1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18 /**
19 * \file
20 *
21 * \author Victor Julien <victor@inliniac.net>
22 */
23
24 #ifndef __FLOW_H__
25 #define __FLOW_H__
26
27 #include "decode.h"
28 #include "util-var.h"
29 #include "util-atomic.h"
30 #include "util-device.h"
31 #include "detect-tag.h"
32 #include "util-macset.h"
33 #include "util-optimize.h"
34
35 /* Part of the flow structure, so we declare it here.
36 * The actual declaration is in app-layer-parser.c */
37 typedef struct AppLayerParserState_ AppLayerParserState;
38
39 #define FLOW_QUIET TRUE
40 #define FLOW_VERBOSE FALSE
41
42 #define TOSERVER 0
43 #define TOCLIENT 1
44
45 /* per flow flags */
46
47 /** At least one packet from the source address was seen */
48 #define FLOW_TO_SRC_SEEN BIT_U32(0)
49 /** At least one packet from the destination address was seen */
50 #define FLOW_TO_DST_SEEN BIT_U32(1)
51 /** Don't return this from the flow hash. It has been replaced. */
52 #define FLOW_TCP_REUSED BIT_U32(2)
53
54 /** Flow was inspected against IP-Only sigs in the toserver direction */
55 #define FLOW_TOSERVER_IPONLY_SET BIT_U32(3)
56 /** Flow was inspected against IP-Only sigs in the toclient direction */
57 #define FLOW_TOCLIENT_IPONLY_SET BIT_U32(4)
58
59 /** Packet belonging to this flow should not be inspected at all */
60 #define FLOW_NOPACKET_INSPECTION BIT_U32(5)
61 /** Packet payloads belonging to this flow should not be inspected */
62 #define FLOW_NOPAYLOAD_INSPECTION BIT_U32(6)
63
64 /** All packets in this flow should be dropped */
65 #define FLOW_ACTION_DROP BIT_U32(7)
66
67 /** Sgh for toserver direction set (even if it's NULL) */
68 #define FLOW_SGH_TOSERVER BIT_U32(8)
69 /** Sgh for toclient direction set (even if it's NULL) */
70 #define FLOW_SGH_TOCLIENT BIT_U32(9)
71
72 /** packet to server direction has been logged in drop file (only in IPS mode) */
73 #define FLOW_TOSERVER_DROP_LOGGED BIT_U32(10)
74 /** packet to client direction has been logged in drop file (only in IPS mode) */
75 #define FLOW_TOCLIENT_DROP_LOGGED BIT_U32(11)
76
77 /** flow has alerts */
78 #define FLOW_HAS_ALERTS BIT_U32(12)
79
80 /** Pattern matcher alproto detection done */
81 #define FLOW_TS_PM_ALPROTO_DETECT_DONE BIT_U32(13)
82 /** Probing parser alproto detection done */
83 #define FLOW_TS_PP_ALPROTO_DETECT_DONE BIT_U32(14)
84 /** Expectation alproto detection done */
85 #define FLOW_TS_PE_ALPROTO_DETECT_DONE BIT_U32(15)
86 /** Pattern matcher alproto detection done */
87 #define FLOW_TC_PM_ALPROTO_DETECT_DONE BIT_U32(16)
88 /** Probing parser alproto detection done */
89 #define FLOW_TC_PP_ALPROTO_DETECT_DONE BIT_U32(17)
90 /** Expectation alproto detection done */
91 #define FLOW_TC_PE_ALPROTO_DETECT_DONE BIT_U32(18)
92 #define FLOW_TIMEOUT_REASSEMBLY_DONE BIT_U32(19)
93
94 /** flow is ipv4 */
95 #define FLOW_IPV4 BIT_U32(20)
