/**
* \internal
* \brief Pseudo packet setup for flow forced reassembly.
*
* \param direction Direction of the packet. 0 indicates toserver and 1
* indicates toclient.
* \param f Pointer to the flow.
* \param ssn Pointer to the tcp session.
* \param dummy Indicates to create a dummy pseudo packet. Not all pseudo
* packets need to force reassembly, in which case we just
* set dummy ack/seq values.
*/
static inline Packet *FlowForceReassemblyPseudoPacketSetup(Packet *p,
int direction,
Flow *f,
TcpSession *ssn,
int dummy)
{
p->datalink = DLT_RAW;
p->proto = IPPROTO_TCP;
FlowReference(&p->flow, f);
p->flags |= PKT_STREAM_EST;
p->flags |= PKT_STREAM_EOF;
p->flags |= PKT_HAS_FLOW;
p->flags |= PKT_PSEUDO_STREAM_END;
if (direction == 0)
p->flowflags |= FLOW_PKT_TOSERVER;
else
p->flowflags |= FLOW_PKT_TOCLIENT;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->payload = NULL;
p->payload_len = 0;
if (FLOW_IS_IPV4(f)) {
if (direction == 0) {
FLOW_COPY_IPV4_ADDR_TO_PACKET(&f->src, &p->src);
FLOW_COPY_IPV4_ADDR_TO_PACKET(&f->dst, &p->dst);
p->sp = f->sp;
p->dp = f->dp;
} else {
FLOW_COPY_IPV4_ADDR_TO_PACKET(&f->src, &p->dst);
FLOW_COPY_IPV4_ADDR_TO_PACKET(&f->dst, &p->src);
p->sp = f->dp;
p->dp = f->sp;
}
/* set the ip header */
p->ip4h = (IPV4Hdr *)GET_PKT_DATA(p);
/* version 4 and length 20 bytes for the tcp header */
p->ip4h->ip_verhl = 0x45;
p->ip4h->ip_tos = 0;
p->ip4h->ip_len = htons(40);
p->ip4h->ip_id = 0;
p->ip4h->ip_off = 0;
p->ip4h->ip_ttl = 64;
p->ip4h->ip_proto = IPPROTO_TCP;
//p->ip4h->ip_csum =
if (direction == 0) {
p->ip4h->s_ip_src.s_addr = f->src.addr_data32[0];
p->ip4h->s_ip_dst.s_addr = f->dst.addr_data32[0];
} else {
p->ip4h->s_ip_src.s_addr = f->dst.addr_data32[0];
p->ip4h->s_ip_dst.s_addr = f->src.addr_data32[0];
}
/* set the tcp header */
p->tcph = (TCPHdr *)((uint8_t *)GET_PKT_DATA(p) + 20);
SET_PKT_LEN(p, 40); /* ipv4 hdr + tcp hdr */
} else if (FLOW_IS_IPV6(f)) {
if (direction == 0) {
FLOW_COPY_IPV6_ADDR_TO_PACKET(&f->src, &p->src);
FLOW_COPY_IPV6_ADDR_TO_PACKET(&f->dst, &p->dst);
p->sp = f->sp;
p->dp = f->dp;
} else {
FLOW_COPY_IPV6_ADDR_TO_PACKET(&f->src, &p->dst);
FLOW_COPY_IPV6_ADDR_TO_PACKET(&f->dst, &p->src);
p->sp = f->dp;
p->dp = f->sp;
}
/* set the ip header */
p->ip6h = (IPV6Hdr *)GET_PKT_DATA(p);
/* version 6 */
p->ip6h->s_ip6_vfc = 0x60;
p->ip6h->s_ip6_flow = 0;
p->ip6h->s_ip6_nxt = IPPROTO_TCP;
p->ip6h->s_ip6_plen = htons(20);
p->ip6h->s_ip6_hlim = 64;
if (direction == 0) {
p->ip6h->s_ip6_src[0] = f->src.addr_data32[0];
p->ip6h->s_ip6_src[1] = f->src.addr_data32[1];
p->ip6h->s_ip6_src[2] = f->src.addr_data32[2];
p->ip6h->s_ip6_src[3] = f->src.addr_data32[3];
p->ip6h->s_ip6_dst[0] = f->dst.addr_data32[0];
p->ip6h->s_ip6_dst[1] = f->dst.addr_data32[1];
p->ip6h->s_ip6_dst[2] = f->dst.addr_data32[2];
p->ip6h->s_ip6_dst[3] = f->dst.addr_data32[3];
} else {
p->ip6h->s_ip6_src[0] = f->dst.addr_data32[0];
p->ip6h->s_ip6_src[1] = f->dst.addr_data32[1];
p->ip6h->s_ip6_src[2] = f->dst.addr_data32[2];
p->ip6h->s_ip6_src[3] = f->dst.addr_data32[3];
p->ip6h->s_ip6_dst[0] = f->src.addr_data32[0];
p->ip6h->s_ip6_dst[1] = f->src.addr_data32[1];
p->ip6h->s_ip6_dst[2] = f->src.addr_data32[2];
p->ip6h->s_ip6_dst[3] = f->src.addr_data32[3];
}
/* set the tcp header */
p->tcph = (TCPHdr *)((uint8_t *)GET_PKT_DATA(p) + 40);
