aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
main-7.0.x
main-8.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.2
suricata-7.0.13
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '37fa4a4876'
${ noResults }
suricata/src/flow-hash.c

852 lines
26 KiB
C
Raw Normal View History Unescape Escape

Support for Tile Gx atomic instructions Tilera's GCC supports the GCC __sync_ intrinsics. Increase the size of some atomic variables for better performance on Tile. The Tile-Gx architecture has native support for 32-bit and 64-bit atomic operations, but not 8-bit and 16-bit, which are emulated using 32-bit atomics, so changing some 16-bit and 8-bit atomic into ints improves performance. Increasing the size of the atomic variables modified in this change does not increase the total size of the structures in which they reside because of existing padding requirements. The one case that would increase the size of the structure (Flow_) was confitionalized to only change the size on Tile.
12 years ago
/* Copyright (C) 2007-2013 Open Information Security Foundation
Import of GPLv2 Header 050410
16 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Victor Julien <victor@inliniac.net>
Exclude parts of a flow that are not changing after init from the flow mutex. Cleanup flow-hash function.
16 years ago
* \author Pablo Rincon Crespo <pablo.rincon.crespo@gmail.com>
Import of GPLv2 Header 050410
16 years ago
*
* Flow Hashing functions.
*/
Initial add of the files.
18 years ago
Rename to Suricata.
16 years ago
#include "suricata-common.h"
Initial add of the files.
18 years ago
#include "threads.h"
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
Initial add of the files.
18 years ago
#include "decode.h"
Move flow use cnt to atomic and outside of the flow mutex protection.
16 years ago
#include "detect-engine-state.h"
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
Initial add of the files.
18 years ago
#include "flow.h"
#include "flow-hash.h"
#include "flow-util.h"
#include "flow-private.h"
Flow: use condition system instead of short sleep Short sleep can lead to some really annoying performance issue in some environnement like virtual systems. This technic was used in the flow manager. This patch uses an alternate approach based on a timed condition which is triggered each time a new flow has to be created. This avoid to run out of flow. A counter is also done to be able not to run the cleaning code at each new flow.
14 years ago
#include "flow-manager.h"
UDP support at AppLayer message handling
16 years ago
#include "app-layer-parser.h"
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
#include "util-time.h"
Another round of logging api usage updates.
16 years ago
#include "util-debug.h"
flow: make flow use lookup3.c hashing algorithm. Improves hash table distribution.
14 years ago
#include "util-hash-lookup3.h"
flow: prepare flow forced reuse logging Most flows are marked for clean up by the flow manager, which then passes them to the recycler. The recycler logs and cleans up. However, under resource stress conditions, the packet threads can recycle existing flow directly. So here the recycler has no role to play, as the flow is immediately used. For this reason, the packet threads need to be able to invoke the flow logger directly. The flow logging thread ctx will stored in the DecodeThreadVars stucture. Therefore, this patch makes the DecodeThreadVars an argument to FlowHandlePacket.
12 years ago
#include "conf.h"
#include "output.h"
#include "output-flow.h"
Adding some flow improvements and recovery on emergency mode
16 years ago
#define FLOW_DEFAULT_FLOW_PRUNE 5
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
SC_ATOMIC_EXTERN(unsigned int, flow_prune_idx);
Support for Tile Gx atomic instructions Tilera's GCC supports the GCC __sync_ intrinsics. Increase the size of some atomic variables for better performance on Tile. The Tile-Gx architecture has native support for 32-bit and 64-bit atomic operations, but not 8-bit and 16-bit, which are emulated using 32-bit atomics, so changing some 16-bit and 8-bit atomic into ints improves performance. Increasing the size of the atomic variables modified in this change does not increase the total size of the structures in which they reside because of existing padding requirements. The one case that would increase the size of the structure (Flow_) was confitionalized to only change the size on Tile.
12 years ago
SC_ATOMIC_EXTERN(unsigned int, flow_flags);
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
flow: prepare flow forced reuse logging Most flows are marked for clean up by the flow manager, which then passes them to the recycler. The recycler logs and cleans up. However, under resource stress conditions, the packet threads can recycle existing flow directly. So here the recycler has no role to play, as the flow is immediately used. For this reason, the packet threads need to be able to invoke the flow logger directly. The flow logging thread ctx will stored in the DecodeThreadVars stucture. Therefore, this patch makes the DecodeThreadVars an argument to FlowHandlePacket.
12 years ago
static Flow *FlowGetUsedFlow(ThreadVars *tv, DecodeThreadVars *dtv);
flow: make TCP reuse handling in flow engine optional In case of autofp (or more general, when flow and stream engine run in different threads) the flow engine should not trigger a flow reuse as this can lead to race conditions between the flow and the stream engine. In such cases, the flow engine can be far ahead of the stream engine as packets are in a queue between the threads. Observed: Flow engine tags packet 10 as start of new flow. Flow is tagged as 'reused'. Stream engine evaluates packet 5 which belongs to the old flow. It rejects the flow as it's tagged 'reused'. Attaches packet 5 to the new flow which is wrong. Solution: This patch connects the flow engines handling of reuse cases to the runmode. It hooks into the RunmodeSetFlowStreamAsync() call to notify the flow engine that it shouldn't handle the reuse.
11 years ago
static int handle_tcp_reuse = 1;
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
#ifdef FLOW_DEBUG_STATS
#define FLOW_DEBUG_STATS_PROTO_ALL 0
#define FLOW_DEBUG_STATS_PROTO_TCP 1
#define FLOW_DEBUG_STATS_PROTO_UDP 2
#define FLOW_DEBUG_STATS_PROTO_ICMP 3
#define FLOW_DEBUG_STATS_PROTO_OTHER 4
static uint64_t flow_hash_count[5] = { 0, 0, 0, 0, 0 }; /* how often are we looking for a hash */
static uint64_t flow_hash_loop_count[5] = { 0, 0, 0, 0, 0 }; /* how often do we loop through a hash bucket */
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
static FILE *flow_hash_count_fp = NULL;
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
static SCSpinlock flow_hash_count_lock;
#define FlowHashCountUpdate do { \
SCSpinLock(&flow_hash_count_lock); \
flow_hash_count[FLOW_DEBUG_STATS_PROTO_ALL]++; \
flow_hash_loop_count[FLOW_DEBUG_STATS_PROTO_ALL] += _flow_hash_counter; \
if (f != NULL) { \
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
if (p->proto == IPPROTO_TCP) { \
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
flow_hash_count[FLOW_DEBUG_STATS_PROTO_TCP]++; \
flow_hash_loop_count[FLOW_DEBUG_STATS_PROTO_TCP] += _flow_hash_counter; \
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
} else if (p->proto == IPPROTO_UDP) {\
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
flow_hash_count[FLOW_DEBUG_STATS_PROTO_UDP]++; \
flow_hash_loop_count[FLOW_DEBUG_STATS_PROTO_UDP] += _flow_hash_counter; \
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
} else if (p->proto == IPPROTO_ICMP) {\
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
flow_hash_count[FLOW_DEBUG_STATS_PROTO_ICMP]++; \
flow_hash_loop_count[FLOW_DEBUG_STATS_PROTO_ICMP] += _flow_hash_counter; \
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
} else {\
flow_hash_count[FLOW_DEBUG_STATS_PROTO_OTHER]++; \
flow_hash_loop_count[FLOW_DEBUG_STATS_PROTO_OTHER] += _flow_hash_counter; \
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
} \
} \
SCSpinUnlock(&flow_hash_count_lock); \
} while(0);
#define FlowHashCountInit uint64_t _flow_hash_counter = 0
#define FlowHashCountIncr _flow_hash_counter++;
Formatting and comment updates in flow files Some reformatting to meet coding standards. Added a few comments to make it more clear where p->flow gets set.
12 years ago
void FlowHashDebugInit(void)
{
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
#ifdef FLOW_DEBUG_STATS
SCSpinInit(&flow_hash_count_lock, 0);
#endif
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
flow_hash_count_fp = fopen("flow-debug.log", "w+");
Improve flow hash debugging, switch to csv output.
