action handling: define and use macros

The action field in Packet structure should not be accessed directly as the tunneled packet needs to update the root packet and not the initial packet. This patch is fixing issue #819 where suricata was not able to drop fragmented packets in AF_PACKET IPS mode. It also fixes drop capability for tunneled packets.
12 years ago · efaa9a7302
parent 429b5cec10
commit efaa9a7302
6 changed files with 18 additions and 7 deletions
--- a/src/decode.h
+++ b/src/decode.h
@ -779,6 +779,17 @@ typedef struct DecodeThreadVars_
     ((p)->action = ACTION_PASS)); \
 } while (0)

+#define TEST_PACKET_ACTION(p, a) \
+    ((p)->root ? \
+     ((p)->root->action & a) : \
+     ((p)->action & a))
+
+#define UPDATE_PACKET_ACTION(p, a) do { \
+    ((p)->root ? \
+     ((p)->root->action |= a) : \
+     ((p)->action |= a)); \
+} while (0)
+
 #define TUNNEL_INCR_PKT_RTV(p) do {                                                 \
        SCMutexLock((p)->root ? &(p)->root->tunnel_mutex : &(p)->tunnel_mutex);     \
        ((p)->root ? (p)->root->tunnel_rtv_cnt++ : (p)->tunnel_rtv_cnt++);          \
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@ -248,7 +248,7 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
            }

            /* set verdict on packet */
-            p->action |= p->alerts.alerts[i].action;
+            UPDATE_PACKET_ACTION(p, p->alerts.alerts[i].action);

            if (p->action & ACTION_PASS) {
                /* Ok, reset the alert cnt to end in the previous of pass
--- a/src/detect-engine-iponly.c
+++ b/src/detect-engine-iponly.c
@ -1076,7 +1076,7 @@ void IPOnlyMatchPacket(ThreadVars *tv,
                            PacketAlertAppend(det_ctx, s, p, 0);
                    } else {
                        /* apply actions for noalert/rule suppressed as well */
-                        p->action |= s->action;
+                        UPDATE_PACKET_ACTION(p, s->action);
                    }
                }
            }
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
@ -614,7 +614,7 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
                if (!(s->flags & SIG_FLAG_NOALERT)) {
                    PacketAlertAppend(det_ctx, s, p, 0);
                } else {
-                    p->action |= s->action;
+                    UPDATE_PACKET_ACTION(p, s->action);
                }
            }

--- a/src/detect.c
+++ b/src/detect.c
@ -1342,7 +1342,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
            if (p->flow->flags & FLOW_ACTION_DROP)
            {
                alert_flags = PACKET_ALERT_FLAG_DROP_FLOW;
-                p->action |= ACTION_DROP;
+                UPDATE_PACKET_ACTION(p, ACTION_DROP);
            }
        }

@ -1626,7 +1626,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
                PacketAlertAppend(det_ctx, s, p, alert_flags);
        } else {
            /* apply actions even if not alerting */
-            p->action |= s->action;
+            UPDATE_PACKET_ACTION(p, s->action);
        }
 next:
        DetectFlowvarProcessList(det_ctx, p->flow);
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@ -4006,7 +4006,7 @@ static int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
        FlowSetNoPacketInspectionFlag(p->flow);
        DecodeSetNoPacketInspectionFlag(p);
        FlowSetSessionNoApplayerInspectionFlag(p->flow);
-        p->action |= ACTION_DROP;
+        UPDATE_PACKET_ACTION(p, ACTION_DROP);
        /* return the segments to the pool */
        StreamTcpSessionPktFree(p);
        SCReturnInt(0);
@ -4207,7 +4207,7 @@ error:
    }

    if (StreamTcpInlineMode()) {
-        p->action |= ACTION_DROP;
+        UPDATE_PACKET_ACTION(p, ACTION_DROP);
    }
    SCReturnInt(-1);
 }