/**
* \brief select the queue to output in a round robin fashion.
*
* \param tv thread vars
* \param p packet
*/
void TmqhOutputFlowRoundRobin(ThreadVars *tv, Packet *p)
{
int32_t qid = 0;
TmqhFlowCtx *ctx = (TmqhFlowCtx *)tv->outctx;
/* if no flow we use the first queue,
* should be rare */
if (p->flow != NULL) {
qid = SC_ATOMIC_GET(p->flow->autofp_tmqh_flow_qid);
if (qid == -1) {
qid = SC_ATOMIC_ADD(ctx->round_robin_idx, 1);
if (qid >= ctx->size) {
SC_ATOMIC_RESET(ctx->round_robin_idx);
qid = 0;
}
(void) SC_ATOMIC_ADD(ctx->queues[qid].total_flows, 1);
(void) SC_ATOMIC_SET(p->flow->autofp_tmqh_flow_qid, qid);
}
} else {
qid = ctx->last++;
if (ctx->last == ctx->size)
ctx->last = 0;
}
(void) SC_ATOMIC_ADD(ctx->queues[qid].total_packets, 1);
PacketQueue *q = ctx->queues[qid].q;
SCMutexLock(&q->mutex_q);
PacketEnqueue(q, p);
SCCondSignal(&q->cond_q);
SCMutexUnlock(&q->mutex_q);
return;
}
void TmqhOutputVerdictNfq(ThreadVars *t, Packet *p)
{
/* XXX not scaling */
#if 0
PacketQueue *q = &trans_q[p->verdict_q_id];
SCMutexLock(&q->mutex_q);
PacketEnqueue(q, p);
SCCondSignal(&q->cond_q);
SCMutexUnlock(&q->mutex_q);
#endif
}
/**
* \brief select the queue to output to based on queue lengths.
*
* \param tv thread vars
* \param p packet
*/
void TmqhOutputFlowActivePackets(ThreadVars *tv, Packet *p)
{
int32_t qid = 0;
TmqhFlowCtx *ctx = (TmqhFlowCtx *)tv->outctx;
/* if no flow we use the first queue,
* should be rare */
if (p->flow != NULL) {
qid = SC_ATOMIC_GET(p->flow->autofp_tmqh_flow_qid);
if (qid == -1) {
uint16_t i = 0;
int lowest_id = 0;
TmqhFlowMode *queues = ctx->queues;
uint32_t lowest = queues[i].q->len;
for (i = 1; i < ctx->size; i++) {
if (queues[i].q->len < lowest) {
lowest = queues[i].q->len;
lowest_id = i;
}
}
qid = lowest_id;
(void) SC_ATOMIC_SET(p->flow->autofp_tmqh_flow_qid, lowest_id);
(void) SC_ATOMIC_ADD(ctx->queues[qid].total_flows, 1);
}
} else {
qid = ctx->last++;
if (ctx->last == ctx->size)
ctx->last = 0;
}
(void) SC_ATOMIC_ADD(ctx->queues[qid].total_packets, 1);
PacketQueue *q = ctx->queues[qid].q;
SCMutexLock(&q->mutex_q);
PacketEnqueue(q, p);
#ifdef __tile__
q->cond_q = 1;
#else
SCCondSignal(&q->cond_q);
#endif
SCMutexUnlock(&q->mutex_q);
return;
}
/**
* \brief Function to decode IPv4 in IPv6 packets
*
*/
static void DecodeIP6inIP6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t plen, PacketQueue *pq)
{
if (unlikely(plen < IPV6_HEADER_LEN)) {
ENGINE_SET_EVENT(p, IPV6_IN_IPV6_PKT_TOO_SMALL);
return;
}
if (IP_GET_RAW_VER(pkt) == 6) {
if (pq != NULL) {
Packet *tp = PacketPseudoPktSetup(p, pkt, plen, IPPROTO_IPV6);
if (tp != NULL) {
DecodeTunnel(tv, dtv, tp, pkt, plen, pq, IPPROTO_IPV6);
PacketEnqueue(pq,tp);
return;
}
}
} else {
ENGINE_SET_EVENT(p, IPV6_IN_IPV6_WRONG_IP_VER);
}
return;
}
/**
* \brief Function to decode IPv6 in IPv6 packets
*
*/
static int DecodeIP6inIP6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t plen, PacketQueue *pq)
{
if (unlikely(plen < IPV6_HEADER_LEN)) {
ENGINE_SET_INVALID_EVENT(p, IPV6_IN_IPV6_PKT_TOO_SMALL);
return TM_ECODE_FAILED;
}
if (IP_GET_RAW_VER(pkt) == 6) {
if (unlikely(pq != NULL)) {
Packet *tp = PacketTunnelPktSetup(tv, dtv, p, pkt, plen, DECODE_TUNNEL_IPV6, pq);
if (tp != NULL) {
PKT_SET_SRC(tp, PKT_SRC_DECODER_IPV6);
PacketEnqueue(pq,tp);
StatsIncr(tv, dtv->counter_ipv6inipv6);
}
}
} else {
ENGINE_SET_EVENT(p, IPV6_IN_IPV6_WRONG_IP_VER);
