suricata
flow-util.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Flow utility functions
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 
29 #include "flow.h"
30 #include "flow-private.h"
31 #include "flow-util.h"
32 #include "flow-callbacks.h"
33 #include "flow-var.h"
34 #include "app-layer.h"
35 
36 #include "util-var.h"
37 #include "util-debug.h"
38 #include "util-macset.h"
39 #include "util-flow-rate.h"
40 #include "flow-storage.h"
41 
42 #include "detect.h"
43 #include "detect-engine-state.h"
44 
45 #include "decode-icmpv4.h"
46 
47 #include "util-validate.h"
48 
49 /** \brief allocate a flow
50  *
51  * We check against the memuse counter. If it passes that check we increment
52  * the counter first, then we try to alloc.
53  *
54  * \retval f the flow or NULL on out of memory
55  */
56 Flow *FlowAlloc(void)
57 {
58  Flow *f;
59  size_t size = sizeof(Flow) + SCFlowStorageSize();
60 
61  if (!(FLOW_CHECK_MEMCAP(size))) {
62  return NULL;
63  }
64 
65  (void) SC_ATOMIC_ADD(flow_memuse, size);
66 
67  f = SCCalloc(1, size);
68  if (unlikely(f == NULL)) {
69  (void)SC_ATOMIC_SUB(flow_memuse, size);
70  return NULL;
71  }
72 
73  /* coverity[missing_lock] */
74  FLOW_INITIALIZE(f);
75  return f;
76 }
77 
78 
79 /**
80  * \brief cleanup & free the memory of a flow
81  *
82  * \param f flow to clear & destroy
83  */
84 void FlowFree(Flow *f)
85 {
86  FLOW_DESTROY(f);
87  SCFree(f);
88 
89  size_t size = sizeof(Flow) + SCFlowStorageSize();
90  (void) SC_ATOMIC_SUB(flow_memuse, size);
91 }
92 
93 /**
94  * \brief Function to map the protocol to the defined FLOW_PROTO_* enumeration.
95  *
96  * \param proto protocol which is needed to be mapped
97  */
98 
99 uint8_t FlowGetProtoMapping(uint8_t proto)
100 {
101  switch (proto) {
102  case IPPROTO_TCP:
103  return FLOW_PROTO_TCP;
104  case IPPROTO_UDP:
105  return FLOW_PROTO_UDP;
106  case IPPROTO_ICMP:
107  return FLOW_PROTO_ICMP;
108  default:
109  return FLOW_PROTO_DEFAULT;
110  }
111 }
112 
113 uint8_t FlowGetReverseProtoMapping(uint8_t rproto)
114 {
115  switch (rproto) {
116  case FLOW_PROTO_TCP:
117  return IPPROTO_TCP;
118  case FLOW_PROTO_UDP:
119  return IPPROTO_UDP;
120  case FLOW_PROTO_ICMP:
121  return IPPROTO_ICMP;
122  default:
123  exit(EXIT_FAILURE);
124  }
125 }
126 
127 static inline void FlowSetICMPv4CounterPart(Flow *f)
128 {
129  int ctype = ICMPv4GetCounterpart(f->icmp_s.type);
130  if (ctype == -1)
131  return;
132 
133  f->icmp_d.type = (uint8_t)ctype;
134 }
135 
136 static inline void FlowSetICMPv6CounterPart(Flow *f)
137 {
138  int ctype = ICMPv6GetCounterpart(f->icmp_s.type);
139  if (ctype == -1)
140  return;
141 
142  f->icmp_d.type = (uint8_t)ctype;
143 }
144 
145 /* initialize the flow from the first packet
146  * we see from it. */
147 void FlowInit(ThreadVars *tv, Flow *f, const Packet *p)
148 {
149  SCEnter();
150  SCLogDebug("flow %p", f);
151 
152  f->proto = p->proto;
