#include "suricata-common.h"#include "suricata.h"#include "decode.h"#include "conf.h"#include "threadvars.h"#include "tm-threads.h"#include "runmodes.h"#include "util-random.h"#include "util-time.h"#include "flow.h"#include "flow-queue.h"#include "flow-hash.h"#include "flow-util.h"#include "flow-var.h"#include "flow-private.h"#include "flow-timeout.h"#include "flow-manager.h"#include "flow-storage.h"#include "flow-bypass.h"#include "flow-spare-pool.h"#include "stream-tcp-private.h"#include "stream-tcp-reassemble.h"#include "stream-tcp.h"#include "util-unittest.h"#include "util-unittest-helper.h"#include "util-byte.h"#include "util-misc.h"#include "util-macset.h"#include "util-debug.h"#include "util-privs.h"#include "util-validate.h"#include "detect.h"#include "detect-engine-state.h"#include "stream.h"#include "app-layer-parser.h"#include "app-layer-expectation.h"#include "threads.h"
Go to the source code of this file.
Macros | |
| #define | FLOW_DEFAULT_EMERGENCY_RECOVERY 30 |
| #define | FLOW_DEFAULT_HASHSIZE 65536 |
| #define | FLOW_DEFAULT_MEMCAP (32 * 1024 * 1024) /* 32 MB */ |
| #define | FLOW_DEFAULT_PREALLOC 10000 |
| #define | SET_DEFAULTS(p, n, e, c, b, ne, ee, ce, be) |
Functions | |
| SC_ATOMIC_DECLARE (FlowProtoTimeoutPtr, flow_timeouts) | |
| SC_ATOMIC_DECLARE (unsigned int, flow_prune_idx) | |
| SC_ATOMIC_DECLARE (unsigned int, flow_flags) | |
| SC_ATOMIC_DECLARE (uint64_t, flow_memuse) | |
| void | FlowRegisterTests (void) |
| Function to register the Flow Unitests. More... | |
| void | FlowInitFlowProto (void) |
| Function to set the default timeout, free function and flow state function for all supported flow_proto. More... | |
| int | FlowSetProtoFreeFunc (uint8_t proto, void(*Free)(void *)) |
| Function to set the function to get protocol specific flow state. More... | |
| int | FlowSetMemcap (uint64_t size) |
| Update memcap value. More... | |
| uint64_t | FlowGetMemcap (void) |
| Return memcap value. More... | |
| uint64_t | FlowGetMemuse (void) |
| void | FlowCleanupAppLayer (Flow *f) |
| void | FlowSetIPOnlyFlag (Flow *f, int direction) |
| Set the IPOnly scanned flag for 'direction'. More... | |
| void | FlowSetHasAlertsFlag (Flow *f) |
| Set flag to indicate that flow has alerts. More... | |
| int | FlowHasAlerts (const Flow *f) |
| Check if flow has alerts. More... | |
| void | FlowSetChangeProtoFlag (Flow *f) |
| Set flag to indicate to change proto for the flow. More... | |
| void | FlowUnsetChangeProtoFlag (Flow *f) |
| Unset flag to indicate to change proto for the flow. More... | |
| int | FlowChangeProto (Flow *f) |
| Check if change proto flag is set for flow. More... | |
| void | FlowSwap (Flow *f) |
| swap the flow's direction More... | |
| int | FlowGetPacketDirection (const Flow *f, const Packet *p) |
| determine the direction of the packet compared to the flow More... | |
| void | FlowHandlePacketUpdate (Flow *f, Packet *p, ThreadVars *tv, DecodeThreadVars *dtv) |
| Update Packet and Flow. More... | |
| void | FlowHandlePacket (ThreadVars *tv, FlowLookupStruct *fls, Packet *p) |
| Entry point for packet flow handling. More... | |
| void | FlowInitConfig (bool quiet) |
| initialize the configuration More... | |
| void | FlowReset (void) |
| void | FlowShutdown (void) |
| shutdown the flow engine More... | |
| int | FlowClearMemory (Flow *f, uint8_t proto_map) |
| Function clear the flow memory before queueing it to spare flow queue. More... | |
| AppProto | FlowGetAppProtocol (const Flow *f) |
| void * | FlowGetAppState (const Flow *f) |
| uint8_t | FlowGetDisruptionFlags (const Flow *f, uint8_t flags) |
| get 'disruption' flags: GAP/DEPTH/PASS More... | |
| void | FlowUpdateState (Flow *f, const enum FlowState s) |
| void | FlowGetLastTimeAsParts (Flow *flow, uint64_t *secs, uint64_t *usecs) |
| Get flow last time as individual values. More... | |
| uint16_t | FlowGetSourcePort (Flow *flow) |
| Get flow source port. More... | |
| uint16_t | FlowGetDestinationPort (Flow *flow) |
| Get flow destination port. More... | |
| uint32_t | FlowGetFlags (Flow *flow) |
| Get flow flags. More... | |
Detailed Description
Flow implementation.