}
return TM_ECODE_OK;
}
/**
* \brief Function to decode IPv4 in IPv6 packets
*
*/
static void DecodeIPv4inIPv6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t plen, PacketQueue *pq)
{
if (unlikely(plen < IPV4_HEADER_LEN)) {
ENGINE_SET_INVALID_EVENT(p, IPV4_IN_IPV6_PKT_TOO_SMALL);
return;
}
if (IP_GET_RAW_VER(pkt) == 4) {
if (pq != NULL) {
Packet *tp = PacketTunnelPktSetup(tv, dtv, p, pkt, plen, DECODE_TUNNEL_IPV4, pq);
if (tp != NULL) {
PKT_SET_SRC(tp, PKT_SRC_DECODER_IPV6);
/* add the tp to the packet queue. */
PacketEnqueue(pq,tp);
StatsIncr(tv, dtv->counter_ipv4inipv6);
return;
}
}
} else {
ENGINE_SET_EVENT(p, IPV4_IN_IPV6_WRONG_IP_VER);
}
return;
}
/**
* \brief Function to decode IPv4 in IPv6 packets
*
*/
static void DecodeIPv4inIPv6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t plen, PacketQueue *pq)
{
if (unlikely(plen < IPV4_HEADER_LEN)) {
ENGINE_SET_EVENT(p, IPV4_IN_IPV6_PKT_TOO_SMALL);
return;
}
if (IP_GET_RAW_VER(pkt) == 4) {
if (pq != NULL) {
Packet *tp = PacketPseudoPktSetup(p, pkt, plen, IPPROTO_IP);
if (tp != NULL) {
DecodeTunnel(tv, dtv, tp, GET_PKT_DATA(tp),
GET_PKT_LEN(tp), pq, IPPROTO_IP);
PacketEnqueue(pq,tp);
SCPerfCounterIncr(dtv->counter_ipv4inipv6, tv->sc_perf_pca);
return;
}
}
} else {
ENGINE_SET_EVENT(p, IPV4_IN_IPV6_WRONG_IP_VER);
}
return;
}
static TmEcode FlowWorker(ThreadVars *tv, Packet *p, void *data, PacketQueue *preq, PacketQueue *unused)
{
FlowWorkerThreadData *fw = data;
void *detect_thread = SC_ATOMIC_GET(fw->detect_thread);
SCLogDebug("packet %"PRIu64, p->pcap_cnt);
/* update time */
if (!(PKT_IS_PSEUDOPKT(p))) {
TimeSetByThread(tv->id, &p->ts);
}
/* handle Flow */
if (p->flags & PKT_WANTS_FLOW) {
FLOWWORKER_PROFILING_START(p, PROFILE_FLOWWORKER_FLOW);
FlowHandlePacket(tv, fw->dtv, p);
if (likely(p->flow != NULL)) {
DEBUG_ASSERT_FLOW_LOCKED(p->flow);
if (FlowUpdate(p) == TM_ECODE_DONE) {
FLOWLOCK_UNLOCK(p->flow);
return TM_ECODE_OK;
}
}
/* Flow is now LOCKED */
FLOWWORKER_PROFILING_END(p, PROFILE_FLOWWORKER_FLOW);
/* if PKT_WANTS_FLOW is not set, but PKT_HAS_FLOW is, then this is a
* pseudo packet created by the flow manager. */
} else if (p->flags & PKT_HAS_FLOW) {
FLOWLOCK_WRLOCK(p->flow);
}
SCLogDebug("packet %"PRIu64" has flow? %s", p->pcap_cnt, p->flow ? "yes" : "no");
/* handle TCP and app layer */
if (p->flow && PKT_IS_TCP(p)) {
SCLogDebug("packet %"PRIu64" is TCP. Direction %s", p->pcap_cnt, PKT_IS_TOSERVER(p) ? "TOSERVER" : "TOCLIENT");
DEBUG_ASSERT_FLOW_LOCKED(p->flow);
/* if detect is disabled, we need to apply file flags to the flow
* here on the first packet. */
if (detect_thread == NULL &&
((PKT_IS_TOSERVER(p) && (p->flowflags & FLOW_PKT_TOSERVER_FIRST)) ||
(PKT_IS_TOCLIENT(p) && (p->flowflags & FLOW_PKT_TOCLIENT_FIRST))))
{
DisableDetectFlowFileFlags(p->flow);
}
FLOWWORKER_PROFILING_START(p, PROFILE_FLOWWORKER_STREAM);
StreamTcp(tv, p, fw->stream_thread, &fw->pq, NULL);
FLOWWORKER_PROFILING_END(p, PROFILE_FLOWWORKER_STREAM);
if (FlowChangeProto(p->flow)) {
StreamTcpDetectLogFlush(tv, fw->stream_thread, p->flow, p, &fw->pq);
}
/* Packets here can safely access p->flow as it's locked */
SCLogDebug("packet %"PRIu64": extra packets %u", p->pcap_cnt, fw->pq.len);
Packet *x;
while ((x = PacketDequeue(&fw->pq))) {
SCLogDebug("packet %"PRIu64" extra packet %p", p->pcap_cnt, x);
// TODO do we need to call StreamTcp on these pseudo packets or not?
