source-windivert.c

Go to the documentation of this file.

/* Copyright (C) 2018 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */
 
/**
 * \file
 *
 * \author Jacob Masen-Smith <jacob@evengx.com>
 *
 * WinDivert emulation of netfilter_queue functionality to hook into Suricata's
 * IPS mode. Supported solely on Windows.
 *
 */
 
#include "suricata-common.h"
#include "suricata.h"
#include "tm-threads.h"
#include "packet.h"
#include "util-byte.h"
#include "util-debug.h"
#include "util-device-private.h"
#include "util-error.h"
#include "util-ioctl.h"
#include "util-privs.h"
#include "util-unittest.h"
 
#include "runmodes.h"
 
#include "queue.h"
 
#include "source-windivert-prototypes.h"
#include "source-windivert.h"
 
#ifdef WINDIVERT
// clang-format off
#include <winsock2.h>
#include <windows.h>
#include <iptypes.h>
#include <winerror.h>
// clang-format on
#endif
 
#ifndef WINDIVERT
/* Gracefully handle the case where no WinDivert support is compiled in */
 
TmEcode NoWinDivertSupportExit(ThreadVars *, const void *, void **);
 
void TmModuleReceiveWinDivertRegister(void)
{
    tmm_modules[TMM_RECEIVEWINDIVERT].name = "ReceiveWinDivert";
    tmm_modules[TMM_RECEIVEWINDIVERT].ThreadInit = NoWinDivertSupportExit;
    tmm_modules[TMM_RECEIVEWINDIVERT].flags = TM_FLAG_RECEIVE_TM;
}
 
void TmModuleVerdictWinDivertRegister(void)
{
    tmm_modules[TMM_VERDICTWINDIVERT].name = "VerdictWinDivert";
    tmm_modules[TMM_VERDICTWINDIVERT].ThreadInit = NoWinDivertSupportExit;
    tmm_modules[TMM_VERDICTWINDIVERT].flags = TM_FLAG_VERDICT_TM;
}
 
void TmModuleDecodeWinDivertRegister(void)
{
    tmm_modules[TMM_DECODEWINDIVERT].name = "DecodeWinDivert";
    tmm_modules[TMM_DECODEWINDIVERT].ThreadInit = NoWinDivertSupportExit;
    tmm_modules[TMM_DECODEWINDIVERT].flags = TM_FLAG_DECODE_TM;
}
 
TmEcode NoWinDivertSupportExit(ThreadVars *tv, const void *initdata,
                               void **data)
{
    SCLogError("Error creating thread %s: you do not have support for WinDivert "
               "enabled; please recompile with --enable-windivert",
            tv->name);
    exit(EXIT_FAILURE);
}
 
#else /* implied we do have WinDivert support */
#include "action-globals.h"
#include "win32-syscall.h"
 
typedef struct WinDivertThreadVars_ {
    WinDivertHandle filter_handle;
 
    int thread_num;
    int64_t qpc_start_time;
    int64_t qpc_start_count;
    int64_t qpc_freq_usec;
 
    TmSlot *slot;
 
    bool offload_enabled;
 
    TAILQ_HEAD(, LiveDevice_) live_devices;
} WinDivertThreadVars;
 
#define WINDIVERT_MAX_QUEUE 16
static WinDivertThreadVars g_wd_tv[WINDIVERT_MAX_QUEUE];
static WinDivertQueueVars g_wd_qv[WINDIVERT_MAX_QUEUE];
static uint16_t g_wd_num = 0;
static SCMutex g_wd_init_lock = SCMUTEX_INITIALIZER;
 
void *WinDivertGetThread(int n)
{
    if (n >= g_wd_num) {
        return NULL;
    }
    return (void *)&g_wd_tv[n];
}
 
void *WinDivertGetQueue(int n)
{
    if (n >= g_wd_num) {
        return NULL;
    }
    return (void *)&g_wd_qv[n];
}
 
// not defined in MinGW winerror.h
#ifndef ERROR_INVALID_IMAGE_HASH
#define ERROR_INVALID_IMAGE_HASH 577L
#endif
#ifndef ERROR_DATA_NOT_ACCEPTED
#define ERROR_DATA_NOT_ACCEPTED 592L
#endif
 
