/src/decode.h

https://github.com/decanio/suricata-tilera · C Header · 1286 lines · 890 code · 183 blank · 213 comment · 93 complexity · fc029a177ea80419c5a3a1fc29a2e9db MD5 · raw file

  1. /* Copyright (C) 2007-2012 Open Information Security Foundation
  2. *
  3. * You can copy, redistribute or modify this Program under the terms of
  4. * the GNU General Public License version 2 as published by the Free
  5. * Software Foundation.
  6. *
  7. * This program is distributed in the hope that it will be useful,
  8. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  9. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  10. * GNU General Public License for more details.
  11. *
  12. * You should have received a copy of the GNU General Public License
  13. * version 2 along with this program; if not, write to the Free Software
  14. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  15. * 02110-1301, USA.
  16. */
  17. /**
  18. * \file
  19. *
  20. * \author Victor Julien <victor@inliniac.net>
  21. */
  22. #ifndef __DECODE_H__
  23. #define __DECODE_H__
  24. //#define DBG_THREADS
  25. #define COUNTERS
  26. #include "suricata-common.h"
  27. #include "threadvars.h"
  28. typedef enum {
  29. CHECKSUM_VALIDATION_DISABLE,
  30. CHECKSUM_VALIDATION_ENABLE,
  31. CHECKSUM_VALIDATION_AUTO,
  32. CHECKSUM_VALIDATION_RXONLY,
  33. CHECKSUM_VALIDATION_KERNEL,
  34. } ChecksumValidationMode;
  35. enum {
  36. PKT_SRC_WIRE = 1,
  37. PKT_SRC_DECODER_GRE,
  38. PKT_SRC_DECODER_IPV4,
  39. PKT_SRC_DECODER_IPV6,
  40. PKT_SRC_DECODER_TEREDO,
  41. PKT_SRC_DEFRAG,
  42. PKT_SRC_STREAM_TCP_STREAM_END_PSEUDO,
  43. PKT_SRC_FFR_V2,
  44. PKT_SRC_FFR_SHUTDOWN,
  45. };
  46. #include "source-nfq.h"
  47. #include "source-ipfw.h"
  48. #include "source-pcap.h"
  49. #include "source-af-packet.h"
  50. #include "source-mpipe.h"
  51. #include "action-globals.h"
  52. #include "decode-ethernet.h"
  53. #include "decode-gre.h"
  54. #include "decode-ppp.h"
  55. #include "decode-pppoe.h"
  56. #include "decode-sll.h"
  57. #include "decode-ipv4.h"
  58. #include "decode-ipv6.h"
  59. #include "decode-icmpv4.h"
  60. #include "decode-icmpv6.h"
  61. #include "decode-tcp.h"
  62. #include "decode-udp.h"
  63. #include "decode-sctp.h"
  64. #include "decode-raw.h"
  65. #include "decode-vlan.h"
  66. #include "detect-reference.h"
  67. #include "app-layer-protos.h"
  68. #ifdef __tilegx__
  69. #include <gxio/mpipe.h>
  70. #elif defined(__tile__)
  71. #include <netio/netio.h>
  72. #endif
  73. #ifdef __SC_CUDA_SUPPORT__
  74. #define CUDA_MAX_PAYLOAD_SIZE 1500
  75. #endif
  76. /* forward declaration */
  77. struct DetectionEngineThreadCtx_;
  78. /* Address */
  79. typedef struct Address_ {
  80. char family;
  81. union {
  82. uint32_t address_un_data32[4]; /* type-specific field */
  83. uint16_t address_un_data16[8]; /* type-specific field */
  84. uint8_t address_un_data8[16]; /* type-specific field */
  85. } address;
  86. } Address;
  87. #define addr_data32 address.address_un_data32
  88. #define addr_data16 address.address_un_data16
  89. #define addr_data8 address.address_un_data8
  90. #define COPY_ADDRESS(a, b) do { \
  91. (b)->family = (a)->family; \
  92. (b)->addr_data32[0] = (a)->addr_data32[0]; \
  93. (b)->addr_data32[1] = (a)->addr_data32[1]; \
  94. (b)->addr_data32[2] = (a)->addr_data32[2]; \
  95. (b)->addr_data32[3] = (a)->addr_data32[3]; \
  96. } while (0)
  97. /* Set the IPv4 addressesinto the Addrs of the Packet.
  98. * Make sure p->ip4h is initialized and validated.
  99. *
  100. * We set the rest of the struct to 0 so we can
  101. * prevent using memset. */
  102. #define SET_IPV4_SRC_ADDR(p, a) do { \
  103. (a)->family = AF_INET; \
  104. (a)->addr_data32[0] = (uint32_t)(p)->ip4h->s_ip_src.s_addr; \
  105. (a)->addr_data32[1] = 0; \
  106. (a)->addr_data32[2] = 0; \
  107. (a)->addr_data32[3] = 0; \
  108. } while (0)
  109. #define SET_IPV4_DST_ADDR(p, a) do { \
  110. (a)->family = AF_INET; \
  111. (a)->addr_data32[0] = (uint32_t)(p)->ip4h->s_ip_dst.s_addr; \
  112. (a)->addr_data32[1] = 0; \
  113. (a)->addr_data32[2] = 0; \
  114. (a)->addr_data32[3] = 0; \
  115. } while (0)
  116. /* clear the address structure by setting all fields to 0 */
  117. #define CLEAR_ADDR(a) do { \
  118. (a)->family = 0; \
  119. (a)->addr_data32[0] = 0; \
  120. (a)->addr_data32[1] = 0; \
  121. (a)->addr_data32[2] = 0; \
  122. (a)->addr_data32[3] = 0; \
  123. } while (0)
  124. /* Set the IPv6 addressesinto the Addrs of the Packet.
  125. * Make sure p->ip6h is initialized and validated. */
  126. #define SET_IPV6_SRC_ADDR(p, a) do { \
  127. (a)->family = AF_INET6; \
  128. (a)->addr_data32[0] = (p)->ip6h->s_ip6_src[0]; \
  129. (a)->addr_data32[1] = (p)->ip6h->s_ip6_src[1]; \
  130. (a)->addr_data32[2] = (p)->ip6h->s_ip6_src[2]; \
  131. (a)->addr_data32[3] = (p)->ip6h->s_ip6_src[3]; \
  132. } while (0)
  133. #define SET_IPV6_DST_ADDR(p, a) do { \
  134. (a)->family = AF_INET6; \
  135. (a)->addr_data32[0] = (p)->ip6h->s_ip6_dst[0]; \
  136. (a)->addr_data32[1] = (p)->ip6h->s_ip6_dst[1]; \
  137. (a)->addr_data32[2] = (p)->ip6h->s_ip6_dst[2]; \
  138. (a)->addr_data32[3] = (p)->ip6h->s_ip6_dst[3]; \
  139. } while (0)
  140. /* Set the TCP ports into the Ports of the Packet.