16 years ago
if (flow_hash_count_fp != NULL) {
fprintf(flow_hash_count_fp, "ts,all,tcp,udp,icmp,other\n");
}
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
}
Formatting and comment updates in flow files Some reformatting to meet coding standards. Added a few comments to make it more clear where p->flow gets set.
12 years ago
void FlowHashDebugPrint(uint32_t ts)
{
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
#ifdef FLOW_DEBUG_STATS
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
if (flow_hash_count_fp == NULL)
return;
float avg_all = 0, avg_tcp = 0, avg_udp = 0, avg_icmp = 0, avg_other = 0;
SCSpinLock(&flow_hash_count_lock);
if (flow_hash_loop_count[FLOW_DEBUG_STATS_PROTO_ALL] != 0)
avg_all = (float)(flow_hash_loop_count[FLOW_DEBUG_STATS_PROTO_ALL]/(float)(flow_hash_count[FLOW_DEBUG_STATS_PROTO_ALL]));
if (flow_hash_loop_count[FLOW_DEBUG_STATS_PROTO_TCP] != 0)
avg_tcp = (float)(flow_hash_loop_count[FLOW_DEBUG_STATS_PROTO_TCP]/(float)(flow_hash_count[FLOW_DEBUG_STATS_PROTO_TCP]));
if (flow_hash_loop_count[FLOW_DEBUG_STATS_PROTO_UDP] != 0)
avg_udp = (float)(flow_hash_loop_count[FLOW_DEBUG_STATS_PROTO_UDP]/(float)(flow_hash_count[FLOW_DEBUG_STATS_PROTO_UDP]));
if (flow_hash_loop_count[FLOW_DEBUG_STATS_PROTO_ICMP] != 0)
avg_icmp= (float)(flow_hash_loop_count[FLOW_DEBUG_STATS_PROTO_ICMP]/(float)(flow_hash_count[FLOW_DEBUG_STATS_PROTO_ICMP]));
if (flow_hash_loop_count[FLOW_DEBUG_STATS_PROTO_OTHER] != 0)
avg_other= (float)(flow_hash_loop_count[FLOW_DEBUG_STATS_PROTO_OTHER]/(float)(flow_hash_count[FLOW_DEBUG_STATS_PROTO_OTHER]));
Improve flow hash debugging, switch to csv output.
16 years ago
fprintf(flow_hash_count_fp, "%"PRIu32",%02.3f,%02.3f,%02.3f,%02.3f,%02.3f\n", ts, avg_all, avg_tcp, avg_udp, avg_icmp, avg_other);
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
fflush(flow_hash_count_fp);
memset(&flow_hash_count, 0, sizeof(flow_hash_count));
memset(&flow_hash_loop_count, 0, sizeof(flow_hash_loop_count));
SCSpinUnlock(&flow_hash_count_lock);
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
#endif
}
Formatting and comment updates in flow files Some reformatting to meet coding standards. Added a few comments to make it more clear where p->flow gets set.
12 years ago
void FlowHashDebugDeinit(void)
{
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
#ifdef FLOW_DEBUG_STATS
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
struct timeval ts;
memset(&ts, 0, sizeof(ts));
TimeGet(&ts);
FlowHashDebugPrint((uint32_t)ts.tv_sec);
if (flow_hash_count_fp != NULL)
fclose(flow_hash_count_fp);
SCSpinDestroy(&flow_hash_count_lock);
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
#endif
}
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
#else
#define FlowHashCountUpdate
#define FlowHashCountInit
#define FlowHashCountIncr
#endif /* FLOW_DEBUG_STATS */
flow: make TCP reuse handling in flow engine optional In case of autofp (or more general, when flow and stream engine run in different threads) the flow engine should not trigger a flow reuse as this can lead to race conditions between the flow and the stream engine. In such cases, the flow engine can be far ahead of the stream engine as packets are in a queue between the threads. Observed: Flow engine tags packet 10 as start of new flow. Flow is tagged as 'reused'. Stream engine evaluates packet 5 which belongs to the old flow. It rejects the flow as it's tagged 'reused'. Attaches packet 5 to the new flow which is wrong. Solution: This patch connects the flow engines handling of reuse cases to the runmode. It hooks into the RunmodeSetFlowStreamAsync() call to notify the flow engine that it shouldn't handle the reuse.
11 years ago
void FlowDisableTcpReuseHandling(void)
{
handle_tcp_reuse = 0;
}
flow: make flow use lookup3.c hashing algorithm. Improves hash table distribution.
14 years ago
/** \brief compare two raw ipv6 addrs
*
* \note we don't care about the real ipv6 ip's, this is just
* to consistently fill the FlowHashKey6 struct, without all
* the ntohl calls.
*
* \warning do not use elsewhere unless you know what you're doing.
* detect-engine-address-ipv6.c's AddressIPv6GtU32 is likely
* what you are looking for.
*/
Add const for Packet * in flow functions. By moving FlowReference() out of FlowGetFlowFromHash() and into the one function that calls it, all the flow functions take const Packet * instead of Packet *.
12 years ago
static inline int FlowHashRawAddressIPv6GtU32(const uint32_t *a, const uint32_t *b)
flow: make flow use lookup3.c hashing algorithm. Improves hash table distribution.
14 years ago
{
int i;
for (i = 0; i < 4; i++) {
if (a[i] > b[i])
return 1;
if (a[i] < b[i])
break;
}
return 0;
}
typedef struct FlowHashKey4_ {
union {
struct {
uint32_t src, dst;
uint16_t sp, dp;
uint16_t proto; /**< u16 so proto and recur add up to u32 */
uint16_t recur; /**< u16 so proto and recur add up to u32 */
flow: take vlan_id's into account in the flow hash In VLAN we can have 2 layers of encapsulation. In this patch both layers are used in the flow hash to distinguish between encapsulated traffic.
13 years ago
uint16_t vlan_id[2];
flow: make flow use lookup3.c hashing algorithm. Improves hash table distribution.
14 years ago
};
flow: take vlan_id's into account in the flow hash In VLAN we can have 2 layers of encapsulation. In this patch both layers are used in the flow hash to distinguish between encapsulated traffic.
13 years ago
const uint32_t u32[5];
flow: make flow use lookup3.c hashing algorithm. Improves hash table distribution.
14 years ago
};
} FlowHashKey4;
typedef struct FlowHashKey6_ {
union {
struct {
uint32_t src[4], dst[4];
uint16_t sp, dp;
uint16_t proto; /**< u16 so proto and recur add up to u32 */
uint16_t recur; /**< u16 so proto and recur add up to u32 */
flow: take vlan_id's into account in the flow hash In VLAN we can have 2 layers of encapsulation. In this patch both layers are used in the flow hash to distinguish between encapsulated traffic.
13 years ago
uint16_t vlan_id[2];
flow: make flow use lookup3.c hashing algorithm. Improves hash table distribution.
14 years ago
};
flow: take vlan_id's into account in the flow hash In VLAN we can have 2 layers of encapsulation. In this patch both layers are used in the flow hash to distinguish between encapsulated traffic.
13 years ago
const uint32_t u32[11];
flow: make flow use lookup3.c hashing algorithm. Improves hash table distribution.
14 years ago
};
} FlowHashKey6;
big update
17 years ago
/* calculate the hash key for this packet
*
* we're using:
* hash_rand -- set at init time
* source port
* destination port
* source address
* destination address
* recursion level -- for tunnels, make sure different tunnel layers can
* never get mixed up.
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
*
* For ICMP we only consider UNREACHABLE errors atm.
big update
17 years ago
*/
Add const for Packet * in flow functions. By moving FlowReference() out of FlowGetFlowFromHash() and into the one function that calls it, all the flow functions take const Packet * instead of Packet *.
12 years ago
static inline uint32_t FlowGetKey(const Packet *p)
Formatting and comment updates in flow files Some reformatting to meet coding standards. Added a few comments to make it more clear where p->flow gets set.