Definition in file flow.c.
Macro Definition Documentation
◆ FLOW_DEFAULT_EMERGENCY_RECOVERY
◆ FLOW_DEFAULT_HASHSIZE
◆ FLOW_DEFAULT_MEMCAP
◆ FLOW_DEFAULT_PREALLOC
◆ SET_DEFAULTS
| #define SET_DEFAULTS | ( | p, | |
| n, | |||
| e, | |||
| c, | |||
| b, | |||
| ne, | |||
| ee, | |||
| ce, | |||
| be | |||
| ) |
Function Documentation
◆ FlowChangeProto()
| int FlowChangeProto | ( | Flow * | f | ) |
Check if change proto flag is set for flow.
- Parameters
-
f flow
- Return values
-
1 change proto flag is set 0 change proto flag is not set
Definition at line 213 of file flow.c.
References Flow_::flags, and FLOW_CHANGE_PROTO.
Referenced by AppLayerHandleTCPData(), AppLayerRequestProtocolChange(), and LLVMFuzzerTestOneInput().
◆ FlowCleanupAppLayer()
| void FlowCleanupAppLayer | ( | Flow * | f | ) |
Definition at line 143 of file flow.c.
References Flow_::alparser, Flow_::alstate, AppLayerParserStateCleanup(), and Flow_::proto.
◆ FlowClearMemory()
| int FlowClearMemory | ( | Flow * | f, |
| uint8_t | proto_map | ||
| ) |
Function clear the flow memory before queueing it to spare flow queue.
- Parameters
-
f pointer to the flow needed to be cleared. proto_map mapped value of the protocol to FLOW_PROTO's.
Definition at line 1087 of file flow.c.
References AppLayerExpectationClean(), Flow_::flags, flow_freefuncs, FLOW_HAS_EXPECTATION, FLOW_RECYCLE, FlowFreeStorage(), FlowProtoFreeFunc_::Freefunc, Flow_::protoctx, SCEnter, SCReturnInt, and unlikely.
Referenced by FlowReset(), and FlowShutdown().
◆ FlowGetAppProtocol()
Definition at line 1124 of file flow.c.
References Flow_::alproto.
Referenced by JsonBuildFileInfoRecord().
◆ FlowGetAppState()
| void* FlowGetAppState | ( | const Flow * | f | ) |
Definition at line 1129 of file flow.c.
References Flow_::alstate.
Referenced by DetectEngineStateResetTxs(), EveEmailAddMetadata(), EveHTTP2AddMetadata(), EveHttpAddMetadata(), EveHttpLogJSONBodyBase64(), EveHttpLogJSONBodyPrintable(), EveIKEAddMetadata(), EveNFSAddMetadata(), EveNFSAddMetadataRPC(), EveSMBAddMetadata(), EveSMTPAddMetadata(), HttpXFFGetIP(), HttpXFFGetIPFromTx(), JsonModbusAddMetadata(), JsonMQTTAddMetadata(), JsonQuicAddMetadata(), JsonRFBAddMetadata(), and JsonSIPAddMetadata().