  141. * Make sure p->tcph is initialized and validated. */
  142. #define SET_TCP_SRC_PORT(pkt, prt) do { \
  143. SET_PORT(TCP_GET_SRC_PORT((pkt)), *(prt)); \
  144. } while (0)
  145. #define SET_TCP_DST_PORT(pkt, prt) do { \
  146. SET_PORT(TCP_GET_DST_PORT((pkt)), *(prt)); \
  147. } while (0)
  148. /* Set the UDP ports into the Ports of the Packet.
  149. * Make sure p->udph is initialized and validated. */
  150. #define SET_UDP_SRC_PORT(pkt, prt) do { \
  151. SET_PORT(UDP_GET_SRC_PORT((pkt)), *(prt)); \
  152. } while (0)
  153. #define SET_UDP_DST_PORT(pkt, prt) do { \
  154. SET_PORT(UDP_GET_DST_PORT((pkt)), *(prt)); \
  155. } while (0)
  156. /* Set the SCTP ports into the Ports of the Packet.
  157. * Make sure p->sctph is initialized and validated. */
  158. #define SET_SCTP_SRC_PORT(pkt, prt) do { \
  159. SET_PORT(SCTP_GET_SRC_PORT((pkt)), *(prt)); \
  160. } while (0)
  161. #define SET_SCTP_DST_PORT(pkt, prt) do { \
  162. SET_PORT(SCTP_GET_DST_PORT((pkt)), *(prt)); \
  163. } while (0)
  164. #define GET_IPV4_SRC_ADDR_U32(p) ((p)->src.addr_data32[0])
  165. #define GET_IPV4_DST_ADDR_U32(p) ((p)->dst.addr_data32[0])
  166. #define GET_IPV4_SRC_ADDR_PTR(p) ((p)->src.addr_data32)
  167. #define GET_IPV4_DST_ADDR_PTR(p) ((p)->dst.addr_data32)
  168. #define GET_IPV6_SRC_ADDR(p) ((p)->src.addr_data32)
  169. #define GET_IPV6_DST_ADDR(p) ((p)->dst.addr_data32)
  170. #define GET_TCP_SRC_PORT(p) ((p)->sp)
  171. #define GET_TCP_DST_PORT(p) ((p)->dp)
  172. #define GET_PKT_LEN(p) ((p)->pktlen)
  173. #define GET_PKT_DATA(p) ((((p)->ext_pkt) == NULL ) ? (p)->pkt : (p)->ext_pkt)
  174. #define GET_PKT_DIRECT_DATA(p) ((p)->pkt)
  175. #define GET_PKT_DIRECT_MAX_SIZE(p) (default_packet_size)
  176. #define SET_PKT_LEN(p, len) do { \
  177. (p)->pktlen = (len); \
  178. } while (0)
  179. /* Port is just a uint16_t */
  180. typedef uint16_t Port;
  181. #define SET_PORT(v, p) ((p) = (v))
  182. #define COPY_PORT(a,b) ((b) = (a))
  183. #define CMP_ADDR(a1, a2) \
  184. (((a1)->addr_data32[3] == (a2)->addr_data32[3] && \
  185. (a1)->addr_data32[2] == (a2)->addr_data32[2] && \
  186. (a1)->addr_data32[1] == (a2)->addr_data32[1] && \
  187. (a1)->addr_data32[0] == (a2)->addr_data32[0]))
  188. #define CMP_PORT(p1, p2) \
  189. ((p1) == (p2))
  190. /*Given a packet pkt offset to the start of the ip header in a packet
  191. *We determine the ip version. */
  192. #define IP_GET_RAW_VER(pkt) ((((pkt)[0] & 0xf0) >> 4))
  193. #define PKT_IS_IPV4(p) (((p)->ip4h != NULL))
  194. #define PKT_IS_IPV6(p) (((p)->ip6h != NULL))
  195. #define PKT_IS_TCP(p) (((p)->tcph != NULL))
  196. #define PKT_IS_UDP(p) (((p)->udph != NULL))
  197. #define PKT_IS_ICMPV4(p) (((p)->icmpv4h != NULL))
  198. #define PKT_IS_ICMPV6(p) (((p)->icmpv6h != NULL))
  199. #define PKT_IS_TOSERVER(p) (((p)->flowflags & FLOW_PKT_TOSERVER))
  200. #define PKT_IS_TOCLIENT(p) (((p)->flowflags & FLOW_PKT_TOCLIENT))
  201. #define IPH_IS_VALID(p) (PKT_IS_IPV4((p)) || PKT_IS_IPV6((p)))
  202. /* Retrieve proto regardless of IP version */
  203. #define IP_GET_IPPROTO(p) \
  204. (p->proto ? p->proto : \
  205. (PKT_IS_IPV4((p))? IPV4_GET_IPPROTO((p)) : (PKT_IS_IPV6((p))? IPV6_GET_L4PROTO((p)) : 0)))
  206. /* structure to store the sids/gids/etc the detection engine
  207. * found in this packet */
  208. typedef struct PacketAlert_ {
  209. SigIntId num; /* Internal num, used for sorting */
  210. SigIntId order_id; /* Internal num, used for sorting */
  211. uint8_t action; /* Internal num, used for sorting */
  212. uint8_t flags;
  213. struct Signature_ *s;
  214. } PacketAlert;
  215. /** After processing an alert by the thresholding module, if at
  216. * last it gets triggered, we might want to stick the drop action to
  217. * the flow on IPS mode */
  218. #define PACKET_ALERT_FLAG_DROP_FLOW 0x01
  219. /** alert was generated based on state */
  220. #define PACKET_ALERT_FLAG_STATE_MATCH 0x02
  221. /** alert was generated based on stream */
  222. #define PACKET_ALERT_FLAG_STREAM_MATCH 0x04
  223. #define PACKET_ALERT_MAX 15
  224. typedef struct PacketAlerts_ {
  225. uint16_t cnt;
  226. PacketAlert alerts[PACKET_ALERT_MAX];
  227. } PacketAlerts;
  228. /** number of decoder events we support per packet. Power of 2 minus 1
  229. * for memory layout */
  230. #define PACKET_ENGINE_EVENT_MAX 15
  231. /** data structure to store decoder, defrag and stream events */
  232. typedef struct PacketEngineEvents_ {
  233. uint8_t cnt; /**< number of events */
  234. uint8_t events[PACKET_ENGINE_EVENT_MAX]; /**< array of events */
  235. } PacketEngineEvents;
  236. typedef struct PktVar_ {
  237. char *name;
  238. struct PktVar_ *next; /* right now just implement this as a list,
  239. * in the long run we have thing of something
  240. * faster. */
  241. uint8_t *value;
  242. uint16_t value_len;
  243. } PktVar;
  244. #ifdef PROFILING
  245. /** \brief Per TMM stats storage */
  246. typedef struct PktProfilingTmmData_ {
  247. uint64_t ticks_start;
  248. uint64_t ticks_end;
  249. #ifdef PROFILE_LOCKING
  250. uint64_t mutex_lock_cnt;
  251. uint64_t mutex_lock_wait_ticks;
  252. uint64_t mutex_lock_contention;
  253. uint64_t spin_lock_cnt;
  254. uint64_t spin_lock_wait_ticks;
  255. uint64_t spin_lock_contention;
  256. uint64_t rww_lock_cnt;