12 years ago
{
64 bit cleanup part2
17 years ago
uint32_t key;
Initial add of the files.
18 years ago
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
if (p->ip4h != NULL) {
if (p->tcph != NULL || p->udph != NULL) {
flow: make flow use lookup3.c hashing algorithm. Improves hash table distribution.
14 years ago
FlowHashKey4 fhk;
if (p->src.addr_data32[0] > p->dst.addr_data32[0]) {
fhk.src = p->src.addr_data32[0];
fhk.dst = p->dst.addr_data32[0];
} else {
fhk.src = p->dst.addr_data32[0];
fhk.dst = p->src.addr_data32[0];
}
if (p->sp > p->dp) {
fhk.sp = p->sp;
fhk.dp = p->dp;
} else {
fhk.sp = p->dp;
fhk.dp = p->sp;
}
fhk.proto = (uint16_t)p->proto;
fhk.recur = (uint16_t)p->recursion_level;
flow: take vlan_id's into account in the flow hash In VLAN we can have 2 layers of encapsulation. In this patch both layers are used in the flow hash to distinguish between encapsulated traffic.
13 years ago
fhk.vlan_id[0] = p->vlan_id[0];
fhk.vlan_id[1] = p->vlan_id[1];
flow: make flow use lookup3.c hashing algorithm. Improves hash table distribution.
14 years ago
flow: take vlan_id's into account in the flow hash In VLAN we can have 2 layers of encapsulation. In this patch both layers are used in the flow hash to distinguish between encapsulated traffic.
13 years ago
uint32_t hash = hashword(fhk.u32, 5, flow_config.hash_rand);
flow: make flow use lookup3.c hashing algorithm. Improves hash table distribution.
14 years ago
key = hash % flow_config.hash_size;
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
} else if (ICMPV4_DEST_UNREACH_IS_VALID(p)) {
flow: make flow use lookup3.c hashing algorithm. Improves hash table distribution.
14 years ago
uint32_t psrc = IPV4_GET_RAW_IPSRC_U32(ICMPV4_GET_EMB_IPV4(p));
uint32_t pdst = IPV4_GET_RAW_IPDST_U32(ICMPV4_GET_EMB_IPV4(p));
FlowHashKey4 fhk;
if (psrc > pdst) {
fhk.src = psrc;
fhk.dst = pdst;
} else {
fhk.src = pdst;
fhk.dst = psrc;
}
if (p->icmpv4vars.emb_sport > p->icmpv4vars.emb_dport) {
fhk.sp = p->icmpv4vars.emb_sport;
fhk.dp = p->icmpv4vars.emb_dport;
} else {
fhk.sp = p->icmpv4vars.emb_dport;
fhk.dp = p->icmpv4vars.emb_sport;
}
fhk.proto = (uint16_t)ICMPV4_GET_EMB_PROTO(p);
fhk.recur = (uint16_t)p->recursion_level;
flow: take vlan_id's into account in the flow hash In VLAN we can have 2 layers of encapsulation. In this patch both layers are used in the flow hash to distinguish between encapsulated traffic.
13 years ago
fhk.vlan_id[0] = p->vlan_id[0];
fhk.vlan_id[1] = p->vlan_id[1];
flow: make flow use lookup3.c hashing algorithm. Improves hash table distribution.
14 years ago
flow: take vlan_id's into account in the flow hash In VLAN we can have 2 layers of encapsulation. In this patch both layers are used in the flow hash to distinguish between encapsulated traffic.
13 years ago
uint32_t hash = hashword(fhk.u32, 5, flow_config.hash_rand);
flow: make flow use lookup3.c hashing algorithm. Improves hash table distribution.
14 years ago
key = hash % flow_config.hash_size;
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
} else {
flow: make flow use lookup3.c hashing algorithm. Improves hash table distribution.
14 years ago
FlowHashKey4 fhk;
if (p->src.addr_data32[0] > p->dst.addr_data32[0]) {
fhk.src = p->src.addr_data32[0];
fhk.dst = p->dst.addr_data32[0];
} else {
fhk.src = p->dst.addr_data32[0];
fhk.dst = p->src.addr_data32[0];
}
fhk.sp = 0xfeed;
fhk.dp = 0xbeef;
fhk.proto = (uint16_t)p->proto;
fhk.recur = (uint16_t)p->recursion_level;
flow: take vlan_id's into account in the flow hash In VLAN we can have 2 layers of encapsulation. In this patch both layers are used in the flow hash to distinguish between encapsulated traffic.
13 years ago
fhk.vlan_id[0] = p->vlan_id[0];
fhk.vlan_id[1] = p->vlan_id[1];
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
flow: take vlan_id's into account in the flow hash In VLAN we can have 2 layers of encapsulation. In this patch both layers are used in the flow hash to distinguish between encapsulated traffic.
13 years ago
uint32_t hash = hashword(fhk.u32, 5, flow_config.hash_rand);
flow: make flow use lookup3.c hashing algorithm. Improves hash table distribution.
14 years ago
key = hash % flow_config.hash_size;
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
}
flow: make flow use lookup3.c hashing algorithm. Improves hash table distribution.
14 years ago
} else if (p->ip6h != NULL) {
FlowHashKey6 fhk;
if (FlowHashRawAddressIPv6GtU32(p->src.addr_data32, p->dst.addr_data32)) {
fhk.src[0] = p->src.addr_data32[0];
fhk.src[1] = p->src.addr_data32[1];
fhk.src[2] = p->src.addr_data32[2];
fhk.src[3] = p->src.addr_data32[3];
fhk.dst[0] = p->dst.addr_data32[0];
fhk.dst[1] = p->dst.addr_data32[1];
fhk.dst[2] = p->dst.addr_data32[2];
fhk.dst[3] = p->dst.addr_data32[3];
} else {
fhk.src[0] = p->dst.addr_data32[0];
fhk.src[1] = p->dst.addr_data32[1];
fhk.src[2] = p->dst.addr_data32[2];
fhk.src[3] = p->dst.addr_data32[3];
fhk.dst[0] = p->src.addr_data32[0];
fhk.dst[1] = p->src.addr_data32[1];
fhk.dst[2] = p->src.addr_data32[2];
fhk.dst[3] = p->src.addr_data32[3];
}
if (p->sp > p->dp) {
fhk.sp = p->sp;
fhk.dp = p->dp;
} else {
fhk.sp = p->dp;
fhk.dp = p->sp;
}
fhk.proto = (uint16_t)p->proto;
fhk.recur = (uint16_t)p->recursion_level;
flow: take vlan_id's into account in the flow hash In VLAN we can have 2 layers of encapsulation. In this patch both layers are used in the flow hash to distinguish between encapsulated traffic.
13 years ago
fhk.vlan_id[0] = p->vlan_id[0];
fhk.vlan_id[1] = p->vlan_id[1];
flow: make flow use lookup3.c hashing algorithm. Improves hash table distribution.
14 years ago
flow: take vlan_id's into account in the flow hash In VLAN we can have 2 layers of encapsulation. In this patch both layers are used in the flow hash to distinguish between encapsulated traffic.
13 years ago
uint32_t hash = hashword(fhk.u32, 11, flow_config.hash_rand);
flow: make flow use lookup3.c hashing algorithm. Improves hash table distribution.
14 years ago
key = hash % flow_config.hash_size;
} else
Initial add of the files.
18 years ago
key = 0;
return key;
}
/* Since two or more flows can have the same hash key, we need to compare
* the flow with the current flow key. */
#define CMP_FLOW(f1,f2) \
big update
17 years ago
(((CMP_ADDR(&(f1)->src, &(f2)->src) && \
CMP_ADDR(&(f1)->dst, &(f2)->dst) && \
CMP_PORT((f1)->sp, (f2)->sp) && CMP_PORT((f1)->dp, (f2)->dp)) || \
(CMP_ADDR(&(f1)->src, &(f2)->dst) && \
CMP_ADDR(&(f1)->dst, &(f2)->src) && \
CMP_PORT((f1)->sp, (f2)->dp) && CMP_PORT((f1)->dp, (f2)->sp))) && \
(f1)->proto == (f2)->proto && \
flow: take vlan_id's into account in the flow hash In VLAN we can have 2 layers of encapsulation. In this patch both layers are used in the flow hash to distinguish between encapsulated traffic.
