From c880b79f45b0ddc269e5710a45549b23da748743 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Thu, 15 Oct 2015 15:22:44 +0200 Subject: [PATCH] detect: shrink sgh Turn list of mpm_ctx pointers into a union so that we don't waste space. The sgh's for tcp and udp are in one direction only, so the ts and tc ones are now in the union. --- src/detect-engine-mpm.c | 56 ++++++++++++++++++++++----------- src/detect.h | 68 ++++++++++++++++++++++------------------- 2 files changed, 74 insertions(+), 50 deletions(-) diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index e861e0ba5d..9a8a8bd6f9 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c @@ -1619,37 +1619,57 @@ MpmStore *MpmStorePrepareBuffer2(DetectEngineCtx *de_ctx, SigGroupHead *sgh, App /** \todo fixup old mpm ptrs. We could use the array directly later */ void MpmStoreFixup(SigGroupHead *sgh) { + if (!(SGH_PROTO(sgh, IPPROTO_TCP) || SGH_PROTO(sgh, IPPROTO_UDP))) + return; + +#define SET_TS(sgh, ptr) do { \ + if (SGH_DIRECTION_TS((sgh))) \ + (ptr) = (sgh)->init->app_mpms[i++]; \ + else \ + i++; \ + } while(0) + +#define SET_TC(sgh, ptr) do { \ + if (SGH_DIRECTION_TC((sgh))) \ + (ptr) = (sgh)->init->app_mpms[i++]; \ + else \ + i++; \ + } while(0) + int i = 0; - sgh->mpm_uri_ctx_ts = sgh->init->app_mpms[i++]; - sgh->mpm_hrud_ctx_ts = sgh->init->app_mpms[i++]; + SET_TS(sgh, sgh->mpm_uri_ctx_ts); + SET_TS(sgh, sgh->mpm_hrud_ctx_ts); - sgh->mpm_hhd_ctx_ts = sgh->init->app_mpms[i++]; - sgh->mpm_hhd_ctx_tc = sgh->init->app_mpms[i++]; + SET_TS(sgh, sgh->mpm_hhd_ctx_ts); + SET_TC(sgh, sgh->mpm_hhd_ctx_tc); - sgh->mpm_huad_ctx_ts = sgh->init->app_mpms[i++]; + SET_TS(sgh, sgh->mpm_huad_ctx_ts); - sgh->mpm_hrhd_ctx_ts = sgh->init->app_mpms[i++]; - sgh->mpm_hrhd_ctx_tc = sgh->init->app_mpms[i++]; + SET_TS(sgh, sgh->mpm_hrhd_ctx_ts); + SET_TC(sgh, sgh->mpm_hrhd_ctx_tc); - sgh->mpm_hmd_ctx_ts = sgh->init->app_mpms[i++]; + SET_TS(sgh, sgh->mpm_hmd_ctx_ts); - sgh->mpm_smtp_filedata_ctx_ts = sgh->init->app_mpms[i++]; - sgh->mpm_hsbd_ctx_tc = sgh->init->app_mpms[i++]; + SET_TS(sgh, sgh->mpm_smtp_filedata_ctx_ts); + SET_TC(sgh, sgh->mpm_hsbd_ctx_tc); - sgh->mpm_hsmd_ctx_tc = sgh->init->app_mpms[i++]; - sgh->mpm_hscd_ctx_tc = sgh->init->app_mpms[i++]; + SET_TC(sgh, sgh->mpm_hsmd_ctx_tc); + SET_TC(sgh, sgh->mpm_hscd_ctx_tc); - sgh->mpm_hcbd_ctx_ts = sgh->init->app_mpms[i++]; + SET_TS(sgh, sgh->mpm_hcbd_ctx_ts); - sgh->mpm_hhhd_ctx_ts = sgh->init->app_mpms[i++]; - sgh->mpm_hrhhd_ctx_ts = sgh->init->app_mpms[i++]; + SET_TS(sgh, sgh->mpm_hhhd_ctx_ts); + SET_TS(sgh, sgh->mpm_hrhhd_ctx_ts); - sgh->mpm_hcd_ctx_ts = sgh->init->app_mpms[i++]; - sgh->mpm_hcd_ctx_tc = sgh->init->app_mpms[i++]; + SET_TS(sgh, sgh->mpm_hcd_ctx_ts); + SET_TC(sgh, sgh->mpm_hcd_ctx_tc); - sgh->mpm_dnsquery_ctx_ts = sgh->init->app_mpms[i++]; + SET_TS(sgh, sgh->mpm_dnsquery_ctx_ts); BUG_ON(APP_MPMS_MAX != 18 || i != 18); + +#undef SET_TS +#undef SET_TC } /** \brief Prepare the pattern matcher ctx