suricata  5.0.3
About: Suricata is a high performance Network Intrusion Detection (IDS) and Prevention (IPS) and Network Security Monitoring engine.
  Fossies Dox: suricata-5.0.3.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

flow.h File Reference
#include "decode.h"
#include "util-var.h"
#include "util-atomic.h"
#include "util-device.h"
#include "detect-tag.h"
#include "util-optimize.h"

Data Structures

struct  FlowCnf_
 
struct  FlowKey_
 
struct  FlowAddress_
 
struct  Flow_
 Flow data structure. More...
 
struct  FlowProtoTimeout_
 
struct  FlowProtoFreeFunc_
 
struct  FlowBypassInfo_
 

Macros

#define FLOW_QUIET   TRUE
 
#define FLOW_VERBOSE   FALSE
 
#define TOSERVER   0
 
#define TOCLIENT   1
 
#define FLOW_TO_SRC_SEEN   BIT_U32(0)
 
#define FLOW_TO_DST_SEEN   BIT_U32(1)
 
#define FLOW_TCP_REUSED   BIT_U32(2)
 
#define FLOW_TOSERVER_IPONLY_SET   BIT_U32(3)
 
#define FLOW_TOCLIENT_IPONLY_SET   BIT_U32(4)
 
#define FLOW_NOPACKET_INSPECTION   BIT_U32(5)
 
#define FLOW_NOPAYLOAD_INSPECTION   BIT_U32(6)
 
#define FLOW_ACTION_DROP   BIT_U32(7)
 
#define FLOW_SGH_TOSERVER   BIT_U32(8)
 
#define FLOW_SGH_TOCLIENT   BIT_U32(9)
 
#define FLOW_TOSERVER_DROP_LOGGED   BIT_U32(10)
 
#define FLOW_TOCLIENT_DROP_LOGGED   BIT_U32(11)
 
#define FLOW_HAS_ALERTS   BIT_U32(12)
 
#define FLOW_TS_PM_ALPROTO_DETECT_DONE   BIT_U32(13)
 
#define FLOW_TS_PP_ALPROTO_DETECT_DONE   BIT_U32(14)
 
#define FLOW_TS_PE_ALPROTO_DETECT_DONE   BIT_U32(15)
 
#define FLOW_TC_PM_ALPROTO_DETECT_DONE   BIT_U32(16)
 
#define FLOW_TC_PP_ALPROTO_DETECT_DONE   BIT_U32(17)
 
#define FLOW_TC_PE_ALPROTO_DETECT_DONE   BIT_U32(18)
 
#define FLOW_TIMEOUT_REASSEMBLY_DONE   BIT_U32(19)
 
#define FLOW_IPV4   BIT_U32(20)
 
#define FLOW_IPV6   BIT_U32(21)
 
#define FLOW_PROTO_DETECT_TS_DONE   BIT_U32(22)
 
#define FLOW_PROTO_DETECT_TC_DONE   BIT_U32(23)
 
#define FLOW_CHANGE_PROTO   BIT_U32(24)
 
#define FLOW_WRONG_THREAD   BIT_U32(25)
 
#define FLOW_DIR_REVERSED   BIT_U32(26)
 
#define FLOW_HAS_EXPECTATION   BIT_U32(27)
 
#define FLOWFILE_NO_MAGIC_TS   BIT_U16(0)
 
#define FLOWFILE_NO_MAGIC_TC   BIT_U16(1)
 
#define FLOWFILE_NO_STORE_TS   BIT_U16(2)
 
#define FLOWFILE_NO_STORE_TC   BIT_U16(3)
 
#define FLOWFILE_NO_MD5_TS   BIT_U16(4)
 
#define FLOWFILE_NO_MD5_TC   BIT_U16(5)
 
#define FLOWFILE_NO_SHA1_TS   BIT_U16(6)
 
#define FLOWFILE_NO_SHA1_TC   BIT_U16(7)
 
#define FLOWFILE_NO_SHA256_TS   BIT_U16(8)
 
#define FLOWFILE_NO_SHA256_TC   BIT_U16(9)
 
#define FLOWFILE_NO_SIZE_TS   BIT_U16(10)
 
#define FLOWFILE_NO_SIZE_TC   BIT_U16(11)
 
#define FLOW_IS_IPV4(f)   (((f)->flags & FLOW_IPV4) == FLOW_IPV4)
 
#define FLOW_IS_IPV6(f)   (((f)->flags & FLOW_IPV6) == FLOW_IPV6)
 
#define FLOW_GET_SP(f)   ((f)->flags & FLOW_DIR_REVERSED) ? (f)->dp : (f)->sp;
 
#define FLOW_GET_DP(f)   ((f)->flags & FLOW_DIR_REVERSED) ? (f)->sp : (f)->dp;
 
#define FLOW_COPY_IPV4_ADDR_TO_PACKET(fa, pa)
 
#define FLOW_COPY_IPV6_ADDR_TO_PACKET(fa, pa)
 
#define FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET(p, a)
 
#define FLOW_SET_IPV4_DST_ADDR_FROM_PACKET(p, a)
 
#define FLOW_CLEAR_ADDR(a)
 
#define FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET(p, a)
 
#define FLOW_SET_IPV6_DST_ADDR_FROM_PACKET(p, a)
 
#define FLOW_PKT_TOSERVER   0x01
 
#define FLOW_PKT_TOCLIENT   0x02
 
#define FLOW_PKT_ESTABLISHED   0x04
 
#define FLOW_PKT_TOSERVER_IPONLY_SET   0x08
 
#define FLOW_PKT_TOCLIENT_IPONLY_SET   0x10
 
#define FLOW_PKT_TOSERVER_FIRST   0x20
 
#define FLOW_PKT_TOCLIENT_FIRST   0x40
 
#define FLOW_END_FLAG_STATE_NEW   0x01
 
#define FLOW_END_FLAG_STATE_ESTABLISHED   0x02
 
#define FLOW_END_FLAG_STATE_CLOSED   0x04
 
#define FLOW_END_FLAG_EMERGENCY   0x08
 
#define FLOW_END_FLAG_TIMEOUT   0x10
 
#define FLOW_END_FLAG_FORCED   0x20
 
#define FLOW_END_FLAG_SHUTDOWN   0x40
 
#define FLOW_END_FLAG_STATE_BYPASSED   0x80
 
#define FLOWLOCK_MUTEX
 
#define FLOWLOCK_INIT(fb)   SCMutexInit(&(fb)->m, NULL)
 
