From efaa9a7302706ff9bb5970ce40be7bcbcf2f0d5c Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Tue, 11 Jun 2013 14:52:11 +0200
Subject: [PATCH] action handling: define and use macros

The action field in Packet structure should not be accessed directly as the tunneled packet needs to update the root packet and not the initial packet. This patch is fixing issue #819 where suricata was not able to drop fragmented packets in AF_PACKET IPS mode. It also fixes drop capability for tunneled packets.
---
 src/decode.h | 11 +++++++++++
 src/detect-engine-alert.c | 2 +-
 src/detect-engine-iponly.c | 2 +-
 src/detect-engine-state.c | 2 +-
 src/detect.c | 4 ++--
 src/stream-tcp.c | 4 ++--
 6 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/src/decode.h b/src/decode.h
index a8b38e0e71..5b4452d7a7 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -779,6 +779,17 @@ typedef struct DecodeThreadVars_
 ((p)->action = ACTION_PASS)); \
 } while (0)
 
+#define TEST_PACKET_ACTION(p, a) \
+ ((p)->root ? \
+ ((p)->root->action & a) : \
+ ((p)->action & a))
+
+#define UPDATE_PACKET_ACTION(p, a) do { \
+ ((p)->root ? \
+ ((p)->root->action |= a) : \
+ ((p)->action |= a)); \
+} while (0)
+
 #define TUNNEL_INCR_PKT_RTV(p) do { \
 SCMutexLock((p)->root ? &(p)->root->tunnel_mutex : &(p)->tunnel_mutex); \
 ((p)->root ? (p)->root->tunnel_rtv_cnt++ : (p)->tunnel_rtv_cnt++); \
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index e102daaa9c..0b08efb638 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -248,7 +248,7 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
 }
 
 /* set verdict on packet */
- p->action |= p->alerts.alerts[i].action;
+ UPDATE_PACKET_ACTION(p, p->alerts.alerts[i].action);
 
 if (p->action & ACTION_PASS) {
 /* Ok, reset the alert cnt to end in the previous of pass
diff --git a/src/detect-engine-iponly.c b/src/detect-engine-iponly.c
index fd520d84a2..0c60f00510 100644
--- a/src/detect-engine-iponly.c
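Review bot: The `a` argument is not parenthesized in either new macro, so an expression argument such as `ACTION_DROP | ACTION_ALERT` would bind as `(action & ACTION_DROP) | ACTION_ALERT` rather than `action & (ACTION_DROP | ACTION_ALERT)`, and the `|=` form has the same hazard; the call sites in this patch pass single identifiers or member accesses, but the macro should read `((p)->root->action & (a)) : \` and `((p)->action & (a)))`, with `(a)` likewise in `UPDATE_PACKET_ACTION`. `TEST_PACKET_ACTION` is defined here but no hunk in the patch uses it, so any remaining direct reads of `p->action` still inspect the child packet after the update has gone to its root. A short comment above the pair would make the contract explicit: `/* Verdicts live on the root packet of a tunnel: read and update them only through these macros. */`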
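Review bot: Two lines after the updated verdict, `if (p->action & ACTION_PASS)` still reads the child packet's own field, while `UPDATE_PACKET_ACTION` has just written `p->root->action` when `p->root` is set, so a PASS verdict coming from an alert on a tunneled packet is not seen by the alert-count reset that follows. The `TEST_PACKET_ACTION` macro introduced in the decode.h hunk is the read-side counterpart and belongs here: `if (TEST_PACKET_ACTION(p, ACTION_PASS)) {`. PacketAlertFinalize continues outside the hunk, so any further direct reads of `p->action` in the same loop would need the same treatment.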
+++ b/src/detect-engine-iponly.c
@@ -1076,7 +1076,7 @@ void IPOnlyMatchPacket(ThreadVars *tv,
 PacketAlertAppend(det_ctx, s, p, 0);
 } else {
 /* apply actions for noalert/rule suppressed as well */
- p->action |= s->action;
+ UPDATE_PACKET_ACTION(p, s->action);
 }
 }
 }
diff --git a/src/detect-engine-state.c b/src/detect-engine-state.c
index ae1875a8f2..4806d21670 100644
--- a/src/detect-engine-state.c
+++ b/src/detect-engine-state.c
@@ -614,7 +614,7 @@ void DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
 if (!(s->flags & SIG_FLAG_NOALERT)) {
 PacketAlertAppend(det_ctx, s, p, 0);
 } else {
- p->action |= s->action;
+ UPDATE_PACKET_ACTION(p, s->action);
 }
 }
 
diff --git a/src/detect.c b/src/detect.c
index 49e5d421f8..a06743e11b 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1342,7 +1342,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 
 if (p->flow->flags & FLOW_ACTION_DROP) {
 alert_flags = PACKET_ALERT_FLAG_DROP_FLOW;
- p->action |= ACTION_DROP;
+ UPDATE_PACKET_ACTION(p, ACTION_DROP);
 }
 }
 
@@ -1626,7 +1626,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 PacketAlertAppend(det_ctx, s, p, alert_flags);
 } else {
 /* apply actions even if not alerting */
- p->action |= s->action;
+ UPDATE_PACKET_ACTION(p, s->action);
 }
 next:
 DetectFlowvarProcessList(det_ctx, p->flow);
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index c6334b45cd..0eb25d5515 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -4006,7 +4006,7 @@ static int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
 FlowSetNoPacketInspectionFlag(p->flow);
 DecodeSetNoPacketInspectionFlag(p);
 FlowSetSessionNoApplayerInspectionFlag(p->flow);
- p->action |= ACTION_DROP;
+ UPDATE_PACKET_ACTION(p, ACTION_DROP);
 /* return the segments to the pool */
 StreamTcpSessionPktFree(p);
 SCReturnInt(0);
@@ -4207,7 +4207,7 @@ error:
 }
 
 if (StreamTcpInlineMode()) {
- p->action |= ACTION_DROP;
+ UPDATE_PACKET_ACTION(p, ACTION_DROP);
 }
 SCReturnInt(-1);
 }