//StreamTcp(tv, x, fw->stream_thread, &fw->pq, NULL);
if (detect_thread != NULL) {
FLOWWORKER_PROFILING_START(x, PROFILE_FLOWWORKER_DETECT);
Detect(tv, x, detect_thread, NULL, NULL);
FLOWWORKER_PROFILING_END(x, PROFILE_FLOWWORKER_DETECT);
}
// Outputs
OutputLoggerLog(tv, x, fw->output_thread);
/* put these packets in the preq queue so that they are
* by the other thread modules before packet 'p'. */
PacketEnqueue(preq, x);
}
/* handle the app layer part of the UDP packet payload */
} else if (p->flow && p->proto == IPPROTO_UDP) {
FLOWWORKER_PROFILING_START(p, PROFILE_FLOWWORKER_APPLAYERUDP);
AppLayerHandleUdp(tv, fw->stream_thread->ra_ctx->app_tctx, p, p->flow);
FLOWWORKER_PROFILING_END(p, PROFILE_FLOWWORKER_APPLAYERUDP);
}
/* handle Detect */
DEBUG_ASSERT_FLOW_LOCKED(p->flow);
SCLogDebug("packet %"PRIu64" calling Detect", p->pcap_cnt);
if (detect_thread != NULL) {
FLOWWORKER_PROFILING_START(p, PROFILE_FLOWWORKER_DETECT);
Detect(tv, p, detect_thread, NULL, NULL);
FLOWWORKER_PROFILING_END(p, PROFILE_FLOWWORKER_DETECT);
}
// Outputs.
OutputLoggerLog(tv, p, fw->output_thread);
/* Release tcp segments. Done here after alerting can use them. */
if (p->flow != NULL && p->proto == IPPROTO_TCP) {
FLOWWORKER_PROFILING_START(p, PROFILE_FLOWWORKER_TCPPRUNE);
StreamTcpPruneSession(p->flow, p->flowflags & FLOW_PKT_TOSERVER ?
STREAM_TOSERVER : STREAM_TOCLIENT);
FLOWWORKER_PROFILING_END(p, PROFILE_FLOWWORKER_TCPPRUNE);
}
if (p->flow) {
DEBUG_ASSERT_FLOW_LOCKED(p->flow);
FLOWLOCK_UNLOCK(p->flow);
}
return TM_ECODE_OK;
}
void DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
{
int ret;
SCPerfCounterIncr(dtv->counter_ipv6, tv->sc_perf_pca);
/* do the actual decoding */
ret = DecodeIPV6Packet (tv, dtv, p, pkt, len);
if (ret < 0) {
p->ip6h = NULL;
return;
}
#ifdef DEBUG
if (SCLogDebugEnabled()) { /* only convert the addresses if debug is really enabled */
/* debug print */
char s[46], d[46];
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), s, sizeof(s));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), d, sizeof(d));
SCLogDebug("IPV6 %s->%s - CLASS: %" PRIu32 " FLOW: %" PRIu32 " NH: %" PRIu32 " PLEN: %" PRIu32 " HLIM: %" PRIu32 "", s,d,
IPV6_GET_CLASS(p), IPV6_GET_FLOW(p), IPV6_GET_NH(p), IPV6_GET_PLEN(p),
IPV6_GET_HLIM(p));
}
#endif /* DEBUG */
/* now process the Ext headers and/or the L4 Layer */
switch(IPV6_GET_NH(p)) {
case IPPROTO_TCP:
IPV6_SET_L4PROTO (p, IPPROTO_TCP);
return DecodeTCP(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
case IPPROTO_UDP:
IPV6_SET_L4PROTO (p, IPPROTO_UDP);
return DecodeUDP(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
break;
case IPPROTO_ICMPV6:
IPV6_SET_L4PROTO (p, IPPROTO_ICMPV6);
return DecodeICMPV6(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
