* BypassFree)(void *data)
Definition: flow.h:531
Packet_::ts
SCTime_t ts
Definition: decode.h:568
FlowEndCounters_::flow_tcp_liberal
StatsCounterId flow_tcp_liberal
Definition: flow-util.h:149
SCEnter
#define SCEnter(...)
Definition: util-debug.h:284
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SCFlowSetStorageById
int SCFlowSetStorageById(Flow *f, SCFlowStorageId id, void *ptr)
Definition: flow-storage.c:45
Packet_::sp
Port sp
Definition: decode.h:521
FlowBypassInfo_::bypass_data
void * bypass_data
Definition: flow.h:532
FLOW_PROTO_DEFAULT
@ FLOW_PROTO_DEFAULT
Definition: flow-private.h:69
FLOW_PROTO_ICMP
@ FLOW_PROTO_ICMP
Definition: flow-private.h:68
ThreadVars_::id
int id
Definition: threadvars.h:86
MacSetFlowStorageEnabled
bool MacSetFlowStorageEnabled(void)
Definition: util-macset.c:85
SC_ATOMIC_SUB
#define SC_ATOMIC_SUB(name, val)
sub a value from our atomic variable
Definition: util-atomic.h:341
FlowThreadId
uint16_t FlowThreadId
Definition: flow.h:331
SCReturn
#define SCReturn
Definition: util-debug.h:286
IPV6Hdr_
Definition: decode-ipv6.h:32
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:100
Packet_
Definition: decode.h:514
IPV4_GET_RAW_IPTTL
#define IPV4_GET_RAW_IPTTL(ip4h)
Definition: decode-ipv4.h:102
decode-icmpv4.h
MacSet_
Definition: util-macset.c:45
Flow_::vlan_idx
uint8_t vlan_idx
Definition: flow.h:380
ICMPv4GetCounterpart
int ICMPv4GetCounterpart(uint8_t type)
Definition: decode-icmpv4.c:345
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET
#define FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET(ip4h, a)
Definition: flow.h:196
FLOW_STATE_SIZE
#define FLOW_STATE_SIZE
Definition: flow.h:515
Flow_::src
FlowAddress src
Definition: flow.h:357
IPV4Hdr_
Definition: decode-ipv4.h:72
TCP_CLOSED
@ TCP_CLOSED
Definition: stream-tcp-private.h:162
flow-storage.h
FLOW_STATE_NEW
@ FLOW_STATE_NEW
Definition: flow.h:504
SCFlowRunInitCallbacks
void SCFlowRunInitCallbacks(ThreadVars *tv, Flow *f, const Packet *p)
Definition: flow-callbacks.c:64
suricata-common.h
FlowFree
void FlowFree(Flow *f)
cleanup & free the memory of a flow
Definition: flow-util.c:85
FLOW_IPV6
#define FLOW_IPV6
Definition: flow.h:101
Flow_::icmp_d
struct Flow_::@123::@129 icmp_d
FlowRateStoreInit
FlowRateStore * FlowRateStoreInit(void)
Definition: util-flow-rate.c:101
Packet_::livedev_id
uint16_t livedev_id
Definition: decode.h:631
Flow
struct Flow_ Flow
Definition: app-layer-detect-proto.h:29
MacSetInit
MacSet * MacSetInit(int size)
Definition: util-macset.c:90
Flow_::timeout_policy
uint32_t timeout_policy
Definition: flow.h:413
TCP_CLOSING
@ TCP_CLOSING
Definition: stream-tcp-private.h:161
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:33
util-validate.h
FLOW_STATE_CLOSED
@ FLOW_STATE_CLOSED
Definition: flow.h:506
flow-callbacks.h
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Packet_::recursion_level
uint8_t recursion_level
Definition: decode.h:539
FlowInit
void FlowInit(ThreadVars *tv, Flow *f, const Packet *p)
Definition: flow-util.c:148
TCP_TIME_WAIT
@ TCP_TIME_WAIT
Definition: stream-tcp-private.h:158
FlowRateStorageEnabled
bool FlowRateStorageEnabled(void)
Definition: util-flow-rate.c:96
Flow_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: flow.h:378
FLOW_SET_IPV4_DST_ADDR_FROM_PACKET
#define FLOW_SET_IPV4_DST_ADDR_FROM_PACKET(ip4h, a)
Definition: flow.h:204
FlowEndCounters_::flow_state
StatsCounterId flow_state[FLOW_STATE_SIZE]
Definition: flow-util.h:147
SCFlowStorageId::id
int id
Definition: flow-storage.h:32
Packet_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: decode.h:541
Flow_::icmp_s
struct Flow_::@121::@127 icmp_s
Flow_::sp
Port sp
Definition: flow.h:359
flow.h
FlowAlloc
Flow * FlowAlloc(void)
allocate a flow
Definition: flow-util.c:57
FlowEndCountersRegister
void FlowEndCountersRegister(ThreadVars *t, FlowEndCounters *fec)
Definition: flow-util.c:246
Packet_::dp
Port dp
Definition: decode.h:529
FLOW_PROTO_TCP
@ FLOW_PROTO_TCP
Definition: flow-private.h:66
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
FlowEndCounters_
Definition: flow-util.h:146
flow-var.h
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:109
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
FlowRateStore_
Definition: util-flow-rate.h:47
Flow_::thread_id
FlowThreadId thread_id[2]
Definition: flow.h:392
app-layer.h
MacSetGetFlowStorageID
SCFlowStorageId MacSetGetFlowStorageID(void)
Definition: util-macset.c:113