  257. uint64_t rww_lock_wait_ticks;
  258. uint64_t rww_lock_contention;
  259. uint64_t rwr_lock_cnt;
  260. uint64_t rwr_lock_wait_ticks;
  261. uint64_t rwr_lock_contention;
  262. #endif
  263. } PktProfilingTmmData;
  264. typedef struct PktProfilingDetectData_ {
  265. uint64_t ticks_start;
  266. uint64_t ticks_end;
  267. uint64_t ticks_spent;
  268. } PktProfilingDetectData;
  269. typedef struct PktProfilingAppData_ {
  270. uint64_t ticks_spent;
  271. } PktProfilingAppData;
  272. /** \brief Per pkt stats storage */
  273. typedef struct PktProfiling_ {
  274. uint64_t ticks_start;
  275. uint64_t ticks_end;
  276. PktProfilingTmmData tmm[TMM_SIZE];
  277. PktProfilingAppData app[ALPROTO_MAX];
  278. PktProfilingDetectData detect[PROF_DETECT_SIZE];
  279. uint64_t proto_detect;
  280. } PktProfiling;
  281. #endif /* PROFILING */
  282. /* forward declartion since Packet struct definition requires this */
  283. struct PacketQueue_;
  284. /* sizes of the members:
  285. * src: 17 bytes
  286. * dst: 17 bytes
  287. * sp/type: 1 byte
  288. * dp/code: 1 byte
  289. * proto: 1 byte
  290. * recurs: 1 byte
  291. *
  292. * sum of above: 38 bytes
  293. *
  294. * flow ptr: 4/8 bytes
  295. * flags: 1 byte
  296. * flowflags: 1 byte
  297. *
  298. * sum of above 44/48 bytes
  299. */
  300. #ifndef __tile__
  301. typedef struct Packet_
  302. {
  303. /* Addresses, Ports and protocol
  304. * these are on top so we can use
  305. * the Packet as a hash key */
  306. Address src;
  307. Address dst;
  308. union {
  309. Port sp;
  310. uint8_t type;
  311. };
  312. union {
  313. Port dp;
  314. uint8_t code;
  315. };
  316. uint8_t proto;
  317. /* make sure we can't be attacked on when the tunneled packet
  318. * has the exact same tuple as the lower levels */
  319. uint8_t recursion_level;
  320. /* Pkt Flags */
  321. uint32_t flags;
  322. /* flow */
  323. uint8_t flowflags;
  324. uint8_t pkt_src;
  325. struct Flow_ *flow;
  326. struct timeval ts;
  327. union {
  328. /* nfq stuff */
  329. #ifdef NFQ
  330. NFQPacketVars nfq_v;
  331. #endif /* NFQ */
  332. #ifdef IPFW
  333. IPFWPacketVars ipfw_v;
  334. #endif /* IPFW */
  335. #ifdef AF_PACKET
  336. AFPPacketVars afp_v;
  337. #endif
  338. /** libpcap vars: shared by Pcap Live mode and Pcap File mode */
  339. PcapPacketVars pcap_v;
  340. };
  341. /** data linktype in host order */
  342. int datalink;
  343. /* IPS action to take */
  344. uint8_t action;
  345. /* used to hold flowbits only if debuglog is enabled */
  346. int debuglog_flowbits_names_len;
  347. const char **debuglog_flowbits_names;
  348. /** The release function for packet data */
  349. TmEcode (*ReleaseData)(ThreadVars *, struct Packet_ *);
  350. /* pkt vars */
  351. PktVar *pktvar;
  352. /* header pointers */
  353. EthernetHdr *ethh;
  354. IPV4Hdr *ip4h;
  355. IPV4Vars ip4vars;
  356. IPV6Hdr *ip6h;
  357. IPV6Vars ip6vars;
  358. IPV6ExtHdrs ip6eh;
  359. TCPHdr *tcph;
  360. TCPVars tcpvars;
  361. UDPHdr *udph;
  362. UDPVars udpvars;
  363. SCTPHdr *sctph;
  364. ICMPV4Hdr *icmpv4h;
  365. ICMPV4Vars icmpv4vars;
  366. ICMPV6Hdr *icmpv6h;
  367. ICMPV6Vars icmpv6vars;
  368. PPPHdr *ppph;
  369. PPPOESessionHdr *pppoesh;
  370. PPPOEDiscoveryHdr *pppoedh;
  371. GREHdr *greh;
  372. VLANHdr *vlanh;
  373. /* ptr to the payload of the packet
  374. * with it's length. */
  375. uint8_t *payload;
  376. uint16_t payload_len;
  377. /* storage: set to pointer to heap and extended via allocation if necessary */
  378. uint8_t *pkt;
  379. uint8_t *ext_pkt;
  380. uint32_t pktlen;
  381. /* Incoming interface */
  382. struct LiveDevice_ *livedev;
  383. PacketAlerts alerts;
  384. struct Host_ *host_src;
  385. struct Host_ *host_dst;
  386. /** packet number in the pcap file, matches wireshark */
  387. uint64_t pcap_cnt;
  388. /** mutex to protect access to:
  389. * - tunnel_rtv_cnt
  390. * - tunnel_tpr_cnt
  391. */
  392. SCMutex tunnel_mutex;
  393. /* ready to set verdict counter, only set in root */
  394. uint16_t tunnel_rtv_cnt;
  395. /* tunnel packet ref count */
  396. uint16_t tunnel_tpr_cnt;
  397. /* engine events */
  398. PacketEngineEvents events;
  399. /* double linked list ptrs */
  400. struct Packet_ *next;
  401. struct Packet_ *prev;
  402. /* tunnel/encapsulation handling */
  403. struct Packet_ *root; /* in case of tunnel this is a ptr
  404. * to the 'real' packet, the one we
  405. * need to set the verdict on --
  406. * It should always point to the lowest
  407. * packet in a encapsulated packet */
  408. /* required for cuda support */
  409. #ifdef __SC_CUDA_SUPPORT__
  410. /* indicates if the cuda mpm would be conducted or a normal cpu mpm would
  411. * be conduced on this packet. If it is set to 0, the cpu mpm; else cuda mpm */
  412. uint8_t cuda_mpm_enabled;
  413. /* indicates if the cuda mpm has finished running the mpm and processed the
  414. * results for this packet, assuming if cuda_mpm_enabled has been set for this
  415. * packet */
  416. uint16_t cuda_done;
  417. /* used by the detect thread and the cuda mpm dispatcher thread. The detect
  418. * thread would wait on this cond var, if the cuda mpm dispatcher thread
  419. * still hasn't processed the packet. The dispatcher would use this cond
