From e88555caf96feb0a78552f02c48a4a5f294cf196 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Sat, 17 Sep 2016 10:18:08 +0200
Subject: [PATCH] flow: add bypassed states

This patch adds two new states to the flow:
* local bypass: for suricata only bypass, packets belonging to a flow in this state will be discard fast
* capture bypass: capture method is handling the bypass and suricata will discard packets that are currently queued

A bypassed state to flow that will be set on flow when a bypass decision is taken. In the case of capture bypass this will allow to remove faster the flow entry from the flow table instead of waiting for the "established" timeout.
---
 src/flow-manager.c | 6 ++++++
 src/flow.h | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/src/flow-manager.c b/src/flow-manager.c
index 0deb0bc571..0455b90ef0 100644
--- a/src/flow-manager.c
+++ b/src/flow-manager.c
@@ -67,6 +67,8 @@
 #include "output-flow.h"
+#define FLOW_BYPASSED_TIMEOUT 6
+
 /* Run mode selected at suricata.c */
 extern int run_mode;
@@ -203,11 +205,15 @@ static inline uint32_t FlowGetFlowTimeout(const Flow *f, enum FlowState state)
 timeout = flow_timeouts[f->protomap].new_timeout;
 break;
 case FLOW_STATE_ESTABLISHED:
+ case FLOW_STATE_LOCAL_BYPASSED:
 timeout = flow_timeouts[f->protomap].est_timeout;
 break;
 case FLOW_STATE_CLOSED:
 timeout = flow_timeouts[f->protomap].closed_timeout;
 break;
+ case FLOW_STATE_CAPTURE_BYPASSED:
+ timeout = FLOW_BYPASSED_TIMEOUT;
+ break;
 }
 return timeout;
 }
diff --git a/src/flow.h b/src/flow.h
index df5d9a4ac4..ec05ec1765 100644
--- a/src/flow.h
+++ b/src/flow.h
@@ -425,6 +425,8 @@ enum FlowState {
 FLOW_STATE_NEW = 0,
 FLOW_STATE_ESTABLISHED,
 FLOW_STATE_CLOSED,
+ FLOW_STATE_LOCAL_BYPASSED,
+ FLOW_STATE_CAPTURE_BYPASSED,
 };
 typedef struct FlowProtoTimeout_ {
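Review bot: `FLOW_BYPASSED_TIMEOUT` is defined as a bare `6` with no unit and no rationale, and unlike the per-protocol values read from `flow_timeouts[]` it cannot be tuned. The value decides how long a capture-bypassed flow stays in the flow table, and so how long late packets still match the bypassed entry instead of being treated as a new flow. I would document it on the define, e.g. `/* seconds a capture-bypassed flow is kept so already-queued packets still match it */`. The unit is presumably seconds like the other timeouts; that should be confirmed against the `flow_timeouts` fields, which are outside this hunk.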
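Review bot: The two new cases in the `FlowGetFlowTimeout` switch carry no comment explaining why a locally bypassed flow keeps the established timeout while a capture-bypassed one gets a short fixed value. The reasoning is only in the commit message, and a later reader tuning timeouts will not see it. I would add `/* still receives packets; keep tracking so they are discarded early */` above `case FLOW_STATE_LOCAL_BYPASSED:` and `/* capture method drops the traffic; only drain what is already queued */` above `case FLOW_STATE_CAPTURE_BYPASSED:`. The switch also has no `default:`, so a state value outside the enum leaves `timeout` at whatever it was initialised to; the function's start is outside the hunk, so that initialisation cannot be checked here.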
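Review bot: `FLOW_STATE_LOCAL_BYPASSED` and `FLOW_STATE_CAPTURE_BYPASSED` are added to `enum FlowState` without comments, although both mark flows whose packets are no longer inspected, which is worth making explicit where the states are declared. I would annotate them, e.g. `/* bypass handled inside suricata: packets are discarded fast */` and `/* bypass handled by the capture method: only queued packets are still seen */`. Any other `switch` or comparison on `enum FlowState` in the tree (not visible in this patch) should be checked to confirm it handles the two new values deliberately rather than by falling through.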