13 years ago
(f1)->recursion_level == (f2)->recursion_level && \
(f1)->vlan_id[0] == (f2)->vlan_id[0] && \
(f1)->vlan_id[1] == (f2)->vlan_id[1])
Initial add of the files.
18 years ago
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
/**
* \brief See if a ICMP packet belongs to a flow by comparing the embedded
* packet in the ICMP error packet to the flow.
*
* \param f flow
* \param p ICMP packet
*
* \retval 1 match
* \retval 0 no match
*/
Add const for Packet * in flow functions. By moving FlowReference() out of FlowGetFlowFromHash() and into the one function that calls it, all the flow functions take const Packet * instead of Packet *.
12 years ago
static inline int FlowCompareICMPv4(Flow *f, const Packet *p)
Formatting and comment updates in flow files Some reformatting to meet coding standards. Added a few comments to make it more clear where p->flow gets set.
12 years ago
{
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
if (ICMPV4_DEST_UNREACH_IS_VALID(p)) {
/* first check the direction of the flow, in other words, the client ->
* server direction as it's most likely the ICMP error will be a
* response to the clients traffic */
if ((f->src.addr_data32[0] == IPV4_GET_RAW_IPSRC_U32( ICMPV4_GET_EMB_IPV4(p) )) &&
(f->dst.addr_data32[0] == IPV4_GET_RAW_IPDST_U32( ICMPV4_GET_EMB_IPV4(p) )) &&
f->sp == p->icmpv4vars.emb_sport &&
f->dp == p->icmpv4vars.emb_dport &&
f->proto == ICMPV4_GET_EMB_PROTO(p) &&
flow: take vlan_id's into account in the flow hash In VLAN we can have 2 layers of encapsulation. In this patch both layers are used in the flow hash to distinguish between encapsulated traffic.
13 years ago
f->recursion_level == p->recursion_level &&
f->vlan_id[0] == p->vlan_id[0] &&
f->vlan_id[1] == p->vlan_id[1])
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
{
return 1;
/* check the less likely case where the ICMP error was a response to
* a packet from the server. */
} else if ((f->dst.addr_data32[0] == IPV4_GET_RAW_IPSRC_U32( ICMPV4_GET_EMB_IPV4(p) )) &&
(f->src.addr_data32[0] == IPV4_GET_RAW_IPDST_U32( ICMPV4_GET_EMB_IPV4(p) )) &&
f->dp == p->icmpv4vars.emb_sport &&
f->sp == p->icmpv4vars.emb_dport &&
f->proto == ICMPV4_GET_EMB_PROTO(p) &&
flow: take vlan_id's into account in the flow hash In VLAN we can have 2 layers of encapsulation. In this patch both layers are used in the flow hash to distinguish between encapsulated traffic.
13 years ago
f->recursion_level == p->recursion_level &&
f->vlan_id[0] == p->vlan_id[0] &&
f->vlan_id[1] == p->vlan_id[1])
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
{
return 1;
}
/* no match, fall through */
} else {
/* just treat ICMP as a normal proto for now */
return CMP_FLOW(f, p);
}
return 0;
}
tcp reuse: unify autofp and single/workers check
11 years ago
int TcpSessionPacketSsnReuse(const Packet *p, const Flow *f, void *tcp_ssn);
flow: handle TCP session reuse in flow engine Until now, TCP session reuse was handled in the TCP stream engine. If the state was TCP_CLOSED, a new SYN packet was received and a few other conditions were met, the flow was 'reset' and reused for the 'new' TCP session. There are a number of problems with this approach: - it breaks the normal flow lifecycle wrt timeout, detection, logging - new TCP sessions could come in on different threads due to mismatches in timeouts between suricata and flow balancing hw/nic/drivers - cleanup code was often causing problems - it complicated locking because of the possible thread mismatch This patch implements a different solution, where a new TCP session also gets a new flow. To do this 2 main things needed to be done: 1. the flow engine needed to be aware of when the TCP reuse case was happening 2. the flow engine needs to be able to 'skip' the old flow once it was replaced by a new one To handle (1), a new function TcpSessionPacketSsnReuse() is introduced to check for the TCP reuse conditions. It's called from 'FlowCompare()' for TCP packets / TCP flows that are candidates for reuse. FlowCompare returns FALSE for the 'old' flow in the case of TCP reuse. This in turn will lead to the flow engine not finding a flow for the TCP SYN packet, resulting in the creation of a new flow. To handle (2), FlowCompare flags the 'old' flow. This flag causes future FlowCompare calls to always return FALSE on it. In other words, the flow can't be found anymore. It can only be accessed by: 1. existing packets with a reference to it 2. flow timeout handling as this logic gets the flows from walking the hash directly 3. flow timeout pseudo packets, as they are set up by (2) The old flow will time out normally, as governed by the "tcp closed" flow timeout setting. At timeout, the normal detection, logging and cleanup code will process it. The flagging of a flow making it 'unfindable' in the flow hash is a bit of a hack. The reason for this approach over for example putting the old flow into a forced timeout queue where it could be timed out, is that such a queue could easily become a contention point. The TCP session reuse case can easily be created by an attacker. In case of multiple packet handlers, this could lead to contention on such a flow timeout queue.
11 years ago
Add const for Packet * in flow functions. By moving FlowReference() out of FlowGetFlowFromHash() and into the one function that calls it, all the flow functions take const Packet * instead of Packet *.
12 years ago
static inline int FlowCompare(Flow *f, const Packet *p)
Formatting and comment updates in flow files Some reformatting to meet coding standards. Added a few comments to make it more clear where p->flow gets set.
12 years ago
{
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
if (p->proto == IPPROTO_ICMP) {
return FlowCompareICMPv4(f, p);
flow: handle TCP session reuse in flow engine Until now, TCP session reuse was handled in the TCP stream engine. If the state was TCP_CLOSED, a new SYN packet was received and a few other conditions were met, the flow was 'reset' and reused for the 'new' TCP session. There are a number of problems with this approach: - it breaks the normal flow lifecycle wrt timeout, detection, logging - new TCP sessions could come in on different threads due to mismatches in timeouts between suricata and flow balancing hw/nic/drivers - cleanup code was often causing problems - it complicated locking because of the possible thread mismatch This patch implements a different solution, where a new TCP session also gets a new flow. To do this 2 main things needed to be done: 1. the flow engine needed to be aware of when the TCP reuse case was happening 2. the flow engine needs to be able to 'skip' the old flow once it was replaced by a new one To handle (1), a new function TcpSessionPacketSsnReuse() is introduced to check for the TCP reuse conditions. It's called from 'FlowCompare()' for TCP packets / TCP flows that are candidates for reuse. FlowCompare returns FALSE for the 'old' flow in the case of TCP reuse. This in turn will lead to the flow engine not finding a flow for the TCP SYN packet, resulting in the creation of a new flow. To handle (2), FlowCompare flags the 'old' flow. This flag causes future FlowCompare calls to always return FALSE on it. In other words, the flow can't be found anymore. It can only be accessed by: 1. existing packets with a reference to it 2. flow timeout handling as this logic gets the flows from walking the hash directly 3. flow timeout pseudo packets, as they are set up by (2) The old flow will time out normally, as governed by the "tcp closed" flow timeout setting. At timeout, the normal detection, logging and cleanup code will process it. The flagging of a flow making it 'unfindable' in the flow hash is a bit of a hack. The reason for this approach over for example putting the old flow into a forced timeout queue where it could be timed out, is that such a queue could easily become a contention point. The TCP session reuse case can easily be created by an attacker. In case of multiple packet handlers, this could lead to contention on such a flow timeout queue.