96 /** flow is ipv6 */
97 #define FLOW_IPV6 BIT_U32(21)
98
99 #define FLOW_PROTO_DETECT_TS_DONE BIT_U32(22)
100 #define FLOW_PROTO_DETECT_TC_DONE BIT_U32(23)
101
102 /** Indicate that alproto detection for flow should be done again */
103 #define FLOW_CHANGE_PROTO BIT_U32(24)
104
105 #define FLOW_WRONG_THREAD BIT_U32(25)
106 /** Protocol detection told us flow is picked up in wrong direction (midstream) */
107 #define FLOW_DIR_REVERSED BIT_U32(26)
108 /** Indicate that the flow did trigger an expectation creation */
109 #define FLOW_HAS_EXPECTATION BIT_U32(27)
110
111 /** All packets in this flow should be passed */
112 #define FLOW_ACTION_PASS BIT_U32(28)
113
114 /* File flags */
115
116 #define FLOWFILE_INIT 0
117
118 /** no magic on files in this flow */
119 #define FLOWFILE_NO_MAGIC_TS BIT_U16(0)
120 #define FLOWFILE_NO_MAGIC_TC BIT_U16(1)
121
122 /** even if the flow has files, don't store 'm */
123 #define FLOWFILE_NO_STORE_TS BIT_U16(2)
124 #define FLOWFILE_NO_STORE_TC BIT_U16(3)
125 /** no md5 on files in this flow */
126 #define FLOWFILE_NO_MD5_TS BIT_U16(4)
127 #define FLOWFILE_NO_MD5_TC BIT_U16(5)
128
129 /** no sha1 on files in this flow */
130 #define FLOWFILE_NO_SHA1_TS BIT_U16(6)
131 #define FLOWFILE_NO_SHA1_TC BIT_U16(7)
132
133 /** no sha256 on files in this flow */
134 #define FLOWFILE_NO_SHA256_TS BIT_U16(8)
135 #define FLOWFILE_NO_SHA256_TC BIT_U16(9)
136
137 /** no size tracking of files in this flow */
138 #define FLOWFILE_NO_SIZE_TS BIT_U16(10)
139 #define FLOWFILE_NO_SIZE_TC BIT_U16(11)
140
141 #define FLOWFILE_NONE_TS (FLOWFILE_NO_MAGIC_TS | \
142 FLOWFILE_NO_STORE_TS | \
143 FLOWFILE_NO_MD5_TS | \
144 FLOWFILE_NO_SHA1_TS | \
145 FLOWFILE_NO_SHA256_TS| \
146 FLOWFILE_NO_SIZE_TS)
147 #define FLOWFILE_NONE_TC (FLOWFILE_NO_MAGIC_TC | \
148 FLOWFILE_NO_STORE_TC | \
149 FLOWFILE_NO_MD5_TC | \
150 FLOWFILE_NO_SHA1_TC | \
151 FLOWFILE_NO_SHA256_TC| \
152 FLOWFILE_NO_SIZE_TC)
153 #define FLOWFILE_NONE (FLOWFILE_NONE_TS|FLOWFILE_NONE_TC)
154
155 #define FLOW_IS_IPV4(f) \
156 (((f)->flags & FLOW_IPV4) == FLOW_IPV4)
157 #define FLOW_IS_IPV6(f) \
158 (((f)->flags & FLOW_IPV6) == FLOW_IPV6)
159
160 #define FLOW_GET_SP(f) \
161 ((f)->flags & FLOW_DIR_REVERSED) ? (f)->dp : (f)->sp;
162 #define FLOW_GET_DP(f) \
163 ((f)->flags & FLOW_DIR_REVERSED) ? (f)->sp : (f)->dp;
164
165 #define FLOW_COPY_IPV4_ADDR_TO_PACKET(fa, pa) do { \
166 (pa)->family = AF_INET; \
167 (pa)->addr_data32[0] = (fa)->addr_data32[0]; \
168 } while (0)
169
170 #define FLOW_COPY_IPV6_ADDR_TO_PACKET(fa, pa) do { \
171 (pa)->family = AF_INET6; \
172 (pa)->addr_data32[0] = (fa)->addr_data32[0]; \
173 (pa)->addr_data32[1] = (fa)->addr_data32[1]; \
174 (pa)->addr_data32[2] = (fa)->addr_data32[2]; \
175 (pa)->addr_data32[3] = (fa)->addr_data32[3]; \
176 } while (0)
177
178 /* Set the IPv4 addressesinto the Addrs of the Packet.