SET_PKT_LEN(p, 60); /* ipv6 hdr + tcp hdr */
}
p->tcph->th_offx2 = 0x50;
p->tcph->th_flags |= TH_ACK;
p->tcph->th_win = 10;
p->tcph->th_urp = 0;
/* to server */
if (direction == 0) {
p->tcph->th_sport = htons(f->sp);
p->tcph->th_dport = htons(f->dp);
if (dummy) {
p->tcph->th_seq = htonl(ssn->client.next_seq);
p->tcph->th_ack = htonl(ssn->server.last_ack);
} else {
p->tcph->th_seq = htonl(ssn->client.next_seq);
p->tcph->th_ack = htonl(ssn->server.seg_list_tail->seq +
ssn->server.seg_list_tail->payload_len);
}
/* to client */
} else {
p->tcph->th_sport = htons(f->dp);
p->tcph->th_dport = htons(f->sp);
if (dummy) {
p->tcph->th_seq = htonl(ssn->server.next_seq);
p->tcph->th_ack = htonl(ssn->client.last_ack);
} else {
p->tcph->th_seq = htonl(ssn->server.next_seq);
p->tcph->th_ack = htonl(ssn->client.seg_list_tail->seq +
ssn->client.seg_list_tail->payload_len);
}
}
if (FLOW_IS_IPV4(f)) {
p->tcph->th_sum = TCPCalculateChecksum(p->ip4h->s_ip_addrs,
(uint16_t *)p->tcph, 20);
/* calc ipv4 csum as we may log it and barnyard might reject
* a wrong checksum */
p->ip4h->ip_csum = IPV4CalculateChecksum((uint16_t *)p->ip4h,
IPV4_GET_RAW_HLEN(p->ip4h));
} else if (FLOW_IS_IPV6(f)) {
p->tcph->th_sum = TCPCalculateChecksum(p->ip6h->s_ip6_addrs,
(uint16_t *)p->tcph, 20);
}
memset(&p->ts, 0, sizeof(struct timeval));
TimeGet(&p->ts);
AppLayerSetEOF(f);
return p;
}
/** \brief Get Flow for packet
*
* Hash retrieval function for flows. Looks up the hash bucket containing the
* flow pointer. Then compares the packet with the found flow to see if it is
* the flow we need. If it isn't, walk the list until the right flow is found.
*
* If the flow is not found or the bucket was emtpy, a new flow is taken from
* the queue. FlowDequeue() will alloc new flows as long as we stay within our
* memcap limit.
*
* The p->flow pointer is updated to point to the flow.
*
* \param tv thread vars
* \param dtv decode thread vars (for flow log api thread data)
*
* \retval f *LOCKED* flow or NULL
*/
Flow *FlowGetFlowFromHash(ThreadVars *tv, DecodeThreadVars *dtv, const Packet *p, Flow **dest)
{
Flow *f = NULL;
/* get our hash bucket and lock it */
const uint32_t hash = p->flow_hash;
FlowBucket *fb = &flow_hash[hash % flow_config.hash_size];
FBLOCK_LOCK(fb);
SCLogDebug("fb %p fb->head %p", fb, fb->head);
/* see if the bucket already has a flow */
if (fb->head == NULL) {
f = FlowGetNew(tv, dtv, p);
if (f == NULL) {
FBLOCK_UNLOCK(fb);
return NULL;
}
/* flow is locked */
fb->head = f;
fb->tail = f;
/* got one, now lock, initialize and return */
FlowInit(f, p);
f->flow_hash = hash;
f->fb = fb;
FlowUpdateState(f, FLOW_STATE_NEW);
FlowReference(dest, f);
FBLOCK_UNLOCK(fb);
return f;
}
/* ok, we have a flow in the bucket. Let's find out if it is our flow */
f = fb->head;
/* see if this is the flow we are looking for */
if (FlowCompare(f, p) == 0) {
Flow *pf = NULL; /* previous flow */
while (f) {
pf = f;
f = f->hnext;
if (f == NULL) {
f = pf->hnext = FlowGetNew(tv, dtv, p);
if (f == NULL) {
FBLOCK_UNLOCK(fb);
return NULL;
}
fb->tail = f;
/* flow is locked */
f->hprev = pf;
/* initialize and return */
FlowInit(f, p);
f->flow_hash = hash;
f->fb = fb;
FlowUpdateState(f, FLOW_STATE_NEW);
FlowReference(dest, f);
FBLOCK_UNLOCK(fb);
return f;
}
if (FlowCompare(f, p) != 0) {