in a sig group head. diff --git a/src/detect.h b/src/detect.h index cad6f7c6bb..6535be6d2a 100644 --- a/src/detect.h +++ b/src/detect.h @@ -976,49 +976,53 @@ typedef struct SigGroupHead_ { /* track min pattern length for content. Used in grouping */ uint16_t mpm_content_minlen; + uint16_t mpm_uricontent_minlen; /**< len of shortest mpm pattern in sgh */ /* non mpm list excluding SYN rules */ - SignatureNonMpmStore *non_mpm_other_store_array; // size is non_mpm_store_cnt * sizeof(SignatureNonMpmStore) uint32_t non_mpm_other_store_cnt; + SignatureNonMpmStore *non_mpm_other_store_array; // size is non_mpm_store_cnt * sizeof(SignatureNonMpmStore) /* non mpm list including SYN rules */ SignatureNonMpmStore *non_mpm_syn_store_array; // size is non_mpm_syn_store_cnt * sizeof(SignatureNonMpmStore) uint32_t non_mpm_syn_store_cnt; - /* pattern matcher instances */ - const MpmCtx *mpm_proto_other_ctx; - - const MpmCtx *mpm_proto_tcp_ctx_ts; - const MpmCtx *mpm_proto_udp_ctx_ts; - const MpmCtx *mpm_stream_ctx_ts; - const MpmCtx *mpm_uri_ctx_ts; - const MpmCtx *mpm_hcbd_ctx_ts; - const MpmCtx *mpm_hhd_ctx_ts; - const MpmCtx *mpm_hrhd_ctx_ts; - const MpmCtx *mpm_hmd_ctx_ts; - const MpmCtx *mpm_hcd_ctx_ts; - const MpmCtx *mpm_hrud_ctx_ts; - const MpmCtx *mpm_huad_ctx_ts; - const MpmCtx *mpm_hhhd_ctx_ts; - const MpmCtx *mpm_hrhhd_ctx_ts; - const MpmCtx *mpm_dnsquery_ctx_ts; - const MpmCtx *mpm_smtp_filedata_ctx_ts; - - const MpmCtx *mpm_proto_tcp_ctx_tc; - const MpmCtx *mpm_proto_udp_ctx_tc; - const MpmCtx *mpm_stream_ctx_tc; - const MpmCtx *mpm_hsbd_ctx_tc; - const MpmCtx *mpm_hhd_ctx_tc; - const MpmCtx *mpm_hrhd_ctx_tc; - const MpmCtx *mpm_hcd_ctx_tc; - const MpmCtx *mpm_hsmd_ctx_tc; - const MpmCtx *mpm_hscd_ctx_tc; - - uint16_t mpm_uricontent_minlen; /**< len of shortest mpm pattern in sgh */ - /** the number of signatures in this sgh that have the filestore keyword * set. */ uint16_t filestore_cnt; + /* pattern matcher instances */ + const MpmCtx *mpm_proto_other_ctx; + + union { + struct { + const MpmCtx *mpm_proto_tcp_ctx_ts; + const MpmCtx *mpm_proto_udp_ctx_ts; + const MpmCtx *mpm_stream_ctx_ts; + const MpmCtx *mpm_uri_ctx_ts; + const MpmCtx *mpm_hcbd_ctx_ts; + const MpmCtx *mpm_hhd_ctx_ts; + const MpmCtx *mpm_hrhd_ctx_ts; + const MpmCtx *mpm_hmd_ctx_ts; + const MpmCtx *mpm_hcd_ctx_ts; + const MpmCtx *mpm_hrud_ctx_ts; + const MpmCtx *mpm_huad_ctx_ts; + const MpmCtx *mpm_hhhd_ctx_ts; + const MpmCtx *mpm_hrhhd_ctx_ts; + const MpmCtx *mpm_dnsquery_ctx_ts; + const MpmCtx *mpm_smtp_filedata_ctx_ts; + }; + struct { + const MpmCtx *mpm_proto_tcp_ctx_tc; + const MpmCtx *mpm_proto_udp_ctx_tc; + const MpmCtx *mpm_stream_ctx_tc; + const MpmCtx *mpm_hsbd_ctx_tc; + const MpmCtx *mpm_hhd_ctx_tc; + const MpmCtx *mpm_hrhd_ctx_tc; + const MpmCtx *mpm_hcd_ctx_tc; + const MpmCtx *mpm_hsmd_ctx_tc; + const MpmCtx *mpm_hscd_ctx_tc; + }; + }; + /** Array with sig ptrs... size is sig_cnt * sizeof(Signature *) */ Signature **match_array;