179 * Make sure p->ip4h is initialized and validated.
180 *
181 * We set the rest of the struct to 0 so we can
182 * prevent using memset. */
183 #define FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET(p, a) do { \
184 (a)->addr_data32[0] = (uint32_t)(p)->ip4h->s_ip_src.s_addr; \
185 (a)->addr_data32[1] = 0; \
186 (a)->addr_data32[2] = 0; \
187 (a)->addr_data32[3] = 0; \
188 } while (0)
189
190 #define FLOW_SET_IPV4_DST_ADDR_FROM_PACKET(p, a) do { \
191 (a)->addr_data32[0] = (uint32_t)(p)->ip4h->s_ip_dst.s_addr; \
192 (a)->addr_data32[1] = 0; \
193 (a)->addr_data32[2] = 0; \
194 (a)->addr_data32[3] = 0; \
195 } while (0)
196
197 /* clear the address structure by setting all fields to 0 */
198 #define FLOW_CLEAR_ADDR(a) do { \
199 (a)->addr_data32[0] = 0; \
200 (a)->addr_data32[1] = 0; \
201 (a)->addr_data32[2] = 0; \
202 (a)->addr_data32[3] = 0; \
203 } while (0)
204
205 /* Set the IPv6 addressesinto the Addrs of the Packet.
206 * Make sure p->ip6h is initialized and validated. */
207 #define FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET(p, a) do { \
208 (a)->addr_data32[0] = (p)->ip6h->s_ip6_src[0]; \
209 (a)->addr_data32[1] = (p)->ip6h->s_ip6_src[1]; \
210 (a)->addr_data32[2] = (p)->ip6h->s_ip6_src[2]; \
211 (a)->addr_data32[3] = (p)->ip6h->s_ip6_src[3]; \
212 } while (0)
213
214 #define FLOW_SET_IPV6_DST_ADDR_FROM_PACKET(p, a) do { \
215 (a)->addr_data32[0] = (p)->ip6h->s_ip6_dst[0]; \
216 (a)->addr_data32[1] = (p)->ip6h->s_ip6_dst[1]; \
217 (a)->addr_data32[2] = (p)->ip6h->s_ip6_dst[2]; \
218 (a)->addr_data32[3] = (p)->ip6h->s_ip6_dst[3]; \
219 } while (0)
220
221 /* pkt flow flags */
222 #define FLOW_PKT_TOSERVER 0x01
223 #define FLOW_PKT_TOCLIENT 0x02
224 #define FLOW_PKT_ESTABLISHED 0x04
225 #define FLOW_PKT_TOSERVER_IPONLY_SET 0x08
226 #define FLOW_PKT_TOCLIENT_IPONLY_SET 0x10
227 #define FLOW_PKT_TOSERVER_FIRST 0x20
228 #define FLOW_PKT_TOCLIENT_FIRST 0x40
229 /** last pseudo packet in the flow. Can be used to trigger final clean,
230 * logging, etc. */
231 #define FLOW_PKT_LAST_PSEUDO 0x80
232
233 #define FLOW_END_FLAG_STATE_NEW 0x01
234 #define FLOW_END_FLAG_STATE_ESTABLISHED 0x02
235 #define FLOW_END_FLAG_STATE_CLOSED 0x04
236 #define FLOW_END_FLAG_EMERGENCY 0x08
237 #define FLOW_END_FLAG_TIMEOUT 0x10
238 #define FLOW_END_FLAG_FORCED 0x20
239 #define FLOW_END_FLAG_SHUTDOWN 0x40
240 #define FLOW_END_FLAG_STATE_BYPASSED 0x80
241
242 /** Mutex or RWLocks for the flow. */
243 //#define FLOWLOCK_RWLOCK
244 #define FLOWLOCK_MUTEX
245
246 #ifdef FLOWLOCK_RWLOCK
247 #ifdef FLOWLOCK_MUTEX
