Properly lock flow before setting IP only action flags. Small alert api cleanups.

15 years ago · 42eeb84c9a
parent 9bae6a8628
commit 42eeb84c9a
3 changed files with 18 additions and 10 deletions
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@ -15,13 +15,18 @@
 * 02110-1301, USA.
 */

-#include "detect-engine-alert.h"
 #include "suricata-common.h"
+
 #include "detect.h"
+#include "detect-engine-alert.h"
+#include "detect-engine-threshold.h"
+
 #include "decode.h"
+
 #include "flow.h"
 #include "flow-private.h"

+
 /**
 * \brief Check if a certain sid alerted, this is used in the test functions
 *
@ -135,11 +140,13 @@ int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, Signature *s, Packet *p)
 * \param de_ctx detection engine context
 * \param det_ctx detection engine thread context
 * \param p pointer to the packet
- * \retval 1 if at least one signature match on this packet, 0 if not
 */
-int PacketAlertReal(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p) {
+void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p) {
+    SCEnter();
+
    int i = 0;
    Signature *s = NULL;
+
    for (i = 0; i < p->alerts.cnt; i++) {
        SCLogDebug("Sig->num: %"PRIu16, p->alerts.alerts[i].num);
        s = de_ctx->sig_array[p->alerts.alerts[i].num];
@ -156,12 +163,13 @@ int PacketAlertReal(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Pac

                    /* save in the flow that we scanned this direction... locking is
                     * done in the FlowSetIPOnlyFlag function. */
+
+                    /** \todo locking overhead: locked/unlocked twice */
                    if (p->flow != NULL) {
                        FlowSetIPOnlyFlag(p->flow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
-                    }

-                    /* Update flow flags for iponly */
-                    if (p->flow != NULL) {
+                        /* Update flow flags for iponly */
+                        SCMutexLock(&p->flow->m);
                        if (s->action & ACTION_DROP)
                            p->flow->flags |= FLOW_ACTION_DROP;
                        if (s->action & ACTION_REJECT)
@ -172,6 +180,7 @@ int PacketAlertReal(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Pac
                            p->flow->flags |= FLOW_ACTION_DROP;
                        if (s->action & ACTION_PASS)
                            p->flow->flags |= FLOW_ACTION_PASS;
+                        SCMutexUnlock(&p->flow->m);
                    }
                }
            }
@ -189,6 +198,5 @@ int PacketAlertReal(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Pac
         * have compacted the array and decreased cnt by one, so
         * process again the same position (with different alert now) */
    }
-
 }

--- a/src/detect-engine-alert.h
+++ b/src/detect-engine-alert.h
@ -4,7 +4,7 @@
 #include "decode.h"
 #include "detect.h"

-int PacketAlertReal(DetectEngineCtx *, DetectEngineThreadCtx *, Packet *);
+void PacketAlertFinalize(DetectEngineCtx *, DetectEngineThreadCtx *, Packet *);
 int PacketAlertAppend(DetectEngineThreadCtx *, Signature *, Packet *);
 int PacketAlertCheck(Packet *, uint32_t);
 int PacketAlertRemove(Packet *, uint16_t);
--- a/src/detect.c
+++ b/src/detect.c
@ -804,8 +804,8 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh

 end:
    /* so now let's iterate the alerts and remove the ones after a pass rule
-     * matched (if any). This is done inside PacketAlertReal() */
-    PacketAlertReal(de_ctx, det_ctx, p);
+     * matched (if any). This is done inside PacketAlertFinalize() */
+    PacketAlertFinalize(de_ctx, det_ctx, p);

    /* cleanup pkt specific part of the patternmatcher */
    PacketPatternCleanup(th_v, det_ctx);