flow: downgrade to local bypass if we see packets

If we see packets for a capture bypassed flow after some times, it means that the capture method is not handling correctly the bypass so it is better to switch to local bypass method.
9 years ago · 724069626d
parent 4cf887b4f7
commit 724069626d
3 changed files with 9 additions and 2 deletions
--- a/src/flow-manager.c
+++ b/src/flow-manager.c
@ -67,8 +67,6 @@

 #include "output-flow.h"

-#define FLOW_BYPASSED_TIMEOUT   6
-
 /* Run mode selected at suricata.c */
 extern int run_mode;

--- a/src/flow-private.h
+++ b/src/flow-private.h
@ -57,6 +57,8 @@
 #define FLOW_IPPROTO_ICMP_EMERG_NEW_TIMEOUT 10
 #define FLOW_IPPROTO_ICMP_EMERG_EST_TIMEOUT 100

+#define FLOW_BYPASSED_TIMEOUT   6
+
 enum {
    FLOW_PROTO_TCP = 0,
    FLOW_PROTO_UDP,
--- a/src/flow.c
+++ b/src/flow.c
@ -228,6 +228,13 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p)
    if (state != FLOW_STATE_CAPTURE_BYPASSED) {
        /* update the last seen timestamp of this flow */
        COPY_TIMESTAMP(&p->ts, &f->lastts);
+    } else {
+        /* still seeing packet, we downgrade to local bypass */
+        if (p->ts.tv_sec - f->lastts.tv_sec > FLOW_BYPASSED_TIMEOUT / 2) {
+            SCLogDebug("Downgrading flow to local bypass");
+            COPY_TIMESTAMP(&p->ts, &f->lastts);
+            FlowUpdateState(f, FLOW_STATE_LOCAL_BYPASSED);
+        }
    }

    /* update flags and counters */