11 years ago
} else if (p->proto == IPPROTO_TCP) {
if (CMP_FLOW(f, p) == 0)
return 0;
/* if this session is 'reused', we don't return it anymore,
* so return false on the compare */
if (f->flags & FLOW_TCP_REUSED)
return 0;
flow: make TCP reuse handling in flow engine optional In case of autofp (or more general, when flow and stream engine run in different threads) the flow engine should not trigger a flow reuse as this can lead to race conditions between the flow and the stream engine. In such cases, the flow engine can be far ahead of the stream engine as packets are in a queue between the threads. Observed: Flow engine tags packet 10 as start of new flow. Flow is tagged as 'reused'. Stream engine evaluates packet 5 which belongs to the old flow. It rejects the flow as it's tagged 'reused'. Attaches packet 5 to the new flow which is wrong. Solution: This patch connects the flow engines handling of reuse cases to the runmode. It hooks into the RunmodeSetFlowStreamAsync() call to notify the flow engine that it shouldn't handle the reuse.
11 years ago
if (handle_tcp_reuse == 1) {
/* lets see if we need to consider the existing session reuse */
if (unlikely(TcpSessionPacketSsnReuse(p, f, f->protoctx) == 1)) {
/* okay, we need to setup a new flow for this packet.
* Flag the flow that it's been replaced by a new one */
f->flags |= FLOW_TCP_REUSED;
SCLogDebug("flow obsolete: TCP reuse will use a new flow "
"starting with packet %"PRIu64, p->pcap_cnt);
return 0;
}
flow: handle TCP session reuse in flow engine Until now, TCP session reuse was handled in the TCP stream engine. If the state was TCP_CLOSED, a new SYN packet was received and a few other conditions were met, the flow was 'reset' and reused for the 'new' TCP session. There are a number of problems with this approach: - it breaks the normal flow lifecycle wrt timeout, detection, logging - new TCP sessions could come in on different threads due to mismatches in timeouts between suricata and flow balancing hw/nic/drivers - cleanup code was often causing problems - it complicated locking because of the possible thread mismatch This patch implements a different solution, where a new TCP session also gets a new flow. To do this 2 main things needed to be done: 1. the flow engine needed to be aware of when the TCP reuse case was happening 2. the flow engine needs to be able to 'skip' the old flow once it was replaced by a new one To handle (1), a new function TcpSessionPacketSsnReuse() is introduced to check for the TCP reuse conditions. It's called from 'FlowCompare()' for TCP packets / TCP flows that are candidates for reuse. FlowCompare returns FALSE for the 'old' flow in the case of TCP reuse. This in turn will lead to the flow engine not finding a flow for the TCP SYN packet, resulting in the creation of a new flow. To handle (2), FlowCompare flags the 'old' flow. This flag causes future FlowCompare calls to always return FALSE on it. In other words, the flow can't be found anymore. It can only be accessed by: 1. existing packets with a reference to it 2. flow timeout handling as this logic gets the flows from walking the hash directly 3. flow timeout pseudo packets, as they are set up by (2) The old flow will time out normally, as governed by the "tcp closed" flow timeout setting. At timeout, the normal detection, logging and cleanup code will process it. The flagging of a flow making it 'unfindable' in the flow hash is a bit of a hack. The reason for this approach over for example putting the old flow into a forced timeout queue where it could be timed out, is that such a queue could easily become a contention point. The TCP session reuse case can easily be created by an attacker. In case of multiple packet handlers, this could lead to contention on such a flow timeout queue.
11 years ago
}
return 1;
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
} else {
return CMP_FLOW(f, p);
}
}
/**
* \brief Check if we should create a flow based on a packet
*
* We use this check to filter out flow creation based on:
* - ICMP error messages
*
* \param p packet
* \retval 1 true
* \retval 0 false
*/
Add const for Packet * in flow functions. By moving FlowReference() out of FlowGetFlowFromHash() and into the one function that calls it, all the flow functions take const Packet * instead of Packet *.
12 years ago
static inline int FlowCreateCheck(const Packet *p)
Formatting and comment updates in flow files Some reformatting to meet coding standards. Added a few comments to make it more clear where p->flow gets set.
12 years ago
{
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
if (PKT_IS_ICMPV4(p)) {
if (ICMPV4_IS_ERROR_MSG(p)) {
return 0;
}
}
return 1;
}
Exclude parts of a flow that are not changing after init from the flow mutex. Cleanup flow-hash function.
16 years ago
/**
* \brief Get a new flow
*
* Get a new flow. We're checking memcap first and will try to make room
* if the memcap is reached.
*
flow: prepare flow forced reuse logging Most flows are marked for clean up by the flow manager, which then passes them to the recycler. The recycler logs and cleans up. However, under resource stress conditions, the packet threads can recycle existing flow directly. So here the recycler has no role to play, as the flow is immediately used. For this reason, the packet threads need to be able to invoke the flow logger directly. The flow logging thread ctx will stored in the DecodeThreadVars stucture. Therefore, this patch makes the DecodeThreadVars an argument to FlowHandlePacket.
12 years ago
* \param tv thread vars
* \param dtv decode thread vars (for flow log api thread data)
*
Exclude parts of a flow that are not changing after init from the flow mutex. Cleanup flow-hash function.
16 years ago
* \retval f *LOCKED* flow on succes, NULL on error.
*/
flow: prepare flow forced reuse logging Most flows are marked for clean up by the flow manager, which then passes them to the recycler. The recycler logs and cleans up. However, under resource stress conditions, the packet threads can recycle existing flow directly. So here the recycler has no role to play, as the flow is immediately used. For this reason, the packet threads need to be able to invoke the flow logger directly. The flow logging thread ctx will stored in the DecodeThreadVars stucture. Therefore, this patch makes the DecodeThreadVars an argument to FlowHandlePacket.
12 years ago
static Flow *FlowGetNew(ThreadVars *tv, DecodeThreadVars *dtv, const Packet *p)
Formatting and comment updates in flow files Some reformatting to meet coding standards. Added a few comments to make it more clear where p->flow gets set.
12 years ago
{
Exclude parts of a flow that are not changing after init from the flow mutex. Cleanup flow-hash function.
16 years ago
Flow *f = NULL;
if (FlowCreateCheck(p) == 0) {
return NULL;
}
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
/* get a flow from the spare queue */
Undo changes from 88b8f15663076560b2237e6d8b8cae7e23d92bb6. Atomic stack implementation had a-b-a problem.
14 years ago
f = FlowDequeue(&flow_spare_q);
Exclude parts of a flow that are not changing after init from the flow mutex. Cleanup flow-hash function.
16 years ago
if (f == NULL) {
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
/* If we reached the max memcap, we get a used flow */
Various small flow and host table fixes.
14 years ago
if (!(FLOW_CHECK_MEMCAP(sizeof(Flow)))) {
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
/* declare state of emergency */
if (!(SC_ATOMIC_GET(flow_flags) & FLOW_EMERGENCY)) {
SC_ATOMIC_OR(flow_flags, FLOW_EMERGENCY);
/* under high load, waking up the flow mgr each time leads
* to high cpu usage. Flows are not timed out much faster if
* we check a 1000 times a second. */
FlowWakeupFlowManagerThread();
Exclude parts of a flow that are not changing after init from the flow mutex. Cleanup flow-hash function.
16 years ago
}
flow: prepare flow forced reuse logging Most flows are marked for clean up by the flow manager, which then passes them to the recycler. The recycler logs and cleans up. However, under resource stress conditions, the packet threads can recycle existing flow directly. So here the recycler has no role to play, as the flow is immediately used. For this reason, the packet threads need to be able to invoke the flow logger directly. The flow logging thread ctx will stored in the DecodeThreadVars stucture. Therefore, this patch makes the DecodeThreadVars an argument to FlowHandlePacket.