case IPPROTO_SCTP:
IPV6_SET_L4PROTO (p, IPPROTO_SCTP);
return DecodeSCTP(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
case IPPROTO_IPIP:
IPV6_SET_L4PROTO(p, IPPROTO_IPIP);
return DecodeIPv4inIPv6(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
case IPPROTO_IPV6:
return DecodeIP6inIP6(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
case IPPROTO_FRAGMENT:
case IPPROTO_HOPOPTS:
case IPPROTO_ROUTING:
case IPPROTO_NONE:
case IPPROTO_DSTOPTS:
case IPPROTO_AH:
case IPPROTO_ESP:
DecodeIPV6ExtHdrs(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
break;
default:
p->proto = IPV6_GET_NH(p);
break;
}
/* Pass to defragger if a fragment. */
if (IPV6_EXTHDR_ISSET_FH(p)) {
Packet *rp = Defrag(tv, dtv, NULL, p);
if (rp != NULL) {
DecodeIPV6(tv, dtv, rp, (uint8_t *)rp->ip6h, IPV6_GET_PLEN(rp) + IPV6_HEADER_LEN, pq);
PacketEnqueue(pq, rp);
/* Not really a tunnel packet, but we're piggybacking that
* functionality for now. */
SET_TUNNEL_PKT(p);
}
}
#ifdef DEBUG
if (IPV6_EXTHDR_ISSET_FH(p)) {
SCLogDebug("IPV6 FRAG - HDRLEN: %" PRIuMAX " NH: %" PRIu32 " OFFSET: %" PRIu32 " ID: %" PRIu32 "",
(uintmax_t)IPV6_EXTHDR_GET_FH_HDRLEN(p), IPV6_EXTHDR_GET_FH_NH(p),
IPV6_EXTHDR_GET_FH_OFFSET(p), IPV6_EXTHDR_GET_FH_ID(p));
}
if (IPV6_EXTHDR_ISSET_RH(p)) {
SCLogDebug("IPV6 ROUTE - HDRLEN: %" PRIu32 " NH: %" PRIu32 " TYPE: %" PRIu32 "",
IPV6_EXTHDR_GET_RH_HDRLEN(p), IPV6_EXTHDR_GET_RH_NH(p),
IPV6_EXTHDR_GET_RH_TYPE(p));
}
if (IPV6_EXTHDR_ISSET_HH(p)) {
SCLogDebug("IPV6 HOPOPT - HDRLEN: %" PRIu32 " NH: %" PRIu32 "",
IPV6_EXTHDR_GET_HH_HDRLEN(p), IPV6_EXTHDR_GET_HH_NH(p));
}
if (IPV6_EXTHDR_ISSET_DH1(p)) {
SCLogDebug("IPV6 DSTOPT1 - HDRLEN: %" PRIu32 " NH: %" PRIu32 "",
IPV6_EXTHDR_GET_DH1_HDRLEN(p), IPV6_EXTHDR_GET_DH1_NH(p));
}
if (IPV6_EXTHDR_ISSET_DH2(p)) {
SCLogDebug("IPV6 DSTOPT2 - HDRLEN: %" PRIu32 " NH: %" PRIu32 "",
IPV6_EXTHDR_GET_DH2_HDRLEN(p), IPV6_EXTHDR_GET_DH2_NH(p));
}
#endif
return;
}
int DecodeGRE(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
{
uint16_t header_len = GRE_HDR_LEN;
GRESreHdr *gsre = NULL;
StatsIncr(tv, dtv->counter_gre);
if(len < GRE_HDR_LEN) {
ENGINE_SET_INVALID_EVENT(p, GRE_PKT_TOO_SMALL);
return TM_ECODE_FAILED;
}
p->greh = (GREHdr *)pkt;
if(p->greh == NULL)
return TM_ECODE_FAILED;
SCLogDebug("p %p pkt %p GRE protocol %04x Len: %d GRE version %x",
p, pkt, GRE_GET_PROTO(p->greh), len,GRE_GET_VERSION(p->greh));
switch (GRE_GET_VERSION(p->greh))
{
case GRE_VERSION_0:
/* GRE version 0 doenst support the fields below RFC 1701 */
/**
* \todo We need to make sure this does not allow bypassing
* inspection. A server may just ignore these and
* continue processing the packet, but we will not look
* further into it.
