/**
* \brief Get a new flow
*
* Get a new flow. We're checking memcap first and will try to make room
* if the memcap is reached.
*
* \param tv thread vars
* \param dtv decode thread vars (for flow log api thread data)
*
* \retval f *LOCKED* flow on succes, NULL on error.
*/
static Flow *FlowGetNew(ThreadVars *tv, DecodeThreadVars *dtv, const Packet *p)
{
Flow *f = NULL;
if (FlowCreateCheck(p) == 0) {
return NULL;
}
/* get a flow from the spare queue */
f = FlowDequeue(&flow_spare_q);
if (f == NULL) {
/* If we reached the max memcap, we get a used flow */
if (!(FLOW_CHECK_MEMCAP(sizeof(Flow) + FlowStorageSize()))) {
/* declare state of emergency */
if (!(SC_ATOMIC_GET(flow_flags) & FLOW_EMERGENCY)) {
SC_ATOMIC_OR(flow_flags, FLOW_EMERGENCY);
FlowTimeoutsEmergency();
/* under high load, waking up the flow mgr each time leads
* to high cpu usage. Flows are not timed out much faster if
* we check a 1000 times a second. */
FlowWakeupFlowManagerThread();
}
f = FlowGetUsedFlow(tv, dtv);
if (f == NULL) {
/* max memcap reached, so increments the counter */
if (tv != NULL && dtv != NULL) {
StatsIncr(tv, dtv->counter_flow_memcap);
}
/* very rare, but we can fail. Just giving up */
return NULL;
}
/* freed a flow, but it's unlocked */
} else {
/* now see if we can alloc a new flow */
f = FlowAlloc();
if (f == NULL) {
if (tv != NULL && dtv != NULL) {
StatsIncr(tv, dtv->counter_flow_memcap);
}
return NULL;
}
/* flow is initialized but *unlocked* */
}
} else {
/* flow has been recycled before it went into the spare queue */
/* flow is initialized (recylced) but *unlocked* */
}
FLOWLOCK_WRLOCK(f);
FlowUpdateCounter(tv, dtv, p->proto);
return f;
}
void CaptureStatsUpdate(ThreadVars *tv, CaptureStats *s, const Packet *p)
{
if (unlikely(PACKET_TEST_ACTION(p, (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)))) {
StatsIncr(tv, s->counter_ips_rejected);
} else if (unlikely(PACKET_TEST_ACTION(p, ACTION_DROP))) {
StatsIncr(tv, s->counter_ips_blocked);
} else if (unlikely(p->flags & PKT_STREAM_MODIFIED)) {
StatsIncr(tv, s->counter_ips_replaced);
} else {
StatsIncr(tv, s->counter_ips_accepted);
}
}
void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
{
if (p->flags & PKT_IS_INVALID) {
StatsIncr(tv, dtv->counter_invalid);
int i = 0;
for (i = 0; i < p->events.cnt; i++) {
if (EVENT_IS_DECODER_PACKET_ERROR(p->events.events[i])) {
StatsIncr(tv, dtv->counter_invalid_events[p->events.events[i]]);
}
}
}
}
int DecodeRaw(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
{
StatsIncr(tv, dtv->counter_raw);
/* If it is ipv4 or ipv6 it should at least be the size of ipv4 */
if (unlikely(len < IPV4_HEADER_LEN)) {
ENGINE_SET_INVALID_EVENT(p, IPV4_PKT_TOO_SMALL);
return TM_ECODE_FAILED;
}
if (IP_GET_RAW_VER(pkt) == 4) {
if (unlikely(GET_PKT_LEN(p) > USHRT_MAX)) {
return TM_ECODE_FAILED;
}
SCLogDebug("IPV4 Packet");
DecodeIPV4(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
} else if (IP_GET_RAW_VER(pkt) == 6) {
if (unlikely(GET_PKT_LEN(p) > USHRT_MAX)) {
return TM_ECODE_FAILED;
}
SCLogDebug("IPV6 Packet");
DecodeIPV6(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
} else {
SCLogDebug("Unknown ip version %" PRIu8 "", IP_GET_RAW_VER(pkt));
ENGINE_SET_EVENT(p,IPRAW_INVALID_IPV);
}
return TM_ECODE_OK;
}
void DecodeUpdatePacketCounters(ThreadVars *tv,
const DecodeThreadVars *dtv, const Packet *p)
{
StatsIncr(tv, dtv->counter_pkts);
//StatsIncr(tv, dtv->counter_pkts_per_sec);
StatsAddUI64(tv, dtv->counter_bytes, GET_PKT_LEN(p));
StatsAddUI64(tv, dtv->counter_avg_pkt_size, GET_PKT_LEN(p));
StatsSetUI64(tv, dtv->counter_max_pkt_size, GET_PKT_LEN(p));
}
void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
{
if (p->flags & PKT_IS_INVALID) {
StatsIncr(tv, dtv->counter_invalid);
int i = 0;
for (i = 0; i < p->events.cnt; i++) {
if (EVENT_IS_DECODER_PACKET_ERROR(p->events.events[i])) {
StatsIncr(tv, dtv->counter_invalid_events[p->events.events[i]]);
}
}
}
#ifdef __SC_CUDA_SUPPORT__
if (dtv->cuda_vars.mpm_is_cuda)