248 #error Cannot enable both FLOWLOCK_RWLOCK and FLOWLOCK_MUTEX
249 #endif
250 #endif
251
252 #ifdef FLOWLOCK_RWLOCK
253 #define FLOWLOCK_INIT(fb) SCRWLockInit(&(fb)->r, NULL)
254 #define FLOWLOCK_DESTROY(fb) SCRWLockDestroy(&(fb)->r)
255 #define FLOWLOCK_RDLOCK(fb) SCRWLockRDLock(&(fb)->r)
256 #define FLOWLOCK_WRLOCK(fb) SCRWLockWRLock(&(fb)->r)
257 #define FLOWLOCK_TRYRDLOCK(fb) SCRWLockTryRDLock(&(fb)->r)
258 #define FLOWLOCK_TRYWRLOCK(fb) SCRWLockTryWRLock(&(fb)->r)
259 #define FLOWLOCK_UNLOCK(fb) SCRWLockUnlock(&(fb)->r)
260 #elif defined FLOWLOCK_MUTEX
261 #define FLOWLOCK_INIT(fb) SCMutexInit(&(fb)->m, NULL)
262 #define FLOWLOCK_DESTROY(fb) SCMutexDestroy(&(fb)->m)
263 #define FLOWLOCK_RDLOCK(fb) SCMutexLock(&(fb)->m)
264 #define FLOWLOCK_WRLOCK(fb) SCMutexLock(&(fb)->m)
265 #define FLOWLOCK_TRYRDLOCK(fb) SCMutexTrylock(&(fb)->m)
266 #define FLOWLOCK_TRYWRLOCK(fb) SCMutexTrylock(&(fb)->m)
267 #define FLOWLOCK_UNLOCK(fb) SCMutexUnlock(&(fb)->m)
268 #else
269 #error Enable FLOWLOCK_RWLOCK or FLOWLOCK_MUTEX
270 #endif
271
272 #define FLOW_IS_PM_DONE(f, dir) (((dir) & STREAM_TOSERVER) ? ((f)->flags & FLOW_TS_PM_ALPROTO_DETECT_DONE) : ((f)->flags & FLOW_TC_PM_ALPROTO_DETECT_DONE))
273 #define FLOW_IS_PP_DONE(f, dir) (((dir) & STREAM_TOSERVER) ? ((f)->flags & FLOW_TS_PP_ALPROTO_DETECT_DONE) : ((f)->flags & FLOW_TC_PP_ALPROTO_DETECT_DONE))
274 #define FLOW_IS_PE_DONE(f, dir) (((dir) & STREAM_TOSERVER) ? ((f)->flags & FLOW_TS_PE_ALPROTO_DETECT_DONE) : ((f)->flags & FLOW_TC_PE_ALPROTO_DETECT_DONE))
275
276 #define FLOW_SET_PM_DONE(f, dir) (((dir) & STREAM_TOSERVER) ? ((f)->flags |= FLOW_TS_PM_ALPROTO_DETECT_DONE) : ((f)->flags |= FLOW_TC_PM_ALPROTO_DETECT_DONE))
277 #define FLOW_SET_PP_DONE(f, dir) (((dir) & STREAM_TOSERVER) ? ((f)->flags |= FLOW_TS_PP_ALPROTO_DETECT_DONE) : ((f)->flags |= FLOW_TC_PP_ALPROTO_DETECT_DONE))
278 #define FLOW_SET_PE_DONE(f, dir) (((dir) & STREAM_TOSERVER) ? ((f)->flags |= FLOW_TS_PE_ALPROTO_DETECT_DONE) : ((f)->flags |= FLOW_TC_PE_ALPROTO_DETECT_DONE))
279
280 #define FLOW_RESET_PM_DONE(f, dir) (((dir) & STREAM_TOSERVER) ? ((f)->flags &= ~FLOW_TS_PM_ALPROTO_DETECT_DONE) : ((f)->flags &= ~FLOW_TC_PM_ALPROTO_DETECT_DONE))
281 #define FLOW_RESET_PP_DONE(f, dir) (((dir) & STREAM_TOSERVER) ? ((f)->flags &= ~FLOW_TS_PP_ALPROTO_DETECT_DONE) : ((f)->flags &= ~FLOW_TC_PP_ALPROTO_DETECT_DONE))
282 #define FLOW_RESET_PE_DONE(f, dir) (((dir) & STREAM_TOSERVER) ? ((f)->flags &= ~FLOW_TS_PE_ALPROTO_DETECT_DONE) : ((f)->flags &= ~FLOW_TC_PE_ALPROTO_DETECT_DONE))
283
284 /* global flow config */
285 typedef struct FlowCnf_
286 {
287 uint32_t hash_rand;
