From c19cd12620b8d5ce90f37f8c6b52681bb06eb3d3 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Thu, 28 Jan 2016 21:41:24 +0100
Subject: [PATCH] flow: bypass encrypted and after stream depth flow

This patch activates bypass for encrypted flow and for flow that have reached stream depth on both side. For encrypted flow , suricata is stopping the inspection so we can just get it out via bypass. The same logic apply for flow that have reached the stream depth. For a basic test of feature, use the following ruleset:
```
table ip filter { chain output { type filter hook output priority 0; policy accept; ct mark 0x1 counter accept oif lo counter queue num 0 } chain connmark_save { type filter hook output priority 1; policy accept; mark 0x1 ct mark set mark counter ct mark 0x1 counter } }
```
And use bypass mark and mask of 1 in nfq configuration. Then you can test the system by scp big file to 127.0.0.1. You can also use iperf to measure the performance on localhost. It is recommended to lower the MTU to 1500 to get something more realistic by increasing the number of packets..
---
 src/stream-tcp.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 3bc8b5088d..062b44e12e 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -4635,6 +4635,15 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
 /* check for conditions that may make us not want to log this packet */
 /* streams that hit depth */
+ if ((ssn->client.flags & STREAMTCP_STREAM_FLAG_DEPTH_REACHED) &&
+ (ssn->server.flags & STREAMTCP_STREAM_FLAG_DEPTH_REACHED))
+ {
+ /* we can call bypass callback, if enabled */
+ if (StreamTcpBypassEnabled()) {
+ PacketBypassCallback(p);
+ }
+ }
+
 if ((ssn->client.flags & STREAMTCP_STREAM_FLAG_DEPTH_REACHED) || (ssn->server.flags & STREAMTCP_STREAM_FLAG_DEPTH_REACHED)) {
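Review bot: The new both-directions depth check in hunk 1 requests the bypass again on every later packet of the session, because nothing in the hunk records that PacketBypassCallback() has already been invoked for this flow; unless the callback is idempotent, that is a repeated call into the capture layer per packet. Either test a session-level "already bypassed" state before the call, or state the assumption in the comment, e.g. `/* runs for every packet once both sides hit depth; PacketBypassCallback() must be idempotent */`. The new block also re-tests the same two DEPTH_REACHED flags that the existing `||` condition directly below it tests, so it could be folded into that block as an inner `&&` check instead of a second, separate conditional. StreamTcpPacket continues outside the hunk.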
@@ -4646,6 +4655,10 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
 (PKT_IS_TOCLIENT(p) && (ssn->server.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY))) {
 p->flags |= PKT_STREAM_NOPCAPLOG;
+ /* we can call bypass callback, if enabled */
+ if (StreamTcpBypassEnabled()) {
+ PacketBypassCallback(p);
+ }
 }
 }
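Review bot: The bypass added in hunk 2 is keyed off the per-direction STREAMTCP_STREAM_FLAG_NOREASSEMBLY test, while hunk 1 requires DEPTH_REACHED on both ssn->client and ssn->server before bypassing; if the arm of the condition cut off above the hunk is the symmetric to-server/client-flag check, a flow is handed to bypass as soon as one direction stops reassembly, even though the other direction may still be under inspection. Requiring the flag on both sides, mirroring hunk 1, keeps the two paths consistent: `if ((ssn->client.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) && (ssn->server.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) && StreamTcpBypassEnabled())`. The commit message calls this the encrypted-flow case, but the flag name only says reassembly is off for that direction, so the comment should name the actual trigger rather than the generic `/* we can call bypass callback, if enabled */`. The `if` condition this block sits in starts outside the hunk.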