suricata
defrag.h
1/* Copyright (C) 2007-2013 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Endace Technology Limited, Jason Ish <jason.ish@endace.com>
22 */
23
24#ifndef SURICATA_DEFRAG_H
25#define SURICATA_DEFRAG_H
26
27#include "threads.h"
28#include "util-pool.h"
29#include "threadvars.h"
30#include "decode.h"
31
32/**
33 * A context for an instance of a fragmentation re-assembler, in case
34 * we ever need more than one.
35 */
36typedef struct DefragContext_ {
37 Pool *frag_pool; /**< Pool of fragments.
 * NOTE(review): the member index for this file lists
 * `SCMutex frag_pool_lock` at defrag.h:38, a line this
 * listing omits; presumably it serialises access to
 * this pool — confirm. */
39
40 uint32_t timeout; /**< Default timeout.
 * NOTE(review): the unit is not stated in this header —
 * confirm before comparing it with other timeouts. */
42
43/**
44 * Storage for an individual fragment.
45 *
 * NOTE(review): the offsets and lengths below are plain integers; nothing
 * in this header ties them to the size of the buffer behind pkt, so code
 * that uses them to index pkt presumably has to range-check them —
 * confirm in defrag.c.
 *
 * The listing omits the end of this struct; the member index for this file
 * shows an `RB_ENTRY(Frag_) rb` member and the typedef name `Frag`.
 */
46typedef struct Frag_ {
47 uint16_t offset; /**< The offset of this fragment, already
48 * multiplied by 8 (so a byte offset; the IP header
 * field counts 8-byte units). */
49
50 uint32_t len; /**< The length of this fragment. */
51
52 uint8_t hlen; /**< The length of this fragment's IP header. */
53
54 uint8_t more_frags:4; /**< More frags? 4-bit field.
 * NOTE(review): looks like it mirrors the IP
 * more-fragments flag — confirm. */
55 uint8_t skip:4; /**< Skip this fragment during re-assembly. 4-bit field. */
56
57 uint16_t frag_hdr_offset; /**< Offset in the packet where the frag
58 * header starts. */
59
60 uint16_t data_offset; /**< Offset to the packet data. */
61 uint16_t data_len; /**< Length of data. */
62
63 uint16_t ltrim; /**< Number of leading bytes to trim when
64 * re-assembling the packet. */
65
66 uint8_t *pkt; /**< The actual packet.
 * NOTE(review): ownership and size of this buffer are
 * not shown here — confirm who allocates and frees it. */
67
68#ifdef DEBUG
69 uint64_t pcap_cnt; /**< pcap_cnt of original packet */
70#endif
71
74
75int DefragRbFragCompare(struct Frag_ *a, struct Frag_ *b); /* presumably the ordering function for the IP_FRAGMENTS tree — confirm where the tree is prototyped/generated */
76
77RB_HEAD(IP_FRAGMENTS, Frag_); /* declares struct IP_FRAGMENTS, the head of a tree of Frag_ nodes (tree.h RB_ macros) */
79
80/**
81 * A defragmentation tracker. Used to track fragments that make up a
82 * single packet.
83 */
84typedef struct DefragTracker_ {
85 SCMutex lock; /**< Mutex for locking list operations on
86 * this tracker.
 * NOTE(review): fragments are held in fragment_tree
 * below, so "list" presumably means that tree —
 * confirm which members this lock covers. */
87
88 uint16_t vlan_id[VLAN_MAX_LAYERS]; /**< VLAN ID tracker applies to. */
89 uint16_t ip_hdr_offset; /**< Offset in the packet where the IP
90 * header starts. */
91
92 uint32_t id; /**< IP ID for this tracker. 32 bits for IPv6, 16
93 * for IPv4. */
94
95 uint8_t proto; /**< IP protocol for this tracker. */
96
97 uint8_t policy; /**< Reassembly policy this tracker will use.