288 uint32_t hash_size;
289 uint32_t max_flows;
290 uint32_t prealloc;
291
292 uint32_t timeout_new;
293 uint32_t timeout_est;
294
295 uint32_t emerg_timeout_new;
296 uint32_t emerg_timeout_est;
297 uint32_t emergency_recovery;
298
299 SC_ATOMIC_DECLARE(uint64_t, memcap);
300 } FlowConfig;
301
302 /* Hash key for the flow hash */
303 typedef struct FlowKey_
304 {
305 Address src, dst;
306 Port sp, dp;
307 uint8_t proto;
308 uint8_t recursion_level;
309 uint16_t vlan_id[2];
310 } FlowKey;
311
312 typedef struct FlowAddress_ {
313 union {
314 uint32_t address_un_data32[4]; /* type-specific field */
315 uint16_t address_un_data16[8]; /* type-specific field */
316 uint8_t address_un_data8[16]; /* type-specific field */
317 } address;
318 } FlowAddress;
319
320 #define addr_data32 address.address_un_data32
321 #define addr_data16 address.address_un_data16
322 #define addr_data8 address.address_un_data8
323
324 typedef unsigned short FlowRefCount;
325
326 typedef unsigned short FlowStateType;
327
328 /** Local Thread ID */
329 typedef uint16_t FlowThreadId;
330
331 /**
332 * \brief Flow data structure.
333 *
334 * The flow is a global data structure that is created for new packets of a
335 * flow and then looked up for the following packets of a flow.
336 *
337 * Locking
338 *
339 * The flow is updated/used by multiple packets at the same time. This is why
340 * there is a flow-mutex. It's a mutex and not a spinlock because some
341 * operations on the flow can be quite expensive, thus spinning would be
342 * too expensive.
343 *
344 * The flow "header" (addresses, ports, proto, recursion level) are static
345 * after the initialization and remain read-only throughout the entire live
346 * of a flow. This is why we can access those without protection of the lock.
347 */
348
349 typedef struct Flow_
350 {
351 /* flow "header", used for hashing and flow lookup. Static after init,
352 * so safe to look at without lock */
353 FlowAddress src, dst;
354 union {
355 Port sp; /**< tcp/udp source port */
356 struct {
357 uint8_t type; /**< icmp type */
358 uint8_t code; /**< icmp code */
359 } icmp_s;
360 };
361 union {
362 Port dp; /**< tcp/udp destination port */
363 struct {
364 uint8_t type; /**< icmp type */
365 uint8_t code; /**< icmp code */
366 } icmp_d;
367 };
368 uint8_t proto;
369 uint8_t recursion_level;
370 uint16_t vlan_id[2];
371 /** how many references exist to this flow *right now*
372 *
373 * On receiving a packet the counter is incremented while the flow
374 * bucked is locked, which is also the case on timeout pruning.