#define FLOWLOCK_DESTROY(fb)   SCMutexDestroy(&(fb)->m)
 
#define FLOWLOCK_RDLOCK(fb)   SCMutexLock(&(fb)->m)
 
#define FLOWLOCK_WRLOCK(fb)   SCMutexLock(&(fb)->m)
 
#define FLOWLOCK_TRYRDLOCK(fb)   SCMutexTrylock(&(fb)->m)
 
#define FLOWLOCK_TRYWRLOCK(fb)   SCMutexTrylock(&(fb)->m)
 
#define FLOWLOCK_UNLOCK(fb)   SCMutexUnlock(&(fb)->m)
 
#define FLOW_IS_PM_DONE(f, dir)   (((dir) & STREAM_TOSERVER) ? ((f)->flags & FLOW_TS_PM_ALPROTO_DETECT_DONE) : ((f)->flags & FLOW_TC_PM_ALPROTO_DETECT_DONE))
 
#define FLOW_IS_PP_DONE(f, dir)   (((dir) & STREAM_TOSERVER) ? ((f)->flags & FLOW_TS_PP_ALPROTO_DETECT_DONE) : ((f)->flags & FLOW_TC_PP_ALPROTO_DETECT_DONE))
 
#define FLOW_IS_PE_DONE(f, dir)   (((dir) & STREAM_TOSERVER) ? ((f)->flags & FLOW_TS_PE_ALPROTO_DETECT_DONE) : ((f)->flags & FLOW_TC_PE_ALPROTO_DETECT_DONE))
 
#define FLOW_SET_PM_DONE(f, dir)   (((dir) & STREAM_TOSERVER) ? ((f)->flags |= FLOW_TS_PM_ALPROTO_DETECT_DONE) : ((f)->flags |= FLOW_TC_PM_ALPROTO_DETECT_DONE))
 
#define FLOW_SET_PP_DONE(f, dir)   (((dir) & STREAM_TOSERVER) ? ((f)->flags |= FLOW_TS_PP_ALPROTO_DETECT_DONE) : ((f)->flags |= FLOW_TC_PP_ALPROTO_DETECT_DONE))
 
#define FLOW_SET_PE_DONE(f, dir)   (((dir) & STREAM_TOSERVER) ? ((f)->flags |= FLOW_TS_PE_ALPROTO_DETECT_DONE) : ((f)->flags |= FLOW_TC_PE_ALPROTO_DETECT_DONE))
 
#define FLOW_RESET_PM_DONE(f, dir)   (((dir) & STREAM_TOSERVER) ? ((f)->flags &= ~FLOW_TS_PM_ALPROTO_DETECT_DONE) : ((f)->flags &= ~FLOW_TC_PM_ALPROTO_DETECT_DONE))
 
#define FLOW_RESET_PP_DONE(f, dir)   (((dir) & STREAM_TOSERVER) ? ((f)->flags &= ~FLOW_TS_PP_ALPROTO_DETECT_DONE) : ((f)->flags &= ~FLOW_TC_PP_ALPROTO_DETECT_DONE))
 
#define FLOW_RESET_PE_DONE(f, dir)   (((dir) & STREAM_TOSERVER) ? ((f)->flags &= ~FLOW_TS_PE_ALPROTO_DETECT_DONE) : ((f)->flags &= ~FLOW_TC_PE_ALPROTO_DETECT_DONE))
 
#define addr_data32   address.address_un_data32
 
#define addr_data16   address.address_un_data16
 
#define addr_data8   address.address_un_data8
 

Typedefs

typedef struct AppLayerParserState_ AppLayerParserState
 
typedef struct FlowCnf_ FlowConfig
 
typedef struct FlowKey_ FlowKey
 
typedef struct FlowAddress_ FlowAddress
 
typedef unsigned short FlowRefCount
 
typedef unsigned short FlowStateType
 
typedef uint16_t FlowThreadId
 
typedef struct Flow_ Flow
 Flow data structure. More...
 
typedef struct FlowProtoTimeout_ FlowProtoTimeout
 
typedef struct FlowProtoFreeFunc_ FlowProtoFreeFunc
 
typedef struct FlowBypassInfo_ FlowBypassInfo
 

Enumerations

enum  FlowState { FLOW_STATE_NEW = 0, FLOW_STATE_ESTABLISHED, FLOW_STATE_CLOSED, FLOW_STATE_LOCAL_BYPASSED }
 

Functions

void FlowSetupPacket (Packet *p)
 Prepare packet for a life with flow. Set the PKT_WANTS_FLOW flag to indicate that workers should do a flow lookup, and calculate the hash value to be used in the lookup and in autofp flow balancing. More...
 
void FlowHandlePacket (ThreadVars *, DecodeThreadVars *, Packet *)
 Entry point for packet flow handling. More...
 
void FlowInitConfig (char)
 initialize the configuration More...
 
void FlowPrintQueueInfo (void)
 
void FlowShutdown (void)
 shutdown the flow engine More...
 
void FlowSetIPOnlyFlag (Flow *, int)
 Set the IPOnly scanned flag for 'direction'. More...
 
void FlowSetHasAlertsFlag (Flow *)
 Set flag to indicate that flow has alerts. More...
 
int FlowHasAlerts (const Flow *)
 Check if flow has alerts. More...
 
void FlowSetChangeProtoFlag (Flow *)
 Set flag to indicate to change proto for the flow. More...
 
void FlowUnsetChangeProtoFlag (Flow *)
 Unset flag to indicate to change proto for the flow. More...
 
int FlowChangeProto (Flow *)
 Check if change proto flag is set for flow. More...
 
void FlowSwap (Flow *)
 swap the flow's direction More...
 
void FlowRegisterTests (void)
 Function to register the Flow unit tests. More...
 
int FlowSetProtoTimeout (uint8_t, uint32_t, uint32_t, uint32_t)
 
int FlowSetProtoEmergencyTimeout (uint8_t, uint32_t, uint32_t, uint32_t)
 
int FlowSetProtoFreeFunc (uint8_t, void(*Free)(void *))
 Function to set the function to get protocol specific flow state. More...
 