153  f->recursion_level = p->recursion_level;
154  memcpy(&f->vlan_id[0], &p->vlan_id[0], sizeof(f->vlan_id));
155  f->vlan_idx = p->vlan_idx;
156 
157  f->thread_id[0] = (FlowThreadId)tv->id;
158 
159  f->livedev = p->livedev;
160 
161  if (PacketIsIPv4(p)) {
162  const IPV4Hdr *ip4h = PacketGetIPv4(p);
163  FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET(ip4h, &f->src);
164  FLOW_SET_IPV4_DST_ADDR_FROM_PACKET(ip4h, &f->dst);
165  f->min_ttl_toserver = f->max_ttl_toserver = IPV4_GET_RAW_IPTTL(ip4h);
166  f->flags |= FLOW_IPV4;
167  } else if (PacketIsIPv6(p)) {
168  const IPV6Hdr *ip6h = PacketGetIPv6(p);
169  FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET(ip6h, &f->src);
170  FLOW_SET_IPV6_DST_ADDR_FROM_PACKET(ip6h, &f->dst);
171  f->min_ttl_toserver = f->max_ttl_toserver = IPV6_GET_RAW_HLIM(ip6h);
172  f->flags |= FLOW_IPV6;
173  } else {
174  SCLogDebug("neither IPv4 or IPv6, weird");
175  DEBUG_VALIDATE_BUG_ON(1);
176  }
177 
178  if (PacketIsTCP(p) || PacketIsUDP(p)) {
179  f->sp = p->sp;
180  f->dp = p->dp;
181  } else if (PacketIsICMPv4(p)) {
182  f->icmp_s.type = p->icmp_s.type;
183  f->icmp_s.code = p->icmp_s.code;
184  FlowSetICMPv4CounterPart(f);
185  } else if (PacketIsICMPv6(p)) {
186  f->icmp_s.type = p->icmp_s.type;
187  f->icmp_s.code = p->icmp_s.code;
188  FlowSetICMPv6CounterPart(f);
189  } else if (PacketIsSCTP(p)) {
190  f->sp = p->sp;
191  f->dp = p->dp;
192  } else if (PacketIsESP(p)) {
193  f->esp.spi = ESP_GET_SPI(PacketGetESP(p));
194  } else {
195  /* nothing to do for this IP proto. */
196  SCLogDebug("no special setup for IP proto %u", p->proto);
197  }
198  f->startts = p->ts;
199 
200  f->protomap = FlowGetProtoMapping(f->proto);
201  f->timeout_policy = FlowGetTimeoutPolicy(f);
202 
203  if (MacSetFlowStorageEnabled()) {
204  DEBUG_VALIDATE_BUG_ON(SCFlowGetStorageById(f, MacSetGetFlowStorageID()) != NULL);
205  MacSet *ms = MacSetInit(10);
206  SCFlowSetStorageById(f, MacSetGetFlowStorageID(), ms);
207  }
208 
209  if (FlowRateStorageEnabled()) {
210  DEBUG_VALIDATE_BUG_ON(SCFlowGetStorageById(f, FlowRateGetStorageID()) != NULL);
211  FlowRateStore *frs = FlowRateStoreInit();
212  SCFlowSetStorageById(f, FlowRateGetStorageID(), frs);
213  }
214 
215  SCFlowRunInitCallbacks(tv, f, p);
216 
217  SCReturn;
218 }
219 
220 SCFlowStorageId g_bypass_info_id = { .id = -1 };
221 
222 SCFlowStorageId GetFlowBypassInfoID(void)
223 {
224  return g_bypass_info_id;
225 }
226 
227 static void FlowBypassFree(void *x)
228 {
229  FlowBypassInfo *fb = (FlowBypassInfo *) x;
230 
231  if (fb == NULL)
232  return;
233 
234  if (fb->bypass_data && fb->BypassFree) {
235  fb->BypassFree(fb->bypass_data);
236  }
237  SCFree(fb);
238 }
239 
240 void RegisterFlowBypassInfo(void)
241 {
242  g_bypass_info_id = SCFlowStorageRegister("bypass_counters", FlowBypassFree);
243 }
244 
245 void FlowEndCountersRegister(ThreadVars *t, FlowEndCounters *fec)
246 {