/**
 * \brief return an error description for Win32 error values commonly returned
 * by WinDivert
 */
static const char *WinDivertGetErrorString(DWORD error_code)
{
    switch (error_code) {
        // WinDivertOpen errors
        case ERROR_FILE_NOT_FOUND:
            return "The driver files WinDivert32.sys or WinDivert64.sys were "
                   "not found.";
        case ERROR_ACCESS_DENIED:
            return "Suricata must be run with Administrator privileges.";
        case ERROR_INVALID_PARAMETER:
            return "The WinDivert packet filter string is invalid.";
        case ERROR_INVALID_IMAGE_HASH:
            return "The WinDivert32.sys or WinDivert64.sys driver does not "
                   "have a valid digital signature, or your copy of Windows is "
                   "not up-to-date. Windows 7 and Server 2008 users need to "
                   "run Windows Update or install the following patch from "
                   "Microsoft: http://support.microsoft.com/kb/2949927";
        case ERROR_DRIVER_BLOCKED:
            return "This error occurs for various reasons, including: "
                   "attempting to load the 32-bit WinDivert.sys driver on a "
                   "64-bit system (or vice versa); the WinDivert.sys driver is "
                   "blocked by security software; or you are using a "
                   "virtualization environment that does not support "
                   "drivers.";
        case EPT_S_NOT_REGISTERED:
            return "This error occurs when the Base Filtering Engine service "
                   "has been disabled.";
        case ERROR_PROC_NOT_FOUND:
            return "The error may occur for Windows Vista users. The "
                   "solution is to install the following patch from Microsoft: "
                   "http://support.microsoft.com/kb/2761494.";
 
        // WinDivertSend errors
        case ERROR_HOST_UNREACHABLE:
            return "This error occurs when an impostor packet (with "
                   "pAddr->Impostor set to 1) is injected and the ip.TTL or "
                   "ipv6.HopLimit field goes to zero. This is a defense of "
                   "last resort against infinite loops caused by impostor "
                   "packets.";
        case ERROR_DATA_NOT_ACCEPTED:
            return "This error is returned when the user application attempts "
                   "to inject a malformed packet. It may also be returned for "
                   "valid inbound packets, and the Windows TCP/IP stack "
                   "rejects the packet for some reason.";
        case ERROR_RETRY:
            return "The underlying cause of this error is unknown. However, "
                   "this error usually occurs when certain kinds of "
                   "anti-virus/firewall/security software is installed, and "
                   "the error message usually resolves once the offending "
                   "program is uninstalled. This suggests a software "
                   "compatibility problem.";
        default:
            return "";
    }
}
 
/**
 * \brief logs a WinDivert error at Error level.
 */
#define WinDivertLogError(err_code)                                                                \
    do {                                                                                           \
        const char *win_err_str = Win32GetErrorString((err_code), NULL);                           \
        SCLogError("WinDivertOpen failed, error %" PRId32 " (0x%08" PRIx32 "): %s %s",             \
                (uint32_t)(err_code), (uint32_t)(err_code), win_err_str,                           \
                WinDivertGetErrorString(err_code));                                                \
        LocalFree((LPVOID)win_err_str);                                                            \
    } while (0);
 
/**
 * \brief initializes QueryPerformanceCounter values so we can get
 * absolute time from WinDivert timestamps.
 */
static void WinDivertInitQPCValues(WinDivertThreadVars *wd_tv)
{
    SCTime_t now = TimeGet();
    (void)QueryPerformanceCounter((LARGE_INTEGER *)&wd_tv->qpc_start_count);
 
    wd_tv->qpc_start_time = (uint64_t)SCTIME_SECS(now) * (1000 * 1000) + (uint64_t)SCTIME_SECS(now);
 
    (void)QueryPerformanceFrequency((LARGE_INTEGER *)&wd_tv->qpc_freq_usec);
    /* \bug: clock drift? */
    wd_tv->qpc_freq_usec /= 1000 * 1000;
}
 
/**
 * \brief WinDivert timestamp to a SCTime_t
 */
static SCTime_t WinDivertTimestampToTimeStamp(WinDivertThreadVars *wd_tv, INT64 timestamp_count)
{
    struct timeval tv;
 
    int64_t qpc_delta = (int64_t)timestamp_count - wd_tv->qpc_start_count;
    int64_t unix_usec = wd_tv->qpc_start_time;
    if (wd_tv->qpc_freq_usec) {
        unix_usec += qpc_delta / wd_tv->qpc_freq_usec;
    }
 
    tv.tv_sec = (long)(unix_usec / (1000 * 1000));
    tv.tv_usec = (long)(unix_usec - (int64_t)tv.tv_sec * (1000 * 1000));
 
    return SCTIME_FROM_TIMEVAL(&tv);
}
 
/**
 * \brief initialize a WinDivert filter
 *
 * \param filter a WinDivert filter string as defined at
 * https://www.reqrypt.org/windivert-doc.html#filter_language
 *
 * \retval 0 on success
 * \retval -1 on failure
 */
int WinDivertRegisterQueue(bool forward, char *filter_str)
{
    SCEnter();
    int ret = 0;
 