void FlowUpdateQueue (Flow *)
 
int FlowUpdateSpareFlows (void)
 Make sure we have enough spare flows. More...
 
static void FlowSetNoPacketInspectionFlag (Flow *f)
 Set the No Packet Inspection Flag without locking the flow. More...
 
static void FlowSetNoPayloadInspectionFlag (Flow *f)
 Set the No payload inspection Flag without locking the flow. More...
 
int FlowGetPacketDirection (const Flow *, const Packet *)
 determine the direction of the packet compared to the flow More...
 
void FlowCleanupAppLayer (Flow *)
 
void FlowUpdateState (Flow *f, enum FlowState s)
 
int FlowSetMemcap (uint64_t size)
 Update memcap value. More...
 
uint64_t FlowGetMemcap (void)
 Return memcap value. More...
 
uint64_t FlowGetMemuse (void)
 
int GetFlowBypassInfoID (void)
 
void RegisterFlowBypassInfo (void)
 
void FlowGetLastTimeAsParts (Flow *flow, uint64_t *secs, uint64_t *usecs)
 Get flow last time as individual values. More...
 
static void FlowIncrUsecnt (Flow *f)
 increase the use count of a flow More...
 
static void FlowDecrUsecnt (Flow *f)
 decrease the use count of a flow More...
 
static void FlowReference (Flow **d, Flow *f)
 Reference the flow, bumping the flows use_cnt. More...
 
static void FlowDeReference (Flow **d)
 
static int64_t FlowGetId (const Flow *f)
 create a flow id that is as unique as possible More...
 
int FlowClearMemory (Flow *, uint8_t)
 Function to clear the flow memory before queueing it to the spare flow queue. More...
 
AppProto FlowGetAppProtocol (const Flow *f)
 
void * FlowGetAppState (const Flow *f)
 
uint8_t FlowGetDisruptionFlags (const Flow *f, uint8_t flags)
 get 'disruption' flags: GAP/DEPTH/PASS More...
 
void FlowHandlePacketUpdate (Flow *f, Packet *p)
 Update Packet and Flow. More...
 

Detailed Description

Author
Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Definition in file flow.h.

Macro Definition Documentation

◆ addr_data16

#define addr_data16   address.address_un_data16

Definition at line 300 of file flow.h.

◆ addr_data32

#define addr_data32   address.address_un_data32

Definition at line 299 of file flow.h.

◆ addr_data8

#define addr_data8   address.address_un_data8

Definition at line 301 of file flow.h.

◆ FLOW_ACTION_DROP

#define FLOW_ACTION_DROP   BIT_U32(7)

All packets in this flow should be dropped

Definition at line 65 of file flow.h.

◆ FLOW_CHANGE_PROTO

#define FLOW_CHANGE_PROTO   BIT_U32(24)

Indicate that alproto detection for flow should be done again

Definition at line 103 of file flow.h.

◆ FLOW_CLEAR_ADDR

#define FLOW_CLEAR_ADDR (   a)
Value:
do { \
(a)->addr_data32[0] = 0; \
(a)->addr_data32[1] = 0; \
(a)->addr_data32[2] = 0; \
(a)->addr_data32[3] = 0; \
} while (0)

Definition at line 180 of file flow.h.

◆ FLOW_COPY_IPV4_ADDR_TO_PACKET

#define FLOW_COPY_IPV4_ADDR_TO_PACKET (   fa,
  pa 
)
Value:
do { \
(pa)->family = AF_INET; \
(pa)->addr_data32[0] = (fa)->addr_data32[0]; \
} while (0)

Definition at line 147 of file flow.h.

◆ FLOW_COPY_IPV6_ADDR_TO_PACKET

#define FLOW_COPY_IPV6_ADDR_TO_PACKET (   fa,
  pa 
)
Value:
do { \
(pa)->family = AF_INET6; \
(pa)->addr_data32[0] = (fa)->addr_data32[0]; \
(pa)->addr_data32[1] = (fa)->addr_data32[1]; \
(pa)->addr_data32[2] = (fa)->addr_data32[2]; \
(pa)->addr_data32[3] = (fa)->addr_data32[3]; \
} while (0)

Definition at line 152 of file flow.h.

◆ FLOW_DIR_REVERSED

#define FLOW_DIR_REVERSED   BIT_U32(26)

Protocol detection told us flow is picked up in wrong direction (midstream)

Definition at line 107 of file flow.h.

◆ FLOW_END_FLAG_EMERGENCY

#define FLOW_END_FLAG_EMERGENCY   0x08

Definition at line 215 of file flow.h.

◆ FLOW_END_FLAG_FORCED

#define FLOW_END_FLAG_FORCED   0x20

Definition at line 217 of file flow.h.

◆ FLOW_END_FLAG_SHUTDOWN

#define FLOW_END_FLAG_SHUTDOWN   0x40

Definition at line 218 of file flow.h.

◆ FLOW_END_FLAG_STATE_BYPASSED

#define FLOW_END_FLAG_STATE_BYPASSED   0x80

Definition at line 219 of file flow.h.

◆ FLOW_END_FLAG_STATE_CLOSED

#define FLOW_END_FLAG_STATE_CLOSED   0x04

Definition at line 214 of file flow.h.

◆ FLOW_END_FLAG_STATE_ESTABLISHED

#define FLOW_END_FLAG_STATE_ESTABLISHED   0x02

Definition at line 213 of file flow.h.

◆ FLOW_END_FLAG_STATE_NEW

#define FLOW_END_FLAG_STATE_NEW   0x01

Definition at line 212 of file flow.h.

◆ FLOW_END_FLAG_TIMEOUT

#define FLOW_END_FLAG_TIMEOUT   0x10

Definition at line 216 of file flow.h.

◆ FLOW_GET_DP

#define FLOW_GET_DP (   f)    ((f)->flags & FLOW_DIR_REVERSED) ? (f)->sp : (f)->dp;

Definition at line 144 of file flow.h.

◆ FLOW_GET_SP

#define FLOW_GET_SP (   f)    ((f)->flags & FLOW_DIR_REVERSED) ? (f)->dp : (f)->sp;

Definition at line 142 of file flow.h.