247  for (int i = 0; i < FLOW_STATE_SIZE; i++) {
248  const char *name = NULL;
249  if (i == FLOW_STATE_NEW) {
250  name = "flow.end.state.new";
251  } else if (i == FLOW_STATE_ESTABLISHED) {
252  name = "flow.end.state.established";
253  } else if (i == FLOW_STATE_CLOSED) {
254  name = "flow.end.state.closed";
255  } else if (i == FLOW_STATE_LOCAL_BYPASSED) {
256  name = "flow.end.state.local_bypassed";
257 #ifdef CAPTURE_OFFLOAD
258  } else if (i == FLOW_STATE_CAPTURE_BYPASSED) {
259  name = "flow.end.state.capture_bypassed";
260 #endif
261  }
262  if (name) {
263  fec->flow_state[i] = StatsRegisterCounter(name, &t->stats);
264  }
265  }
266 
267  for (enum TcpState i = TCP_NONE; i <= TCP_CLOSED; i++) {
268  const char *name = NULL;
269  switch (i) {
270  case TCP_NONE:
271  name = "flow.end.tcp_state.none";
272  break;
273  case TCP_SYN_SENT:
274  name = "flow.end.tcp_state.syn_sent";
275  break;
276  case TCP_SYN_RECV:
277  name = "flow.end.tcp_state.syn_recv";
278  break;
279  case TCP_ESTABLISHED:
280  name = "flow.end.tcp_state.established";
281  break;
282  case TCP_FIN_WAIT1:
283  name = "flow.end.tcp_state.fin_wait1";
284  break;
285  case TCP_FIN_WAIT2:
286  name = "flow.end.tcp_state.fin_wait2";
287  break;
288  case TCP_TIME_WAIT:
289  name = "flow.end.tcp_state.time_wait";
290  break;
291  case TCP_LAST_ACK:
292  name = "flow.end.tcp_state.last_ack";
293  break;
294  case TCP_CLOSE_WAIT:
295  name = "flow.end.tcp_state.close_wait";
296  break;
297  case TCP_CLOSING:
298  name = "flow.end.tcp_state.closing";
299  break;
300  case TCP_CLOSED:
301  name = "flow.end.tcp_state.closed";
302  break;
303  }
304 
305  fec->flow_tcp_state[i] = StatsRegisterCounter(name, &t->stats);
306  }
307  fec->flow_tcp_liberal = StatsRegisterCounter("flow.end.tcp_liberal", &t->stats);
308 }
ESP_GET_SPI
#define ESP_GET_SPI(esph)
Get the spi field off a packet.
Definition: decode-esp.h:29
TCP_SYN_RECV
@ TCP_SYN_RECV
Definition: stream-tcp-private.h:154
Packet_::proto
uint8_t proto
Definition: decode.h:527
Flow_::recursion_level
uint8_t recursion_level
Definition: flow.h:370
Flow_::flags
uint64_t flags
Definition: flow.h:396
IPV6_GET_RAW_HLIM
#define IPV6_GET_RAW_HLIM(ip6h)
Definition: decode-ipv6.h:67
FLOW_STATE_ESTABLISHED
@ FLOW_STATE_ESTABLISHED
Definition: flow.h:498
TCP_SYN_SENT
@ TCP_SYN_SENT
Definition: stream-tcp-private.h:153
flow-util.h
Flow_::startts
SCTime_t startts
Definition: flow.h:486
FlowBypassInfo_
Definition: flow.h:522
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SCFlowGetStorageById
void * SCFlowGetStorageById(const Flow *f, SCFlowStorageId id)
Definition: flow-storage.c:40
ICMPv6GetCounterpart
int ICMPv6GetCounterpart(uint8_t type)
Definition: decode-icmpv6.c:145
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
StatsRegisterCounter
StatsCounterId StatsRegisterCounter(const char *name, StatsThreadContext *stats)
Registers a normal, unqualified counter.