*/
if (GRE_FLAG_ISSET_RECUR(p->greh)) {
ENGINE_SET_INVALID_EVENT(p, GRE_VERSION0_RECUR);
return TM_ECODE_OK;
}
if (GREV1_FLAG_ISSET_FLAGS(p->greh)) {
ENGINE_SET_INVALID_EVENT(p, GRE_VERSION0_FLAGS);
return TM_ECODE_OK;
}
/* Adjust header length based on content */
if (GRE_FLAG_ISSET_KY(p->greh))
header_len += GRE_KEY_LEN;
if (GRE_FLAG_ISSET_SQ(p->greh))
header_len += GRE_SEQ_LEN;
if (GRE_FLAG_ISSET_CHKSUM(p->greh) || GRE_FLAG_ISSET_ROUTE(p->greh))
header_len += GRE_CHKSUM_LEN + GRE_OFFSET_LEN;
if (header_len > len) {
ENGINE_SET_INVALID_EVENT(p, GRE_VERSION0_HDR_TOO_BIG);
return TM_ECODE_OK;
}
if (GRE_FLAG_ISSET_ROUTE(p->greh))
{
while (1)
{
if ((header_len + GRE_SRE_HDR_LEN) > len) {
ENGINE_SET_INVALID_EVENT(p,
GRE_VERSION0_MALFORMED_SRE_HDR);
return TM_ECODE_OK;
}
gsre = (GRESreHdr *)(pkt + header_len);
header_len += GRE_SRE_HDR_LEN;
if ((ntohs(gsre->af) == 0) && (gsre->sre_length == 0))
break;
header_len += gsre->sre_length;
if (header_len > len) {
ENGINE_SET_INVALID_EVENT(p,
GRE_VERSION0_MALFORMED_SRE_HDR);
return TM_ECODE_OK;
}
}
}
break;
case GRE_VERSION_1:
/* GRE version 1 doenst support the fields below RFC 1701 */
/**
* \todo We need to make sure this does not allow bypassing
* inspection. A server may just ignore these and
* continue processing the packet, but we will not look
* further into it.
*/
if (GRE_FLAG_ISSET_CHKSUM(p->greh)) {
ENGINE_SET_INVALID_EVENT(p,GRE_VERSION1_CHKSUM);
return TM_ECODE_OK;
}
if (GRE_FLAG_ISSET_ROUTE(p->greh)) {
ENGINE_SET_INVALID_EVENT(p,GRE_VERSION1_ROUTE);
return TM_ECODE_OK;
}
if (GRE_FLAG_ISSET_SSR(p->greh)) {
ENGINE_SET_INVALID_EVENT(p,GRE_VERSION1_SSR);
return TM_ECODE_OK;
}
if (GRE_FLAG_ISSET_RECUR(p->greh)) {
ENGINE_SET_INVALID_EVENT(p,GRE_VERSION1_RECUR);
return TM_ECODE_OK;
}
if (GREV1_FLAG_ISSET_FLAGS(p->greh)) {
ENGINE_SET_INVALID_EVENT(p,GRE_VERSION1_FLAGS);
return TM_ECODE_OK;
}
if (GRE_GET_PROTO(p->greh) != GRE_PROTO_PPP) {
ENGINE_SET_INVALID_EVENT(p,GRE_VERSION1_WRONG_PROTOCOL);
return TM_ECODE_OK;
}
if (!(GRE_FLAG_ISSET_KY(p->greh))) {
ENGINE_SET_INVALID_EVENT(p,GRE_VERSION1_NO_KEY);
return TM_ECODE_OK;
}
header_len += GRE_KEY_LEN;
/* Adjust header length based on content */
if (GRE_FLAG_ISSET_SQ(p->greh))
header_len += GRE_SEQ_LEN;
if (GREV1_FLAG_ISSET_ACK(p->greh))
header_len += GREV1_ACK_LEN;
if (header_len > len) {
ENGINE_SET_INVALID_EVENT(p, GRE_VERSION1_HDR_TOO_BIG);
return TM_ECODE_OK;
}
break;
default:
ENGINE_SET_INVALID_EVENT(p, GRE_WRONG_VERSION);
return TM_ECODE_OK;
}
switch (GRE_GET_PROTO(p->greh))
{
case ETHERNET_TYPE_IP:
{
if (pq != NULL) {
Packet *tp = PacketTunnelPktSetup(tv, dtv, p, pkt + header_len,
len - header_len, DECODE_TUNNEL_IPV4, pq);
if (tp != NULL) {
PKT_SET_SRC(tp, PKT_SRC_DECODER_GRE);
PacketEnqueue(pq,tp);
}
}
break;
}
case GRE_PROTO_PPP:
{
if (pq != NULL) {
Packet *tp = PacketTunnelPktSetup(tv, dtv, p, pkt + header_len,
len - header_len, DECODE_TUNNEL_PPP, pq);
if (tp != NULL) {
PKT_SET_SRC(tp, PKT_SRC_DECODER_GRE);
PacketEnqueue(pq,tp);
}
}
break;
}