◆ FLOW_HAS_ALERTS

#define FLOW_HAS_ALERTS   BIT_U32(12)

flow has alerts

Definition at line 78 of file flow.h.

◆ FLOW_HAS_EXPECTATION

#define FLOW_HAS_EXPECTATION   BIT_U32(27)

Indicate that the flow did trigger an expectation creation

Definition at line 109 of file flow.h.

◆ FLOW_IPV4

#define FLOW_IPV4   BIT_U32(20)

flow is ipv4

Definition at line 95 of file flow.h.

◆ FLOW_IPV6

#define FLOW_IPV6   BIT_U32(21)

flow is ipv6

Definition at line 97 of file flow.h.

◆ FLOW_IS_IPV4

#define FLOW_IS_IPV4 (   f)    (((f)->flags & FLOW_IPV4) == FLOW_IPV4)

Definition at line 137 of file flow.h.

◆ FLOW_IS_IPV6

#define FLOW_IS_IPV6 (   f)    (((f)->flags & FLOW_IPV6) == FLOW_IPV6)

Definition at line 139 of file flow.h.

◆ FLOW_IS_PE_DONE

#define FLOW_IS_PE_DONE (   f,
  dir 
)    (((dir) & STREAM_TOSERVER) ? ((f)->flags & FLOW_TS_PE_ALPROTO_DETECT_DONE) : ((f)->flags & FLOW_TC_PE_ALPROTO_DETECT_DONE))

Definition at line 253 of file flow.h.

◆ FLOW_IS_PM_DONE

#define FLOW_IS_PM_DONE (   f,
  dir 
)    (((dir) & STREAM_TOSERVER) ? ((f)->flags & FLOW_TS_PM_ALPROTO_DETECT_DONE) : ((f)->flags & FLOW_TC_PM_ALPROTO_DETECT_DONE))

Definition at line 251 of file flow.h.

◆ FLOW_IS_PP_DONE

#define FLOW_IS_PP_DONE (   f,
  dir 
)    (((dir) & STREAM_TOSERVER) ? ((f)->flags & FLOW_TS_PP_ALPROTO_DETECT_DONE) : ((f)->flags & FLOW_TC_PP_ALPROTO_DETECT_DONE))

Definition at line 252 of file flow.h.

◆ FLOW_NOPACKET_INSPECTION

#define FLOW_NOPACKET_INSPECTION   BIT_U32(5)

Packet belonging to this flow should not be inspected at all

Definition at line 60 of file flow.h.

◆ FLOW_NOPAYLOAD_INSPECTION

#define FLOW_NOPAYLOAD_INSPECTION   BIT_U32(6)

Packet payloads belonging to this flow should not be inspected

Definition at line 62 of file flow.h.

◆ FLOW_PKT_ESTABLISHED

#define FLOW_PKT_ESTABLISHED   0x04

Definition at line 206 of file flow.h.

◆ FLOW_PKT_TOCLIENT

#define FLOW_PKT_TOCLIENT   0x02

Definition at line 205 of file flow.h.

◆ FLOW_PKT_TOCLIENT_FIRST

#define FLOW_PKT_TOCLIENT_FIRST   0x40

Definition at line 210 of file flow.h.

◆ FLOW_PKT_TOCLIENT_IPONLY_SET

#define FLOW_PKT_TOCLIENT_IPONLY_SET   0x10

Definition at line 208 of file flow.h.

◆ FLOW_PKT_TOSERVER

#define FLOW_PKT_TOSERVER   0x01

Definition at line 204 of file flow.h.

◆ FLOW_PKT_TOSERVER_FIRST

#define FLOW_PKT_TOSERVER_FIRST   0x20

Definition at line 209 of file flow.h.

◆ FLOW_PKT_TOSERVER_IPONLY_SET

#define FLOW_PKT_TOSERVER_IPONLY_SET   0x08

Definition at line 207 of file flow.h.

◆ FLOW_PROTO_DETECT_TC_DONE

#define FLOW_PROTO_DETECT_TC_DONE   BIT_U32(23)

Definition at line 100 of file flow.h.

◆ FLOW_PROTO_DETECT_TS_DONE

#define FLOW_PROTO_DETECT_TS_DONE   BIT_U32(22)

Definition at line 99 of file flow.h.

◆ FLOW_QUIET

#define FLOW_QUIET   TRUE

Definition at line 39 of file flow.h.

◆ FLOW_RESET_PE_DONE

#define FLOW_RESET_PE_DONE (   f,
  dir 
)    (((dir) & STREAM_TOSERVER) ? ((f)->flags &= ~FLOW_TS_PE_ALPROTO_DETECT_DONE) : ((f)->flags &= ~FLOW_TC_PE_ALPROTO_DETECT_DONE))

Definition at line 261 of file flow.h.

◆ FLOW_RESET_PM_DONE

#define FLOW_RESET_PM_DONE (   f,
  dir 
)    (((dir) & STREAM_TOSERVER) ? ((f)->flags &= ~FLOW_TS_PM_ALPROTO_DETECT_DONE) : ((f)->flags &= ~FLOW_TC_PM_ALPROTO_DETECT_DONE))

Definition at line 259 of file flow.h.

◆ FLOW_RESET_PP_DONE

#define FLOW_RESET_PP_DONE (   f,
  dir 
)    (((dir) & STREAM_TOSERVER) ? ((f)->flags &= ~FLOW_TS_PP_ALPROTO_DETECT_DONE) : ((f)->flags &= ~FLOW_TC_PP_ALPROTO_DETECT_DONE))

Definition at line 260 of file flow.h.

◆ FLOW_SET_IPV4_DST_ADDR_FROM_PACKET

#define FLOW_SET_IPV4_DST_ADDR_FROM_PACKET (   p,
  a 
)
Value:
do { \
(a)->addr_data32[0] = (uint32_t)(p)->ip4h->s_ip_dst.s_addr; \
(a)->addr_data32[1] = 0; \
(a)->addr_data32[2] = 0; \
(a)->addr_data32[3] = 0; \
} while (0)

Definition at line 172 of file flow.h.

◆ FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET

#define FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET (   p,
  a 
)
Value:
do { \
(a)->addr_data32[0] = (uint32_t)(p)->ip4h->s_ip_src.s_addr; \
(a)->addr_data32[1] = 0; \
(a)->addr_data32[2] = 0; \
(a)->addr_data32[3] = 0; \
} while (0)

Definition at line 165 of file flow.h.