375 */
376 FlowRefCount use_cnt;
377
378 uint8_t vlan_idx;
379
380 /* track toserver/toclient flow timeout needs */
381 union {
382 struct {
383 uint8_t ffr_ts:4;
384 uint8_t ffr_tc:4;
385 };
386 uint8_t ffr;
387 };
388
389 /** timestamp in seconds of the moment this flow will timeout
390 * according to the timeout policy. Does *not* take emergency
391 * mode into account. */
392 uint32_t timeout_at;
393
394 /** Thread ID for the stream/detect portion of this flow */
395 FlowThreadId thread_id[2];
396
397 struct Flow_ *next; /* (hash) list next */
398 /** Incoming interface */
399 struct LiveDevice_ *livedev;
400
401 /** flow hash - the flow hash before hash table size mod. */
402 uint32_t flow_hash;
403
404 /* time stamp of last update (last packet). Set/updated under the
405 * flow and flow hash row locks, safe to read under either the
406 * flow lock or flow hash row lock. */
407 struct timeval lastts;
408
409 /* end of flow "header" */
410
411 /** timeout policy value in seconds to add to the lastts.tv_sec
412 * when a packet has been received. */
413 uint32_t timeout_policy;
414
415 FlowStateType flow_state;
416
417 /** flow tenant id, used to setup flow timeout and stream pseudo
418 * packets with the correct tenant id set */
419 uint32_t tenant_id;
420
421 uint32_t probing_parser_toserver_alproto_masks;
422 uint32_t probing_parser_toclient_alproto_masks;
423
424 uint32_t flags; /**< generic flags */
425
426 uint16_t file_flags; /**< file tracking/extraction flags */
427
428 /** destination port to be used in protocol detection. This is meant
429 * for use with STARTTLS and HTTP CONNECT detection */
430 uint16_t protodetect_dp; /**< 0 if not used */
431
432 /* Parent flow id for protocol like ftp */
433 int64_t parent_id;
434
435 #ifdef FLOWLOCK_RWLOCK
436 SCRWLock r;
437 #elif defined FLOWLOCK_MUTEX
438 SCMutex m;
439 #else
440 #error Enable FLOWLOCK_RWLOCK or FLOWLOCK_MUTEX
441 #endif
442
443 /** protocol specific data pointer, e.g. for TcpSession */
444 void *protoctx;
445
446 /** mapping to Flow's protocol specific protocols for timeouts
447 and state and free functions. */
448 uint8_t protomap;
449
450 uint8_t flow_end_flags;
451 /* coccinelle: Flow:flow_end_flags:FLOW_END_FLAG_ */
452
453 AppProto alproto; /**< \brief application level protocol */
454 AppProto alproto_ts;
455 AppProto alproto_tc;
456
457 /** original application level protocol. Used to indicate the previous
458 protocol when changing to another protocol , e.g. with STARTTLS. */
459 AppProto alproto_orig;
460 /** expected app protocol: used in protocol change/upgrade like in
461 * STARTTLS. */
462 AppProto alproto_expect;
463
464 /** detection engine ctx version used to inspect this flow. Set at initial
465 * inspection. If it doesn't match the currently in use de_ctx, the
466 * stored sgh ptrs are reset. */
467 uint32_t de_ctx_version;
468
469 /** ttl tracking */
470 uint8_t min_ttl_toserver;
471 uint8_t max_ttl_toserver;
472 uint8_t min_ttl_toclient;
473 uint8_t max_ttl_toclient;
474
475 /** application level storage ptrs.