    WINDIVERT_LAYER layer =
            forward ? WINDIVERT_LAYER_NETWORK_FORWARD : WINDIVERT_LAYER_NETWORK;
 
    /* validate the filter string */
    const char *error_str;
    uint32_t error_pos;
    bool valid = WinDivertHelperCheckFilter(filter_str, layer, &error_str,
                                            &error_pos);
    if (!valid) {
        SCLogWarning("Invalid filter \"%s\" supplied to WinDivert: %s at position "
                     "%" PRId32 "",
                filter_str, error_str, error_pos);
        SCReturnInt(-1);
    }
 
    /* initialize the queue */
    SCMutexLock(&g_wd_init_lock);
 
    if (g_wd_num >= WINDIVERT_MAX_QUEUE) {
        SCLogError("Too many WinDivert queues specified %" PRId32 "", g_wd_num);
        ret = -1;
        goto unlock;
    }
    if (g_wd_num == 0) {
        /* on first registration, zero-initialize all array structs */
        memset(&g_wd_tv, 0, sizeof(g_wd_tv));
        memset(&g_wd_qv, 0, sizeof(g_wd_qv));
    }
 
    /* init thread vars */
    WinDivertThreadVars *wd_tv = &g_wd_tv[g_wd_num];
    wd_tv->thread_num = g_wd_num;
 
    /* init queue vars */
    WinDivertQueueVars *wd_qv = &g_wd_qv[g_wd_num];
    wd_qv->queue_num = g_wd_num;
 
    WinDivertInitQPCValues(wd_tv);
 
    /* copy filter to persistent storage */
    size_t filter_len = strlen(filter_str);
    size_t copy_len =
            strlcpy(wd_qv->filter_str, filter_str, sizeof(wd_qv->filter_str));
    if (filter_len > copy_len) {
        SCLogWarning("Queue length exceeds storage by %" PRId32 " bytes",
                (int32_t)(filter_len - copy_len));
        ret = -1;
        goto unlock;
    }
 
    wd_qv->layer = layer;
    wd_qv->priority =
            g_wd_num; /* priority set in the order filters are defined */
    wd_qv->flags = 0; /* normal inline function */
 
    SCMutexInit(&wd_qv->filter_init_mutex, NULL);
    SCMutexInit(&wd_qv->counters_mutex, NULL);
 
    g_wd_num++;
 
unlock:
    SCMutexUnlock(&g_wd_init_lock);
 
    if (ret == 0) {
        // stringify queue index to use as thread name descriptor
        char wd_num_str[6];
        wd_num_str[sizeof(wd_num_str) - 1] = 0;
        snprintf(wd_num_str, sizeof(wd_num_str), "%" PRId16 "", g_wd_num);
 
        LiveRegisterDevice(wd_num_str);
 
        SCLogDebug("Queue %" PRId16 " registered", wd_qv->queue_num);
    }
 
    return ret;
}
 
/* forward declarations of internal functions */
/* Receive functions */
TmEcode ReceiveWinDivertLoop(ThreadVars *, void *, void *);
TmEcode ReceiveWinDivertThreadInit(ThreadVars *, const void *, void **);
TmEcode ReceiveWinDivertThreadDeinit(ThreadVars *, void *);
void ReceiveWinDivertThreadExitStats(ThreadVars *, void *);
 
/* Verdict functions */
TmEcode VerdictWinDivert(ThreadVars *, Packet *, void *);
TmEcode VerdictWinDivertThreadInit(ThreadVars *, const void *, void **);
TmEcode VerdictWinDivertThreadDeinit(ThreadVars *, void *);
 
/* Decode functions */
TmEcode DecodeWinDivert(ThreadVars *, Packet *, void *);
TmEcode DecodeWinDivertThreadInit(ThreadVars *, const void *, void **);
TmEcode DecodeWinDivertThreadDeinit(ThreadVars *, void *);
 
/* internal helper functions */
static TmEcode WinDivertRecvHelper(ThreadVars *tv, WinDivertThreadVars *);
static TmEcode WinDivertVerdictHelper(ThreadVars *tv, Packet *p);
static TmEcode WinDivertCloseHelper(WinDivertThreadVars *);
 
static TmEcode WinDivertCollectFilterDevices(WinDivertThreadVars *,
                                             WinDivertQueueVars *);
static bool WinDivertIfaceMatchFilter(const char *filter_string, int if_index);
static void WinDivertDisableOffloading(WinDivertThreadVars *);
static void WinDivertRestoreOffloading(WinDivertThreadVars *);
 
