diff --git a/src/decode.c b/src/decode.c index aa6068bbc0..0dd9fa86fa 100644 --- a/src/decode.c +++ b/src/decode.c @@ -274,6 +274,7 @@ Packet *PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *pare p->ts.tv_sec = parent->ts.tv_sec; p->ts.tv_usec = parent->ts.tv_usec; p->datalink = DLT_RAW; + p->tenant_id = parent->tenant_id; /* set the root ptr to the lowest layer */ if (parent->root != NULL) @@ -345,6 +346,7 @@ Packet *PacketDefragPktSetup(Packet *parent, uint8_t *pkt, uint16_t len, uint8_t p->ts.tv_sec = parent->ts.tv_sec; p->ts.tv_usec = parent->ts.tv_usec; p->datalink = DLT_RAW; + p->tenant_id = parent->tenant_id; /* tell new packet it's part of a tunnel */ SET_TUNNEL_PKT(p); p->vlan_id[0] = parent->vlan_id[0]; diff --git a/src/detect.c b/src/detect.c index 7d608a0a24..e420f5e392 100644 --- a/src/detect.c +++ b/src/detect.c @@ -1279,6 +1279,12 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh FLOWLOCK_WRLOCK(pflow); { + /* store tenant_id in the flow so that we can use it + * for creating pseudo packets */ + if (p->tenant_id > 0 && pflow->tenant_id == 0) { + pflow->tenant_id = p->tenant_id; + } + /* live ruleswap check for flow updates */ if (pflow->de_ctx_id == 0) { /* first time this flow is inspected, set id */ @@ -1991,7 +1997,9 @@ TmEcode Detect(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQue return TM_ECODE_OK; } - uint32_t tenant_id = det_ctx->TenantGetId(det_ctx, p); + uint32_t tenant_id = p->tenant_id; + if (tenant_id == 0) + tenant_id = det_ctx->TenantGetId(det_ctx, p); if (tenant_id > 0 && tenant_id < det_ctx->mt_det_ctxs_cnt) { p->tenant_id = tenant_id; det_ctx = GetTenantById(det_ctx->mt_det_ctxs_hash, tenant_id); diff --git a/src/flow-timeout.c b/src/flow-timeout.c index 534875c68b..8df85cddcd 100644 --- a/src/flow-timeout.c +++ b/src/flow-timeout.c @@ -80,6 +80,7 @@ static inline Packet *FlowForceReassemblyPseudoPacketSetup(Packet *p, TcpSession *ssn, int dummy) { + p->tenant_id = f->tenant_id; p->datalink = DLT_RAW; p->proto = IPPROTO_TCP; FlowReference(&p->flow, f); diff --git a/src/flow-util.h b/src/flow-util.h index 38257b1289..ca6a49cccb 100644 --- a/src/flow-util.h +++ b/src/flow-util.h @@ -42,6 +42,7 @@ (f)->proto = 0; \ SC_ATOMIC_INIT((f)->flow_state); \ SC_ATOMIC_INIT((f)->use_cnt); \ + (f)->tenant_id = 0; \ (f)->probing_parser_toserver_alproto_masks = 0; \ (f)->probing_parser_toclient_alproto_masks = 0; \ (f)->flags = 0; \ @@ -86,6 +87,7 @@ (f)->proto = 0; \ SC_ATOMIC_RESET((f)->flow_state); \ SC_ATOMIC_RESET((f)->use_cnt); \ + (f)->tenant_id = 0; \ (f)->probing_parser_toserver_alproto_masks = 0; \ (f)->probing_parser_toclient_alproto_masks = 0; \ (f)->flags = 0; \ diff --git a/src/flow.h b/src/flow.h index caa34c6fc8..eab7377609 100644 --- a/src/flow.h +++ b/src/flow.h @@ -329,6 +329,10 @@ typedef struct Flow_ /** flow queue id, used with autofp */ SC_ATOMIC_DECLARE(int16_t, autofp_tmqh_flow_qid); + /** flow tenant id, used to setup flow timeout and stream pseudo + * packets with the correct tenant id set */ + uint32_t tenant_id; + uint32_t probing_parser_toserver_alproto_masks; uint32_t probing_parser_toclient_alproto_masks; diff --git a/src/stream-tcp.c b/src/stream-tcp.c index 88fe40d4be..6cde865138 100644 --- a/src/stream-tcp.c +++ b/src/stream-tcp.c @@ -5829,6 +5829,8 @@ void StreamTcpPseudoPacketCreateStreamEndPacket(ThreadVars *tv, StreamTcpThread /* Setup the IP and TCP headers */ StreamTcpPseudoPacketSetupHeader(np,p); + np->tenant_id = p->flow->tenant_id; + np->flowflags = p->flowflags; np->flags |= PKT_STREAM_EST;