case ETHERNET_TYPE_IPV6:
{
if (pq != NULL) {
Packet *tp = PacketTunnelPktSetup(tv, dtv, p, pkt + header_len,
len - header_len, DECODE_TUNNEL_IPV6, pq);
if (tp != NULL) {
PKT_SET_SRC(tp, PKT_SRC_DECODER_GRE);
PacketEnqueue(pq,tp);
}
}
break;
}
case ETHERNET_TYPE_VLAN:
{
if (pq != NULL) {
Packet *tp = PacketTunnelPktSetup(tv, dtv, p, pkt + header_len,
len - header_len, DECODE_TUNNEL_VLAN, pq);
if (tp != NULL) {
PKT_SET_SRC(tp, PKT_SRC_DECODER_GRE);
PacketEnqueue(pq,tp);
}
}
break;
}
case ETHERNET_TYPE_ERSPAN:
{
if (pq != NULL) {
Packet *tp = PacketTunnelPktSetup(tv, dtv, p, pkt + header_len,
len - header_len, DECODE_TUNNEL_ERSPAN, pq);
if (tp != NULL) {
PKT_SET_SRC(tp, PKT_SRC_DECODER_GRE);
PacketEnqueue(pq,tp);
}
}
break;
}
case ETHERNET_TYPE_BRIDGE:
{
if (pq != NULL) {
Packet *tp = PacketTunnelPktSetup(tv, dtv, p, pkt + header_len,
len - header_len, DECODE_TUNNEL_ETHERNET, pq);
if (tp != NULL) {
PKT_SET_SRC(tp, PKT_SRC_DECODER_GRE);
PacketEnqueue(pq,tp);
}
}
break;
}
default:
return TM_ECODE_OK;
}
return TM_ECODE_OK;
}
/**
* \internal
* \brief Forces reassembly for flow if it needs it.
*
* The function requires flow to be locked beforehand.
*
* \param f Pointer to the flow.
* \param server action required for server: 1 or 2
* \param client action required for client: 1 or 2
*
* \retval 0 This flow doesn't need any reassembly processing; 1 otherwise.
*/
int FlowForceReassemblyForFlowV2(Flow *f, int server, int client)
{
Packet *p1 = NULL, *p2 = NULL, *p3 = NULL;
TcpSession *ssn;
/* looks like we have no flows in this queue */
if (f == NULL) {
return 0;
}
/* Get the tcp session for the flow */
ssn = (TcpSession *)f->protoctx;
if (ssn == NULL) {
return 0;
}
/* The packets we use are based on what segments in what direction are
* unprocessed.
* p1 if we have client segments for reassembly purpose only. If we
* have no server segments p2 can be a toserver packet with dummy
* seq/ack, and if we have server segments p2 has to carry out reassembly
* for server segment as well, in which case we will also need a p3 in the
* toclient which is now dummy since all we need it for is detection */
/* insert a pseudo packet in the toserver direction */
if (client == 1) {
p1 = FlowForceReassemblyPseudoPacketGet(1, f, ssn, 0);
if (p1 == NULL) {
return 1;
}
PKT_SET_SRC(p1, PKT_SRC_FFR_V2);
if (server == 1) {
p2 = FlowForceReassemblyPseudoPacketGet(0, f, ssn, 0);
if (p2 == NULL) {
FlowDeReference(&p1->flow);
TmqhOutputPacketpool(NULL, p1);
return 1;
}
PKT_SET_SRC(p2, PKT_SRC_FFR_V2);
p3 = FlowForceReassemblyPseudoPacketGet(1, f, ssn, 1);
if (p3 == NULL) {
FlowDeReference(&p1->flow);
TmqhOutputPacketpool(NULL, p1);
FlowDeReference(&p2->flow);
TmqhOutputPacketpool(NULL, p2);
return 1;
}
PKT_SET_SRC(p3, PKT_SRC_FFR_V2);
} else {
p2 = FlowForceReassemblyPseudoPacketGet(0, f, ssn, 1);
if (p2 == NULL) {
FlowDeReference(&p1->flow);
TmqhOutputPacketpool(NULL, p1);
return 1;
}
PKT_SET_SRC(p2, PKT_SRC_FFR_V2);
}
} else if (client == 2) {
if (server == 1) {
p1 = FlowForceReassemblyPseudoPacketGet(0, f, ssn, 0);