  420. * to inform the detect thread(in case it is waiting on this packet), once
  421. * the dispatcher is done processing the packet results */
  422. SCMutex cuda_mutex;
  423. SCCondT cuda_cond;
  424. /* the extra 1 in the 1481, is to hold the no_of_matches from the mpm run */
  425. uint16_t mpm_offsets[CUDA_MAX_PAYLOAD_SIZE + 1];
  426. #endif
  427. #ifdef PROFILING
  428. PktProfiling profile;
  429. #endif
  430. } Packet;
  431. #else
  432. /* __tile__ */
  433. typedef struct Packet_
  434. {
  435. /* Addresses, Ports and protocol
  436. * these are on top so we can use
  437. * the Packet as a hash key */
  438. Address src;
  439. Address dst;
  440. union {
  441. Port sp;
  442. uint8_t type;
  443. };
  444. union {
  445. Port dp;
  446. uint8_t code;
  447. };
  448. uint8_t proto;
  449. /* make sure we can't be attacked on when the tunneled packet
  450. * has the exact same tuple as the lower levels */
  451. uint8_t recursion_level;
  452. /* Pkt Flags */
  453. uint32_t flags;
  454. /* flow */
  455. uint8_t flowflags;
  456. uint8_t pkt_src;
  457. struct Flow_ *flow;
  458. /* data linktype in host order */
  459. uint16_t datalink;
  460. /* IPS action to take */
  461. uint8_t action;
  462. /* double linked list ptrs */
  463. struct Packet_ *next;
  464. struct Packet_ *prev;
  465. union {
  466. struct timespec ts_nsec; /* time from mpipe */
  467. struct timeval ts;
  468. };
  469. /* used to hold flowbits only if debuglog is enabled */
  470. int debuglog_flowbits_names_len;
  471. const char **debuglog_flowbits_names;
  472. /** The release function for packet data */
  473. TmEcode (*ReleaseData)(ThreadVars *, struct Packet_ *);
  474. EthernetHdr *ethh;
  475. /* pkt vars */
  476. PktVar *pktvar;
  477. /* header pointers */
  478. IPV4Hdr *ip4h;
  479. IPV6Hdr *ip6h;
  480. TCPHdr *tcph;
  481. UDPHdr *udph;
  482. SCTPHdr *sctph;
  483. ICMPV4Hdr *icmpv4h;
  484. ICMPV6Hdr *icmpv6h;
  485. PPPHdr *ppph;
  486. PPPOESessionHdr *pppoesh;
  487. PPPOEDiscoveryHdr *pppoedh;
  488. GREHdr *greh;
  489. VLANHdr *vlanh;
  490. /* ptr to the payload of the packet
  491. * with it's length. */
  492. uint8_t *payload;
  493. uint16_t payload_len;
  494. /* storage: set to pointer to heap and extended via allocation if necessary */
  495. uint8_t *pkt;
  496. uint8_t *ext_pkt;
  497. uint32_t pktlen;
  498. /* Incoming interface */
  499. struct LiveDevice_ *livedev;
  500. #if 1
  501. union {
  502. IPV4Vars ip4vars;
  503. struct {
  504. IPV6Vars ip6vars;
  505. IPV6ExtHdrs ip6eh;
  506. };
  507. };
  508. union {
  509. TCPVars tcpvars;
  510. UDPVars udpvars;
  511. ICMPV4Vars icmpv4vars;
  512. ICMPV6Vars icmpv6vars;
  513. };
  514. #else
  515. IPV4Vars ip4vars /*__attribute__((aligned(64)))*/;
  516. IPV6Vars ip6vars /*__attribute__((aligned(64)))*/;
  517. IPV6ExtHdrs ip6eh /*__attribute__((aligned(64)))*/;
  518. TCPVars tcpvars /*__attribute__((aligned(64)))*/;
  519. UDPVars udpvars /*__attribute__((aligned(64)))*/;
  520. ICMPV4Vars icmpv4vars /*__attribute__((aligned(64)))*/;
  521. ICMPV6Vars icmpv6vars /*__attribute__((aligned(64)))*/;
  522. #endif
  523. /** packet number in the pcap file, matches wireshark */
  524. uint64_t pcap_cnt;
  525. /** mutex to protect access to:
  526. * - tunnel_rtv_cnt
  527. * - tunnel_tpr_cnt
  528. */
  529. SCMutex tunnel_mutex;
  530. /* ready to set verdict counter, only set in root */
  531. uint16_t tunnel_rtv_cnt;
  532. /* tunnel packet ref count */
  533. uint16_t tunnel_tpr_cnt;
  534. /* tunnel/encapsulation handling */
  535. struct Packet_ *root; /* in case of tunnel this is a ptr
  536. * to the 'real' packet, the one we
  537. * need to set the verdict on --
  538. * It should always point to the lowest
  539. * packet in a encapsulated packet */
  540. /* engine events */
  541. PacketEngineEvents events;
  542. PacketAlerts alerts;
  543. struct Host_ *host_src;
  544. struct Host_ *host_dst;
  545. /* required for cuda support */
  546. #ifdef __SC_CUDA_SUPPORT__
  547. /* indicates if the cuda mpm would be conducted or a normal cpu mpm would
  548. * be conduced on this packet. If it is set to 0, the cpu mpm; else cuda mpm */
  549. uint8_t cuda_mpm_enabled;
  550. /* indicates if the cuda mpm has finished running the mpm and processed the
  551. * results for this packet, assuming if cuda_mpm_enabled has been set for this
  552. * packet */
  553. uint16_t cuda_done;
  554. /* used by the detect thread and the cuda mpm dispatcher thread. The detect
  555. * thread would wait on this cond var, if the cuda mpm dispatcher thread
  556. * still hasn't processed the packet. The dispatcher would use this cond
  557. * to inform the detect thread(in case it is waiting on this packet), once
  558. * the dispatcher is done processing the packet results */
  559. SCMutex cuda_mutex;
  560. SCCondT cuda_cond;
  561. /* the extra 1 in the 1481, is to hold the no_of_matches from the mpm run */
  562. uint16_t mpm_offsets[CUDA_MAX_PAYLOAD_SIZE + 1];
  563. #endif
  564. #ifdef PROFILING
  565. PktProfiling profile;
  566. #endif
  567. union {
  568. /* nfq stuff */
  569. #ifdef NFQ
  570. NFQPacketVars nfq_v;
  571. #endif /* NFQ */
  572. #ifdef IPFW
  573. IPFWPacketVars ipfw_v;
  574. #endif /* IPFW */