◆ FlowGetDestinationPort()
| uint16_t FlowGetDestinationPort | ( | Flow * | flow | ) |
◆ FlowGetDisruptionFlags()
| uint8_t FlowGetDisruptionFlags | ( | const Flow * | f, |
| uint8_t | flags | ||
| ) |
get 'disruption' flags: GAP/DEPTH/PASS
- Parameters
-
f locked flow flags existing flags to be ammended
- Return values
-
flags original flags + disrupt flags (if any) \TODO handle UDP
Definition at line 1141 of file flow.c.
References TcpSession_::client, flags, TcpStream_::flags, Flow_::proto, Flow_::protoctx, TcpSession_::server, and STREAMTCP_STREAM_FLAG_DEPTH_REACHED.
◆ FlowGetFlags()
| uint32_t FlowGetFlags | ( | Flow * | flow | ) |
Get flow flags.
A function to get the flow flags useful when the caller only has an opaque pointer to the flow structure.
Definition at line 1231 of file flow.c.
References Flow_::flags.
◆ FlowGetLastTimeAsParts()
| void FlowGetLastTimeAsParts | ( | Flow * | flow, |
| uint64_t * | secs, | ||
| uint64_t * | usecs | ||
| ) |
Get flow last time as individual values.
Instead of returning a pointer to the timeval copy the timeval parts into output pointers to make it simpler to call from Rust over FFI using only basic data types.
Definition at line 1196 of file flow.c.
References Flow_::lastts.
◆ FlowGetMemcap()
| uint64_t FlowGetMemcap | ( | void | ) |
Return memcap value.
- Return values
-
memcap value
Definition at line 131 of file flow.c.
References flow_config, and SC_ATOMIC_GET.
◆ FlowGetMemuse()
| uint64_t FlowGetMemuse | ( | void | ) |
Definition at line 137 of file flow.c.
References SC_ATOMIC_GET.
◆ FlowGetPacketDirection()
determine the direction of the packet compared to the flow
- Return values
-
0 to_server 1 to_client
Definition at line 293 of file flow.c.
References CMP_ADDR, CMP_PORT, Packet_::dp, Flow_::flags, FLOW_DIR_REVERSED, Packet_::proto, Flow_::sp, Packet_::sp, Flow_::src, Packet_::src, TOCLIENT, and TOSERVER.
Referenced by FlowHandlePacketUpdate(), and StreamTcp().
◆ FlowGetSourcePort()
| uint16_t FlowGetSourcePort | ( | Flow * | flow | ) |
◆ FlowHandlePacket()
| void FlowHandlePacket | ( | ThreadVars * | tv, |
| FlowLookupStruct * | fls, | ||
| Packet * | p | ||
| ) |
Entry point for packet flow handling.
This is called for every packet.
- Parameters
-
tv threadvars dtv decode thread vars (for flow output api thread data) p packet to handle flow for
Definition at line 508 of file flow.c.
References Packet_::flags, Packet_::flow, FlowGetFlowFromHash(), PKT_HAS_FLOW, and tv.
Referenced by UTHBuildPacketOfFlows().
◆ FlowHandlePacketUpdate()
| void FlowHandlePacketUpdate | ( | Flow * | f, |
| Packet * | p, | ||
| ThreadVars * | tv, | ||
| DecodeThreadVars * | dtv | ||
| ) |
Update Packet and Flow.
Updates packet and flow based on the new packet.
- Parameters
-
f locked flow p packet
- Note
- overwrites p::flowflags
Definition at line 391 of file flow.c.