Definition: counters.c:1037
Flow_::esp
struct Flow_::@121::@128 esp
TCP_FIN_WAIT2
@ TCP_FIN_WAIT2
Definition: stream-tcp-private.h:157
name
const char * name
Definition: detect-engine-proto.c:48
Flow_::proto
uint8_t proto
Definition: flow.h:369
threads.h
FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET
#define FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET(ip6h, a)
Definition: flow.h:207
util-macset.h
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:533
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:347
RegisterFlowBypassInfo
void RegisterFlowBypassInfo(void)
Definition: flow-util.c:240
SCFlowStorageSize
unsigned int SCFlowStorageSize(void)
Definition: flow-storage.c:35
Flow_::protomap
uint8_t protomap
Definition: flow.h:438
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:332
SCFlowStorageId
Definition: flow-storage.h:31
TCP_FIN_WAIT1
@ TCP_FIN_WAIT1
Definition: stream-tcp-private.h:156
TCP_LAST_ACK
@ TCP_LAST_ACK
Definition: stream-tcp-private.h:159
FlowRateGetStorageID
SCFlowStorageId FlowRateGetStorageID(void)
Definition: util-flow-rate.c:133
TCP_ESTABLISHED
@ TCP_ESTABLISHED
Definition: stream-tcp-private.h:155
Flow_::max_ttl_toserver
uint8_t max_ttl_toserver
Definition: flow.h:461
proto
uint8_t proto
Definition: decode-template.h:0
Flow_::dp
Port dp
Definition: flow.h:363
g_bypass_info_id
SCFlowStorageId g_bypass_info_id
Definition: flow-util.c:220
FLOW_SET_IPV6_DST_ADDR_FROM_PACKET
#define FLOW_SET_IPV6_DST_ADDR_FROM_PACKET(ip6h, a)
Definition: flow.h:215
FLOW_PROTO_UDP
@ FLOW_PROTO_UDP
Definition: flow-private.h:67
util-var.h
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
GetFlowBypassInfoID
SCFlowStorageId GetFlowBypassInfoID(void)
Definition: flow-util.c:222
FlowEndCounters_::flow_tcp_state
StatsCounterId flow_tcp_state[TCP_CLOSED+1]
Definition: flow-util.h:148
FlowGetReverseProtoMapping
uint8_t FlowGetReverseProtoMapping(uint8_t rproto)
Definition: flow-util.c:113
TcpState
TcpState
Definition: stream-tcp-private.h:150
SCFlowStorageRegister
SCFlowStorageId SCFlowStorageRegister(const char *name, void(*Free)(void *))
Definition: flow-storage.c:61
Packet_::icmp_s
struct Packet_::@32::@39 icmp_s
FLOW_CHECK_MEMCAP
#define FLOW_CHECK_MEMCAP(size)
check if a memory alloc would fit in the memcap
Definition: flow-util.h:134
Flow_::dst
FlowAddress dst
Definition: flow.h:350
TCP_NONE
@ TCP_NONE
Definition: stream-tcp-private.h:151
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
util-flow-rate.h
FLOW_STATE_LOCAL_BYPASSED
@ FLOW_STATE_LOCAL_BYPASSED
Definition: flow.h:500
Flow_::min_ttl_toserver
uint8_t min_ttl_toserver
Definition: flow.h:460
TCP_CLOSE_WAIT
@ TCP_CLOSE_WAIT
Definition: stream-tcp-private.h:160
util-debug.h
FlowBypassInfo_::BypassFree
void(* BypassFree)(void *data)
Definition: flow.h:524
Packet_::ts
SCTime_t ts
Definition: decode.h:559
FlowEndCounters_::flow_tcp_liberal
StatsCounterId flow_tcp_liberal
Definition: flow-util.h:149
SCEnter
#define SCEnter(...)