void TmModuleReceiveWinDivertRegister(void)
{
    TmModule *tm_ptr = &tmm_modules[TMM_RECEIVEWINDIVERT];
 
    tm_ptr->name = "ReceiveWinDivert";
    tm_ptr->ThreadInit = ReceiveWinDivertThreadInit;
    tm_ptr->PktAcqLoop = ReceiveWinDivertLoop;
    tm_ptr->ThreadExitPrintStats = ReceiveWinDivertThreadExitStats;
    tm_ptr->ThreadDeinit = ReceiveWinDivertThreadDeinit;
    tm_ptr->flags = TM_FLAG_RECEIVE_TM;
}
 
void TmModuleVerdictWinDivertRegister(void)
{
    TmModule *tm_ptr = &tmm_modules[TMM_VERDICTWINDIVERT];
 
    tm_ptr->name = "VerdictWinDivert";
    tm_ptr->ThreadInit = VerdictWinDivertThreadInit;
    tm_ptr->Func = VerdictWinDivert;
    tm_ptr->ThreadDeinit = VerdictWinDivertThreadDeinit;
    tm_ptr->flags = TM_FLAG_VERDICT_TM;
}
 
void TmModuleDecodeWinDivertRegister(void)
{
    TmModule *tm_ptr = &tmm_modules[TMM_DECODEWINDIVERT];
 
    tm_ptr->name = "DecodeWinDivert";
    tm_ptr->ThreadInit = DecodeWinDivertThreadInit;
    tm_ptr->Func = DecodeWinDivert;
    tm_ptr->ThreadDeinit = DecodeWinDivertThreadDeinit;
    tm_ptr->flags = TM_FLAG_DECODE_TM;
}
 
/**
 * \brief Main WinDivert packet receive pump
 */
TmEcode ReceiveWinDivertLoop(ThreadVars *tv, void *data, void *slot)
{
    SCEnter();
 
    WinDivertThreadVars *wd_tv = (WinDivertThreadVars *)data;
    wd_tv->slot = ((TmSlot *)slot)->slot_next;
 
    // Indicate that the thread is actually running its application level code (i.e., it can poll
    // packets)
    TmThreadsSetFlag(tv, THV_RUNNING);
 
    while (true) {
        if (suricata_ctl_flags & SURICATA_STOP) {
            SCReturnInt(TM_ECODE_OK);
        }
 
        if (unlikely(WinDivertRecvHelper(tv, wd_tv) != TM_ECODE_OK)) {
            SCReturnInt(TM_ECODE_FAILED);
        }
 
        StatsSyncCountersIfSignalled(tv);
    }
 
    SCReturnInt(TM_ECODE_OK);
}
 
static TmEcode WinDivertRecvHelper(ThreadVars *tv, WinDivertThreadVars *wd_tv)
{
    SCEnter();
 
#ifdef COUNTERS
    WinDivertQueueVars *wd_qv = WinDivertGetQueue(wd_tv->thread_num);
#endif /* COUNTERS */
 
    /* make sure we have at least one packet in the packet pool, to prevent us
     * from alloc'ing packets at line rate
     */
    PacketPoolWait();
 
    /* obtain a packet buffer */
    Packet *p = PacketGetFromQueueOrAlloc();
    if (unlikely(p == NULL)) {
        SCLogDebug(
                "PacketGetFromQueueOrAlloc() - failed to obtain Packet buffer");
        SCReturnInt(TM_ECODE_FAILED);
    }
    PKT_SET_SRC(p, PKT_SRC_WIRE);
 
    /* receive packet, depending on offload status. MTU is used as an estimator
     * for direct data alloc size, and this is meaningless if large segments are
     * coalesced before they reach WinDivert */
    bool success = false;
    uint32_t pktlen = 0;
    if (wd_tv->offload_enabled) {
        /* allocate external, if not already */
        PacketCallocExtPkt(p, MAX_PAYLOAD_SIZE);
 
        success =
                WinDivertRecv(wd_tv->filter_handle, p->ext_pkt,
                              MAX_PAYLOAD_SIZE, &p->windivert_v.addr, &pktlen);
    } else {
        success = WinDivertRecv(wd_tv->filter_handle, GET_PKT_DIRECT_DATA(p),
                                GET_PKT_DIRECT_MAX_SIZE(p),
                                &p->windivert_v.addr, &pktlen);
    }
    SET_PKT_LEN(p, pktlen);
 
    if (!success) {
#ifdef COUNTERS
        SCMutexLock(&wd_qv->counters_mutex);
        wd_qv->errs++;
        SCMutexUnlock(&wd_qv->counters_mutex);
#endif /* COUNTERS */
 
        /* ensure packet length is zero to trigger an error in packet decoding
         */
        SET_PKT_LEN(p, 0);
 