References BypassedFlowUpdate(), COPY_TIMESTAMP, EngineModeIsIPS(), Flow_::flags, FLOW_BYPASSED_TIMEOUT, FLOW_PKT_TOSERVER, Flow_::flow_state, FLOW_STATE_LOCAL_BYPASSED, FLOW_TO_DST_SEEN, Packet_::flowflags, FlowGetPacketDirection(), FlowUpdateState(), GET_PKT_LEN, Flow_::lastts, Packet_::pcap_cnt, SCLogDebug, Flow_::timeout_at, Flow_::timeout_policy, Flow_::todstbytecnt, Flow_::todstpktcnt, TOSERVER, and Packet_::ts.
◆ FlowHasAlerts()
| int FlowHasAlerts | ( | const Flow * | f | ) |
Check if flow has alerts.
- Parameters
-
f flow
- Return values
-
1 has alerts 0 has not alerts
Definition at line 181 of file flow.c.
References Flow_::flags, and FLOW_HAS_ALERTS.
◆ FlowInitConfig()
| void FlowInitConfig | ( | bool | quiet | ) |
initialize the configuration
- Warning
- Not thread safe
set config values for memcap, prealloc and hash_size
Definition at line 524 of file flow.c.
References CLS, ConfGet(), ConfGetInt(), FlowCnf_::emergency_recovery, ExceptionPolicyParse(), FatalError, FBLOCK_INIT, FLOW_CHECK_MEMCAP, flow_config, FLOW_DEFAULT_EMERGENCY_RECOVERY, FLOW_DEFAULT_HASHSIZE, FLOW_DEFAULT_MEMCAP, FLOW_DEFAULT_PREALLOC, flow_hash, flow_recycle_q, FlowInitFlowProto(), FlowQueueInit(), FlowSparePoolInit(), FlowStorageSize(), FlowCnf_::hash_rand, FlowCnf_::hash_size, FlowCnf_::memcap_policy, ParseSizeStringU64(), FlowCnf_::prealloc, RandomGet(), SC_ATOMIC_ADD, SC_ATOMIC_GET, SC_ATOMIC_INIT, SC_ATOMIC_SET, SC_ERR_FATAL, SC_ERR_FLOW_INIT, SC_ERR_INVALID_VALUE, SC_ERR_SIZE_PARSE, SCLogDebug, SCLogError, SCMallocAligned, StringParseUint32(), and unlikely.
Referenced by PreRunInit().
◆ FlowInitFlowProto()
| void FlowInitFlowProto | ( | void | ) |
Function to set the default timeout, free function and flow state function for all supported flow_proto.
Definition at line 717 of file flow.c.
References FlowProtoTimeout_::bypassed_timeout, FlowProtoTimeout_::closed_timeout, ConfGetNode(), ConfNodeLookupChild(), ConfNodeLookupChildValue(), FlowProtoTimeout_::est_timeout, FLOW_DEFAULT_BYPASSED_TIMEOUT, FLOW_DEFAULT_EMERG_BYPASSED_TIMEOUT, FLOW_DEFAULT_EMERG_EST_TIMEOUT, FLOW_DEFAULT_EMERG_NEW_TIMEOUT, FLOW_DEFAULT_EST_TIMEOUT, FLOW_DEFAULT_NEW_TIMEOUT, flow_freefuncs, FLOW_IPPROTO_ICMP_BYPASSED_TIMEOUT, FLOW_IPPROTO_ICMP_EMERG_EST_TIMEOUT, FLOW_IPPROTO_ICMP_EMERG_NEW_TIMEOUT, FLOW_IPPROTO_ICMP_EST_TIMEOUT, FLOW_IPPROTO_ICMP_NEW_TIMEOUT, FLOW_IPPROTO_TCP_BYPASSED_TIMEOUT, FLOW_IPPROTO_TCP_CLOSED_TIMEOUT, FLOW_IPPROTO_TCP_EMERG_CLOSED_TIMEOUT, FLOW_IPPROTO_TCP_EMERG_EST_TIMEOUT, FLOW_IPPROTO_TCP_EMERG_NEW_TIMEOUT, FLOW_IPPROTO_TCP_EST_TIMEOUT, FLOW_IPPROTO_TCP_NEW_TIMEOUT, FLOW_IPPROTO_UDP_BYPASSED_TIMEOUT, FLOW_IPPROTO_UDP_EMERG_EST_TIMEOUT, FLOW_IPPROTO_UDP_EMERG_NEW_TIMEOUT, FLOW_IPPROTO_UDP_EST_TIMEOUT, FLOW_IPPROTO_UDP_NEW_TIMEOUT, FLOW_PROTO_DEFAULT, FLOW_PROTO_ICMP, FLOW_PROTO_MAX, FLOW_PROTO_TCP, FLOW_PROTO_UDP, flow_timeouts_delta, flow_timeouts_emerg, flow_timeouts_normal, FlowTimeoutsInit(), FlowProtoFreeFunc_::Freefunc, FlowProtoTimeout_::new_timeout, proto, SC_WARN_FLOW_EMERGENCY, SCLogDebug, SCLogWarning, SET_DEFAULTS, and StringParseUint32().