if (p1 == NULL) {
return 1;
}
PKT_SET_SRC(p1, PKT_SRC_FFR_V2);
p2 = FlowForceReassemblyPseudoPacketGet(1, f, ssn, 1);
if (p2 == NULL) {
FlowDeReference(&p1->flow);
TmqhOutputPacketpool(NULL, p1);
return 1;
}
PKT_SET_SRC(p2, PKT_SRC_FFR_V2);
} else {
p1 = FlowForceReassemblyPseudoPacketGet(0, f, ssn, 1);
if (p1 == NULL) {
return 1;
}
PKT_SET_SRC(p1, PKT_SRC_FFR_V2);
if (server == 2) {
p2 = FlowForceReassemblyPseudoPacketGet(1, f, ssn, 1);
if (p2 == NULL) {
FlowDeReference(&p1->flow);
TmqhOutputPacketpool(NULL, p1);
return 1;
}
PKT_SET_SRC(p2, PKT_SRC_FFR_V2);
}
}
} else {
if (server == 1) {
p1 = FlowForceReassemblyPseudoPacketGet(0, f, ssn, 0);
if (p1 == NULL) {
return 1;
}
PKT_SET_SRC(p1, PKT_SRC_FFR_V2);
p2 = FlowForceReassemblyPseudoPacketGet(1, f, ssn, 1);
if (p2 == NULL) {
FlowDeReference(&p1->flow);
TmqhOutputPacketpool(NULL, p1);
return 1;
}
PKT_SET_SRC(p2, PKT_SRC_FFR_V2);
} else if (server == 2) {
p1 = FlowForceReassemblyPseudoPacketGet(1, f, ssn, 1);
if (p1 == NULL) {
return 1;
}
PKT_SET_SRC(p1, PKT_SRC_FFR_V2);
} else {
/* impossible */
BUG_ON(1);
}
}
f->flags |= FLOW_TIMEOUT_REASSEMBLY_DONE;
SCMutexLock(&stream_pseudo_pkt_decode_tm_slot->slot_post_pq.mutex_q);
PacketEnqueue(&stream_pseudo_pkt_decode_tm_slot->slot_post_pq, p1);
if (p2 != NULL)
PacketEnqueue(&stream_pseudo_pkt_decode_tm_slot->slot_post_pq, p2);
if (p3 != NULL)
PacketEnqueue(&stream_pseudo_pkt_decode_tm_slot->slot_post_pq, p3);
SCMutexUnlock(&stream_pseudo_pkt_decode_tm_slot->slot_post_pq.mutex_q);
if (stream_pseudo_pkt_decode_TV->inq != NULL) {
SCCondSignal(&trans_q[stream_pseudo_pkt_decode_TV->inq->id].cond_q);
}
return 1;
}
/**
* \brief Function to decode Teredo packets
*
* \retval 0 if packet is not a Teredo packet, 1 if it is
*/
int DecodeTeredo(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
{
uint8_t *start = pkt;
/* Is this packet to short to contain an IPv6 packet ? */
if (len < IPV6_HEADER_LEN)
return 0;
/* Teredo encapsulate IPv6 in UDP and can add some custom message
* part before the IPv6 packet. In our case, we just want to get
* over an ORIGIN indication. So we just make one offset if needed. */
if (start[0] == 0x0) {
switch (start[1]) {
/* origin indication: compatible with tunnel */
case 0x0:
/* offset is coherent with len and presence of an IPv6 header */
if (len >= TEREDO_ORIG_INDICATION_LENGTH + IPV6_HEADER_LEN)
start += TEREDO_ORIG_INDICATION_LENGTH;
else
return 0;
break;
/* authentication: negotiation not real tunnel */
case 0x1:
return 0;
/* this case is not possible in Teredo: not that protocol */
default:
return 0;
}
}
/* There is no specific field that we can check to prove that the packet
* is a Teredo packet. We've zapped here all the possible Teredo header
* and we should have an IPv6 packet at the start pointer.
* We then can only do two checks before sending the encapsulated packets
* to decoding:
* - The packet has a protocol version which is IPv6.
* - The IPv6 length of the packet matches what remains in buffer.