        SCLogInfo("WinDivertRecv failed: error %" PRIu32 "",
                  (uint32_t)(GetLastError()));
        SCReturnInt(TM_ECODE_FAILED);
    }
    SCLogDebug("Packet received, length %" PRId32 "", GET_PKT_LEN(p));
 
    p->ts = WinDivertTimestampToTimeStamp(wd_tv, p->windivert_v.addr.Timestamp);
    p->windivert_v.thread_num = wd_tv->thread_num;
 
#ifdef COUNTERS
    SCMutexLock(&wd_qv->counters_mutex);
    wd_qv->pkts++;
    wd_qv->bytes += GET_PKT_LEN(p);
    SCMutexUnlock(&wd_qv->counters_mutex);
#endif /* COUNTERS */
 
    /* Do the packet processing by calling TmThreadsSlotProcessPkt, this will,
     * depending on the running mode, pass the packet to the treatment functions
     * or push it to a packet pool. So processing time can vary.
     */
    if (TmThreadsSlotProcessPkt(tv, wd_tv->slot, p) != TM_ECODE_OK) {
        SCReturnInt(TM_ECODE_FAILED);
    }
 
    SCReturnInt(TM_ECODE_OK);
}
 
/**
 * \brief Init function for ReceiveWinDivert
 *
 * ReceiveWinDivertThreadInit sets up receiving packets via WinDivert.
 *
 * \param tv pointer to generic thread vars
 * \param initdata pointer to the interface passed from the user
 * \param data out-pointer to the WinDivert-specific thread vars
 */
TmEcode ReceiveWinDivertThreadInit(ThreadVars *tv, const void *initdata,
                                   void **data)
{
    SCEnter();
    TmEcode ret = TM_ECODE_OK;
 
    WinDivertThreadVars *wd_tv = (WinDivertThreadVars *)initdata;
 
    if (wd_tv == NULL) {
        SCLogError("initdata == NULL");
        SCReturnInt(TM_ECODE_FAILED);
    }
 
    WinDivertQueueVars *wd_qv = WinDivertGetQueue(wd_tv->thread_num);
 
    if (wd_qv == NULL) {
        SCLogError("queue == NULL");
        SCReturnInt(TM_ECODE_FAILED);
    }
 
    SCMutexLock(&wd_qv->filter_init_mutex);
    /* does the queue already have an active handle? */
    if (wd_qv->filter_handle != NULL &&
        wd_qv->filter_handle != INVALID_HANDLE_VALUE) {
        goto unlock;
    }
 
    TAILQ_INIT(&wd_tv->live_devices);
 
    if (WinDivertCollectFilterDevices(wd_tv, wd_qv) == TM_ECODE_OK) {
        WinDivertDisableOffloading(wd_tv);
    } else {
        SCLogWarning("Failed to obtain network devices for WinDivert filter");
    }
 
    /* we open now so that we can immediately start handling packets,
     * instead of losing however many would occur between registering the
     * queue and starting a receive thread. */
    wd_qv->filter_handle = WinDivertOpen(wd_qv->filter_str, wd_qv->layer,
                                         wd_qv->priority, wd_qv->flags);
    if (wd_qv->filter_handle == INVALID_HANDLE_VALUE) {
        WinDivertLogError(GetLastError());
        ret = TM_ECODE_FAILED;
        goto unlock;
    }
 
unlock:
    if (ret == 0) { /* success */
        wd_tv->filter_handle = wd_qv->filter_handle;
 
        /* set our return context */
        *data = wd_tv;
    }
 
    SCMutexUnlock(&wd_qv->filter_init_mutex);
    SCReturnInt(ret);
}
 
/**
 * \brief collect all devices covered by this filter in the thread vars'
 * live devices list
 *
 * \param wd_tv pointer to WinDivert thread vars
 * \param wd_qv pointer to WinDivert queue vars
 */
static TmEcode WinDivertCollectFilterDevices(WinDivertThreadVars *wd_tv,
                                             WinDivertQueueVars *wd_qv)
{
    SCEnter();
    TmEcode ret = TM_ECODE_OK;
 
    IP_ADAPTER_ADDRESSES *if_info_list;
    DWORD err = (DWORD)Win32GetAdaptersAddresses(&if_info_list);
    if (err != NO_ERROR) {
        ret = TM_ECODE_FAILED;
        goto release;
    }
 
    for (IP_ADAPTER_ADDRESSES *if_info = if_info_list; if_info != NULL;
         if_info = if_info->Next) {
 
        if (WinDivertIfaceMatchFilter(wd_qv->filter_str, if_info->IfIndex)) {
            SCLogConfig("Found adapter %s matching WinDivert filter %s",
                      if_info->AdapterName, wd_qv->filter_str);
 