Referenced by FlowInitConfig().
◆ FlowRegisterTests()
| void FlowRegisterTests | ( | void | ) |
Function to register the Flow Unitests.
Definition at line 1448 of file flow.c.
References UtRegisterTest().
◆ FlowReset()
| void FlowReset | ( | void | ) |
Definition at line 653 of file flow.c.
References flow_config, flow_hash, FlowClearMemory(), FlowFree(), FlowGetProtoMapping(), FlowCnf_::hash_size, Flow_::next, and Flow_::proto.
◆ FlowSetChangeProtoFlag()
| void FlowSetChangeProtoFlag | ( | Flow * | f | ) |
Set flag to indicate to change proto for the flow.
- Parameters
-
f flow
Definition at line 194 of file flow.c.
References Flow_::flags, and FLOW_CHANGE_PROTO.
Referenced by AppLayerRequestProtocolChange().
◆ FlowSetHasAlertsFlag()
| void FlowSetHasAlertsFlag | ( | Flow * | f | ) |
Set flag to indicate that flow has alerts.
- Parameters
-
f flow
Definition at line 170 of file flow.c.
References Flow_::flags, and FLOW_HAS_ALERTS.
◆ FlowSetIPOnlyFlag()
| void FlowSetIPOnlyFlag | ( | Flow * | f, |
| int | direction | ||
| ) |
Set the IPOnly scanned flag for 'direction'.
- Parameters
-
f Flow to set the flag in direction direction to set the flag in
Definition at line 159 of file flow.c.
References Flow_::flags, FLOW_TOCLIENT_IPONLY_SET, and FLOW_TOSERVER_IPONLY_SET.
◆ FlowSetMemcap()
| int FlowSetMemcap | ( | uint64_t | size | ) |
Update memcap value.
- Parameters
-
size new memcap value
Definition at line 116 of file flow.c.
References flow_config, SC_ATOMIC_GET, and SC_ATOMIC_SET.
◆ FlowSetProtoFreeFunc()
| int FlowSetProtoFreeFunc | ( | uint8_t | proto, |
| void(*)(void *) | Free | ||
| ) |
Function to set the function to get protocol specific flow state.
- Parameters
-
proto protocol of which function is needed to be set. Free Function pointer which will be called to free the protocol specific memory.
Definition at line 1115 of file flow.c.
References flow_freefuncs, FlowGetProtoMapping(), FlowProtoFreeFunc_::Freefunc, and proto.
◆ FlowShutdown()
| void FlowShutdown | ( | void | ) |
shutdown the flow engine
- Warning
- Not thread safe
Definition at line 671 of file flow.c.
References DEBUG_VALIDATE_BUG_ON, FBLOCK_DESTROY, flow_config, flow_hash, flow_recycle_q, FlowClearMemory(), FlowDequeue(), FlowFree(), FlowGetProtoMapping(), FlowQueueDestroy(), FlowSparePoolDestroy(), FlowCnf_::hash_size, Flow_::next, Flow_::proto, SC_ATOMIC_SUB, SCFreeAligned, and Flow_::use_cnt.