CudaBufferPacket(&dtv->cuda_vars, p);
#endif
}
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
uint8_t *pkt, uint16_t len, PacketQueue *pq)
{
StatsIncr(tv, dtv->counter_eth);
if (unlikely(len < ETHERNET_HEADER_LEN)) {
ENGINE_SET_INVALID_EVENT(p, ETHERNET_PKT_TOO_SMALL);
return TM_ECODE_FAILED;
}
p->ethh = (EthernetHdr *)pkt;
if (unlikely(p->ethh == NULL))
return TM_ECODE_FAILED;
SCLogDebug("p %p pkt %p ether type %04x", p, pkt, ntohs(p->ethh->eth_type));
switch (ntohs(p->ethh->eth_type)) {
case ETHERNET_TYPE_IP:
//printf("DecodeEthernet ip4\n");
DecodeIPV4(tv, dtv, p, pkt + ETHERNET_HEADER_LEN,
len - ETHERNET_HEADER_LEN, pq);
break;
case ETHERNET_TYPE_IPV6:
//printf("DecodeEthernet ip6\n");
DecodeIPV6(tv, dtv, p, pkt + ETHERNET_HEADER_LEN,
len - ETHERNET_HEADER_LEN, pq);
break;
case ETHERNET_TYPE_PPPOE_SESS:
//printf("DecodeEthernet PPPOE Session\n");
DecodePPPOESession(tv, dtv, p, pkt + ETHERNET_HEADER_LEN,
len - ETHERNET_HEADER_LEN, pq);
break;
case ETHERNET_TYPE_PPPOE_DISC:
//printf("DecodeEthernet PPPOE Discovery\n");
DecodePPPOEDiscovery(tv, dtv, p, pkt + ETHERNET_HEADER_LEN,
len - ETHERNET_HEADER_LEN, pq);
break;
case ETHERNET_TYPE_VLAN:
case ETHERNET_TYPE_8021QINQ:
DecodeVLAN(tv, dtv, p, pkt + ETHERNET_HEADER_LEN,
len - ETHERNET_HEADER_LEN, pq);
break;
case ETHERNET_TYPE_MPLS_UNICAST:
case ETHERNET_TYPE_MPLS_MULTICAST:
DecodeMPLS(tv, dtv, p, pkt + ETHERNET_HEADER_LEN,
len - ETHERNET_HEADER_LEN, pq);
break;
default:
SCLogDebug("p %p pkt %p ether type %04x not supported", p,
pkt, ntohs(p->ethh->eth_type));
}
return TM_ECODE_OK;
}
static inline void FlowUpdateCounter(ThreadVars *tv, DecodeThreadVars *dtv,
uint8_t proto)
{
#ifdef UNITTESTS
if (tv && dtv) {
#endif
switch (proto){
case IPPROTO_UDP:
StatsIncr(tv, dtv->counter_flow_udp);
break;
case IPPROTO_TCP:
StatsIncr(tv, dtv->counter_flow_tcp);
break;
case IPPROTO_ICMP:
StatsIncr(tv, dtv->counter_flow_icmp4);
break;
case IPPROTO_ICMPV6:
StatsIncr(tv, dtv->counter_flow_icmp6);
break;
}
#ifdef UNITTESTS
}
#endif
}
int DecodeSCTP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
{
StatsIncr(tv, dtv->counter_sctp);
if (unlikely(DecodeSCTPPacket(tv, p,pkt,len) < 0)) {
p->sctph = NULL;
return TM_ECODE_FAILED;
}
#ifdef DEBUG
SCLogDebug("SCTP sp: %" PRIu32 " -> dp: %" PRIu32,
SCTP_GET_SRC_PORT(p), SCTP_GET_DST_PORT(p));
#endif
FlowSetupPacket(p);
return TM_ECODE_OK;
}
/**
* \brief Function to decode IPv6 in IPv6 packets
*
*/
static int DecodeIP6inIP6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t plen, PacketQueue *pq)
{
if (unlikely(plen < IPV6_HEADER_LEN)) {
ENGINE_SET_INVALID_EVENT(p, IPV6_IN_IPV6_PKT_TOO_SMALL);
return TM_ECODE_FAILED;
}
if (IP_GET_RAW_VER(pkt) == 6) {
if (unlikely(pq != NULL)) {
Packet *tp = PacketTunnelPktSetup(tv, dtv, p, pkt, plen, DECODE_TUNNEL_IPV6, pq);
if (tp != NULL) {
PKT_SET_SRC(tp, PKT_SRC_DECODER_IPV6);
PacketEnqueue(pq,tp);
StatsIncr(tv, dtv->counter_ipv6inipv6);
}
}
} else {
ENGINE_SET_EVENT(p, IPV6_IN_IPV6_WRONG_IP_VER);
}
return TM_ECODE_OK;
}
int DecodeTCP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
{
StatsIncr(tv, dtv->counter_tcp);
if (unlikely(DecodeTCPPacket(tv, p,pkt,len) < 0)) {
SCLogDebug("invalid TCP packet");
p->tcph = NULL;
return TM_ECODE_FAILED;
}
#ifdef DEBUG
SCLogDebug("TCP sp: %" PRIu32 " -> dp: %" PRIu32 " - HLEN: %" PRIu32 " LEN: %" PRIu32 " %s%s%s%s%s",
GET_TCP_SRC_PORT(p), GET_TCP_DST_PORT(p), TCP_GET_HLEN(p), len,
TCP_HAS_SACKOK(p) ? "SACKOK " : "", TCP_HAS_SACK(p) ? "SACK " : "",
TCP_HAS_WSCALE(p) ? "WS " : "", TCP_HAS_TS(p) ? "TS " : "",
TCP_HAS_MSS(p) ? "MSS " : "");
#endif
/* Flow is an integral part of us */
FlowHandlePacket(tv, dtv, p);
return TM_ECODE_OK;
}
/**
* \brief Function to decode IPv4 in IPv6 packets
*
*/
static void DecodeIPv4inIPv6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t plen, PacketQueue *pq)
{
if (unlikely(plen < IPV4_HEADER_LEN)) {
ENGINE_SET_INVALID_EVENT(p, IPV4_IN_IPV6_PKT_TOO_SMALL);
return;
}
if (IP_GET_RAW_VER(pkt) == 4) {
if (pq != NULL) {