            LiveDevice *new_ldev = SCCalloc(1, sizeof(LiveDevice));
            if (new_ldev == NULL) {
                ret = TM_ECODE_FAILED;
                goto release;
            }
            new_ldev->dev = SCStrdup(if_info->AdapterName);
            if (new_ldev->dev == NULL) {
                ret = TM_ECODE_FAILED;
                goto release;
            }
            TAILQ_INSERT_TAIL(&wd_tv->live_devices, new_ldev, next);
        } else {
            SCLogDebug("Adapter %s does not match WinDivert filter %s",
                       if_info->AdapterName, wd_qv->filter_str);
        }
    }
 
release:
    SCFree(if_info_list);
 
    SCReturnInt(ret);
}
 
/**
 * \brief test if the specified interface index matches the filter
 */
static bool WinDivertIfaceMatchFilter(const char *filter_string, int if_index)
{
    bool match = false;
 
    WINDIVERT_ADDRESS if_addr = {};
    if_addr.IfIdx = if_index;
 
    uint8_t dummy[4] = {4, 4, 4, 4};
 
    match = WinDivertHelperEvalFilter(filter_string, WINDIVERT_LAYER_NETWORK,
                                      dummy, sizeof(dummy), &if_addr);
    if (!match) {
        int err = GetLastError();
        if (err != 0) {
            SCLogWarning("Failed to evaluate filter: 0x%" PRIx32, err);
        }
    }
 
    return match;
}
 
/**
 * \brief disable offload status on devices for this filter
 *
 * \param wd_tv pointer to WinDivert thread vars
 */
static void WinDivertDisableOffloading(WinDivertThreadVars *wd_tv)
{
    for (LiveDevice *ldev = TAILQ_FIRST(&wd_tv->live_devices); ldev != NULL;
         ldev = TAILQ_NEXT(ldev, next)) {
 
        if (LiveGetOffload() == 0) {
            if (GetIfaceOffloading(ldev->dev, 1, 1) == 1) {
                wd_tv->offload_enabled = true;
            }
        } else {
            if (DisableIfaceOffloading(ldev, 1, 1) != 1) {
                wd_tv->offload_enabled = true;
            }
        }
    }
}
 
/**
 * \brief enable offload status on devices for this filter
 *
 * \param wd_tv pointer to WinDivert thread vars
 */
static void WinDivertRestoreOffloading(WinDivertThreadVars *wd_tv)
{
    for (LiveDevice *ldev = TAILQ_FIRST(&wd_tv->live_devices); ldev != NULL;
         ldev = TAILQ_NEXT(ldev, next)) {
 
        RestoreIfaceOffloading(ldev);
    }
}
 
/**
 * \brief Deinit function releases resources at exit.
 *
 * \param tv pointer to generic thread vars
 * \param data pointer to WinDivert-specific thread vars
 */
TmEcode ReceiveWinDivertThreadDeinit(ThreadVars *tv, void *data)
{
    SCEnter();
 
    WinDivertThreadVars *wd_tv = (WinDivertThreadVars *)data;
 
    SCReturnCT(WinDivertCloseHelper(wd_tv), "TmEcode");
}
 
/**
 * \brief ExitStats prints stats to stdout at exit
 *
 *
 * \param tv pointer to generic thread vars
 * \param data pointer to WinDivert-specific thread vars
 */
void ReceiveWinDivertThreadExitStats(ThreadVars *tv, void *data)
{
    SCEnter();
 
    WinDivertThreadVars *wd_tv = (WinDivertThreadVars *)data;
    WinDivertQueueVars *wd_qv = WinDivertGetQueue(wd_tv->thread_num);
    if (wd_qv == NULL) {
        SCLogError("queue == NULL");
        SCReturn;
    }
 
    SCMutexLock(&wd_qv->counters_mutex);
 
    SCLogInfo("(%s) Packets %" PRIu32 ", Bytes %" PRIu64 ", Errors %" PRIu32 "",
              tv->name, wd_qv->pkts, wd_qv->bytes, wd_qv->errs);
    SCLogInfo("(%s) Verdict: Accepted %" PRIu32 ", Dropped %" PRIu32
              ", Replaced %" PRIu32 "",
              tv->name, wd_qv->accepted, wd_qv->dropped, wd_qv->replaced);
 
    SCMutexUnlock(&wd_qv->counters_mutex);
    SCReturn;
}
 
/**
 * \brief WinDivert verdict module packet entry function
 */
TmEcode VerdictWinDivert(ThreadVars *tv, Packet *p, void *data)
{
    SCEnter();
 