12 years ago
f = FlowGetUsedFlow(tv, dtv);
flow: fix crash when flow engine under extreme stress, and unable to force free any existing flow
13 years ago
if (f == NULL) {
/* very rare, but we can fail. Just giving up */
return NULL;
}
Exclude parts of a flow that are not changing after init from the flow mutex. Cleanup flow-hash function.
16 years ago
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
/* freed a flow, but it's unlocked */
} else {
/* now see if we can alloc a new flow */
f = FlowAlloc();
if (f == NULL) {
return NULL;
}
/* flow is initialized but *unlocked* */
}
Exclude parts of a flow that are not changing after init from the flow mutex. Cleanup flow-hash function.
16 years ago
} else {
Fix segv conditions caused by broken flow cleanup code.
16 years ago
/* flow has been recycled before it went into the spare queue */
Move flow use cnt to atomic and outside of the flow mutex protection.
16 years ago
/* flow is initialized (recylced) but *unlocked* */
Exclude parts of a flow that are not changing after init from the flow mutex. Cleanup flow-hash function.
16 years ago
}
flow: create a flow lock macro API, implement it for mutex and rwlocks. Mutex remains the default.
14 years ago
FLOWLOCK_WRLOCK(f);
Exclude parts of a flow that are not changing after init from the flow mutex. Cleanup flow-hash function.
16 years ago
return f;
}
tcp reuse: handle reuse in stream engine For the autofp case, handling TCP reuse in the flow engine didn't work. The problem is the mismatch between the moment the flow engine looks at packets and the stream, and the moment the stream engine runs. Flow engine is invoked in the packet capture thread(s), while the stream engine runs as part of the stream/detect thread(s). Because of the queues between those threads the flow manager may already inspect a new SYN while the stream engine still has to process the previous session. Moving the flow engine to the stream/detect thread(s) wasn't an option as the 'autofp' load balancing depends on the flow already being available in the packet. The solution here is to add a check for this condition to the stream engine. At this point the TCP state is up to date. If a TCP reuse case is encountered, this is the global logic: - detach packet for old flow - get a new flow and attach it to the packet - flag the old flow that it is now obsolete Additional logic makes sure that the packets already in the queue between the flow thread(s) and the stream thread are reassigned the new flow. Some special handling: Apply previous 'reuse' before checking for a new reuse. Otherwise we're tagging the wrong flow in some cases (multiple reuses in the same tuple). When in a flow/ssn reuse condition, properly remove the packet from the flow. Don't 'reuse' if packet is a SYN retransmission. The old flow is timed out normally by the flow manager.
11 years ago
Flow *FlowGetFlowFromHashByPacket(const Packet *p)
{
Flow *f = NULL;
/* get the key to our bucket */
uint32_t key = FlowGetKey(p);
/* get our hash bucket and lock it */
FlowBucket *fb = &flow_hash[key];
FBLOCK_LOCK(fb);
SCLogDebug("fb %p fb->head %p", fb, fb->head);
f = FlowGetNew(NULL, NULL, p);
if (f != NULL) {
/* flow is locked */
if (fb->head == NULL) {
fb->head = f;
fb->tail = f;
} else {
f->hprev = fb->tail;
fb->tail->hnext = f;
fb->tail = f;
}
/* got one, now lock, initialize and return */
FlowInit(f, p);
f->fb = fb;
/* update the last seen timestamp of this flow */
COPY_TIMESTAMP(&p->ts,&f->lastts);
}
FBLOCK_UNLOCK(fb);
return f;
}
/** \brief Lookup flow based on packet
*
* Find the flow belonging to this packet. If not found, no new flow
* is set up.
*
* \param p packet to lookup the flow for
*
* \retval f flow or NULL if not found
*/
Flow *FlowLookupFlowFromHash(const Packet *p)
{
Flow *f = NULL;
/* get the key to our bucket */
uint32_t key = FlowGetKey(p);
/* get our hash bucket and lock it */
FlowBucket *fb = &flow_hash[key];
FBLOCK_LOCK(fb);
SCLogDebug("fb %p fb->head %p", fb, fb->head);
/* see if the bucket already has a flow */
if (fb->head == NULL) {
FBLOCK_UNLOCK(fb);
return NULL;
}
/* ok, we have a flow in the bucket. Let's find out if it is our flow */
f = fb->head;
/* see if this is the flow we are looking for */
if (FlowCompare(f, p) == 0) {
while (f) {
FlowHashCountIncr;
f = f->hnext;
if (f == NULL) {
FBLOCK_UNLOCK(fb);
return NULL;
}
if (FlowCompare(f, p) != 0) {
/* we found our flow, lets put it on top of the
* hash list -- this rewards active flows */
if (f->hnext) {
f->hnext->hprev = f->hprev;
}
if (f->hprev) {
f->hprev->hnext = f->hnext;
}
if (f == fb->tail) {
fb->tail = f->hprev;
}
f->hnext = fb->head;
f->hprev = NULL;
fb->head->hprev = f;
fb->head = f;
/* found our flow, lock & return */
FLOWLOCK_WRLOCK(f);
/* update the last seen timestamp of this flow */
COPY_TIMESTAMP(&p->ts,&f->lastts);
FBLOCK_UNLOCK(fb);
return f;
}
}
}
/* lock & return */
FLOWLOCK_WRLOCK(f);
/* update the last seen timestamp of this flow */
COPY_TIMESTAMP(&p->ts,&f->lastts);
FBLOCK_UNLOCK(fb);
return f;
}
flow: prepare flow forced reuse logging Most flows are marked for clean up by the flow manager, which then passes them to the recycler. The recycler logs and cleans up. However, under resource stress conditions, the packet threads can recycle existing flow directly. So here the recycler has no role to play, as the flow is immediately used. For this reason, the packet threads need to be able to invoke the flow logger directly. The flow logging thread ctx will stored in the DecodeThreadVars stucture. Therefore, this patch makes the DecodeThreadVars an argument to FlowHandlePacket.
12 years ago
/** \brief Get Flow for packet
Initial add of the files.
18 years ago
*
* Hash retrieval function for flows. Looks up the hash bucket containing the
* flow pointer. Then compares the packet with the found flow to see if it is
* the flow we need. If it isn't, walk the list until the right flow is found.
*
* If the flow is not found or the bucket was emtpy, a new flow is taken from
* the queue. FlowDequeue() will alloc new flows as long as we stay within our
* memcap limit.
*
Formatting and comment updates in flow files Some reformatting to meet coding standards. Added a few comments to make it more clear where p->flow gets set.
12 years ago
* The p->flow pointer is updated to point to the flow.
*
flow: prepare flow forced reuse logging Most flows are marked for clean up by the flow manager, which then passes them to the recycler. The recycler logs and cleans up. However, under resource stress conditions, the packet threads can recycle existing flow directly. So here the recycler has no role to play, as the flow is immediately used. For this reason, the packet threads need to be able to invoke the flow logger directly. The flow logging thread ctx will stored in the DecodeThreadVars stucture. Therefore, this patch makes the DecodeThreadVars an argument to FlowHandlePacket.
12 years ago
* \param tv thread vars
* \param dtv decode thread vars (for flow log api thread data)
*
* \retval f *LOCKED* flow or NULL
Initial add of the files.
18 years ago
*/
flow: prepare flow forced reuse logging Most flows are marked for clean up by the flow manager, which then passes them to the recycler. The recycler logs and cleans up. However, under resource stress conditions, the packet threads can recycle existing flow directly. So here the recycler has no role to play, as the flow is immediately used. For this reason, the packet threads need to be able to invoke the flow logger directly. The flow logging thread ctx will stored in the DecodeThreadVars stucture. Therefore, this patch makes the DecodeThreadVars an argument to FlowHandlePacket.
12 years ago
Flow *FlowGetFlowFromHash(ThreadVars *tv, DecodeThreadVars *dtv, const Packet *p)
Initial add of the files.
18 years ago
{
Flow *f = NULL;
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
FlowHashCountInit;
Initial add of the files.