Packet *tp = PacketTunnelPktSetup(tv, dtv, p, pkt, plen, DECODE_TUNNEL_IPV4, pq);
if (tp != NULL) {
PKT_SET_SRC(tp, PKT_SRC_DECODER_IPV6);
/* add the tp to the packet queue. */
PacketEnqueue(pq,tp);
StatsIncr(tv, dtv->counter_ipv4inipv6);
return;
}
}
} else {
ENGINE_SET_EVENT(p, IPV4_IN_IPV6_WRONG_IP_VER);
}
return;
}
int DecodePPP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
{
StatsIncr(tv, dtv->counter_ppp);
if (unlikely(len < PPP_HEADER_LEN)) {
ENGINE_SET_INVALID_EVENT(p, PPP_PKT_TOO_SMALL);
return TM_ECODE_FAILED;
}
p->ppph = (PPPHdr *)pkt;
if (unlikely(p->ppph == NULL))
return TM_ECODE_FAILED;
SCLogDebug("p %p pkt %p PPP protocol %04x Len: %" PRId32 "",
p, pkt, ntohs(p->ppph->protocol), len);
switch (ntohs(p->ppph->protocol))
{
case PPP_VJ_UCOMP:
if (unlikely(len < (PPP_HEADER_LEN + IPV4_HEADER_LEN))) {
ENGINE_SET_INVALID_EVENT(p,PPPVJU_PKT_TOO_SMALL);
p->ppph = NULL;
return TM_ECODE_FAILED;
}
if (likely(IPV4_GET_RAW_VER((IPV4Hdr *)(pkt + PPP_HEADER_LEN)) == 4)) {
return DecodeIPV4(tv, dtv, p, pkt + PPP_HEADER_LEN, len - PPP_HEADER_LEN, pq);
} else
return TM_ECODE_FAILED;
break;
case PPP_IP:
if (unlikely(len < (PPP_HEADER_LEN + IPV4_HEADER_LEN))) {
ENGINE_SET_INVALID_EVENT(p,PPPIPV4_PKT_TOO_SMALL);
p->ppph = NULL;
return TM_ECODE_FAILED;
}
return DecodeIPV4(tv, dtv, p, pkt + PPP_HEADER_LEN, len - PPP_HEADER_LEN, pq);
/* PPP IPv6 was not tested */
case PPP_IPV6:
if (unlikely(len < (PPP_HEADER_LEN + IPV6_HEADER_LEN))) {
ENGINE_SET_INVALID_EVENT(p,PPPIPV6_PKT_TOO_SMALL);
p->ppph = NULL;
return TM_ECODE_FAILED;
}
return DecodeIPV6(tv, dtv, p, pkt + PPP_HEADER_LEN, len - PPP_HEADER_LEN, pq);
case PPP_VJ_COMP:
case PPP_IPX:
case PPP_OSI:
case PPP_NS:
case PPP_DECNET:
case PPP_APPLE:
case PPP_BRPDU:
case PPP_STII:
case PPP_VINES:
case PPP_HELLO:
case PPP_LUXCOM:
case PPP_SNS:
case PPP_MPLS_UCAST:
case PPP_MPLS_MCAST:
case PPP_IPCP:
case PPP_OSICP:
case PPP_NSCP:
case PPP_DECNETCP:
case PPP_APPLECP:
case PPP_IPXCP:
case PPP_STIICP:
case PPP_VINESCP:
case PPP_IPV6CP:
case PPP_MPLSCP:
case PPP_LCP:
case PPP_PAP:
case PPP_LQM:
case PPP_CHAP:
ENGINE_SET_EVENT(p,PPP_UNSUP_PROTO);
return TM_ECODE_OK;
default:
SCLogDebug("unknown PPP protocol: %" PRIx32 "",ntohs(p->ppph->protocol));
ENGINE_SET_INVALID_EVENT(p, PPP_WRONG_TYPE);
return TM_ECODE_OK;
}
}
/** DecodeICMPV4
* \brief Main ICMPv4 decoding function
*/
int DecodeICMPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
{
StatsIncr(tv, dtv->counter_icmpv4);
if (len < ICMPV4_HEADER_LEN) {
ENGINE_SET_INVALID_EVENT(p, ICMPV4_PKT_TOO_SMALL);
return TM_ECODE_FAILED;
}
p->icmpv4h = (ICMPV4Hdr *)pkt;
SCLogDebug("ICMPV4 TYPE %" PRIu32 " CODE %" PRIu32 "", p->icmpv4h->type, p->icmpv4h->code);
p->proto = IPPROTO_ICMP;
p->type = p->icmpv4h->type;
p->code = p->icmpv4h->code;
p->payload = pkt + ICMPV4_HEADER_LEN;
p->payload_len = len - ICMPV4_HEADER_LEN;
ICMPV4ExtHdr* icmp4eh = (ICMPV4ExtHdr*) p->icmpv4h;
switch (p->icmpv4h->type)
{
case ICMP_ECHOREPLY:
p->icmpv4vars.id=icmp4eh->id;
p->icmpv4vars.seq=icmp4eh->seq;
if (p->icmpv4h->code!=0) {
ENGINE_SET_EVENT(p,ICMPV4_UNKNOWN_CODE);
}
break;
case ICMP_DEST_UNREACH:
if (p->icmpv4h->code > NR_ICMP_UNREACH) {
ENGINE_SET_EVENT(p,ICMPV4_UNKNOWN_CODE);
} else {
/* parse IP header plus 64 bytes */
if (len > ICMPV4_HEADER_PKT_OFFSET) {
if (DecodePartialIPV4(p, (uint8_t *)(pkt + ICMPV4_HEADER_PKT_OFFSET),
len - ICMPV4_HEADER_PKT_OFFSET ) == 0)
{
/* ICMP ICMP_DEST_UNREACH influence TCP/UDP flows */
if (ICMPV4_DEST_UNREACH_IS_VALID(p)) {
FlowHandlePacket(tv, dtv, p);
}
}
}
}
break;
case ICMP_SOURCE_QUENCH:
if (p->icmpv4h->code!=0) {
ENGINE_SET_EVENT(p,ICMPV4_UNKNOWN_CODE);
} else {
// parse IP header plus 64 bytes
if (len >= ICMPV4_HEADER_PKT_OFFSET)
DecodePartialIPV4( p, (uint8_t*) (pkt + ICMPV4_HEADER_PKT_OFFSET), len - ICMPV4_HEADER_PKT_OFFSET );
}
break;
case ICMP_REDIRECT:
if (p->icmpv4h->code>ICMP_REDIR_HOSTTOS) {
ENGINE_SET_EVENT(p,ICMPV4_UNKNOWN_CODE);
} else {
// parse IP header plus 64 bytes
if (len > ICMPV4_HEADER_PKT_OFFSET)