◆ FLOW_SET_IPV6_DST_ADDR_FROM_PACKET

#define FLOW_SET_IPV6_DST_ADDR_FROM_PACKET (   p,
  a 
)
Value:
do { \
(a)->addr_data32[0] = (p)->ip6h->s_ip6_dst[0]; \
(a)->addr_data32[1] = (p)->ip6h->s_ip6_dst[1]; \
(a)->addr_data32[2] = (p)->ip6h->s_ip6_dst[2]; \
(a)->addr_data32[3] = (p)->ip6h->s_ip6_dst[3]; \
} while (0)

Definition at line 196 of file flow.h.

◆ FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET

#define FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET (   p,
  a 
)
Value:
do { \
(a)->addr_data32[0] = (p)->ip6h->s_ip6_src[0]; \
(a)->addr_data32[1] = (p)->ip6h->s_ip6_src[1]; \
(a)->addr_data32[2] = (p)->ip6h->s_ip6_src[2]; \
(a)->addr_data32[3] = (p)->ip6h->s_ip6_src[3]; \
} while (0)

Definition at line 189 of file flow.h.

◆ FLOW_SET_PE_DONE

#define FLOW_SET_PE_DONE (   f,
  dir 
)    (((dir) & STREAM_TOSERVER) ? ((f)->flags |= FLOW_TS_PE_ALPROTO_DETECT_DONE) : ((f)->flags |= FLOW_TC_PE_ALPROTO_DETECT_DONE))

Definition at line 257 of file flow.h.

◆ FLOW_SET_PM_DONE

#define FLOW_SET_PM_DONE (   f,
  dir 
)    (((dir) & STREAM_TOSERVER) ? ((f)->flags |= FLOW_TS_PM_ALPROTO_DETECT_DONE) : ((f)->flags |= FLOW_TC_PM_ALPROTO_DETECT_DONE))

Definition at line 255 of file flow.h.

◆ FLOW_SET_PP_DONE

#define FLOW_SET_PP_DONE (   f,
  dir 
)    (((dir) & STREAM_TOSERVER) ? ((f)->flags |= FLOW_TS_PP_ALPROTO_DETECT_DONE) : ((f)->flags |= FLOW_TC_PP_ALPROTO_DETECT_DONE))

Definition at line 256 of file flow.h.

◆ FLOW_SGH_TOCLIENT

#define FLOW_SGH_TOCLIENT   BIT_U32(9)

Sgh for toclient direction set (even if it's NULL)

Definition at line 70 of file flow.h.

◆ FLOW_SGH_TOSERVER

#define FLOW_SGH_TOSERVER   BIT_U32(8)

Sgh for toserver direction set (even if it's NULL)

Definition at line 68 of file flow.h.

◆ FLOW_TC_PE_ALPROTO_DETECT_DONE

#define FLOW_TC_PE_ALPROTO_DETECT_DONE   BIT_U32(18)

Expectation alproto detection done

Definition at line 91 of file flow.h.

◆ FLOW_TC_PM_ALPROTO_DETECT_DONE

#define FLOW_TC_PM_ALPROTO_DETECT_DONE   BIT_U32(16)

Pattern matcher alproto detection done

Definition at line 87 of file flow.h.

◆ FLOW_TC_PP_ALPROTO_DETECT_DONE

#define FLOW_TC_PP_ALPROTO_DETECT_DONE   BIT_U32(17)

Probing parser alproto detection done

Definition at line 89 of file flow.h.

◆ FLOW_TCP_REUSED

#define FLOW_TCP_REUSED   BIT_U32(2)

Don't return this from the flow hash. It has been replaced.

Definition at line 52 of file flow.h.

◆ FLOW_TIMEOUT_REASSEMBLY_DONE

#define FLOW_TIMEOUT_REASSEMBLY_DONE   BIT_U32(19)

Definition at line 92 of file flow.h.

◆ FLOW_TO_DST_SEEN

#define FLOW_TO_DST_SEEN   BIT_U32(1)

At least one packet from the destination address was seen

Definition at line 50 of file flow.h.

◆ FLOW_TO_SRC_SEEN

#define FLOW_TO_SRC_SEEN   BIT_U32(0)

At least one packet from the source address was seen

Definition at line 48 of file flow.h.

◆ FLOW_TOCLIENT_DROP_LOGGED

#define FLOW_TOCLIENT_DROP_LOGGED   BIT_U32(11)

packet to client direction has been logged in drop file (only in IPS mode)

Definition at line 75 of file flow.h.

◆ FLOW_TOCLIENT_IPONLY_SET

#define FLOW_TOCLIENT_IPONLY_SET   BIT_U32(4)

Flow was inspected against IP-Only sigs in the toclient direction

Definition at line 57 of file flow.h.

◆ FLOW_TOSERVER_DROP_LOGGED

#define FLOW_TOSERVER_DROP_LOGGED   BIT_U32(10)

packet to server direction has been logged in drop file (only in IPS mode)

Definition at line 73 of file flow.h.

◆ FLOW_TOSERVER_IPONLY_SET

#define FLOW_TOSERVER_IPONLY_SET   BIT_U32(3)

Flow was inspected against IP-Only sigs in the toserver direction

Definition at line 55 of file flow.h.

◆ FLOW_TS_PE_ALPROTO_DETECT_DONE

#define FLOW_TS_PE_ALPROTO_DETECT_DONE   BIT_U32(15)

Expectation alproto detection done

Definition at line 85 of file flow.h.

◆ FLOW_TS_PM_ALPROTO_DETECT_DONE

#define FLOW_TS_PM_ALPROTO_DETECT_DONE   BIT_U32(13)

Pattern matcher alproto detection done

Definition at line 81 of file flow.h.

◆ FLOW_TS_PP_ALPROTO_DETECT_DONE

#define FLOW_TS_PP_ALPROTO_DETECT_DONE   BIT_U32(14)

Probing parser alproto detection done

Definition at line 83 of file flow.h.

◆ FLOW_VERBOSE

#define FLOW_VERBOSE   FALSE

Definition at line 40 of file flow.h.

◆ FLOW_WRONG_THREAD

#define FLOW_WRONG_THREAD   BIT_U32(25)

Definition at line 105 of file flow.h.