  575. /** libpcap vars: shared by Pcap Live mode and Pcap File mode */
  576. PcapPacketVars pcap_v;
  577. #ifdef __tilegx__
  578. /* tilegx mpipe stuff */
  579. MpipePacketVars mpipe_v;
  580. #else
  581. /* Tile64 netio stuff */
  582. netio_pkt_t netio_packet;
  583. #endif
  584. };
  585. } __attribute__((aligned(128))) Packet;
  586. #endif
  587. #define DEFAULT_PACKET_SIZE (1500 + ETHERNET_HEADER_LEN)
  588. /* storage: maximum ip packet size + link header */
  589. #define MAX_PAYLOAD_SIZE (IPV6_HEADER_LEN + 65536 + 28)
  590. uint32_t default_packet_size;
  591. #define SIZE_OF_PACKET (default_packet_size + sizeof(Packet))
  592. typedef struct PacketQueue_ {
  593. Packet *top;
  594. Packet *bot;
  595. #ifdef __tile__
  596. int32_t len; /* -1 signals termination */
  597. #else
  598. uint32_t len;
  599. #endif
  600. #ifdef DBG_PERF
  601. uint32_t dbg_maxlen;
  602. #endif /* DBG_PERF */
  603. #ifdef __tile__
  604. volatile uint32_t cond_q;
  605. SCMutex mutex_q /*__attribute__((aligned(64)))*/;
  606. } __attribute__((aligned(64))) PacketQueue;
  607. #else
  608. SCMutex mutex_q;
  609. SCCondT cond_q;
  610. } PacketQueue;
  611. #endif
  612. /** \brief Specific ctx for AL proto detection */
  613. typedef struct AlpProtoDetectDirectionThread_ {
  614. MpmThreadCtx mpm_ctx;
  615. PatternMatcherQueue pmq;
  616. } AlpProtoDetectDirectionThread;
  617. /** \brief Specific ctx for AL proto detection */
  618. typedef struct AlpProtoDetectThreadCtx_ {
  619. AlpProtoDetectDirectionThread toserver;
  620. AlpProtoDetectDirectionThread toclient;
  621. void *alproto_local_storage[ALPROTO_MAX];
  622. #ifdef PROFILING
  623. uint64_t ticks_start;
  624. uint64_t ticks_end;
  625. uint64_t ticks_spent;
  626. uint16_t alproto;
  627. uint64_t proto_detect_ticks_start;
  628. uint64_t proto_detect_ticks_end;
  629. uint64_t proto_detect_ticks_spent;
  630. #endif
  631. } AlpProtoDetectThreadCtx;
  632. /** \brief Structure to hold thread specific data for all decode modules */
  633. typedef struct DecodeThreadVars_
  634. {
  635. /** Specific context for udp protocol detection (here atm) */
  636. AlpProtoDetectThreadCtx udp_dp_ctx;
  637. /** stats/counters */
  638. uint16_t counter_pkts;
  639. uint16_t counter_pkts_per_sec;
  640. uint16_t counter_bytes;
  641. uint16_t counter_bytes_per_sec;
  642. uint16_t counter_mbit_per_sec;
  643. uint16_t counter_ipv4;
  644. uint16_t counter_ipv6;
  645. uint16_t counter_eth;
  646. uint16_t counter_sll;
  647. uint16_t counter_raw;
  648. uint16_t counter_tcp;
  649. uint16_t counter_udp;
  650. uint16_t counter_sctp;
  651. uint16_t counter_icmpv4;
  652. uint16_t counter_icmpv6;
  653. uint16_t counter_ppp;
  654. uint16_t counter_gre;
  655. uint16_t counter_vlan;
  656. uint16_t counter_pppoe;
  657. uint16_t counter_teredo;
  658. uint16_t counter_ipv4inipv6;
  659. uint16_t counter_ipv6inipv6;
  660. uint16_t counter_avg_pkt_size;
  661. uint16_t counter_max_pkt_size;
  662. /** frag stats - defrag runs in the context of the decoder. */
  663. uint16_t counter_defrag_ipv4_fragments;
  664. uint16_t counter_defrag_ipv4_reassembled;
  665. uint16_t counter_defrag_ipv4_timeouts;
  666. uint16_t counter_defrag_ipv6_fragments;
  667. uint16_t counter_defrag_ipv6_reassembled;
  668. uint16_t counter_defrag_ipv6_timeouts;
  669. uint16_t counter_defrag_max_hit;
  670. } DecodeThreadVars;
  671. /**
  672. * \brief reset these to -1(indicates that the packet is fresh from the queue)
  673. */
  674. #define PACKET_RESET_CHECKSUMS(p) do { \
  675. (p)->ip4vars.comp_csum = -1; \
  676. (p)->tcpvars.comp_csum = -1; \
  677. (p)->udpvars.comp_csum = -1; \
  678. (p)->icmpv4vars.comp_csum = -1; \
  679. (p)->icmpv6vars.comp_csum = -1; \
  680. } while (0)
  681. /**
  682. * \brief Initialize a packet structure for use.
  683. */
  684. #ifndef __SC_CUDA_SUPPORT__
  685. #ifdef __tile__
  686. #define PACKET_INITIALIZE(p) { \
  687. memset((p), 0x00, sizeof(Packet)); \
  688. SCMutexInit(&(p)->tunnel_mutex, NULL); \
  689. PACKET_RESET_CHECKSUMS((p)); \
  690. (p)->pkt = ((uint8_t *)(p)) + sizeof(Packet); \
  691. (p)->livedev = NULL; \
  692. }
  693. #else
  694. #define PACKET_INITIALIZE(p) { \
  695. memset((p), 0x00, SIZE_OF_PACKET); \
  696. SCMutexInit(&(p)->tunnel_mutex, NULL); \
  697. PACKET_RESET_CHECKSUMS((p)); \
  698. (p)->pkt = ((uint8_t *)(p)) + sizeof(Packet); \
  699. (p)->livedev = NULL; \
  700. }
  701. #endif
  702. #else
  703. #ifdef __tile__
  704. #define PACKET_INITIALIZE(p) { \
  705. memset((p), 0x00, sizeof(Packet)); \
  706. SCMutexInit(&(p)->tunnel_mutex, NULL); \
  707. PACKET_RESET_CHECKSUMS((p)); \
  708. SCMutexInit(&(p)->cuda_mutex, NULL); \
  709. SCCondInit(&(p)->cuda_cond, NULL); \
  710. (p)->pkt = ((uint8_t *)(p)) + sizeof(Packet); \
  711. (p)->livedev = NULL; \
  712. }
  713. #else
  714. #define PACKET_INITIALIZE(p) { \
  715. memset((p), 0x00, SIZE_OF_PACKET); \
  716. SCMutexInit(&(p)->tunnel_mutex, NULL); \
  717. PACKET_RESET_CHECKSUMS((p)); \
  718. SCMutexInit(&(p)->cuda_mutex, NULL); \
  719. SCCondInit(&(p)->cuda_cond, NULL); \
  720. (p)->pkt = ((uint8_t *)(p)) + sizeof(Packet); \
  721. (p)->livedev = NULL; \
  722. }
  723. #endif
  724. #endif
  725. /**
  726. * \brief Recycle a packet structure for reuse.