476 *
477 */
478 AppLayerParserState *alparser; /**< parser internal state */
479 void *alstate; /**< application layer state */
480
481 /** toclient sgh for this flow. Only use when FLOW_SGH_TOCLIENT flow flag
482 * has been set. */
483 const struct SigGroupHead_ *sgh_toclient;
484 /** toserver sgh for this flow. Only use when FLOW_SGH_TOSERVER flow flag
485 * has been set. */
486 const struct SigGroupHead_ *sgh_toserver;
487
488 /* pointer to the var list */
489 GenericVar *flowvar;
490
491 struct FlowBucket_ *fb;
492
493 struct timeval startts;
494
495 uint32_t todstpktcnt;
496 uint32_t tosrcpktcnt;
497 uint64_t todstbytecnt;
498 uint64_t tosrcbytecnt;
499 } Flow;
500
501 enum FlowState {
502 FLOW_STATE_NEW = 0,
503 FLOW_STATE_ESTABLISHED,
504 FLOW_STATE_CLOSED,
505 FLOW_STATE_LOCAL_BYPASSED,
506 #ifdef CAPTURE_OFFLOAD
507 FLOW_STATE_CAPTURE_BYPASSED,
508 #endif
509 };
510
511 typedef struct FlowProtoTimeout_ {
512 uint32_t new_timeout;
513 uint32_t est_timeout;
514 uint32_t closed_timeout;
515 uint32_t bypassed_timeout;
516 } FlowProtoTimeout;
517
518 typedef struct FlowProtoFreeFunc_ {
519 void (*Freefunc)(void *);
520 } FlowProtoFreeFunc;
521
522 typedef struct FlowBypassInfo_ {
523 bool (* BypassUpdate)(Flow *f, void *data, time_t tsec);
524 void (* BypassFree)(void *data);
525 void *bypass_data;
526 uint64_t tosrcpktcnt;
527 uint64_t tosrcbytecnt;
528 uint64_t todstpktcnt;
529 uint64_t todstbytecnt;
530 } FlowBypassInfo;
531
532 #include "flow-queue.h"
533
534 typedef struct FlowLookupStruct_ // TODO name
535 {
536 /** thread store of spare queues */
537 FlowQueuePrivate spare_queue;
538 DecodeThreadVars *dtv;
539 FlowQueuePrivate work_queue;
540 uint32_t emerg_spare_sync_stamp;
541 } FlowLookupStruct;
542
543 /** \brief prepare packet for a life with flow
544 * Set PKT_WANTS_FLOW flag to incidate workers should do a flow lookup
545 * and calc the hash value to be used in the lookup and autofp flow
546 * balancing. */
547 void FlowSetupPacket(Packet *p);
548 void FlowHandlePacket (ThreadVars *, FlowLookupStruct *, Packet *);
549 void FlowInitConfig (char);
550 void FlowPrintQueueInfo (void);
551 void FlowShutdown(void);
552 void FlowSetIPOnlyFlag(Flow *, int);
553 void FlowSetHasAlertsFlag(Flow *);
554 int FlowHasAlerts(const Flow *);
555 void FlowSetChangeProtoFlag(Flow *);
556 void FlowUnsetChangeProtoFlag(Flow *);
557 int FlowChangeProto(Flow *);
558 void FlowSwap(Flow *);
559
560 void FlowRegisterTests (void);
561 int FlowSetProtoTimeout(uint8_t ,uint32_t ,uint32_t ,uint32_t);
562 int FlowSetProtoEmergencyTimeout(uint8_t ,uint32_t ,uint32_t ,uint32_t);
563 int FlowSetProtoFreeFunc (uint8_t , void (*Free)(void *));
564 void FlowUpdateQueue(Flow *);
565
566 int FlowUpdateSpareFlows(void);
567
568 static inline void FlowSetNoPacketInspectionFlag(Flow *);
569 static inline void FlowSetNoPayloadInspectionFlag(Flow *);
570
571 int FlowGetPacketDirection(const Flow *, const Packet *);
572
573 void FlowCleanupAppLayer(Flow *);
574
575 void FlowUpdateState(Flow *f, enum FlowState s);
576
577 int FlowSetMemcap(uint64_t size);
578 uint64_t FlowGetMemcap(void);
579 uint64_t FlowGetMemuse(void);
580
581 int GetFlowBypassInfoID(void);
582 void RegisterFlowBypassInfo(void);
583
584 void FlowGetLastTimeAsParts(Flow *flow, uint64_t *secs, uint64_t *usecs);
585
586 /** ----- Inline functions ----- */
587
588 /** \brief Set the No Packet Inspection Flag without locking the flow.
589 *
590 * \param f Flow to set the flag in
591 */
FlowSetNoPacketInspectionFlag(Flow * f)592 static inline void FlowSetNoPacketInspectionFlag(Flow *f)
593 {
594 SCEnter();
595
596 SCLogDebug("flow %p", f);
597 f->flags |= FLOW_NOPACKET_INSPECTION;
598
599 SCReturn;
600 }
601
602 /** \brief Set the No payload inspection Flag without locking the flow.
