Pkt ptrs/v39 #10796

Closed
wants to merge 49 commits into from
Closed
86c363b
decode: implement IP_GET_IPPROTO as inline func
victorjulien Mar 22, 2024
4292700
decode: rename IP_GET_IPPROTO to PacketGetIPProto
victorjulien Mar 22, 2024
9811780
decode: turn PKT_IS_IPV4/PKT_IS_IPV6 into functions
victorjulien Mar 22, 2024
4231b6c
alert/syslog: only hold lock for syslog call
victorjulien Mar 22, 2024
c8e70c0
alert/syslog: minor code cleanups
victorjulien Mar 22, 2024
8a708c0
alert/syslog: stringify addresses outside alert loop
victorjulien Mar 22, 2024
3c3143b
alert/syslog: fetch ipproto once
victorjulien Mar 22, 2024
7639a69
flow: avoid direct IP header checks
victorjulien Mar 22, 2024
66ac3b5
decode: reduce macro use in IPv4/IPv6
victorjulien Mar 23, 2024
5ceae74
defrag: fix wrong datalink being logged
victorjulien Mar 23, 2024
15c2da9
defrag: track ip hdr offset in tracker
victorjulien Mar 24, 2024
a83dd16
validate: remove ip4h/ip6h check
victorjulien Mar 25, 2024
c665e7c
decode: clean up pointer list
victorjulien Mar 26, 2024
8df6246
decode/ipv4: prep for turning ip4h/ip6h into union
victorjulien Mar 25, 2024
1b83d87
decode/ipv6: prep for turning ip4h/ip6h into union
victorjulien Mar 26, 2024
8f7ff22
decode/ipv4: minor test cleanups
victorjulien Mar 28, 2024
f78b2ea
decode/tcp: optimize SACKOK storage
victorjulien Mar 27, 2024
11920c3
decode/tcp: reduce space needed for MSS tracking
victorjulien Mar 27, 2024
921bb80
decode/tcp: reduce space needed for tracking TFO
victorjulien Mar 27, 2024
cffea91
decode/tcp: reduce size needed for tracking WSCALE
victorjulien Mar 27, 2024
e80c56e
decode/tcp: minor struct layout optimization
victorjulien Mar 27, 2024
c25a810
decode/tcp: reduce size needed for SACK tracking
victorjulien Mar 27, 2024
a56fc57
decode/icmpv4: remove unused Packet members
victorjulien Mar 27, 2024
6d75008
decode/icmpv4: shrink icmpv4 packet vars
victorjulien Mar 27, 2024
9cf2606
decode/icmpv6: remove unused L4 header pointers from Packet
victorjulien Mar 27, 2024
7f132cb
decode/icmpv6: remove embedded address storage
victorjulien Mar 27, 2024
1234690
decode/icmpv6: remove unused error_ptr field
victorjulien Mar 27, 2024
5f9097b
decode/icmpv6: improve packet vars layout
victorjulien Mar 27, 2024
c93aaae
decode: use macro's instead of direct ptr checks
victorjulien Mar 28, 2024
5cb05d8
decode: refactor L3 checkum handling
victorjulien Apr 5, 2024
d329a70
decode/icmpv4: switch ptr checks to PKT_IS_ICMPV4
victorjulien Mar 28, 2024
1ba29c0
decode: start l4 packet area; convert csum handling
victorjulien Apr 5, 2024
1a83386
decode/tcp: add and use PacketIsTCP inline func
victorjulien Mar 28, 2024
6a881cc
decode/udp: add and use PacketIsUDP inline func
victorjulien Mar 28, 2024
2f51b16
decode/icmpv4: add and use PacketIsICMPv4 inline func
victorjulien Mar 28, 2024
e9fd096
decode/icmpv6: switch ptr checks to PKT_IS_ICMPV6
victorjulien Mar 28, 2024
b1c97f7
decode/icmpv6: add and use PacketIsICMPv6 inline func
victorjulien Mar 28, 2024
6a260e7
decode/sctp: move sctph into L4 packet data
victorjulien Mar 29, 2024
1f9db08
decode/gre: move greh into L4 packet data
victorjulien Mar 29, 2024
43bff2c
decode/esp: move esph into L4 packet data
victorjulien Mar 30, 2024
c5a707c
decode/icmpv6: move icmpv6h into L4 packet data
victorjulien Apr 5, 2024
4f8b673
decode/icmpv4: move icmpv4h into L4 packet data
victorjulien Mar 30, 2024
e8d7412
decode/pppoe: localize pppoesh header pointer
victorjulien Mar 29, 2024
41ff6fc
decode/pppoe: localize pppoedh pointer
victorjulien Mar 29, 2024
c556466
decode/ethernet: move ethh into L2 section
victorjulien Apr 2, 2024
ad27b10
decode/ppp: move ppph into L2 packet data
victorjulien Mar 29, 2024
6eef740
decode/udp: move udph into L4 packet data
victorjulien Apr 2, 2024
406bf33
decode/tcp: move tcph into L4 packet data
victorjulien Apr 3, 2024
2acf8df
af-packet: fix eBPF/XDP compilation
victorjulien Apr 9, 2024
21 changes: 11 additions & 10 deletions src/alert-debuglog.c
Expand Up @@ -173,11 +173,11 @@ static TmEcode AlertDebugLogger(ThreadVars *tv, const Packet *p, void *thread_da
MemBufferWriteString(aft->buffer, "PKT SRC: %s\n", pkt_src_str);

char srcip[46], dstip[46];
if (PKT_IS_IPV4(p)) {
if (PacketIsIPv4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
} else {
DEBUG_VALIDATE_BUG_ON(!(PKT_IS_IPV6(p)));
DEBUG_VALIDATE_BUG_ON(!(PacketIsIPv6(p)));
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
}
Expand All @@ -186,14 +186,16 @@ static TmEcode AlertDebugLogger(ThreadVars *tv, const Packet *p, void *thread_da
"DST IP: %s\n"
"PROTO: %" PRIu32 "\n",
srcip, dstip, p->proto);
if (PKT_IS_TCP(p) || PKT_IS_UDP(p)) {
if (PacketIsTCP(p) || PacketIsUDP(p)) {
MemBufferWriteString(aft->buffer, "SRC PORT: %" PRIu32 "\n"
"DST PORT: %" PRIu32 "\n",
p->sp, p->dp);
if (PKT_IS_TCP(p)) {
MemBufferWriteString(aft->buffer, "TCP SEQ: %"PRIu32"\n"
"TCP ACK: %"PRIu32"\n",
TCP_GET_SEQ(p), TCP_GET_ACK(p));
if (PacketIsTCP(p)) {
const TCPHdr *tcph = PacketGetTCP(p);
MemBufferWriteString(aft->buffer,
"TCP SEQ: %" PRIu32 "\n"
"TCP ACK: %" PRIu32 "\n",
TCP_GET_RAW_SEQ(tcph), TCP_GET_RAW_ACK(tcph));
}
}

Expand Down Expand Up @@ -286,8 +288,7 @@ static TmEcode AlertDebugLogger(ThreadVars *tv, const Packet *p, void *thread_da
/* This is an app layer or stream alert */
int ret;
uint8_t flag;
if (!(PKT_IS_TCP(p)) || p->flow == NULL ||
p->flow->protoctx == NULL) {
if (!(PacketIsTCP(p)) || p->flow == NULL || p->flow->protoctx == NULL) {
return TM_ECODE_OK;
}
/* IDS mode reverse the data */
Expand Down Expand Up @@ -473,7 +474,7 @@ static bool AlertDebugLogCondition(ThreadVars *tv, void *thread_data, const Pack

static int AlertDebugLogLogger(ThreadVars *tv, void *thread_data, const Packet *p)
{
if (PKT_IS_IPV4(p) || PKT_IS_IPV6(p)) {
if (PacketIsIPv4(p) || PacketIsIPv6(p)) {
return AlertDebugLogger(tv, p, thread_data);
} else if (p->events.cnt > 0) {
return AlertDebugLogDecoderEvent(tv, p, thread_data);
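Review bot: The `else` branch in the first hunk of AlertDebugLogger treats every non-IPv4 packet as IPv6 and checks that only under DEBUG_VALIDATE_BUG_ON, so in a build where that validation is compiled out the IPv6 address formatting runs for anything that is not IPv4. This is safe only because AlertDebugLogLogger, in the last hunk, calls AlertDebugLogger solely when `PacketIsIPv4(p) || PacketIsIPv6(p)`, a contract that is implicit and lives some 300 lines away from the code relying on it. A one-line comment above the `else` would make it explicit: `/* caller (AlertDebugLogLogger) only passes IPv4/IPv6 packets */`. AlertDebugLogger's body starts before and continues past the hunks shown here.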
12 changes: 6 additions & 6 deletions src/alert-fastlog.c
Expand Up @@ -109,10 +109,10 @@ int AlertFastLogger(ThreadVars *tv, void *data, const Packet *p)
CreateTimeString(p->ts, timebuf, sizeof(timebuf));

char srcip[46], dstip[46];
if (PKT_IS_IPV4(p)) {
if (PacketIsIPv4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
} else if (PKT_IS_IPV6(p)) {
} else if (PacketIsIPv6(p)) {
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
} else {
Expand All @@ -129,15 +129,15 @@ int AlertFastLogger(ThreadVars *tv, void *data, const Packet *p)

char proto[16] = "";
const char *protoptr;
if (SCProtoNameValid(IP_GET_IPPROTO(p))) {
protoptr = known_proto[IP_GET_IPPROTO(p)];
if (SCProtoNameValid(PacketGetIPProto(p))) {
protoptr = known_proto[PacketGetIPProto(p)];
} else {
snprintf(proto, sizeof(proto), "PROTO:%03" PRIu32, IP_GET_IPPROTO(p));
snprintf(proto, sizeof(proto), "PROTO:%03" PRIu32, PacketGetIPProto(p));
protoptr = proto;
}
uint16_t src_port_or_icmp = p->sp;
uint16_t dst_port_or_icmp = p->dp;
if (IP_GET_IPPROTO(p) == IPPROTO_ICMP || IP_GET_IPPROTO(p) == IPPROTO_ICMPV6) {
if (PacketGetIPProto(p) == IPPROTO_ICMP || PacketGetIPProto(p) == IPPROTO_ICMPV6) {
src_port_or_icmp = p->icmp_s.type;
dst_port_or_icmp = p->icmp_s.code;
}
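Review bot: In the second hunk the new code calls `PacketGetIPProto(p)` four times in a row (the SCProtoNameValid check, the known_proto index, the snprintf and the ICMP comparison), whereas the alert-syslog.c changes in this same PR fetch the protocol once into a `const uint8_t ipproto` local and format it with PRIu8. Reading it once here would keep the two loggers consistent and stop re-deriving the value from the packet on every use: declare `const uint8_t ipproto = PacketGetIPProto(p);` before the `if` and substitute `ipproto` for the four calls, including the `PRIu32` → `PRIu8` change in the snprintf. This assumes PacketGetIPProto returns the 8-bit protocol number, which the alert-syslog.c locals suggest but which this page does not show. AlertFastLogger's body continues past the end of this hunk.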
60 changes: 27 additions & 33 deletions src/alert-syslog.c
Expand Up @@ -197,48 +197,47 @@ static TmEcode AlertSyslogThreadDeinit(ThreadVars *t, void *data)
static TmEcode AlertSyslogIPv4(ThreadVars *tv, const Packet *p, void *data)
{
AlertSyslogThread *ast = (AlertSyslogThread *)data;
int i;
const char *action = "";

if (p->alerts.cnt == 0)
return TM_ECODE_OK;

char proto[16] = "";
const char *protoptr;
if (SCProtoNameValid(IPV4_GET_IPPROTO(p))) {
protoptr = known_proto[IPV4_GET_IPPROTO(p)];
const IPV4Hdr *ipv4h = PacketGetIPv4(p);
const uint8_t ipproto = IPV4_GET_RAW_IPPROTO(ipv4h);
if (SCProtoNameValid(ipproto)) {
protoptr = known_proto[ipproto];
} else {
snprintf(proto, sizeof(proto), "PROTO:%03" PRIu32, IPV4_GET_IPPROTO(p));
snprintf(proto, sizeof(proto), "PROTO:%03" PRIu8, ipproto);
protoptr = proto;
}

/* Not sure if this mutex is needed around calls to syslog. */
SCMutexLock(&ast->file_ctx->fp_mutex);
char srcip[16], dstip[16];
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));

for (i = 0; i < p->alerts.cnt; i++) {
for (int i = 0; i < p->alerts.cnt; i++) {
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}

char srcip[16], dstip[16];

PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));

if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
action = "[Drop] ";
} else if (pa->action & ACTION_DROP) {
action = "[wDrop] ";
}

/* Not sure if this mutex is needed around calls to syslog. */
SCMutexLock(&ast->file_ctx->fp_mutex);
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
PRIu32 "] %s [Classification: %s] [Priority: %"PRIu32"]"
" {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "", action, pa->s->gid,
pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,
protoptr, srcip, p->sp, dstip, p->dp);
SCMutexUnlock(&ast->file_ctx->fp_mutex);
}
SCMutexUnlock(&ast->file_ctx->fp_mutex);

return TM_ECODE_OK;
}
Expand All @@ -255,49 +254,46 @@ static TmEcode AlertSyslogIPv4(ThreadVars *tv, const Packet *p, void *data)
static TmEcode AlertSyslogIPv6(ThreadVars *tv, const Packet *p, void *data)
{
AlertSyslogThread *ast = (AlertSyslogThread *)data;
int i;
const char *action = "";

if (p->alerts.cnt == 0)
return TM_ECODE_OK;

char proto[16] = "";
const char *protoptr;
if (SCProtoNameValid(IPV6_GET_L4PROTO(p))) {
protoptr = known_proto[IPV6_GET_L4PROTO(p)];
const uint8_t ipproto = IPV6_GET_L4PROTO(p);
if (SCProtoNameValid(ipproto)) {
protoptr = known_proto[ipproto];
} else {
snprintf(proto, sizeof(proto), "PROTO:03%" PRIu32, IPV6_GET_L4PROTO(p));
snprintf(proto, sizeof(proto), "PROTO:03%" PRIu8, ipproto);
protoptr = proto;
}

SCMutexLock(&ast->file_ctx->fp_mutex);
char srcip[46], dstip[46];
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));

for (i = 0; i < p->alerts.cnt; i++) {
for (int i = 0; i < p->alerts.cnt; i++) {
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}

char srcip[46], dstip[46];

PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));

if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
action = "[Drop] ";
} else if (pa->action & ACTION_DROP) {
action = "[wDrop] ";
}

SCMutexLock(&ast->file_ctx->fp_mutex);
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
"" PRIu32 "] %s [Classification: %s] [Priority: %"
"" PRIu32 "] {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "",
action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
pa->s->prio, protoptr, srcip, p->sp,
dstip, p->dp);

SCMutexUnlock(&ast->file_ctx->fp_mutex);
}
SCMutexUnlock(&ast->file_ctx->fp_mutex);

return TM_ECODE_OK;
}
Expand All @@ -314,20 +310,17 @@ static TmEcode AlertSyslogIPv6(ThreadVars *tv, const Packet *p, void *data)
static TmEcode AlertSyslogDecoderEvent(ThreadVars *tv, const Packet *p, void *data)
{
AlertSyslogThread *ast = (AlertSyslogThread *)data;
int i;
const char *action = "";

if (p->alerts.cnt == 0)
return TM_ECODE_OK;

SCMutexLock(&ast->file_ctx->fp_mutex);

char temp_buf_hdr[512];
char temp_buf_pkt[65] = "";
char temp_buf_tail[64];
char alert[2048] = "";

for (i = 0; i < p->alerts.cnt; i++) {
for (int i = 0; i < p->alerts.cnt; i++) {
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
Expand Down Expand Up @@ -357,9 +350,10 @@ static TmEcode AlertSyslogDecoderEvent(ThreadVars *tv, const Packet *p, void *da
}
strlcat(alert, temp_buf_tail, sizeof(alert));

SCMutexLock(&ast->file_ctx->fp_mutex);
syslog(alert_syslog_level, "%s", alert);
SCMutexUnlock(&ast->file_ctx->fp_mutex);
}
SCMutexUnlock(&ast->file_ctx->fp_mutex);

return TM_ECODE_OK;
}
Expand All @@ -371,9 +365,9 @@ static bool AlertSyslogCondition(ThreadVars *tv, void *thread_data, const Packet

static int AlertSyslogLogger(ThreadVars *tv, void *thread_data, const Packet *p)
{
if (PKT_IS_IPV4(p)) {
if (PacketIsIPv4(p)) {
return AlertSyslogIPv4(tv, p, thread_data);
} else if (PKT_IS_IPV6(p)) {
} else if (PacketIsIPv6(p)) {
return AlertSyslogIPv6(tv, p, thread_data);
} else if (p->events.cnt > 0) {
return AlertSyslogDecoderEvent(tv, p, thread_data);
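Review bot: The IPv6 fallback format in AlertSyslogIPv6, `snprintf(proto, sizeof(proto), "PROTO:03%" PRIu8, ipproto);`, puts the `03` width outside the conversion, so an unnamed protocol 47 is logged as `PROTO:0347` rather than `PROTO:047`, unlike the IPv4 counterpart in the hunk above, which uses `"PROTO:%03" PRIu8`. The defect predates this PR, but the line is rewritten here for the PRIu32 → PRIu8 change, so it is the moment to fix it: `snprintf(proto, sizeof(proto), "PROTO:%03" PRIu8, ipproto);`. Separately, in both the IPv4 and IPv6 loggers `action` is declared once before the loop and only ever assigned in the two drop branches, so after one drop alert every later alert on the same packet appears to be prefixed with `[Drop] ` or `[wDrop] ` as well; those lines are context here, but moving `const char *action = "";` inside the loop would be a small follow-up. Both functions extend beyond the hunks shown.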