DecodePartialIPV4( p, (uint8_t*) (pkt + ICMPV4_HEADER_PKT_OFFSET), len - ICMPV4_HEADER_PKT_OFFSET );
}
break;
case ICMP_ECHO:
p->icmpv4vars.id=icmp4eh->id;
p->icmpv4vars.seq=icmp4eh->seq;
if (p->icmpv4h->code!=0) {
ENGINE_SET_EVENT(p,ICMPV4_UNKNOWN_CODE);
}
break;
case ICMP_TIME_EXCEEDED:
if (p->icmpv4h->code>ICMP_EXC_FRAGTIME) {
ENGINE_SET_EVENT(p,ICMPV4_UNKNOWN_CODE);
} else {
// parse IP header plus 64 bytes
if (len > ICMPV4_HEADER_PKT_OFFSET)
DecodePartialIPV4( p, (uint8_t*) (pkt + ICMPV4_HEADER_PKT_OFFSET), len - ICMPV4_HEADER_PKT_OFFSET );
}
break;
case ICMP_PARAMETERPROB:
if (p->icmpv4h->code!=0) {
ENGINE_SET_EVENT(p,ICMPV4_UNKNOWN_CODE);
} else {
// parse IP header plus 64 bytes
if (len > ICMPV4_HEADER_PKT_OFFSET)
DecodePartialIPV4( p, (uint8_t*) (pkt + ICMPV4_HEADER_PKT_OFFSET), len - ICMPV4_HEADER_PKT_OFFSET );
}
break;
case ICMP_TIMESTAMP:
p->icmpv4vars.id=icmp4eh->id;
p->icmpv4vars.seq=icmp4eh->seq;
if (p->icmpv4h->code!=0) {
ENGINE_SET_EVENT(p,ICMPV4_UNKNOWN_CODE);
}
break;
case ICMP_TIMESTAMPREPLY:
p->icmpv4vars.id=icmp4eh->id;
p->icmpv4vars.seq=icmp4eh->seq;
if (p->icmpv4h->code!=0) {
ENGINE_SET_EVENT(p,ICMPV4_UNKNOWN_CODE);
}
break;
case ICMP_INFO_REQUEST:
p->icmpv4vars.id=icmp4eh->id;
p->icmpv4vars.seq=icmp4eh->seq;
if (p->icmpv4h->code!=0) {
ENGINE_SET_EVENT(p,ICMPV4_UNKNOWN_CODE);
}
break;
case ICMP_INFO_REPLY:
p->icmpv4vars.id=icmp4eh->id;
p->icmpv4vars.seq=icmp4eh->seq;
if (p->icmpv4h->code!=0) {
ENGINE_SET_EVENT(p,ICMPV4_UNKNOWN_CODE);
}
break;
case ICMP_ADDRESS:
p->icmpv4vars.id=icmp4eh->id;
p->icmpv4vars.seq=icmp4eh->seq;
if (p->icmpv4h->code!=0) {
ENGINE_SET_EVENT(p,ICMPV4_UNKNOWN_CODE);
}
break;
case ICMP_ADDRESSREPLY:
p->icmpv4vars.id=icmp4eh->id;
p->icmpv4vars.seq=icmp4eh->seq;
if (p->icmpv4h->code!=0) {
ENGINE_SET_EVENT(p,ICMPV4_UNKNOWN_CODE);
}
break;
default:
ENGINE_SET_EVENT(p,ICMPV4_UNKNOWN_TYPE);
}
return TM_ECODE_OK;
}
int DecodeGRE(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
{
uint16_t header_len = GRE_HDR_LEN;
GRESreHdr *gsre = NULL;
StatsIncr(tv, dtv->counter_gre);
if(len < GRE_HDR_LEN) {
ENGINE_SET_INVALID_EVENT(p, GRE_PKT_TOO_SMALL);
return TM_ECODE_FAILED;
}
p->greh = (GREHdr *)pkt;
if(p->greh == NULL)
return TM_ECODE_FAILED;
SCLogDebug("p %p pkt %p GRE protocol %04x Len: %d GRE version %x",
p, pkt, GRE_GET_PROTO(p->greh), len,GRE_GET_VERSION(p->greh));
switch (GRE_GET_VERSION(p->greh))
{
case GRE_VERSION_0:
/* GRE version 0 doenst support the fields below RFC 1701 */
/**
* \todo We need to make sure this does not allow bypassing
* inspection. A server may just ignore these and
* continue processing the packet, but we will not look
* further into it.
*/
if (GRE_FLAG_ISSET_RECUR(p->greh)) {
ENGINE_SET_INVALID_EVENT(p, GRE_VERSION0_RECUR);
return TM_ECODE_OK;
}
if (GREV1_FLAG_ISSET_FLAGS(p->greh)) {
ENGINE_SET_INVALID_EVENT(p, GRE_VERSION0_FLAGS);
return TM_ECODE_OK;
}
/* Adjust header length based on content */
if (GRE_FLAG_ISSET_KY(p->greh))
header_len += GRE_KEY_LEN;
if (GRE_FLAG_ISSET_SQ(p->greh))
header_len += GRE_SEQ_LEN;
if (GRE_FLAG_ISSET_CHKSUM(p->greh) || GRE_FLAG_ISSET_ROUTE(p->greh))
header_len += GRE_CHKSUM_LEN + GRE_OFFSET_LEN;
if (header_len > len) {
ENGINE_SET_INVALID_EVENT(p, GRE_VERSION0_HDR_TOO_BIG);
return TM_ECODE_OK;
}
if (GRE_FLAG_ISSET_ROUTE(p->greh))
{
while (1)
{
if ((header_len + GRE_SRE_HDR_LEN) > len) {
ENGINE_SET_INVALID_EVENT(p,
GRE_VERSION0_MALFORMED_SRE_HDR);
return TM_ECODE_OK;
}
gsre = (GRESreHdr *)(pkt + header_len);
header_len += GRE_SRE_HDR_LEN;
if ((ntohs(gsre->af) == 0) && (gsre->sre_length == 0))
break;
header_len += gsre->sre_length;
if (header_len > len) {
ENGINE_SET_INVALID_EVENT(p,
GRE_VERSION0_MALFORMED_SRE_HDR);
return TM_ECODE_OK;
}
}
}
break;
case GRE_VERSION_1:
/* GRE version 1 doenst support the fields below RFC 1701 */
/**
* \todo We need to make sure this does not allow bypassing
* inspection. A server may just ignore these and
* continue processing the packet, but we will not look
* further into it.