 * NOTE(review): DefragGetOsPolicy() is documented as
 * choosing a policy from the packet's destination
 * address; presumably that value is stored here so
 * re-assembly matches the destination host's IP
 * stack — confirm in defrag.c. */
98
99 uint8_t af; /**< Address family for this tracker, AF_INET or
100 * AF_INET6. */
101
102 uint8_t seen_last; /**< Has this tracker seen the last fragment? */
103
104 uint8_t remove; /**< Removal flag. NOTE(review): semantics are not shown
 * in this header; presumably marks the tracker for
 * removal — confirm in defrag.c. */
105
106 Address src_addr; /**< Source address for this tracker. */
107 Address dst_addr; /**< Destination address for this tracker. */
108
109 int datalink; /**< datalink for reassembled packet, set by first fragment */
110 SCTime_t timeout; /**< When this tracker will timeout. */
111 uint32_t host_timeout; /**< Host timeout, statically assigned from the yaml */
112
113 /** use cnt, reference counter (declared through SC_ATOMIC_DECLARE) */
114 SC_ATOMIC_DECLARE(unsigned int, use_cnt);
115
116 struct IP_FRAGMENTS fragment_tree; /**< Tree of Frag_ entries for this tracker; head type comes from RB_HEAD(IP_FRAGMENTS, Frag_). */
117
118 /** hash pointer, protected by hash row mutex/spin (member `hnext`, defrag.h:119 per the member index; the line is missing from this listing) */
120
121 /** stack pointer, protected by tracker-queue mutex/spin (member `lnext`, defrag.h:122 per the member index; the line is missing from this listing) */
124
125void DefragInit(void);
126void DefragDestroy(void);
127
128uint8_t DefragGetOsPolicy(Packet *); /* Get the defrag policy based on the destination address of the packet. */
131void DefragRegisterTests(void);
132
133#endif /* SURICATA_DEFRAG_H */
#define VLAN_MAX_LAYERS
Definition decode-vlan.h:51
void DefragInit(void)
Definition defrag.c:1109
struct DefragTracker_ DefragTracker
uint8_t DefragGetOsPolicy(Packet *)
Get the defrag policy based on the destination address of the packet.
Definition defrag.c:985
struct Frag_ Frag
struct DefragContext_ DefragContext
void DefragTrackerFreeFrags(DefragTracker *)
Free all frags associated with a tracker.
Definition defrag.c:132
Packet * Defrag(ThreadVars *, DecodeThreadVars *, Packet *)
Entry point for IPv4 and IPv6 fragments.
Definition defrag.c:1063
int DefragRbFragCompare(struct Frag_ *a, struct Frag_ *b)
Definition defrag.c:537
void DefragRegisterTests(void)
Definition defrag.c:3111
void DefragDestroy(void)
Definition defrag.c:1129
Structure to hold thread specific data for all decode modules.
Definition decode.h:963
uint32_t timeout
Definition defrag.h:40
SCMutex frag_pool_lock
Definition defrag.h:38
Pool * frag_pool
Definition defrag.h:37
uint8_t remove
Definition defrag.h:104
uint16_t ip_hdr_offset
Definition defrag.h:89
SCMutex lock
Definition defrag.h:85
SC_ATOMIC_DECLARE(unsigned int, use_cnt)
uint8_t seen_last
Definition defrag.h:102
struct DefragTracker_ * hnext
Definition defrag.h:119
SCTime_t timeout
Definition defrag.h:110
uint8_t policy
Definition defrag.h:97
struct DefragTracker_ * lnext
Definition defrag.h:122
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition defrag.h:88
uint32_t id
Definition defrag.h:92
Address src_addr
Definition defrag.h:106
struct IP_FRAGMENTS fragment_tree
Definition defrag.h:116
Address dst_addr
Definition defrag.h:107
uint8_t af
Definition defrag.h:99
uint32_t host_timeout
Definition defrag.h:111
uint8_t proto
Definition defrag.h:95
Definition defrag.h:46
RB_ENTRY(Frag_) rb
uint16_t frag_hdr_offset
Definition defrag.h:57
uint16_t offset
Definition defrag.h:47
uint8_t more_frags
Definition defrag.h:54
uint16_t data_offset
Definition defrag.h:60
uint8_t skip
Definition defrag.h:55
uint16_t data_len
Definition defrag.h:61
uint32_t len
Definition defrag.h:50
uint8_t * pkt
Definition defrag.h:66
uint16_t ltrim
Definition defrag.h:63
uint8_t hlen
Definition defrag.h:52
Per thread variable structure.
Definition threadvars.h:58
#define SCMutex
#define RB_PROTOTYPE(name, type, field, cmp)
Definition tree.h:385
#define RB_HEAD(name, type)
Definition tree.h:300