18 years ago
/* get the key to our bucket */
64 bit cleanup part2
17 years ago
uint32_t key = FlowGetKey(p);
Initial add of the files.
18 years ago
/* get our hash bucket and lock it */
FlowBucket *fb = &flow_hash[key];
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
FBLOCK_LOCK(fb);
Initial add of the files.
18 years ago
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
SCLogDebug("fb %p fb->head %p", fb, fb->head);
Initial add of the files.
18 years ago
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
FlowHashCountIncr;
Initial add of the files.
18 years ago
/* see if the bucket already has a flow */
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
if (fb->head == NULL) {
flow: prepare flow forced reuse logging Most flows are marked for clean up by the flow manager, which then passes them to the recycler. The recycler logs and cleans up. However, under resource stress conditions, the packet threads can recycle existing flow directly. So here the recycler has no role to play, as the flow is immediately used. For this reason, the packet threads need to be able to invoke the flow logger directly. The flow logging thread ctx will stored in the DecodeThreadVars stucture. Therefore, this patch makes the DecodeThreadVars an argument to FlowHandlePacket.
12 years ago
f = FlowGetNew(tv, dtv, p);
Exclude parts of a flow that are not changing after init from the flow mutex. Cleanup flow-hash function.
16 years ago
if (f == NULL) {
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
FBLOCK_UNLOCK(fb);
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
FlowHashCountUpdate;
return NULL;
}
Exclude parts of a flow that are not changing after init from the flow mutex. Cleanup flow-hash function.
16 years ago
/* flow is locked */
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
fb->head = f;
fb->tail = f;
Adding some flow improvements and recovery on emergency mode
16 years ago
Initial add of the files.
18 years ago
/* got one, now lock, initialize and return */
Formatting and comment updates in flow files Some reformatting to meet coding standards. Added a few comments to make it more clear where p->flow gets set.
12 years ago
FlowInit(f, p);
Initial add of the files.
18 years ago
f->fb = fb;
flow: modify lastts update logic In the lastts timeval struct field in the flow the timestamp of the last packet to update is recorded. This allows for tracking the timeout of the flow. So far, this value was updated under the flow lock and also read under the flow lock. This patch moves the updating of this field to the FlowGetFlowFromHash function, where it updated at the point where both the Flow and the Flow Hash Row lock are held. This guarantees that the field is only updated when both locks are held. This makes reading the field safe when either lock is held, which is the purpose of this patch. The flow manager, while holding the flow hash row lock, can now safely read the lastts value. This allows it to do the flow timeout check without actually locking the flow.
11 years ago
/* update the last seen timestamp of this flow */
COPY_TIMESTAMP(&p->ts,&f->lastts);
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
FBLOCK_UNLOCK(fb);
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
FlowHashCountUpdate;
Initial add of the files.
18 years ago
return f;
}
/* ok, we have a flow in the bucket. Let's find out if it is our flow */
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
f = fb->head;
Initial add of the files.
18 years ago
/* see if this is the flow we are looking for */
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
if (FlowCompare(f, p) == 0) {
Initial add of the files.
18 years ago
Flow *pf = NULL; /* previous flow */
while (f) {
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
FlowHashCountIncr;
Exclude parts of a flow that are not changing after init from the flow mutex. Cleanup flow-hash function.
16 years ago
pf = f;
Initial add of the files.
18 years ago
f = f->hnext;
if (f == NULL) {
flow: prepare flow forced reuse logging Most flows are marked for clean up by the flow manager, which then passes them to the recycler. The recycler logs and cleans up. However, under resource stress conditions, the packet threads can recycle existing flow directly. So here the recycler has no role to play, as the flow is immediately used. For this reason, the packet threads need to be able to invoke the flow logger directly. The flow logging thread ctx will stored in the DecodeThreadVars stucture. Therefore, this patch makes the DecodeThreadVars an argument to FlowHandlePacket.
12 years ago
f = pf->hnext = FlowGetNew(tv, dtv, p);
Exclude parts of a flow that are not changing after init from the flow mutex. Cleanup flow-hash function.
16 years ago
if (f == NULL) {
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
FBLOCK_UNLOCK(fb);
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
FlowHashCountUpdate;
return NULL;
}
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
fb->tail = f;
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
Exclude parts of a flow that are not changing after init from the flow mutex. Cleanup flow-hash function.
16 years ago
/* flow is locked */
Initial add of the files.
18 years ago
f->hprev = pf;
Exclude parts of a flow that are not changing after init from the flow mutex. Cleanup flow-hash function.
16 years ago
/* initialize and return */
Formatting and comment updates in flow files Some reformatting to meet coding standards. Added a few comments to make it more clear where p->flow gets set.
12 years ago
FlowInit(f, p);
Initial add of the files.
18 years ago
f->fb = fb;
flow: modify lastts update logic In the lastts timeval struct field in the flow the timestamp of the last packet to update is recorded. This allows for tracking the timeout of the flow. So far, this value was updated under the flow lock and also read under the flow lock. This patch moves the updating of this field to the FlowGetFlowFromHash function, where it updated at the point where both the Flow and the Flow Hash Row lock are held. This guarantees that the field is only updated when both locks are held. This makes reading the field safe when either lock is held, which is the purpose of this patch. The flow manager, while holding the flow hash row lock, can now safely read the lastts value. This allows it to do the flow timeout check without actually locking the flow.
11 years ago
/* update the last seen timestamp of this flow */
COPY_TIMESTAMP(&p->ts,&f->lastts);
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
FBLOCK_UNLOCK(fb);
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
FlowHashCountUpdate;
Initial add of the files.
18 years ago
return f;
Big update: - Implement "closing" state in flow. - Add protocol specific timeouts. - Lots of stream tracking updates, fixing a lot of out of window issues. - Stream reassembly fixes. - Implement a new IDS runmode with 4 stream and detect threads. - Added a BUG_ON macro that aborts the engine if the expression is true. - Better balance the flow queue handler for traffic that doesn't have flow (like icmp currently). - Simplify application level protocol in the Tcp Session. - Add some debugging memory counters.
16 years ago
}
Initial add of the files.
18 years ago
Improve flow hash debugging functions. Make sure ICMP errors don't create flows. Handle ICMP DEST UNREACH errors in the flow they are sending the error about.
16 years ago
if (FlowCompare(f, p) != 0) {
Initial add of the files.
18 years ago
/* we found our flow, lets put it on top of the
* hash list -- this rewards active flows */
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
if (f->hnext) {
f->hnext->hprev = f->hprev;
}
if (f->hprev) {
f->hprev->hnext = f->hnext;
}
if (f == fb->tail) {
fb->tail = f->hprev;
}
Initial add of the files.
18 years ago
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
f->hnext = fb->head;
Initial add of the files.
18 years ago
f->hprev = NULL;
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
fb->head->hprev = f;
fb->head = f;
Initial add of the files.
18 years ago
Move flow use cnt to atomic and outside of the flow mutex protection.
16 years ago
/* found our flow, lock & return */
flow: create a flow lock macro API, implement it for mutex and rwlocks. Mutex remains the default.
14 years ago
FLOWLOCK_WRLOCK(f);
flow: modify lastts update logic In the lastts timeval struct field in the flow the timestamp of the last packet to update is recorded. This allows for tracking the timeout of the flow. So far, this value was updated under the flow lock and also read under the flow lock. This patch moves the updating of this field to the FlowGetFlowFromHash function, where it updated at the point where both the Flow and the Flow Hash Row lock are held. This guarantees that the field is only updated when both locks are held. This makes reading the field safe when either lock is held, which is the purpose of this patch. The flow manager, while holding the flow hash row lock, can now safely read the lastts value. This allows it to do the flow timeout check without actually locking the flow.
11 years ago
/* update the last seen timestamp of this flow */
COPY_TIMESTAMP(&p->ts,&f->lastts);
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
FBLOCK_UNLOCK(fb);
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
FlowHashCountUpdate;
Initial add of the files.