*/
if (GRE_FLAG_ISSET_CHKSUM(p->greh)) {
ENGINE_SET_INVALID_EVENT(p,GRE_VERSION1_CHKSUM);
return TM_ECODE_OK;
}
if (GRE_FLAG_ISSET_ROUTE(p->greh)) {
ENGINE_SET_INVALID_EVENT(p,GRE_VERSION1_ROUTE);
return TM_ECODE_OK;
}
if (GRE_FLAG_ISSET_SSR(p->greh)) {
ENGINE_SET_INVALID_EVENT(p,GRE_VERSION1_SSR);
return TM_ECODE_OK;
}
if (GRE_FLAG_ISSET_RECUR(p->greh)) {
ENGINE_SET_INVALID_EVENT(p,GRE_VERSION1_RECUR);
return TM_ECODE_OK;
}
if (GREV1_FLAG_ISSET_FLAGS(p->greh)) {
ENGINE_SET_INVALID_EVENT(p,GRE_VERSION1_FLAGS);
return TM_ECODE_OK;
}
if (GRE_GET_PROTO(p->greh) != GRE_PROTO_PPP) {
ENGINE_SET_INVALID_EVENT(p,GRE_VERSION1_WRONG_PROTOCOL);
return TM_ECODE_OK;
}
if (!(GRE_FLAG_ISSET_KY(p->greh))) {
ENGINE_SET_INVALID_EVENT(p,GRE_VERSION1_NO_KEY);
return TM_ECODE_OK;
}
header_len += GRE_KEY_LEN;
/* Adjust header length based on content */
if (GRE_FLAG_ISSET_SQ(p->greh))
header_len += GRE_SEQ_LEN;
if (GREV1_FLAG_ISSET_ACK(p->greh))
header_len += GREV1_ACK_LEN;
if (header_len > len) {
ENGINE_SET_INVALID_EVENT(p, GRE_VERSION1_HDR_TOO_BIG);
return TM_ECODE_OK;
}
break;
default:
ENGINE_SET_INVALID_EVENT(p, GRE_WRONG_VERSION);
return TM_ECODE_OK;
}
switch (GRE_GET_PROTO(p->greh))
{
case ETHERNET_TYPE_IP:
{
if (pq != NULL) {
Packet *tp = PacketTunnelPktSetup(tv, dtv, p, pkt + header_len,
len - header_len, DECODE_TUNNEL_IPV4, pq);
if (tp != NULL) {
PKT_SET_SRC(tp, PKT_SRC_DECODER_GRE);
PacketEnqueue(pq,tp);
}
}
break;
}
case GRE_PROTO_PPP:
{
if (pq != NULL) {
Packet *tp = PacketTunnelPktSetup(tv, dtv, p, pkt + header_len,
len - header_len, DECODE_TUNNEL_PPP, pq);
if (tp != NULL) {
PKT_SET_SRC(tp, PKT_SRC_DECODER_GRE);
PacketEnqueue(pq,tp);
}
}
break;
}
case ETHERNET_TYPE_IPV6:
{
if (pq != NULL) {
Packet *tp = PacketTunnelPktSetup(tv, dtv, p, pkt + header_len,
len - header_len, DECODE_TUNNEL_IPV6, pq);
if (tp != NULL) {
PKT_SET_SRC(tp, PKT_SRC_DECODER_GRE);
PacketEnqueue(pq,tp);
}
}
break;
}
case ETHERNET_TYPE_VLAN:
{
if (pq != NULL) {
Packet *tp = PacketTunnelPktSetup(tv, dtv, p, pkt + header_len,
len - header_len, DECODE_TUNNEL_VLAN, pq);
if (tp != NULL) {
PKT_SET_SRC(tp, PKT_SRC_DECODER_GRE);
PacketEnqueue(pq,tp);
}
}
break;
}
case ETHERNET_TYPE_ERSPAN:
{
if (pq != NULL) {
Packet *tp = PacketTunnelPktSetup(tv, dtv, p, pkt + header_len,
len - header_len, DECODE_TUNNEL_ERSPAN, pq);
if (tp != NULL) {
PKT_SET_SRC(tp, PKT_SRC_DECODER_GRE);
PacketEnqueue(pq,tp);
}
}
break;
}
case ETHERNET_TYPE_BRIDGE:
{
if (pq != NULL) {
Packet *tp = PacketTunnelPktSetup(tv, dtv, p, pkt + header_len,
len - header_len, DECODE_TUNNEL_ETHERNET, pq);
if (tp != NULL) {
PKT_SET_SRC(tp, PKT_SRC_DECODER_GRE);
PacketEnqueue(pq,tp);
}
}
break;
}
default:
return TM_ECODE_OK;
}
return TM_ECODE_OK;
}
int DecodeMPLS(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
uint32_t len, PacketQueue *pq)
{
uint32_t shim;
int label;
int event = 0;
StatsIncr(tv, dtv->counter_mpls);
do {
if (len < MPLS_HEADER_LEN) {
ENGINE_SET_INVALID_EVENT(p, MPLS_HEADER_TOO_SMALL);
return TM_ECODE_FAILED;
}
memcpy(&shim, pkt, sizeof(shim));
pkt += MPLS_HEADER_LEN;
len -= MPLS_HEADER_LEN;
} while (MPLS_BOTTOM(shim) == 0);
label = MPLS_LABEL(shim);
if (label == MPLS_LABEL_IPV4) {
if (len > USHRT_MAX) {
return TM_ECODE_FAILED;
}
return DecodeIPV4(tv, dtv, p, pkt, len, pq);
}
else if (label == MPLS_LABEL_ROUTER_ALERT) {
/* Not valid at the bottom of the stack. */
event = MPLS_BAD_LABEL_ROUTER_ALERT;
}
else if (label == MPLS_LABEL_IPV6) {
if (len > USHRT_MAX) {
return TM_ECODE_FAILED;
}
return DecodeIPV6(tv, dtv, p, pkt, len, pq);
}
else if (label == MPLS_LABEL_NULL) {
/* Shouldn't appear on the wire. */
event = MPLS_BAD_LABEL_IMPLICIT_NULL;
}
else if (label < MPLS_MAX_RESERVED_LABEL) {
event = MPLS_BAD_LABEL_RESERVED;
}
if (event) {
goto end;
}
// Make sure we still have enough data. While we only need 1 byte to test
// for IPv4 and IPv4, we need for to check for ethernet.