*/
if (IP_GET_RAW_VER(start) == 6) {
IPV6Hdr *thdr = (IPV6Hdr *)start;
if (len == IPV6_HEADER_LEN +
IPV6_GET_RAW_PLEN(thdr) + (start - pkt)) {
if (pq != NULL) {
int blen = len - (start - pkt);
/* spawn off tunnel packet */
Packet *tp = PacketPseudoPktSetup(p, start, blen,
IPPROTO_IPV6);
if (tp != NULL) {
PKT_SET_SRC(tp, PKT_SRC_DECODER_TEREDO);
/* send that to the Tunnel decoder */
DecodeTunnel(tv, dtv, tp, GET_PKT_DATA(tp), GET_PKT_LEN(tp),
pq, IPPROTO_IPV6);
/* add the tp to the packet queue. */
PacketEnqueue(pq,tp);
SCPerfCounterIncr(dtv->counter_teredo, tv->sc_perf_pca);
return 1;
}
}
}
return 0;
}
return 0;
}
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
{
int ret;
StatsIncr(tv, dtv->counter_ipv6);
/* do the actual decoding */
ret = DecodeIPV6Packet (tv, dtv, p, pkt, len);
if (unlikely(ret < 0)) {
p->ip6h = NULL;
return TM_ECODE_FAILED;
}
#ifdef DEBUG
if (SCLogDebugEnabled()) { /* only convert the addresses if debug is really enabled */
/* debug print */
char s[46], d[46];
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), s, sizeof(s));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), d, sizeof(d));
SCLogDebug("IPV6 %s->%s - CLASS: %" PRIu32 " FLOW: %" PRIu32 " NH: %" PRIu32 " PLEN: %" PRIu32 " HLIM: %" PRIu32 "", s,d,
IPV6_GET_CLASS(p), IPV6_GET_FLOW(p), IPV6_GET_NH(p), IPV6_GET_PLEN(p),
IPV6_GET_HLIM(p));
}
#endif /* DEBUG */
/* now process the Ext headers and/or the L4 Layer */
switch(IPV6_GET_NH(p)) {
case IPPROTO_TCP:
IPV6_SET_L4PROTO (p, IPPROTO_TCP);
DecodeTCP(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
return TM_ECODE_OK;
case IPPROTO_UDP:
IPV6_SET_L4PROTO (p, IPPROTO_UDP);
DecodeUDP(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
return TM_ECODE_OK;
case IPPROTO_ICMPV6:
IPV6_SET_L4PROTO (p, IPPROTO_ICMPV6);
DecodeICMPV6(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
return TM_ECODE_OK;
case IPPROTO_SCTP:
IPV6_SET_L4PROTO (p, IPPROTO_SCTP);
DecodeSCTP(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
return TM_ECODE_OK;
case IPPROTO_IPIP:
IPV6_SET_L4PROTO(p, IPPROTO_IPIP);
DecodeIPv4inIPv6(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
return TM_ECODE_OK;
case IPPROTO_IPV6:
DecodeIP6inIP6(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
return TM_ECODE_OK;
case IPPROTO_FRAGMENT:
case IPPROTO_HOPOPTS:
case IPPROTO_ROUTING:
case IPPROTO_NONE:
case IPPROTO_DSTOPTS:
case IPPROTO_AH:
case IPPROTO_ESP:
case IPPROTO_MH:
case IPPROTO_HIP:
case IPPROTO_SHIM6:
DecodeIPV6ExtHdrs(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
break;
case IPPROTO_ICMP:
ENGINE_SET_EVENT(p,IPV6_WITH_ICMPV4);
break;
default:
ENGINE_SET_EVENT(p, IPV6_UNKNOWN_NEXT_HEADER);
IPV6_SET_L4PROTO (p, IPV6_GET_NH(p));
break;
}
p->proto = IPV6_GET_L4PROTO (p);
/* Pass to defragger if a fragment. */
if (IPV6_EXTHDR_ISSET_FH(p)) {
Packet *rp = Defrag(tv, dtv, p, pq);
if (rp != NULL) {
PacketEnqueue(pq,rp);
}
}
return TM_ECODE_OK;
}
TmEcode ProcessErfDagRecords(ErfDagThreadVars *ewtn,
Packet *p,
uint8_t* top,
PacketQueue *postpq,
uint32_t *pkts_read)
{
SCEnter();
int err = 0;
dag_record_t* dr = NULL;
char *prec = NULL;
int rlen;
*pkts_read = 0;
while(((top-(ewtn->btm))>=dag_record_size) &&
((*pkts_read)<(ewtn->dag_max_read_packets)))
{
prec = (char*)ewtn->btm;
dr = (dag_record_t*)prec;
rlen = ntohs(dr->rlen);
if (rlen == 20) {
rlen = 28;
SCLogWarning(SC_WARN_ERF_DAG_REC_LEN_CHANGED,
"Warning, adjusted the length of ERF from 20 to 28 on stream: %d, DAG: %s",
ewtn->dagstream, ewtn->dagname);
}
/* If we don't have enough data to finsih processing this ERF record
* return and maybe next time we will.
*/
if ((top-(ewtn->btm)) < rlen)
SCReturnInt(TM_ECODE_OK);
p = p ? p : PacketGetFromQueueOrAlloc();
if (p == NULL) {
SCLogError(SC_ERR_MEM_ALLOC,
"Failed to allocate a Packet on stream: %d, DAG: %s",
ewtn->dagstream, ewtn->dagname);
SCReturnInt(TM_ECODE_FAILED);
}
err = ProcessErfDagRecord(ewtn, prec, p);
if (err != TM_ECODE_OK)
SCReturnInt(err);
ewtn->btm += rlen;
/* XXX/JNM: Hack to get around the fact that the first Packet from
* Suricata is added explicitly by the Slot code and shouldn't go
* onto the post queue -- else it is added twice to the next queue.
*/
if (*pkts_read) {
PacketEnqueue(postpq, p);
}
(*pkts_read)++;
p = NULL;
}
SCReturnInt(TM_ECODE_OK);
}