18 years ago
return f;
}
}
}
Formatting and comment updates in flow files Some reformatting to meet coding standards. Added a few comments to make it more clear where p->flow gets set.
12 years ago
/* lock & return */
flow: create a flow lock macro API, implement it for mutex and rwlocks. Mutex remains the default.
14 years ago
FLOWLOCK_WRLOCK(f);
flow: modify lastts update logic In the lastts timeval struct field in the flow the timestamp of the last packet to update is recorded. This allows for tracking the timeout of the flow. So far, this value was updated under the flow lock and also read under the flow lock. This patch moves the updating of this field to the FlowGetFlowFromHash function, where it updated at the point where both the Flow and the Flow Hash Row lock are held. This guarantees that the field is only updated when both locks are held. This makes reading the field safe when either lock is held, which is the purpose of this patch. The flow manager, while holding the flow hash row lock, can now safely read the lastts value. This allows it to do the flow timeout check without actually locking the flow.
11 years ago
/* update the last seen timestamp of this flow */
COPY_TIMESTAMP(&p->ts,&f->lastts);
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
FBLOCK_UNLOCK(fb);
Add debug code for tracking flow hash distribution. Only add ICMP DEST_UNREACH packets to the flow engine.
16 years ago
FlowHashCountUpdate;
Initial add of the files.
18 years ago
return f;
}
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
/** \internal
* \brief Get a flow from the hash directly.
*
* Called in conditions where the spare queue is empty and memcap is reached.
*
* Walks the hash until a flow can be freed. Timeouts are disregarded, use_cnt
* is adhered to. "flow_prune_idx" atomic int makes sure we don't start at the
* top each time since that would clear the top of the hash leading to longer
* and longer search times under high pressure (observed).
*
flow: prepare flow forced reuse logging Most flows are marked for clean up by the flow manager, which then passes them to the recycler. The recycler logs and cleans up. However, under resource stress conditions, the packet threads can recycle existing flow directly. So here the recycler has no role to play, as the flow is immediately used. For this reason, the packet threads need to be able to invoke the flow logger directly. The flow logging thread ctx will stored in the DecodeThreadVars stucture. Therefore, this patch makes the DecodeThreadVars an argument to FlowHandlePacket.
12 years ago
* \param tv thread vars
* \param dtv decode thread vars (for flow log api thread data)
*
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
* \retval f flow or NULL
*/
flow: prepare flow forced reuse logging Most flows are marked for clean up by the flow manager, which then passes them to the recycler. The recycler logs and cleans up. However, under resource stress conditions, the packet threads can recycle existing flow directly. So here the recycler has no role to play, as the flow is immediately used. For this reason, the packet threads need to be able to invoke the flow logger directly. The flow logging thread ctx will stored in the DecodeThreadVars stucture. Therefore, this patch makes the DecodeThreadVars an argument to FlowHandlePacket.
12 years ago
static Flow *FlowGetUsedFlow(ThreadVars *tv, DecodeThreadVars *dtv)
Formatting and comment updates in flow files Some reformatting to meet coding standards. Added a few comments to make it more clear where p->flow gets set.
12 years ago
{
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
uint32_t idx = SC_ATOMIC_GET(flow_prune_idx) % flow_config.hash_size;
uint32_t cnt = flow_config.hash_size;
while (cnt--) {
Fix GetUsed functions for Host, Flow and Defrag.
13 years ago
if (++idx >= flow_config.hash_size)
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
idx = 0;
FlowBucket *fb = &flow_hash[idx];
if (FBLOCK_TRYLOCK(fb) != 0)
continue;
Flow *f = fb->tail;
if (f == NULL) {
FBLOCK_UNLOCK(fb);
continue;
}
flow: create a flow lock macro API, implement it for mutex and rwlocks. Mutex remains the default.
14 years ago
if (FLOWLOCK_TRYWRLOCK(f) != 0) {
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
FBLOCK_UNLOCK(fb);
continue;
}
/** never prune a flow that is used by a packet or stream msg
* we are currently processing in one of the threads */
if (SC_ATOMIC_GET(f->use_cnt) > 0) {
FBLOCK_UNLOCK(fb);
flow: create a flow lock macro API, implement it for mutex and rwlocks. Mutex remains the default.
14 years ago
FLOWLOCK_UNLOCK(f);
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
continue;
}
/* remove from the hash */
if (f->hprev != NULL)
f->hprev->hnext = f->hnext;
if (f->hnext != NULL)
f->hnext->hprev = f->hprev;
if (fb->head == f)
fb->head = f->hnext;
if (fb->tail == f)
fb->tail = f->hprev;
f->hnext = NULL;
f->hprev = NULL;
f->fb = NULL;
FBLOCK_UNLOCK(fb);
flow: change flow state logic A flow has 3 states: NEW, ESTABLISHED and CLOSED. For all protocols except TCP, a flow is in state NEW as long as just one side of the conversation has been seen. When both sides have been observed the state is moved to ESTABLISHED. TCP has a different logic, controlled by the stream engine. Here the TCP state is leading. Until now, when parts of the engine needed to know the flow state, it would invoke a per protocol callback 'GetProtoState'. For TCP this would return the state based on the TcpSession. This patch changes this logic. It introduces an atomic variable in the flow 'flow_state'. It defaults to NEW and is set to ESTABLISHED for non- TCP protocols when we've seen both sides of the conversation. For TCP, the state is updated from the TCP engine directly. The goal is to allow for access to the state without holding the Flow's main mutex lock. This will later allow the Flow Manager(s) to evaluate the Flow w/o interupting it.
11 years ago
int state = SC_ATOMIC_GET(f->flow_state);
flow: add flow_end_flags field, add logging The flow end flags field is filled by the flow manager or the flow hash (in case of forced timeout of a flow) to record the timeout conditions in the flow: - emergency mode - state - reason (timed out or forced) Add logging to the flow logger.
12 years ago
if (state == FLOW_STATE_NEW)
f->flow_end_flags |= FLOW_END_FLAG_STATE_NEW;
else if (state == FLOW_STATE_ESTABLISHED)
f->flow_end_flags |= FLOW_END_FLAG_STATE_ESTABLISHED;
else if (state == FLOW_STATE_CLOSED)
f->flow_end_flags |= FLOW_END_FLAG_STATE_CLOSED;
f->flow_end_flags |= FLOW_END_FLAG_FORCED;
if (SC_ATOMIC_GET(flow_flags) & FLOW_EMERGENCY)
f->flow_end_flags |= FLOW_END_FLAG_EMERGENCY;
flow: prepare flow forced reuse logging Most flows are marked for clean up by the flow manager, which then passes them to the recycler. The recycler logs and cleans up. However, under resource stress conditions, the packet threads can recycle existing flow directly. So here the recycler has no role to play, as the flow is immediately used. For this reason, the packet threads need to be able to invoke the flow logger directly. The flow logging thread ctx will stored in the DecodeThreadVars stucture. Therefore, this patch makes the DecodeThreadVars an argument to FlowHandlePacket.
12 years ago
/* invoke flow log api */
if (dtv && dtv->output_flow_thread_data)
(void)OutputFlowLog(tv, dtv->output_flow_thread_data, f);
Formatting and comment updates in flow files Some reformatting to meet coding standards. Added a few comments to make it more clear where p->flow gets set.
12 years ago
FlowClearMemory(f, f->protomap);
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
flow: create a flow lock macro API, implement it for mutex and rwlocks. Mutex remains the default.
14 years ago
FLOWLOCK_UNLOCK(f);
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
cleaning: fix warning when building with clang. clang was issuing some warnings related to unused return in function. This patch adds some needed error treatment and ignore the rest of the warnings by adding a cast to void.
14 years ago
(void) SC_ATOMIC_ADD(flow_prune_idx, (flow_config.hash_size - cnt));
flow engine: improve scalability Major redesign of the flow engine. Remove the flow queues that turned out to be major choke points when using many threads. Flow manager now walks the hash table directly. Simplify the way we get a new flow in case of emergency.
14 years ago
return f;
}
return NULL;
}