◆ FLOWFILE_NO_MAGIC_TC

#define FLOWFILE_NO_MAGIC_TC   BIT_U16(1)

Definition at line 115 of file flow.h.

◆ FLOWFILE_NO_MAGIC_TS

#define FLOWFILE_NO_MAGIC_TS   BIT_U16(0)

no magic on files in this flow

Definition at line 114 of file flow.h.

◆ FLOWFILE_NO_MD5_TC

#define FLOWFILE_NO_MD5_TC   BIT_U16(5)

Definition at line 122 of file flow.h.

◆ FLOWFILE_NO_MD5_TS

#define FLOWFILE_NO_MD5_TS   BIT_U16(4)

no md5 on files in this flow

Definition at line 121 of file flow.h.

◆ FLOWFILE_NO_SHA1_TC

#define FLOWFILE_NO_SHA1_TC   BIT_U16(7)

Definition at line 126 of file flow.h.

◆ FLOWFILE_NO_SHA1_TS

#define FLOWFILE_NO_SHA1_TS   BIT_U16(6)

no sha1 on files in this flow

Definition at line 125 of file flow.h.

◆ FLOWFILE_NO_SHA256_TC

#define FLOWFILE_NO_SHA256_TC   BIT_U16(9)

Definition at line 130 of file flow.h.

◆ FLOWFILE_NO_SHA256_TS

#define FLOWFILE_NO_SHA256_TS   BIT_U16(8)

no sha256 on files in this flow

Definition at line 129 of file flow.h.

◆ FLOWFILE_NO_SIZE_TC

#define FLOWFILE_NO_SIZE_TC   BIT_U16(11)

Definition at line 134 of file flow.h.

◆ FLOWFILE_NO_SIZE_TS

#define FLOWFILE_NO_SIZE_TS   BIT_U16(10)

no size tracking of files in this flow

Definition at line 133 of file flow.h.

◆ FLOWFILE_NO_STORE_TC

#define FLOWFILE_NO_STORE_TC   BIT_U16(3)

Definition at line 119 of file flow.h.

◆ FLOWFILE_NO_STORE_TS

#define FLOWFILE_NO_STORE_TS   BIT_U16(2)

even if the flow has files, don't store them

Definition at line 118 of file flow.h.

◆ FLOWLOCK_DESTROY

#define FLOWLOCK_DESTROY (   fb)    SCMutexDestroy(&(fb)->m)

Definition at line 241 of file flow.h.

◆ FLOWLOCK_INIT

#define FLOWLOCK_INIT (   fb)    SCMutexInit(&(fb)->m, NULL)

Definition at line 240 of file flow.h.

◆ FLOWLOCK_MUTEX

#define FLOWLOCK_MUTEX

Mutex or RWLocks for the flow.

Definition at line 223 of file flow.h.

◆ FLOWLOCK_RDLOCK

#define FLOWLOCK_RDLOCK (   fb)    SCMutexLock(&(fb)->m)

Definition at line 242 of file flow.h.

◆ FLOWLOCK_TRYRDLOCK

#define FLOWLOCK_TRYRDLOCK (   fb)    SCMutexTrylock(&(fb)->m)

Definition at line 244 of file flow.h.

◆ FLOWLOCK_TRYWRLOCK

#define FLOWLOCK_TRYWRLOCK (   fb)    SCMutexTrylock(&(fb)->m)

Definition at line 245 of file flow.h.

◆ FLOWLOCK_UNLOCK

#define FLOWLOCK_UNLOCK (   fb)    SCMutexUnlock(&(fb)->m)

Definition at line 246 of file flow.h.

◆ FLOWLOCK_WRLOCK

#define FLOWLOCK_WRLOCK (   fb)    SCMutexLock(&(fb)->m)

Definition at line 243 of file flow.h.

◆ TOCLIENT

#define TOCLIENT   1

Definition at line 43 of file flow.h.

◆ TOSERVER

#define TOSERVER   0

Definition at line 42 of file flow.h.

Typedef Documentation

◆ AppLayerParserState

Definition at line 1 of file flow.h.

◆ Flow

typedef struct Flow_ Flow

Flow data structure.

The flow is a global data structure that is created for new packets of a flow and then looked up for the following packets of a flow.

Locking

The flow is updated/used by multiple packets at the same time. This is why there is a flow-mutex. It's a mutex and not a spinlock because some operations on the flow can be quite expensive, thus spinning would be too expensive.

The flow "header" (addresses, ports, proto, recursion level) is static after initialization and remains read-only throughout the entire life of a flow. This is why we can access those fields without the protection of the lock.

◆ FlowAddress

typedef struct FlowAddress_ FlowAddress

◆ FlowBypassInfo

◆ FlowConfig

typedef struct FlowCnf_ FlowConfig

◆ FlowKey

typedef struct FlowKey_ FlowKey

◆ FlowProtoFreeFunc

◆ FlowProtoTimeout

◆ FlowRefCount

typedef unsigned short FlowRefCount

Definition at line 302 of file flow.h.

◆ FlowStateType

typedef unsigned short FlowStateType

Definition at line 304 of file flow.h.

◆ FlowThreadId

typedef uint16_t FlowThreadId

Local Thread ID

Definition at line 307 of file flow.h.

Enumeration Type Documentation

◆ FlowState

enum FlowState
Enumerator
FLOW_STATE_NEW 
FLOW_STATE_ESTABLISHED 
FLOW_STATE_CLOSED 
FLOW_STATE_LOCAL_BYPASSED 

Definition at line 468 of file flow.h.

Function Documentation

◆ FlowChangeProto()

int FlowChangeProto ( Flow * f)

Check if change proto flag is set for flow.

Parameters
f: flow
Return values
1: change proto flag is set
0: change proto flag is not set

Definition at line 255 of file flow.c.

References sock_to_gzip_file::f, and FLOW_CHANGE_PROTO.

Referenced by AppLayerHandleTCPData(), and FlowWorker().

◆ FlowCleanupAppLayer()

void FlowCleanupAppLayer ( Flow * )

Definition at line 140 of file flow.c.

References AppLayerParserStateCleanup(), and sock_to_gzip_file::f.

Referenced by DisableAppLayer(), and TCPProtoDetect().