◆ FlowSwap()
| void FlowSwap | ( | Flow * | f | ) |
swap the flow's direction
- Note
- leaves the 'header' untouched. Interpret that based on FLOW_DIR_REVERSED flag.
- Warning
- : only valid before applayer parsing started. This function doesn't swap anything in Flow::alparser, Flow::alstate
Definition at line 262 of file flow.c.
References Flow_::flags, FLOW_DIR_REVERSED, Flow_::probing_parser_toclient_alproto_masks, Flow_::probing_parser_toserver_alproto_masks, and SWAP_VARS.
◆ FlowUnsetChangeProtoFlag()
| void FlowUnsetChangeProtoFlag | ( | Flow * | f | ) |
Unset flag to indicate to change proto for the flow.
- Parameters
-
f flow
Definition at line 203 of file flow.c.
References Flow_::flags, and FLOW_CHANGE_PROTO.
Referenced by AppLayerHandleTCPData().
◆ FlowUpdateState()
Definition at line 1162 of file flow.c.
References Flow_::flow_state.
Referenced by FlowHandlePacketUpdate(), and PacketBypassCallback().
◆ SC_ATOMIC_DECLARE() [1/4]
| SC_ATOMIC_DECLARE | ( | FlowProtoTimeoutPtr | , |
| flow_timeouts | |||
| ) |
◆ SC_ATOMIC_DECLARE() [2/4]
| SC_ATOMIC_DECLARE | ( | uint64_t | , |
| flow_memuse | |||
| ) |
flow memuse counter (atomic), for enforcing memcap limit
◆ SC_ATOMIC_DECLARE() [3/4]
| SC_ATOMIC_DECLARE | ( | unsigned int | , |
| flow_flags | |||
| ) |
atomic flags
◆ SC_ATOMIC_DECLARE() [4/4]
| SC_ATOMIC_DECLARE | ( | unsigned int | , |
| flow_prune_idx | |||
| ) |
atomic int that is used when freeing a flow from the hash. In this case we walk the hash to find a flow to free. This var records where we left off in the hash. Without this only the top rows of the hash are freed. This isn't just about fairness. Under severe presure, the hash rows on top would be all freed and the time to find a flow to free increased with every run.
Variable Documentation
◆ flow_config
| FlowConfig flow_config |
Definition at line 99 of file flow.c.
Referenced by FlowGetExistingFlowFromHash(), FlowGetFlowFromHash(), FlowGetFromFlowKey(), FlowGetMemcap(), FlowInitConfig(), FlowKeyGetHash(), FlowReset(), FlowSetMemcap(), FlowShutdown(), and FlowSparePoolUpdate().
◆ flow_freefuncs
| FlowProtoFreeFunc flow_freefuncs[FLOW_PROTO_MAX] |
Definition at line 97 of file flow.c.
Referenced by FlowClearMemory(), FlowInitFlowProto(), and FlowSetProtoFreeFunc().
◆ flow_timeouts_delta
| FlowProtoTimeout flow_timeouts_delta[FLOW_PROTO_MAX] |
Definition at line 96 of file flow.c.
Referenced by FlowInitFlowProto().
◆ flow_timeouts_emerg
| FlowProtoTimeout flow_timeouts_emerg[FLOW_PROTO_MAX] |
Definition at line 95 of file flow.c.
Referenced by FlowInitFlowProto(), and FlowTimeoutsEmergency().
◆ flow_timeouts_normal
| FlowProtoTimeout flow_timeouts_normal[FLOW_PROTO_MAX] |
FlowProto specific timeouts and free/state functions
Definition at line 94 of file flow.c.
Referenced by FlowInitFlowProto(), and FlowTimeoutsInit().
◆ run_mode
| int run_mode |
Run mode selected
Definition at line 211 of file suricata.c.