Definition: util-debug.h:284
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SCFlowSetStorageById
int SCFlowSetStorageById(Flow *f, SCFlowStorageId id, void *ptr)
Definition: flow-storage.c:45
Packet_::sp
Port sp
Definition: decode.h:512
FlowBypassInfo_::bypass_data
void * bypass_data
Definition: flow.h:525
FLOW_PROTO_DEFAULT
@ FLOW_PROTO_DEFAULT
Definition: flow-private.h:69
FLOW_PROTO_ICMP
@ FLOW_PROTO_ICMP
Definition: flow-private.h:68
ThreadVars_::id
int id
Definition: threadvars.h:86
MacSetFlowStorageEnabled
bool MacSetFlowStorageEnabled(void)
Definition: util-macset.c:85
SC_ATOMIC_SUB
#define SC_ATOMIC_SUB(name, val)
sub a value from our atomic variable
Definition: util-atomic.h:341
FlowThreadId
uint16_t FlowThreadId
Definition: flow.h:324
SCReturn
#define SCReturn
Definition: util-debug.h:286
IPV6Hdr_
Definition: decode-ipv6.h:32
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:99
Packet_
Definition: decode.h:505
IPV4_GET_RAW_IPTTL
#define IPV4_GET_RAW_IPTTL(ip4h)
Definition: decode-ipv4.h:102
decode-icmpv4.h
MacSet_
Definition: util-macset.c:45
Packet_::livedev
struct LiveDevice_ * livedev
Definition: decode.h:622
Flow_::vlan_idx
uint8_t vlan_idx
Definition: flow.h:373
ICMPv4GetCounterpart
int ICMPv4GetCounterpart(uint8_t type)
Definition: decode-icmpv4.c:345
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET
#define FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET(ip4h, a)
Definition: flow.h:189
FLOW_STATE_SIZE
#define FLOW_STATE_SIZE
Definition: flow.h:508
Flow_::src
FlowAddress src
Definition: flow.h:350
IPV4Hdr_
Definition: decode-ipv4.h:72
TCP_CLOSED
@ TCP_CLOSED
Definition: stream-tcp-private.h:162
flow-storage.h
FLOW_STATE_NEW
@ FLOW_STATE_NEW
Definition: flow.h:497
SCFlowRunInitCallbacks
void SCFlowRunInitCallbacks(ThreadVars *tv, Flow *f, const Packet *p)
Definition: flow-callbacks.c:64
suricata-common.h
FlowFree
void FlowFree(Flow *f)
cleanup & free the memory of a flow
Definition: flow-util.c:84
FLOW_IPV6
#define FLOW_IPV6
Definition: flow.h:101
Flow_::icmp_d
struct Flow_::@123::@129 icmp_d
FlowRateStoreInit
FlowRateStore * FlowRateStoreInit(void)
Definition: util-flow-rate.c:101
Flow
struct Flow_ Flow
Definition: app-layer-detect-proto.h:29
MacSetInit
MacSet * MacSetInit(int size)
Definition: util-macset.c:90
Flow_::timeout_policy
uint32_t timeout_policy
Definition: flow.h:406
TCP_CLOSING
@ TCP_CLOSING
Definition: stream-tcp-private.h:161
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:33
Flow_::livedev
struct LiveDevice_ * livedev
Definition: flow.h:392
util-validate.h
FLOW_STATE_CLOSED
@ FLOW_STATE_CLOSED
Definition: flow.h:499
flow-callbacks.h
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Packet_::recursion_level
uint8_t recursion_level
Definition: decode.h:530
FlowInit
void FlowInit(ThreadVars *tv, Flow *f, const Packet *p)
Definition: flow-util.c:147
TCP_TIME_WAIT
@ TCP_TIME_WAIT
Definition: stream-tcp-private.h:158
FlowRateStorageEnabled
bool FlowRateStorageEnabled(void)
Definition: util-flow-rate.c:96
Flow_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: flow.h:371
FLOW_SET_IPV4_DST_ADDR_FROM_PACKET
#define FLOW_SET_IPV4_DST_ADDR_FROM_PACKET(ip4h, a)
Definition: flow.h:197
FlowEndCounters_::flow_state
StatsCounterId flow_state[FLOW_STATE_SIZE]
Definition: flow-util.h:147
SCFlowStorageId::id
int id
Definition: flow-storage.h:32
Packet_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: decode.h:532
Flow_::icmp_s
struct Flow_::@121::@127 icmp_s
Flow_::sp
Port sp
Definition: flow.h:352
flow.h
FlowAlloc
Flow * FlowAlloc(void)
allocate a flow
Definition: flow-util.c:56
FlowEndCountersRegister
void FlowEndCountersRegister(ThreadVars *t, FlowEndCounters *fec)
Definition: flow-util.c:245
Packet_::dp
Port dp
Definition: decode.h:520
FLOW_PROTO_TCP
@ FLOW_PROTO_TCP
Definition: flow-private.h:66
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
FlowEndCounters_
Definition: flow-util.h:146
flow-var.h
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
FlowRateStore_
Definition: util-flow-rate.h:47
Flow_::thread_id
FlowThreadId thread_id[2]
Definition: flow.h:385
app-layer.h
MacSetGetFlowStorageID
SCFlowStorageId MacSetGetFlowStorageID(void)
Definition: util-macset.c:113