if (len < MPLS_PW_LEN) {
ENGINE_SET_INVALID_EVENT(p, MPLS_PKT_TOO_SMALL);
return TM_ECODE_FAILED;
}
/* Best guess at inner packet. */
switch (pkt[0] >> 4) {
case MPLS_PROTO_IPV4:
if (len > USHRT_MAX) {
return TM_ECODE_FAILED;
}
DecodeIPV4(tv, dtv, p, pkt, len, pq);
break;
case MPLS_PROTO_IPV6:
if (len > USHRT_MAX) {
return TM_ECODE_FAILED;
}
DecodeIPV6(tv, dtv, p, pkt, len, pq);
break;
case MPLS_PROTO_ETHERNET_PW:
DecodeEthernet(tv, dtv, p, pkt + MPLS_PW_LEN, len - MPLS_PW_LEN,
pq);
break;
default:
ENGINE_SET_INVALID_EVENT(p, MPLS_UNKNOWN_PAYLOAD_TYPE);
return TM_ECODE_OK;
}
end:
if (event) {
ENGINE_SET_EVENT(p, event);
}
return TM_ECODE_OK;
}
int DecodeMPLS(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
uint16_t len, PacketQueue *pq)
{
uint32_t shim;
int label;
int event = 0;
StatsIncr(tv, dtv->counter_mpls);
do {
if (len < MPLS_HEADER_LEN) {
ENGINE_SET_INVALID_EVENT(p, MPLS_HEADER_TOO_SMALL);
return TM_ECODE_FAILED;
}
shim = *(uint32_t *)pkt;
pkt += MPLS_HEADER_LEN;
len -= MPLS_HEADER_LEN;
} while (MPLS_BOTTOM(shim) == 0);
label = MPLS_LABEL(shim);
if (label == MPLS_LABEL_IPV4) {
return DecodeIPV4(tv, dtv, p, pkt, len, pq);
}
else if (label == MPLS_LABEL_ROUTER_ALERT) {
/* Not valid at the bottom of the stack. */
event = MPLS_BAD_LABEL_ROUTER_ALERT;
}
else if (label == MPLS_LABEL_IPV6) {
return DecodeIPV6(tv, dtv, p, pkt, len, pq);
}
else if (label == MPLS_LABEL_NULL) {
/* Shouldn't appear on the wire. */
event = MPLS_BAD_LABEL_IMPLICIT_NULL;
}
else if (label < MPLS_MAX_RESERVED_LABEL) {
event = MPLS_BAD_LABEL_RESERVED;
}
if (event) {
goto end;
}
/* Best guess at inner packet. */
switch (pkt[0] >> 4) {
case MPLS_PROTO_IPV4:
DecodeIPV4(tv, dtv, p, pkt, len, pq);
break;
case MPLS_PROTO_IPV6:
DecodeIPV6(tv, dtv, p, pkt, len, pq);
break;
case MPLS_PROTO_ETHERNET_PW:
DecodeEthernet(tv, dtv, p, pkt + MPLS_PW_LEN, len - MPLS_PW_LEN,
pq);
break;
default:
ENGINE_SET_INVALID_EVENT(p, MPLS_UNKNOWN_PAYLOAD_TYPE);
return TM_ECODE_OK;
}
end:
if (event) {
ENGINE_SET_EVENT(p, event);
}
return TM_ECODE_OK;
}
/**
* \brief Main decoding function for PPPOE Discovery packets
*/
int DecodePPPOEDiscovery(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
{
StatsIncr(tv, dtv->counter_pppoe);
if (len < PPPOE_DISCOVERY_HEADER_MIN_LEN) {
ENGINE_SET_INVALID_EVENT(p, PPPOE_PKT_TOO_SMALL);
return TM_ECODE_FAILED;
}
p->pppoedh = (PPPOEDiscoveryHdr *)pkt;
if (p->pppoedh == NULL)
return TM_ECODE_FAILED;
/* parse the PPPOE code */
switch (p->pppoedh->pppoe_code)
{
case PPPOE_CODE_PADI:
break;
case PPPOE_CODE_PADO:
break;
case PPPOE_CODE_PADR:
break;
case PPPOE_CODE_PADS:
break;
case PPPOE_CODE_PADT:
break;
default:
SCLogDebug("unknown PPPOE code: 0x%0"PRIX8"", p->pppoedh->pppoe_code);
ENGINE_SET_INVALID_EVENT(p, PPPOE_WRONG_CODE);
return TM_ECODE_OK;
}
/* parse any tags we have in the packet */
uint16_t tag_length = 0;
PPPOEDiscoveryTag* pppoedt = (PPPOEDiscoveryTag*) (p->pppoedh + PPPOE_DISCOVERY_HEADER_MIN_LEN);
uint16_t pppoe_length = ntohs(p->pppoedh->pppoe_length);
uint16_t packet_length = len - PPPOE_DISCOVERY_HEADER_MIN_LEN ;
SCLogDebug("pppoe_length %"PRIu16", packet_length %"PRIu16"",
pppoe_length, packet_length);
if (pppoe_length > packet_length) {
SCLogDebug("malformed PPPOE tags");
ENGINE_SET_INVALID_EVENT(p, PPPOE_MALFORMED_TAGS);
return TM_ECODE_OK;
}
while (pppoedt < (PPPOEDiscoveryTag*) (pkt + (len - sizeof(PPPOEDiscoveryTag))) && pppoe_length >=4 && packet_length >=4)
{
#ifdef DEBUG
uint16_t tag_type = ntohs(pppoedt->pppoe_tag_type);
#endif
tag_length = ntohs(pppoedt->pppoe_tag_length);
SCLogDebug ("PPPoE Tag type %x, length %u", tag_type, tag_length);
if (pppoe_length >= (4 + tag_length)) {
pppoe_length -= (4 + tag_length);
} else {
pppoe_length = 0; // don't want an underflow
}
if (packet_length >= 4 + tag_length) {
packet_length -= (4 + tag_length);
} else {
packet_length = 0; // don't want an underflow
}
pppoedt = pppoedt + (4 + tag_length);
}
return TM_ECODE_OK;
}
/**
* \brief Main decoding function for PPPOE Session packets
*/
int DecodePPPOESession(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
{
StatsIncr(tv, dtv->counter_pppoe);
if (len < PPPOE_SESSION_HEADER_LEN) {
ENGINE_SET_INVALID_EVENT(p, PPPOE_PKT_TOO_SMALL);
return TM_ECODE_FAILED;
}
p->pppoesh = (PPPOESessionHdr *)pkt;
if (p->pppoesh == NULL)
return TM_ECODE_FAILED;
SCLogDebug("PPPOE VERSION %" PRIu32 " TYPE %" PRIu32 " CODE %" PRIu32 " SESSIONID %" PRIu32 " LENGTH %" PRIu32 "",