    TmEcode ret = TM_ECODE_OK;
 
    ret = WinDivertVerdictHelper(tv, p);
    if (ret != TM_ECODE_OK) {
        SCReturnInt(ret);
    }
 
    SCReturnInt(TM_ECODE_OK);
}
 
/**
 * \brief internal helper function to do the bulk of verdict work
 */
static TmEcode WinDivertVerdictHelper(ThreadVars *tv, Packet *p)
{
    SCEnter();
    WinDivertThreadVars *wd_tv = WinDivertGetThread(p->windivert_v.thread_num);
 
#ifdef COUNTERS
    WinDivertQueueVars *wd_qv = WinDivertGetQueue(wd_tv->thread_num);
#endif /* COUNTERS */
 
    p->windivert_v.verdicted = true;
 
    /* can't verdict a "fake" packet */
    if (PKT_IS_PSEUDOPKT(p)) {
        SCReturnInt(TM_ECODE_OK);
    }
 
    /* the handle has been closed and we can no longer use it */
    if (wd_tv->filter_handle == INVALID_HANDLE_VALUE ||
        wd_tv->filter_handle == NULL) {
        SCReturnInt(TM_ECODE_OK);
    }
 
    /* we can't verdict tunnel packets without ensuring all encapsulated
     * packets are verdicted */
    if (PacketIsTunnel(p)) {
        bool finalVerdict = VerdictTunnelPacket(p);
        if (!finalVerdict) {
            SCReturnInt(TM_ECODE_OK);
        }
 
        // the action needs to occur on the root packet.
        if (p->root != NULL) {
            p = p->root;
        }
    }
 
    /* DROP simply means we do nothing; the WinDivert driver does the rest.
     */
    if (PacketCheckAction(p, ACTION_DROP)) {
#ifdef COUNTERS
        SCMutexLock(&wd_qv->counters_mutex);
        wd_qv->dropped++;
        SCMutexUnlock(&wd_qv->counters_mutex);
#endif /* counters */
 
        SCReturnInt(TM_ECODE_OK);
    }
 
    bool success = WinDivertSend(wd_tv->filter_handle, GET_PKT_DATA(p),
                                 GET_PKT_LEN(p), &p->windivert_v.addr, NULL);
 
    if (unlikely(!success)) {
        WinDivertLogError(GetLastError());
        SCReturnInt(TM_ECODE_FAILED);
    }
 
#ifdef COUNTERS
    SCMutexLock(&wd_qv->counters_mutex);
    wd_qv->accepted++;
    SCMutexUnlock(&wd_qv->counters_mutex);
#endif /* counters */
 
    SCReturnInt(TM_ECODE_OK);
}
 
/**
 * \brief init the verdict thread, which is piggybacked off the receive
 * thread
 */
TmEcode VerdictWinDivertThreadInit(ThreadVars *tv, const void *initdata,
                                   void **data)
{
    SCEnter();
 
    WinDivertThreadVars *wd_tv = (WinDivertThreadVars *)initdata;
    *data = wd_tv;
 
    SCReturnInt(TM_ECODE_OK);
}
 
/**
 * \brief deinit the verdict thread and shut down the WinDivert driver if
 * it's still up.
 */
TmEcode VerdictWinDivertThreadDeinit(ThreadVars *tv, void *data)
{
    SCEnter();
 
    WinDivertThreadVars *wd_tv = (WinDivertThreadVars *)data;
 
    SCReturnCT(WinDivertCloseHelper(wd_tv), "TmEcode");
}
 
/**
 * \brief decode a raw packet submitted to suricata from the WinDivert
 * driver
 *
 * All WinDivert packets are IPv4/v6, but do not include the network layer
 * to differentiate the two, so instead we must check the version and go
 * from there.
 */
TmEcode DecodeWinDivert(ThreadVars *tv, Packet *p, void *data)
{
    SCEnter();
 
    IPV4Hdr *ip4h = (IPV4Hdr *)GET_PKT_DATA(p);
    IPV6Hdr *ip6h = (IPV6Hdr *)GET_PKT_DATA(p);
    DecodeThreadVars *d_tv = (DecodeThreadVars *)data;
 
    BUG_ON(PKT_IS_PSEUDOPKT(p));
 
    DecodeUpdatePacketCounters(tv, d_tv, p);
 
    if (IPV4_GET_RAW_VER(ip4h) == 4) {
        SCLogDebug("IPv4 packet");
        DecodeIPV4(tv, d_tv, p, GET_PKT_DATA(p), GET_PKT_LEN(p));
    } else if (IPV6_GET_RAW_VER(ip6h) == 6) {
        SCLogDebug("IPv6 packet");
        DecodeIPV6(tv, d_tv, p, GET_PKT_DATA(p), GET_PKT_LEN(p));
    } else {
        SCLogDebug("packet unsupported by WinDivert, first byte: %02x",
                   *GET_PKT_DATA(p));
    }
 