◆ FlowClearMemory()

int FlowClearMemory ( Flow * f,
uint8_t  proto_map 
)

Function to clear the flow memory before queueing it to the spare flow queue.

Parameters
f: pointer to the flow needed to be cleared.
proto_map: mapped value of the protocol to FLOW_PROTO's.

Definition at line 1045 of file flow.c.

References AppLayerExpectationClean(), sock_to_gzip_file::f, flow_freefuncs, FLOW_HAS_EXPECTATION, FLOW_RECYCLE, FlowFreeStorage(), FlowProtoFreeFunc_::Freefunc, SCEnter, SCReturnInt, and unlikely.

Referenced by FlowGetUsedFlow(), FlowRecycler(), and FlowShutdown().

◆ FlowDecrUsecnt()

static void FlowDecrUsecnt ( Flow * f)
inline static

decrease the use count of a flow

Parameters
f: flow to decrease use count for

Definition at line 592 of file flow.h.

References sock_to_gzip_file::f, and SC_ATOMIC_SUB.

Referenced by FlowDeReference().

◆ FlowDeReference()

static void FlowDeReference ( Flow **  d)
inlinestatic

◆ FlowGetAppProtocol()

◆ FlowGetAppState()

◆ FlowGetDisruptionFlags()

uint8_t FlowGetDisruptionFlags ( const Flow * f,
uint8_t  flags 
)

get 'disruption' flags: GAP/DEPTH/PASS

Parameters
f: locked flow
flags: existing flags to be amended
Return values
flags: original flags + disrupt flags (if any)
TODO: handle UDP

< depth reached

< data gap encountered

Definition at line 1099 of file flow.c.

References TcpSession_::client, sock_to_gzip_file::f, flags, TcpStream_::flags, TcpSession_::server, STREAM_DEPTH, STREAM_GAP, STREAM_TOSERVER, STREAMTCP_STREAM_FLAG_DEPTH_REACHED, and STREAMTCP_STREAM_FLAG_GAP.

Referenced by DetectFlow(), DetectRunSetup(), HttpBodyIterator(), and OutputTxLog().

◆ FlowGetId()

static int64_t FlowGetId ( const Flow * f)
inline static

create a flow id that is as unique as possible

Return values
flow_id: signed 64bit id
Note
signed because of the signedness of json_integer_t in the json output

Definition at line 630 of file flow.h.

References sock_to_gzip_file::f, and extract-iana-ciphers::id.

Referenced by CreateJSONFlowId(), FlowBypassedTimeout(), and FTPParseRequest().

◆ FlowGetLastTimeAsParts()

void FlowGetLastTimeAsParts ( Flow * flow,
uint64_t *  secs,
uint64_t *  usecs 
)

Get flow last time as individual values.

Instead of returning a pointer to the timeval copy the timeval parts into output pointers to make it simpler to call from Rust over FFI using only basic data types.

Definition at line 1142 of file flow.c.

References Flow_::lastts.

◆ FlowGetMemcap()

uint64_t FlowGetMemcap ( void  )

Return memcap value.

Return values
memcap: value

Definition at line 128 of file flow.c.

References flow_config, and SC_ATOMIC_GET.

◆ FlowGetMemuse()

uint64_t FlowGetMemuse ( void  )

Definition at line 134 of file flow.c.

References SC_ATOMIC_GET.

Referenced by FlowManagerThreadSpawn().

◆ FlowGetPacketDirection()

int FlowGetPacketDirection ( const Flow * f,
const Packet * p 
)

determine the direction of the packet compared to the flow

Return values
0: to_server
1: to_client

Definition at line 335 of file flow.c.

References CMP_ADDR, CMP_PORT, Packet_::dp, sock_to_gzip_file::f, FLOW_DIR_REVERSED, Packet_::proto, Packet_::sp, Packet_::src, TOCLIENT, and TOSERVER.

Referenced by FlowHandlePacketUpdate(), FlowUpdateTTL(), TcpSessionReuseDoneEnoughSyn(), and TcpSessionReuseDoneEnoughSynAck().

◆ FlowHandlePacket()

void FlowHandlePacket ( ThreadVars * tv,
DecodeThreadVars * dtv,
Packet * p 
)

Entry point for packet flow handling.

This is called for every packet.

Parameters
tv: threadvars
dtv: decode thread vars (for flow output api thread data)
p: packet to handle flow for

Definition at line 514 of file flow.c.

References sock_to_gzip_file::f, Packet_::flags, Packet_::flow, FlowGetFlowFromHash(), and PKT_HAS_FLOW.

Referenced by FlowWorker().

◆ FlowHandlePacketUpdate()

◆ FlowHasAlerts()

int FlowHasAlerts ( const Flow * f)

Check if flow has alerts.

Parameters
f: flow
Return values
1: has alerts
0: has no alerts

Definition at line 223 of file flow.c.

References sock_to_gzip_file::f, and FLOW_HAS_ALERTS.

Referenced by JsonFlowLogJSON().

◆ FlowIncrUsecnt()

static void FlowIncrUsecnt ( Flow * f)
inline static

increase the use count of a flow

Parameters
f: flow to increase use count for

Definition at line 579 of file flow.h.

References sock_to_gzip_file::f, and SC_ATOMIC_ADD.

Referenced by FlowReference().

◆ FlowInitConfig()

◆ FlowPrintQueueInfo()

void FlowPrintQueueInfo ( void  )

◆ FlowReference()

static void FlowReference ( Flow **  d,
Flow * f 
)
inline static

Reference the flow, bumping the flow's use_cnt.

Note
This should only be called once for a destination pointer

Definition at line 603 of file flow.h.

References BUG_ON, sock_to_gzip_file::f, FlowIncrUsecnt(), and likely.

Referenced by FlowForceReassemblyPseudoPacketSetup(), FlowGetFlowFromHash(), StreamTcpPseudoPacketCreateDetectLogFlush(), and StreamTcpPseudoSetup().

◆ FlowRegisterTests()

void FlowRegisterTests ( void  )

Function to register the Flow unit tests.

Definition at line 1362 of file flow.c.

References FlowMgrRegisterTests(), and RegisterFlowStorageTests().

◆ FlowSetChangeProtoFlag()

void FlowSetChangeProtoFlag ( Flow * f)

Set flag to indicate to change proto for the flow.