  727. * \todo the mutex destroy & init is necessary because of the memset, reconsider
  728. */
  729. #ifndef __tile__
  730. #define PACKET_DO_RECYCLE(p) do { \
  731. CLEAR_ADDR(&(p)->src); \
  732. CLEAR_ADDR(&(p)->dst); \
  733. (p)->sp = 0; \
  734. (p)->dp = 0; \
  735. (p)->proto = 0; \
  736. (p)->recursion_level = 0; \
  737. (p)->flags = 0; \
  738. (p)->flowflags = 0; \
  739. (p)->pkt_src = 0; \
  740. FlowDeReference(&((p)->flow)); \
  741. (p)->ts.tv_sec = 0; \
  742. (p)->ts.tv_usec = 0; \
  743. (p)->datalink = 0; \
  744. (p)->action = 0; \
  745. if ((p)->pktvar != NULL) { \
  746. PktVarFree((p)->pktvar); \
  747. (p)->pktvar = NULL; \
  748. } \
  749. (p)->ethh = NULL; \
  750. if ((p)->ip4h != NULL) { \
  751. CLEAR_IPV4_PACKET((p)); \
  752. } \
  753. if ((p)->ip6h != NULL) { \
  754. CLEAR_IPV6_PACKET((p)); \
  755. } \
  756. if ((p)->tcph != NULL) { \
  757. CLEAR_TCP_PACKET((p)); \
  758. } \
  759. if ((p)->udph != NULL) { \
  760. CLEAR_UDP_PACKET((p)); \
  761. } \
  762. if ((p)->sctph != NULL) { \
  763. CLEAR_SCTP_PACKET((p)); \
  764. } \
  765. if ((p)->icmpv4h != NULL) { \
  766. CLEAR_ICMPV4_PACKET((p)); \
  767. } \
  768. if ((p)->icmpv6h != NULL) { \
  769. CLEAR_ICMPV6_PACKET((p)); \
  770. } \
  771. (p)->ppph = NULL; \
  772. (p)->pppoesh = NULL; \
  773. (p)->pppoedh = NULL; \
  774. (p)->greh = NULL; \
  775. (p)->vlanh = NULL; \
  776. (p)->payload = NULL; \
  777. (p)->payload_len = 0; \
  778. (p)->pktlen = 0; \
  779. (p)->alerts.cnt = 0; \
  780. HostDeReference(&((p)->host_src)); \
  781. HostDeReference(&((p)->host_dst)); \
  782. (p)->pcap_cnt = 0; \
  783. (p)->tunnel_rtv_cnt = 0; \
  784. (p)->tunnel_tpr_cnt = 0; \
  785. SCMutexDestroy(&(p)->tunnel_mutex); \
  786. SCMutexInit(&(p)->tunnel_mutex, NULL); \
  787. (p)->events.cnt = 0; \
  788. (p)->next = NULL; \
  789. (p)->prev = NULL; \
  790. (p)->root = NULL; \
  791. (p)->livedev = NULL; \
  792. (p)->ReleaseData = NULL; \
  793. PACKET_RESET_CHECKSUMS((p)); \
  794. PACKET_PROFILING_RESET((p)); \
  795. } while (0)
  796. #else
  797. /* __tile__ */
  798. #define PACKET_DO_RECYCLE(p) do { \
  799. __insn_prefetch(&(p)->pktvar); \
  800. __insn_prefetch(&(p)->alerts.cnt); \
  801. __insn_prefetch(&(p)->events.cnt); \
  802. uint64_t *llp = (uint64_t *)(p); \
  803. __insn_wh64(llp); \
  804. __insn_wh64(&llp[8]); \
  805. llp[0] = 0; \
  806. llp[1] = 0; \
  807. llp[2] = 0; \
  808. llp[3] = 0; \
  809. llp[4] = 0; \
  810. llp[5] = 0; \
  811. llp[6] = 0; \
  812. llp[7] = 0; \
  813. llp[8] = 0; \
  814. llp[9] = 0; \
  815. llp[10] = 0; \
  816. llp[11] = 0; \
  817. llp[12] = 0; \
  818. llp[13] = 0; \
  819. llp[14] = 0; \
  820. llp[15] = 0; \
  821. /*CLEAR_ADDR(&(p)->src);*/ \
  822. /*CLEAR_ADDR(&(p)->dst);*/ \
  823. /*(p)->sp = 0;*/ \
  824. /*(p)->dp = 0;*/ \
  825. /*(p)->proto = 0;*/ \
  826. /*(p)->recursion_level = 0;*/ \
  827. /*(p)->flags = 0;*/ \
  828. /*(p)->flowflags = 0;*/ \
  829. /* (p)->pkt_src = 0; */ \
  830. /*(p)->flow = NULL;*/ \
  831. /*(p)->ts.tv_sec = 0;*/ \
  832. /*(p)->ts.tv_usec = 0;*/ \
  833. /*(p)->datalink = 0;*/ \
  834. /*(p)->action = 0;*/ \
  835. FlowDeReference(&((p)->flow)); \
  836. if ((p)->pktvar != NULL) { \
  837. PktVarFree((p)->pktvar); \
  838. (p)->pktvar = NULL; \
  839. } \
  840. /*(p)->ethh = NULL;*/ \
  841. if ((p)->ip4h != NULL) { \
  842. CLEAR_IPV4_PACKET((p)); \
  843. } \
  844. if ((p)->ip6h != NULL) { \
  845. CLEAR_IPV6_PACKET((p)); \
  846. } \
  847. if ((p)->tcph != NULL) { \
  848. CLEAR_TCP_PACKET((p)); \
  849. } \
  850. if ((p)->udph != NULL) { \
  851. CLEAR_UDP_PACKET((p)); \
  852. } \
  853. if ((p)->sctph != NULL) { \
  854. CLEAR_SCTP_PACKET((p)); \
  855. } \
  856. if ((p)->icmpv4h != NULL) { \
  857. CLEAR_ICMPV4_PACKET((p)); \
  858. } \
  859. if ((p)->icmpv6h != NULL) { \
  860. CLEAR_ICMPV6_PACKET((p)); \
  861. } \
  862. (p)->ppph = NULL; \
  863. (p)->pppoesh = NULL; \
  864. (p)->pppoedh = NULL; \
  865. (p)->greh = NULL; \
  866. (p)->vlanh = NULL; \
  867. (p)->payload = NULL; \
  868. (p)->payload_len = 0; \
  869. (p)->pktlen = 0; \
  870. if (unlikely((p)->alerts.cnt)) (p)->alerts.cnt = 0; \
  871. HostDeReference(&((p)->host_src)); \
  872. HostDeReference(&((p)->host_dst)); \
  873. (p)->pcap_cnt = 0; \
  874. (p)->tunnel_rtv_cnt = 0; \
  875. (p)->tunnel_tpr_cnt = 0; \
  876. SCMutexDestroy(&(p)->tunnel_mutex); \
  877. SCMutexInit(&(p)->tunnel_mutex, NULL); \
  878. if ((p)->events.cnt) (p)->events.cnt = 0; \
  879. /*(p)->next = NULL;*/ \
  880. /*(p)->prev = NULL;*/ \
  881. (p)->root = NULL; \
  882. (p)->livedev = NULL; \
  883. PACKET_RESET_CHECKSUMS((p)); \
  884. PACKET_PROFILING_RESET((p)); \
  885. } while (0)
  886. #endif
  887. #ifndef __SC_CUDA_SUPPORT__
  888. #define PACKET_RECYCLE(p) PACKET_DO_RECYCLE((p))
  889. #else
  890. #define PACKET_RECYCLE(p) do { \
  891. PACKET_DO_RECYCLE((p)); \
  892. SCMutexDestroy(&(p)->cuda_mutex); \
  893. SCCondDestroy(&(p)->cuda_cond); \
  894. SCMutexInit(&(p)->cuda_mutex, NULL); \
  895. SCCondInit(&(p)->cuda_cond, NULL); \
  896. PACKET_RESET_CHECKSUMS((p)); \
  897. } while(0)
  898. #endif
  899. /**
  900. * \brief Cleanup a packet so that we can free it. No memset needed..