    PacketDecodeFinalize(tv, d_tv, p);
 
    SCReturnInt(TM_ECODE_OK);
}
 
TmEcode DecodeWinDivertThreadInit(ThreadVars *tv, const void *initdata,
                                  void **data)
{
    SCEnter();
 
    DecodeThreadVars *d_tv = DecodeThreadVarsAlloc(tv);
    if (d_tv == NULL) {
        SCReturnInt(TM_ECODE_FAILED);
    }
 
    DecodeRegisterPerfCounters(d_tv, tv);
 
    *data = d_tv;
 
    SCReturnInt(TM_ECODE_OK);
}
 
TmEcode DecodeWinDivertThreadDeinit(ThreadVars *tv, void *data)
{
    SCEnter();
 
    if (data != NULL) {
        DecodeThreadVarsFree(tv, data);
    }
 
    SCReturnInt(TM_ECODE_OK);
}
 
/**
 * \brief helper function for use with ThreadDeinit functions
 */
static TmEcode WinDivertCloseHelper(WinDivertThreadVars *wd_tv)
{
    SCEnter();
    TmEcode ret = TM_ECODE_OK;
 
    WinDivertQueueVars *wd_qv = WinDivertGetQueue(wd_tv->thread_num);
    if (wd_qv == NULL) {
        SCLogDebug("No queue could be found for thread num %" PRId32 "",
                   wd_tv->thread_num);
        SCReturnInt(TM_ECODE_FAILED);
    }
 
    SCMutexLock(&wd_qv->filter_init_mutex);
 
    /* check if there's nothing to close */
    if (wd_qv->filter_handle == INVALID_HANDLE_VALUE ||
        wd_qv->filter_handle == NULL) {
        goto unlock;
    }
 
    if (!WinDivertClose(wd_qv->filter_handle)) {
        SCLogError("WinDivertClose failed: error %" PRIu32 "", (uint32_t)(GetLastError()));
        ret = TM_ECODE_FAILED;
        goto unlock;
    }
 
    (void)WinDivertRestoreOffloading(wd_tv);
 
    wd_qv->filter_handle = NULL;
 
unlock:
    SCMutexUnlock(&wd_qv->filter_init_mutex);
 
    if (ret == TM_ECODE_OK) {
        SCMutexDestroy(&wd_qv->filter_init_mutex);
        SCMutexDestroy(&wd_qv->counters_mutex);
    }
 
    SCReturnInt(ret);
}
 
#ifdef UNITTESTS
static int SourceWinDivertTestIfaceMatchFilter(void)
{
    struct testdata {
        const char *filter;
        int if_index;
        bool expected;
    };
 
    struct testdata tests[] = {
            {"true", 11, true},
            {"ifIdx=11", 11, true},
            {"ifIdx==11", 11, true},
            {"ifIdx!=11", 1, true},
            {"ifIdx!=11", 11, false},
            {"ifIdx=3", 4, false},
            {"ifIdx=11 || ifIdx=5", 5, true},
            {"ifIdx=11 || ifIdx=4", 5, false},
            {"ifIdx<3 || ifIdx>7", 8, true},
            {"ifIdx<3 || ifIdx>7", 5, false},
            {"ifIdx>3 or ifIdx<7", 5, true},
            {"ifIdx>3 && ifIdx<7", 5, true},
            {"ifIdx>3 && ifIdx<7", 1, false},
            {"(ifIdx > 3 && ifIdx < 7) or ifIdx == 11", 11, true}};
 
    size_t count = (sizeof(tests) / sizeof(tests[0]));
 
    for (size_t i = 0; i < count; i++) {
        struct testdata test = tests[i];
 
        bool actual = WinDivertIfaceMatchFilter(test.filter, test.if_index);
        if (actual != test.expected) {
            printf("WinDivertIfaceMatchFilter(\"%s\", %d) == %d, expected %d\n",
                   test.filter, test.if_index, actual, test.expected);
            FAIL;
        }
    }
    PASS;
}
#endif
 
/**
 * \brief this function registers unit tests for the WinDivert Source
 */
void SourceWinDivertRegisterTests(void)
{
#ifdef UNITTESTS
    UtRegisterTest("SourceWinDivertTestIfaceMatchFilter",
                   SourceWinDivertTestIfaceMatchFilter);
#endif
}
 
#endif /* WINDIVERT */