/* we found our flow, lets put it on top of the
* hash list -- this rewards active flows */
if (f->hnext) {
f->hnext->hprev = f->hprev;
}
if (f->hprev) {
f->hprev->hnext = f->hnext;
}
if (f == fb->tail) {
fb->tail = f->hprev;
}
f->hnext = fb->head;
f->hprev = NULL;
fb->head->hprev = f;
fb->head = f;
/* found our flow, lock & return */
FLOWLOCK_WRLOCK(f);
if (unlikely(TcpSessionPacketSsnReuse(p, f, f->protoctx) == 1)) {
f = TcpReuseReplace(tv, dtv, fb, f, hash, p);
if (f == NULL) {
FBLOCK_UNLOCK(fb);
return NULL;
}
}
FlowReference(dest, f);
FBLOCK_UNLOCK(fb);
return f;
}
}
}
/* lock & return */
FLOWLOCK_WRLOCK(f);
if (unlikely(TcpSessionPacketSsnReuse(p, f, f->protoctx) == 1)) {
f = TcpReuseReplace(tv, dtv, fb, f, hash, p);
if (f == NULL) {
FBLOCK_UNLOCK(fb);
return NULL;
}
}
FlowReference(dest, f);
FBLOCK_UNLOCK(fb);
return f;
}
/* FlowGetFlowFromHash
*
* Hash retrieval function for flows. Looks up the hash bucket containing the
* flow pointer. Then compares the packet with the found flow to see if it is
* the flow we need. If it isn't, walk the list until the right flow is found.
*
* If the flow is not found or the bucket was emtpy, a new flow is taken from
* the queue. FlowDequeue() will alloc new flows as long as we stay within our
* memcap limit.
*
* The p->flow pointer is updated to point to the flow.
*
* returns a *LOCKED* flow or NULL
*/
Flow *FlowGetFlowFromHash(Packet *p)
{
Flow *f = NULL;
FlowHashCountInit;
/* get the key to our bucket */
uint32_t key = FlowGetKey(p);
/* get our hash bucket and lock it */
FlowBucket *fb = &flow_hash[key];
FBLOCK_LOCK(fb);
SCLogDebug("fb %p fb->head %p", fb, fb->head);
FlowHashCountIncr;
/* see if the bucket already has a flow */
if (fb->head == NULL) {
f = FlowGetNew(p);
if (f == NULL) {
FBLOCK_UNLOCK(fb);
FlowHashCountUpdate;
return NULL;
}
/* flow is locked */
fb->head = f;
fb->tail = f;
/* Point the Packet at the Flow */
FlowReference(&p->flow, f);
/* got one, now lock, initialize and return */
FlowInit(f, p);
f->fb = fb;
FBLOCK_UNLOCK(fb);
FlowHashCountUpdate;
return f;
}
/* ok, we have a flow in the bucket. Let's find out if it is our flow */
f = fb->head;
/* see if this is the flow we are looking for */
if (FlowCompare(f, p) == 0) {
Flow *pf = NULL; /* previous flow */
while (f) {
FlowHashCountIncr;
pf = f;
f = f->hnext;
if (f == NULL) {
f = pf->hnext = FlowGetNew(p);
if (f == NULL) {
FBLOCK_UNLOCK(fb);
FlowHashCountUpdate;
return NULL;
}
fb->tail = f;
/* flow is locked */
f->hprev = pf;
/* Point the Packet at the Flow */
FlowReference(&p->flow, f);
/* initialize and return */
FlowInit(f, p);
f->fb = fb;
FBLOCK_UNLOCK(fb);
FlowHashCountUpdate;
return f;
}
if (FlowCompare(f, p) != 0) {
/* we found our flow, lets put it on top of the
* hash list -- this rewards active flows */
if (f->hnext) {
f->hnext->hprev = f->hprev;
}
if (f->hprev) {
f->hprev->hnext = f->hnext;
}
if (f == fb->tail) {
fb->tail = f->hprev;
}
f->hnext = fb->head;
f->hprev = NULL;
fb->head->hprev = f;
fb->head = f;
/* Point the Packet at the Flow */
FlowReference(&p->flow, f);
/* found our flow, lock & return */
FLOWLOCK_WRLOCK(f);
FBLOCK_UNLOCK(fb);
FlowHashCountUpdate;
return f;
}
}
}
/* Point the Packet at the Flow */
FlowReference(&p->flow, f);
/* lock & return */
FLOWLOCK_WRLOCK(f);
FBLOCK_UNLOCK(fb);
FlowHashCountUpdate;
return f;
}