  901. */
  902. #ifndef __SC_CUDA_SUPPORT__
  903. #define PACKET_CLEANUP(p) do { \
  904. if ((p)->pktvar != NULL) { \
  905. PktVarFree((p)->pktvar); \
  906. } \
  907. SCMutexDestroy(&(p)->tunnel_mutex); \
  908. } while (0)
  909. #else
  910. #define PACKET_CLEANUP(p) do { \
  911. if ((p)->pktvar != NULL) { \
  912. PktVarFree((p)->pktvar); \
  913. } \
  914. SCMutexDestroy(&(p)->tunnel_mutex); \
  915. SCMutexDestroy(&(p)->cuda_mutex); \
  916. SCCondDestroy(&(p)->cuda_cond); \
  917. } while(0)
  918. #endif
  919. /* macro's for setting the action
  920. * handle the case of a root packet
  921. * for tunnels */
  922. #define ALERT_PACKET(p) do { \
  923. ((p)->root ? \
  924. ((p)->root->action = ACTION_ALERT) : \
  925. ((p)->action = ACTION_ALERT)); \
  926. } while (0)
  927. #define ACCEPT_PACKET(p) do { \
  928. ((p)->root ? \
  929. ((p)->root->action = ACTION_ACCEPT) : \
  930. ((p)->action = ACTION_ACCEPT)); \
  931. } while (0)
  932. #define DROP_PACKET(p) do { \
  933. ((p)->root ? \
  934. ((p)->root->action = ACTION_DROP) : \
  935. ((p)->action = ACTION_DROP)); \
  936. } while (0)
  937. #define REJECT_PACKET(p) do { \
  938. ((p)->root ? \
  939. ((p)->root->action = (ACTION_REJECT|ACTION_DROP)) : \
  940. ((p)->action = (ACTION_REJECT|ACTION_DROP))); \
  941. } while (0)
  942. #define REJECT_PACKET_DST(p) do { \
  943. ((p)->root ? \
  944. ((p)->root->action = (ACTION_REJECT_DST|ACTION_DROP)) : \
  945. ((p)->action = (ACTION_REJECT_DST|ACTION_DROP))); \
  946. } while (0)
  947. #define REJECT_PACKET_BOTH(p) do { \
  948. ((p)->root ? \
  949. ((p)->root->action = (ACTION_REJECT_BOTH|ACTION_DROP)) : \
  950. ((p)->action = (ACTION_REJECT_BOTH|ACTION_DROP))); \
  951. } while (0)
  952. #define PASS_PACKET(p) do { \
  953. ((p)->root ? \
  954. ((p)->root->action = ACTION_PASS) : \
  955. ((p)->action = ACTION_PASS)); \
  956. } while (0)
  957. #define TUNNEL_INCR_PKT_RTV(p) do { \
  958. SCMutexLock((p)->root ? &(p)->root->tunnel_mutex : &(p)->tunnel_mutex); \
  959. ((p)->root ? (p)->root->tunnel_rtv_cnt++ : (p)->tunnel_rtv_cnt++); \
  960. SCMutexUnlock((p)->root ? &(p)->root->tunnel_mutex : &(p)->tunnel_mutex); \
  961. } while (0)
  962. #define TUNNEL_INCR_PKT_TPR(p) do { \
  963. SCMutexLock((p)->root ? &(p)->root->tunnel_mutex : &(p)->tunnel_mutex); \
  964. ((p)->root ? (p)->root->tunnel_tpr_cnt++ : (p)->tunnel_tpr_cnt++); \
  965. SCMutexUnlock((p)->root ? &(p)->root->tunnel_mutex : &(p)->tunnel_mutex); \
  966. } while (0)
  967. #define TUNNEL_DECR_PKT_TPR(p) do { \
  968. SCMutexLock((p)->root ? &(p)->root->tunnel_mutex : &(p)->tunnel_mutex); \
  969. ((p)->root ? (p)->root->tunnel_tpr_cnt-- : (p)->tunnel_tpr_cnt--); \
  970. SCMutexUnlock((p)->root ? &(p)->root->tunnel_mutex : &(p)->tunnel_mutex); \
  971. } while (0)
  972. #define TUNNEL_DECR_PKT_TPR_NOLOCK(p) do { \
  973. ((p)->root ? (p)->root->tunnel_tpr_cnt-- : (p)->tunnel_tpr_cnt--); \
  974. } while (0)
  975. #define TUNNEL_PKT_RTV(p) ((p)->root ? (p)->root->tunnel_rtv_cnt : (p)->tunnel_rtv_cnt)
  976. #define TUNNEL_PKT_TPR(p) ((p)->root ? (p)->root->tunnel_tpr_cnt : (p)->tunnel_tpr_cnt)
  977. #define IS_TUNNEL_PKT(p) (((p)->flags & PKT_TUNNEL))
  978. #define SET_TUNNEL_PKT(p) ((p)->flags |= PKT_TUNNEL)
  979. #define IS_TUNNEL_ROOT_PKT(p) (IS_TUNNEL_PKT(p) && (p)->root == NULL)
  980. #define IS_TUNNEL_PKT_VERDICTED(p) (((p)->flags & PKT_TUNNEL_VERDICTED))
  981. #define SET_TUNNEL_PKT_VERDICTED(p) ((p)->flags |= PKT_TUNNEL_VERDICTED)
  982. void DecodeRegisterPerfCounters(DecodeThreadVars *, ThreadVars *);
  983. Packet *PacketPseudoPktSetup(Packet *parent, uint8_t *pkt, uint16_t len, uint8_t proto);
  984. Packet *PacketDefragPktSetup(Packet *parent, uint8_t *pkt, uint16_t len, uint8_t proto);
  985. #ifdef __tile__
  986. Packet *PacketGetFromQueueOrAlloc(int pool);
  987. #else
  988. Packet *PacketGetFromQueueOrAlloc(void);
  989. #endif
  990. Packet *PacketGetFromAlloc(void);
  991. int PacketCopyData(Packet *p, uint8_t *pktdata, int pktlen);
  992. int PacketSetData(Packet *p, uint8_t *pktdata, int pktlen);
  993. int PacketCopyDataOffset(Packet *p, int offset, uint8_t *data, int datalen);
  994. DecodeThreadVars *DecodeThreadVarsAlloc(ThreadVars *tv);
  995. /* decoder functions */
  996. void DecodeEthernet(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
  997. void DecodeSll(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
  998. void DecodePPP(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
  999. void DecodePPPOESession(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
  1000. void DecodePPPOEDiscovery(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
  1001. void DecodeTunnel(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *, uint8_t);
  1002. void DecodeRaw(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
  1003. void DecodeIPV4(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
  1004. void DecodeIPV6(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
  1005. void DecodeICMPV4(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
  1006. void DecodeICMPV6(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
  1007. void DecodeTCP(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
  1008. void DecodeUDP(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
  1009. void DecodeSCTP(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
  1010. void DecodeGRE(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
  1011. void DecodeVLAN(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
  1012. void AddressDebugPrint(Address *);
  1013. /** \brief Set the No payload inspection Flag for the packet.