PPPOE_SESSION_GET_VERSION(p->pppoesh), PPPOE_SESSION_GET_TYPE(p->pppoesh), p->pppoesh->pppoe_code, ntohs(p->pppoesh->session_id), ntohs(p->pppoesh->pppoe_length));
/* can't use DecodePPP() here because we only get a single 2-byte word to indicate protocol instead of the full PPP header */
if (ntohs(p->pppoesh->pppoe_length) > 0) {
/* decode contained PPP packet */
switch (ntohs(p->pppoesh->protocol))
{
case PPP_VJ_COMP:
case PPP_IPX:
case PPP_OSI:
case PPP_NS:
case PPP_DECNET:
case PPP_APPLE:
case PPP_BRPDU:
case PPP_STII:
case PPP_VINES:
case PPP_HELLO:
case PPP_LUXCOM:
case PPP_SNS:
case PPP_MPLS_UCAST:
case PPP_MPLS_MCAST:
case PPP_IPCP:
case PPP_OSICP:
case PPP_NSCP:
case PPP_DECNETCP:
case PPP_APPLECP:
case PPP_IPXCP:
case PPP_STIICP:
case PPP_VINESCP:
case PPP_IPV6CP:
case PPP_MPLSCP:
case PPP_LCP:
case PPP_PAP:
case PPP_LQM:
case PPP_CHAP:
ENGINE_SET_EVENT(p,PPP_UNSUP_PROTO);
break;
case PPP_VJ_UCOMP:
if(len < (PPPOE_SESSION_HEADER_LEN + IPV4_HEADER_LEN)) {
ENGINE_SET_INVALID_EVENT(p, PPPVJU_PKT_TOO_SMALL);
return TM_ECODE_OK;
}
if(IPV4_GET_RAW_VER((IPV4Hdr *)(pkt + PPPOE_SESSION_HEADER_LEN)) == 4) {
DecodeIPV4(tv, dtv, p, pkt + PPPOE_SESSION_HEADER_LEN, len - PPPOE_SESSION_HEADER_LEN, pq );
}
break;
case PPP_IP:
if(len < (PPPOE_SESSION_HEADER_LEN + IPV4_HEADER_LEN)) {
ENGINE_SET_INVALID_EVENT(p, PPPIPV4_PKT_TOO_SMALL);
return TM_ECODE_OK;
}
DecodeIPV4(tv, dtv, p, pkt + PPPOE_SESSION_HEADER_LEN, len - PPPOE_SESSION_HEADER_LEN, pq );
break;
/* PPP IPv6 was not tested */
case PPP_IPV6:
if(len < (PPPOE_SESSION_HEADER_LEN + IPV6_HEADER_LEN)) {
ENGINE_SET_INVALID_EVENT(p, PPPIPV6_PKT_TOO_SMALL);
return TM_ECODE_OK;
}
DecodeIPV6(tv, dtv, p, pkt + PPPOE_SESSION_HEADER_LEN, len - PPPOE_SESSION_HEADER_LEN, pq );
break;
default:
SCLogDebug("unknown PPP protocol: %" PRIx32 "",ntohs(p->ppph->protocol));
ENGINE_SET_INVALID_EVENT(p, PPP_WRONG_TYPE);
return TM_ECODE_OK;
}
}
return TM_ECODE_OK;
}
static int LogFilestoreLogger(ThreadVars *tv, void *thread_data, const Packet *p,
File *ff, const uint8_t *data, uint32_t data_len, uint8_t flags, uint8_t dir)
{
SCEnter();
LogFilestoreLogThread *aft = (LogFilestoreLogThread *)thread_data;
char filename[PATH_MAX] = "";
int file_fd = -1;
int ipver = -1;
/* no flow, no htp state */
if (p->flow == NULL) {
SCReturnInt(TM_ECODE_OK);
}
if (PKT_IS_IPV4(p)) {
ipver = AF_INET;
} else if (PKT_IS_IPV6(p)) {
ipver = AF_INET6;
} else {
return 0;
}
SCLogDebug("ff %p, data %p, data_len %u", ff, data, data_len);
char pid_expression[PATH_MAX] = "";
if (FileIncludePid())
snprintf(pid_expression, sizeof(pid_expression), ".%d", getpid());
char base_filename[PATH_MAX] = "";
if (snprintf(base_filename, sizeof(base_filename), "%s/file%s.%u",
g_logfile_base_dir, pid_expression, ff->file_store_id) == sizeof(base_filename))
return -1;
if (snprintf(filename, sizeof(filename), "%s%s", base_filename,
g_working_file_suffix) == sizeof(filename))
return -1;
if (flags & OUTPUT_FILEDATA_FLAG_OPEN) {
aft->file_cnt++;
/* create a .meta file that contains time, src/dst/sp/dp/proto */
LogFilestoreLogCreateMetaFile(p, ff, base_filename, ipver);
if (SC_ATOMIC_GET(filestore_open_file_cnt) < FileGetMaxOpenFiles()) {
SC_ATOMIC_ADD(filestore_open_file_cnt, 1);
ff->fd = open(filename, O_CREAT | O_TRUNC | O_NOFOLLOW | O_WRONLY, 0644);
if (ff->fd == -1) {
SCLogDebug("failed to create file");
return -1;
}
file_fd = ff->fd;
} else {
file_fd = open(filename, O_CREAT | O_TRUNC | O_NOFOLLOW | O_WRONLY, 0644);
if (file_fd == -1) {
SCLogDebug("failed to create file");
return -1;
}
if (FileGetMaxOpenFiles() > 0) {
StatsIncr(tv, aft->counter_max_hits);
}
ff->fd = -1;
}
/* we can get called with a NULL ffd when we need to close */
} else if (data != NULL) {
if (ff->fd == -1) {
file_fd = open(filename, O_APPEND | O_NOFOLLOW | O_WRONLY);
if (file_fd == -1) {
SCLogDebug("failed to open file %s: %s", filename, strerror(errno));
return -1;
}
} else {
file_fd = ff->fd;
}
}
if (file_fd != -1) {
ssize_t r = write(file_fd, (const void *)data, (size_t)data_len);
if (r == -1) {
SCLogDebug("write failed: %s", strerror(errno));
if (ff->fd != -1) {
SC_ATOMIC_SUB(filestore_open_file_cnt, 1);
}
ff->fd = -1;
}
if (ff->fd == -1) {
close(file_fd);
}
}
if (flags & OUTPUT_FILEDATA_FLAG_CLOSE) {
if (ff->fd != -1) {
close(ff->fd);
ff->fd = -1;
SC_ATOMIC_SUB(filestore_open_file_cnt, 1);
}
LogFilestoreFinalizeFiles(ff);
}
return 0;
}
/**
* \brief Process a DAG record into a TM packet buffer.