603 *
604 * \param f Flow to set the flag in
605 */
FlowSetNoPayloadInspectionFlag(Flow * f)606 static inline void FlowSetNoPayloadInspectionFlag(Flow *f)
607 {
608 SCEnter();
609
610 SCLogDebug("flow %p", f);
611 f->flags |= FLOW_NOPAYLOAD_INSPECTION;
612
613 SCReturn;
614 }
615
616 /**
617 * \brief increase the use count of a flow
618 *
619 * \param f flow to decrease use count for
620 */
FlowIncrUsecnt(Flow * f)621 static inline void FlowIncrUsecnt(Flow *f)
622 {
623 if (f == NULL)
624 return;
625
626 f->use_cnt++;
627 }
628
629 /**
630 * \brief decrease the use count of a flow
631 *
632 * \param f flow to decrease use count for
633 */
FlowDecrUsecnt(Flow * f)634 static inline void FlowDecrUsecnt(Flow *f)
635 {
636 if (f == NULL)
637 return;
638
639 f->use_cnt--;
640 }
641
642 /** \brief Reference the flow, bumping the flows use_cnt
643 * \note This should only be called once for a destination
644 * pointer */
FlowReference(Flow ** d,Flow * f)645 static inline void FlowReference(Flow **d, Flow *f)
646 {
647 if (likely(f != NULL)) {
648 #ifdef DEBUG_VALIDATION
649 BUG_ON(*d == f);
650 #else
651 if (*d == f)
652 return;
653 #endif
654 FlowIncrUsecnt(f);
655 *d = f;
656 }
657 }
658
FlowDeReference(Flow ** d)659 static inline void FlowDeReference(Flow **d)
660 {
661 if (likely(*d != NULL)) {
662 FlowDecrUsecnt(*d);
663 *d = NULL;
664 }
665 }
666
667 /** \brief create a flow id that is as unique as possible
668 * \retval flow_id signed 64bit id
669 * \note signed because of the signedness of json_integer_t in
670 * the json output
671 */
FlowGetId(const Flow * f)672 static inline int64_t FlowGetId(const Flow *f)
673 {
674 int64_t id = (int64_t)f->flow_hash << 31 |
675 (int64_t)(f->startts.tv_sec & 0x0000FFFF) << 16 |
676 (int64_t)(f->startts.tv_usec & 0x0000FFFF);
677 /* reduce to 51 bits as Javascript and even JSON often seem to
678 * max out there. */
679 id &= 0x7ffffffffffffLL;
680 return id;
681 }
682
FlowSetEndFlags(Flow * f)683 static inline void FlowSetEndFlags(Flow *f)
684 {
685 const int state = f->flow_state;
686 if (state == FLOW_STATE_NEW)
687 f->flow_end_flags |= FLOW_END_FLAG_STATE_NEW;
688 else if (state == FLOW_STATE_ESTABLISHED)
689 f->flow_end_flags |= FLOW_END_FLAG_STATE_ESTABLISHED;
690 else if (state == FLOW_STATE_CLOSED)
691 f->flow_end_flags |= FLOW_END_FLAG_STATE_CLOSED;
692 else if (state == FLOW_STATE_LOCAL_BYPASSED)
693 f->flow_end_flags |= FLOW_END_FLAG_STATE_BYPASSED;
694 #ifdef CAPTURE_OFFLOAD
695 else if (state == FLOW_STATE_CAPTURE_BYPASSED)
696 f->flow_end_flags = FLOW_END_FLAG_STATE_BYPASSED;
697 #endif
698 }
699
700 int FlowClearMemory(Flow *,uint8_t );
701
702 AppProto FlowGetAppProtocol(const Flow *f);
703 void *FlowGetAppState(const Flow *f);
704 uint8_t FlowGetDisruptionFlags(const Flow *f, uint8_t flags);
705
706 void FlowHandlePacketUpdate(Flow *f, Packet *p, ThreadVars *tv, DecodeThreadVars *dtv);
707
708 #endif /* __FLOW_H__ */
709