  1014. *
  1015. * \param p Packet to set the flag in
  1016. */
  1017. #define DecodeSetNoPayloadInspectionFlag(p) do { \
  1018. (p)->flags |= PKT_NOPAYLOAD_INSPECTION; \
  1019. } while (0)
  1020. /** \brief Set the No packet inspection Flag for the packet.
  1021. *
  1022. * \param p Packet to set the flag in
  1023. */
  1024. #define DecodeSetNoPacketInspectionFlag(p) do { \
  1025. (p)->flags |= PKT_NOPACKET_INSPECTION; \
  1026. } while (0)
  1027. #define ENGINE_SET_EVENT(p, e) do { \
  1028. SCLogDebug("p %p event %d", (p), e); \
  1029. if ((p)->events.cnt < PACKET_ENGINE_EVENT_MAX) { \
  1030. (p)->events.events[(p)->events.cnt] = e; \
  1031. (p)->events.cnt++; \
  1032. } \
  1033. } while(0)
  1034. #define ENGINE_ISSET_EVENT(p, e) ({ \
  1035. int r = 0; \
  1036. uint8_t u; \
  1037. for (u = 0; u < (p)->events.cnt; u++) { \
  1038. if ((p)->events.events[u] == (e)) { \
  1039. r = 1; \
  1040. break; \
  1041. } \
  1042. } \
  1043. r; \
  1044. })
  1045. /* older libcs don't contain a def for IPPROTO_DCCP
  1046. * inside of <netinet/in.h>
  1047. * if it isn't defined let's define it here.
  1048. */
  1049. #ifndef IPPROTO_DCCP
  1050. #define IPPROTO_DCCP 33
  1051. #endif
  1052. /* older libcs don't contain a def for IPPROTO_SCTP
  1053. * inside of <netinet/in.h>
  1054. * if it isn't defined let's define it here.
  1055. */
  1056. #ifndef IPPROTO_SCTP
  1057. #define IPPROTO_SCTP 132
  1058. #endif
  1059. /* pcap provides this, but we don't want to depend on libpcap */
  1060. #ifndef DLT_EN10MB
  1061. #define DLT_EN10MB 1
  1062. #endif
  1063. /* taken from pcap's bpf.h */
  1064. #ifndef DLT_RAW
  1065. #ifdef __OpenBSD__
  1066. #define DLT_RAW 14 /* raw IP */
  1067. #else
  1068. #define DLT_RAW 12 /* raw IP */
  1069. #endif
  1070. #endif
  1071. /** libpcap shows us the way to linktype codes
  1072. * \todo we need more & maybe put them in a separate file? */
  1073. #define LINKTYPE_ETHERNET DLT_EN10MB
  1074. #define LINKTYPE_LINUX_SLL 113
  1075. #define LINKTYPE_PPP 9
  1076. #define LINKTYPE_RAW DLT_RAW
  1077. #define PPP_OVER_GRE 11
  1078. #define VLAN_OVER_GRE 13
  1079. /*Packet Flags*/
  1080. #define PKT_NOPACKET_INSPECTION (1) /**< Flag to indicate that packet header or contents should not be inspected*/
  1081. #define PKT_NOPAYLOAD_INSPECTION (1<<2) /**< Flag to indicate that packet contents should not be inspected*/
  1082. #define PKT_ALLOC (1<<3) /**< Packet was alloc'd this run, needs to be freed */
  1083. #define PKT_HAS_TAG (1<<4) /**< Packet has matched a tag */
  1084. #define PKT_STREAM_ADD (1<<5) /**< Packet payload was added to reassembled stream */
  1085. #define PKT_STREAM_EST (1<<6) /**< Packet is part of establised stream */
  1086. #define PKT_STREAM_EOF (1<<7) /**< Stream is in eof state */
  1087. #define PKT_HAS_FLOW (1<<8)
  1088. #define PKT_PSEUDO_STREAM_END (1<<9) /**< Pseudo packet to end the stream */
  1089. #define PKT_STREAM_MODIFIED (1<<10) /**< Packet is modified by the stream engine, we need to recalc the csum and reinject/replace */
  1090. #define PKT_MARK_MODIFIED (1<<11) /**< Packet mark is modified */
  1091. #define PKT_STREAM_NOPCAPLOG (1<<12) /**< Exclude packet from pcap logging as it's part of a stream that has reassembly depth reached. */
  1092. #define PKT_TUNNEL (1<<13)
  1093. #define PKT_TUNNEL_VERDICTED (1<<14)
  1094. #define PKT_IGNORE_CHECKSUM (1<<15) /**< Packet checksum is not computed (TX packet for example) */
  1095. #define PKT_ZERO_COPY (1<<16) /**< Packet comes from zero copy (ext_pkt must not be freed) */
  1096. #define PKT_NETIO (1<<17) /**< Packet payload from netio */
  1097. #define PKT_MPIPE (1<<18) /**< Packet payload from mpipe */
  1098. #define PKT_HOST_SRC_LOOKED_UP (1<<19)
  1099. #define PKT_HOST_DST_LOOKED_UP (1<<20)
  1100. /** \brief return 1 if the packet is a pseudo packet */
  1101. #define PKT_IS_PSEUDOPKT(p) ((p)->flags & PKT_PSEUDO_STREAM_END)
  1102. #define PKT_SET_SRC(p, src_val) ((p)->pkt_src = src_val)
  1103. #endif /* __DECODE_H__ */