dcerpc: convert transaction list to vecdeque for UDP

[catenacyber]

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/5518

Describe changes:

• dcerpc: use VecDeque for the UDP parser (as was already done for the TCP one)

[codecov]

Codecov Report

Merging #7756 (86ee4d7) into master (9353b07) will increase coverage by 0.10%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #7756      +/-   ##
==========================================
+ Coverage   75.98%   76.08%   +0.10%     
==========================================
  Files         661      661              
  Lines      185764   185766       +2     
==========================================
+ Hits       141152   141340     +188     
+ Misses      44612    44426     -186     

Flag	Coverage Δ
fuzzcorpus	61.01% <ø> (+0.18%)	⬆️
suricata-verify	52.54% <ø> (+0.02%)	⬆️
unittests	60.70% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

[inashivb]

From what I understand, Deque because of it's structure, is good to be used in cases that require pushing and popping from the front. That's what I saw in one of Jason's commit messages as well. However, all I see are too many push_back calls in the code and just one pop_front call (in dns).
So, I'm interested in learning why using Deque helps in all the other protos where it exists (including dcerpc) in terms of efficiency.

[catenacyber]

VecDeque is good for use when pushing in the back and popping from the front (first in first out)

I think the implementation kind of transforms remove(0) into pop_front that is why we do not see pop_front

This is especially used by AppLayerParserTransactionsCleanup which uses get_tx_iterator

Is it clearer ?

[inashivb]

I think the implementation kind of transforms remove(0) into pop_front that is why we do not see pop_front

I see. Could you please point to the part of code where this is happening?

This is especially used by AppLayerParserTransactionsCleanup which uses get_tx_iterator

Is it clearer ?

Not really. Tried to see this part and it was too magical FFI, I suppose. But, I do get the concept. Thank you. :)

[catenacyber]

I think the implementation kind of transforms remove(0) into pop_front that is why we do not see pop_front

I see. Could you please point to the part of code where this is happening?

Line 104 :

suricata/rust/src/dcerpc/dcerpc_udp.rs

Line 104 in 86ee4d7

self.transactions.remove(index);

self.transactions.remove(index);

[suricata-qa]

WARNING:

field	test	baseline	%
	tlpw2_autofp_stats_chk
.flow.spare	1985105	1812994	109.49%
.flow.memuse	582377728	550537728	105.78%
	tlpw1_stats_chk
.tcp.rst	131628	105279	125.03%
	generic_stats_chk
.capture.kernel_drops	6148222	5654519	108.73%
.flow.end.state.new	18648	14867	125.43%
.flow.end.tcp_state.syn_sent	1207	183	659.56%
.flow.end.tcp_state.syn_recv	73	52	140.38%
.flow.end.tcp_liberal	100800	90436	111.46%
.tcp.segment_memcap_drop	2882	11729	24.57%
.tcp.reassembly_gap	159626	114099	139.9%
.tcp.insert_data_normal_fail	2736	11358	24.09%
.app_layer.error.http.parser	106	55	192.73%
.app_layer.error.smtp.gap	109	61	178.69%
.app_layer.error.tls.gap	70385	60833	115.7%

Pipeline 8725
WARNING: THERE IS A KNOWN BAD BASELINE WITH PACKET DROPS. bE MINDFUL OF ANY RESULTS.

[jasonish]

Looks good!

[victorjulien]

Merged in #7839, thanks!