* \param prec pointer to a DAG record.
* \param
*/
static inline TmEcode
ProcessErfDagRecord(ErfDagThreadVars *ewtn, char *prec)
{
SCEnter();
int wlen = 0;
int rlen = 0;
int hdr_num = 0;
char hdr_type = 0;
dag_record_t *dr = (dag_record_t*)prec;
erf_payload_t *pload;
Packet *p;
hdr_type = dr->type;
wlen = ntohs(dr->wlen);
rlen = ntohs(dr->rlen);
/* count extension headers */
while (hdr_type & 0x80) {
if (rlen < (dag_record_size + (hdr_num * 8))) {
SCLogError(SC_ERR_UNIMPLEMENTED,
"Insufficient captured packet length.");
SCReturnInt(TM_ECODE_FAILED);
}
hdr_type = prec[(dag_record_size + (hdr_num * 8))];
hdr_num++;
}
/* Check that the whole frame was captured */
if (rlen < (dag_record_size + (8 * hdr_num) + 2 + wlen)) {
SCLogInfo("Incomplete frame captured.");
SCReturnInt(TM_ECODE_OK);
}
/* skip over extension headers */
pload = (erf_payload_t *)(prec + dag_record_size + (8 * hdr_num));
p = PacketGetFromQueueOrAlloc();
if (p == NULL) {
SCLogError(SC_ERR_MEM_ALLOC,
"Failed to allocate a Packet on stream: %d, DAG: %s",
ewtn->dagstream, ewtn->dagname);
SCReturnInt(TM_ECODE_FAILED);
}
PKT_SET_SRC(p, PKT_SRC_WIRE);
SET_PKT_LEN(p, wlen);
p->datalink = LINKTYPE_ETHERNET;
/* Take into account for link type Ethernet ETH frame starts
* after ther ERF header + pad.
*/
if (unlikely(PacketCopyData(p, pload->eth.dst, GET_PKT_LEN(p)))) {
TmqhOutputPacketpool(ewtn->tv, p);
SCReturnInt(TM_ECODE_FAILED);
}
/* Convert ERF time to timeval - from libpcap. */
uint64_t ts = dr->ts;
p->ts.tv_sec = ts >> 32;
ts = (ts & 0xffffffffULL) * 1000000;
ts += 0x80000000; /* rounding */
p->ts.tv_usec = ts >> 32;
if (p->ts.tv_usec >= 1000000) {
p->ts.tv_usec -= 1000000;
p->ts.tv_sec++;
}
StatsIncr(ewtn->tv, ewtn->packets);
ewtn->bytes += wlen;
if (TmThreadsSlotProcessPkt(ewtn->tv, ewtn->slot, p) != TM_ECODE_OK) {
TmqhOutputPacketpool(ewtn->tv, p);
SCReturnInt(TM_ECODE_FAILED);
}
SCReturnInt(TM_ECODE_OK);
}
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
{
int ret;
StatsIncr(tv, dtv->counter_ipv6);
/* do the actual decoding */
ret = DecodeIPV6Packet (tv, dtv, p, pkt, len);
if (unlikely(ret < 0)) {
p->ip6h = NULL;
return TM_ECODE_FAILED;
}
#ifdef DEBUG
if (SCLogDebugEnabled()) { /* only convert the addresses if debug is really enabled */
/* debug print */
char s[46], d[46];
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), s, sizeof(s));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), d, sizeof(d));
SCLogDebug("IPV6 %s->%s - CLASS: %" PRIu32 " FLOW: %" PRIu32 " NH: %" PRIu32 " PLEN: %" PRIu32 " HLIM: %" PRIu32 "", s,d,
IPV6_GET_CLASS(p), IPV6_GET_FLOW(p), IPV6_GET_NH(p), IPV6_GET_PLEN(p),
IPV6_GET_HLIM(p));
}
#endif /* DEBUG */
/* now process the Ext headers and/or the L4 Layer */
switch(IPV6_GET_NH(p)) {
case IPPROTO_TCP:
IPV6_SET_L4PROTO (p, IPPROTO_TCP);
DecodeTCP(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
return TM_ECODE_OK;
case IPPROTO_UDP:
IPV6_SET_L4PROTO (p, IPPROTO_UDP);
DecodeUDP(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
return TM_ECODE_OK;
case IPPROTO_ICMPV6:
IPV6_SET_L4PROTO (p, IPPROTO_ICMPV6);
DecodeICMPV6(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
return TM_ECODE_OK;
case IPPROTO_SCTP:
IPV6_SET_L4PROTO (p, IPPROTO_SCTP);
DecodeSCTP(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
return TM_ECODE_OK;
case IPPROTO_IPIP:
IPV6_SET_L4PROTO(p, IPPROTO_IPIP);
DecodeIPv4inIPv6(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
return TM_ECODE_OK;
case IPPROTO_IPV6:
DecodeIP6inIP6(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
return TM_ECODE_OK;
case IPPROTO_FRAGMENT:
case IPPROTO_HOPOPTS:
case IPPROTO_ROUTING:
case IPPROTO_NONE:
case IPPROTO_DSTOPTS:
case IPPROTO_AH:
case IPPROTO_ESP:
case IPPROTO_MH:
case IPPROTO_HIP:
case IPPROTO_SHIM6:
DecodeIPV6ExtHdrs(tv, dtv, p, pkt + IPV6_HEADER_LEN, IPV6_GET_PLEN(p), pq);
break;
case IPPROTO_ICMP:
ENGINE_SET_EVENT(p,IPV6_WITH_ICMPV4);
break;
default:
ENGINE_SET_EVENT(p, IPV6_UNKNOWN_NEXT_HEADER);
IPV6_SET_L4PROTO (p, IPV6_GET_NH(p));
break;
}
p->proto = IPV6_GET_L4PROTO (p);
/* Pass to defragger if a fragment. */
if (IPV6_EXTHDR_ISSET_FH(p)) {
Packet *rp = Defrag(tv, dtv, p, pq);
if (rp != NULL) {
PacketEnqueue(pq,rp);
}
}
return TM_ECODE_OK;
}