Parameters
f: flow

Definition at line 236 of file flow.c.

References sock_to_gzip_file::f, and FLOW_CHANGE_PROTO.

Referenced by AppLayerRequestProtocolChange().

◆ FlowSetHasAlertsFlag()

void FlowSetHasAlertsFlag ( Flow * f)

Set flag to indicate that flow has alerts.

Parameters
f: flow

Definition at line 212 of file flow.c.

References sock_to_gzip_file::f, and FLOW_HAS_ALERTS.

Referenced by PacketAlertFinalize().

◆ FlowSetIPOnlyFlag()

void FlowSetIPOnlyFlag ( Flow * f,
int  direction 
)

Set the IPOnly scanned flag for 'direction'.

Parameters
f: Flow to set the flag in
direction: direction to set the flag in

Definition at line 201 of file flow.c.

References sock_to_gzip_file::f, FLOW_TOCLIENT_IPONLY_SET, and FLOW_TOSERVER_IPONLY_SET.

Referenced by DetectRunInspectIPOnly(), and PacketAlertFinalize().

◆ FlowSetMemcap()

int FlowSetMemcap ( uint64_t  size)

Update memcap value.

Parameters
size: new memcap value

Definition at line 113 of file flow.c.

References flow_config, SC_ATOMIC_GET, and SC_ATOMIC_SET.

◆ FlowSetNoPacketInspectionFlag()

static void FlowSetNoPacketInspectionFlag ( Flow * f)
inline static

Set the No Packet Inspection Flag without locking the flow.

----- Inline functions -----

Parameters
f: Flow to set the flag in

Definition at line 550 of file flow.h.

References sock_to_gzip_file::f, FLOW_NOPACKET_INSPECTION, SCEnter, SCLogDebug, and SCReturn.

Referenced by DetectSignatureApplyActions(), PacketAlertFinalize(), and StreamTcpPacket().

◆ FlowSetNoPayloadInspectionFlag()

static void FlowSetNoPayloadInspectionFlag ( Flow * f)
inline static

Set the No payload inspection Flag without locking the flow.

Parameters
f: Flow to set the flag in

Definition at line 564 of file flow.h.

References sock_to_gzip_file::f, FLOW_NOPAYLOAD_INSPECTION, SCEnter, SCLogDebug, and SCReturn.

Referenced by AppLayerParserParse().

◆ FlowSetProtoEmergencyTimeout()

int FlowSetProtoEmergencyTimeout ( uint8_t  ,
uint32_t  ,
uint32_t  ,
uint32_t   
)

◆ FlowSetProtoFreeFunc()

int FlowSetProtoFreeFunc ( uint8_t  proto,
void(*)(void *)  Free 
)

Function to set the function to get protocol specific flow state.

Parameters
proto: protocol for which the function needs to be set.
Free: Function pointer which will be called to free the protocol specific memory.

Definition at line 1073 of file flow.c.

References flow_freefuncs, FlowGetProtoMapping(), and FlowProtoFreeFunc_::Freefunc.

Referenced by StreamTcpInitConfig().

◆ FlowSetProtoTimeout()

int FlowSetProtoTimeout ( uint8_t  ,
uint32_t  ,
uint32_t  ,
uint32_t   
)

◆ FlowSetupPacket()

void FlowSetupPacket ( Packet * p)

Prepare packet for a life with flow. Set the PKT_WANTS_FLOW flag to indicate that workers should do a flow lookup, and calculate the hash value to be used in the lookup and in autofp flow balancing.

Definition at line 408 of file flow-hash.c.

References Packet_::flags, Packet_::flow_hash, FlowGetHash(), and PKT_WANTS_FLOW.

Referenced by DecodeICMPV4(), DecodeICMPV6(), DecodeIPV4(), DecodeSCTP(), DecodeTCP(), and DecodeUDP().

◆ FlowShutdown()

◆ FlowSwap()

void FlowSwap ( Flow * f)

swap the flow's direction

Note
leaves the 'header' untouched. Interpret that based on FLOW_DIR_REVERSED flag.
Warning
Only valid before applayer parsing has started. This function doesn't swap anything in Flow::alparser or Flow::alstate.

Definition at line 304 of file flow.c.

References sock_to_gzip_file::f, FLOW_DIR_REVERSED, FlowSwapFileFlags(), FlowSwapFlags(), SWAP_VARS, and TcpStreamFlowSwap().

Referenced by AppLayerHandleUdp(), StreamTcpPacketStateNone(), and TCPProtoDetect().

◆ FlowUnsetChangeProtoFlag()

void FlowUnsetChangeProtoFlag ( Flow * f)

Unset flag to indicate to change proto for the flow.

Parameters
f: flow

Definition at line 245 of file flow.c.

References sock_to_gzip_file::f, and FLOW_CHANGE_PROTO.

Referenced by AppLayerProtoDetectReset().

◆ FlowUpdateQueue()

void FlowUpdateQueue ( Flow * )

◆ FlowUpdateSpareFlows()

int FlowUpdateSpareFlows ( void  )

Make sure we have enough spare flows.

Enforce the prealloc parameter, so keep at least prealloc flows in the spare queue and free flows going over the limit.

Return values
1: if the queue was properly updated (or if it already was in good shape)
0: otherwise.

Definition at line 159 of file flow.c.

References sock_to_gzip_file::f, flow_config, flow_spare_q, FlowAlloc(), FlowDequeue(), FlowEnqueue(), FlowFree(), FQLOCK_LOCK, FQLOCK_UNLOCK, struct-flags::i, FlowQueue_::len, FlowCnf_::prealloc, and SCEnter.

Referenced by FlowManager().

◆ FlowUpdateState()

void FlowUpdateState ( Flow * f,
enum FlowState  s 
)

◆ GetFlowBypassInfoID()

int GetFlowBypassInfoID ( void  )

Definition at line 209 of file flow-util.c.

References g_bypass_info_id.

Referenced by FlowBypassedTimeout(), JsonAddFlow(), and PacketBypassCallback().

◆ RegisterFlowBypassInfo()

void RegisterFlowBypassInfo ( void  )

Definition at line 227 of file flow-util.c.

References FlowBypassFree(), FlowStorageRegister(), and g_bypass_info_id.

Referenced by PostConfLoadedSetup().
