Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tunnel/v8 #10597

Closed
wants to merge 8 commits into from
Closed

Tunnel/v8 #10597

wants to merge 8 commits into from

Conversation

victorjulien
Copy link
Member

Tunnel handling updates to improve thread safety.

Misc related cleanups.

Replaces #9985:

  • fixups
  • rebase master

@victorjulien
defrag: match up v4 and v6 packet setup
f4ddeac 
v4 was doing redundant recursion level setup.

v6 was missing PKT_REBUILT_FRAGMENT flag.
@victorjulien
nfq: use bool for verdicted packet var
029035b
@victorjulien
nfq: minor code cleanup
5833d1e
@victorjulien
nfq: remove obsolete comment
245fc7d
@victorjulien
decode/tunnel: move tunnel verdicted logic
c7544d5 
In preparation of cleaning up thread safety, move "verdicted"
logic out of Packet::flags. Unsafe writes to "flags" can potentially
have side effects.
@victorjulien
decode/tunnel: improve tunnel handling
263f442 
Give each packet explicit tunnel type `ttype`: none, root, child.

Assigning happens when a (tunnel) packet is set up and is thread
safe.
@victorjulien
decode/tunnel: split verdict logic
563a31b 
Allows caller to take their own lock.
@victorjulien
nfq: stricter thread sync
3fb4a73 
No longer update `Packet::flags` for tracking packet modifications,
as thread safety was not guaranteed.

Clearly separate between various kinds of `Packet::nfq_v` accesses for:
- mark
- mark_modified
- verdicted
These are either done under lock (Packet::persistent.tunnel_lock) or,
if the Packet is not part of a tunnel, not under lock.

This is safe as in all the related logic the Packet's tunnel state
is fixed and can no longer change.
@victorjulien victorjulien mentioned this pull request Mar 8, 2024
Closed
@codecov Codecov
Copy link

codecov bot commented Mar 8, 2024

Codecov Report

Attention: Patch coverage is 67.27273% with 18 lines in your changes are missing coverage. Please review.

Project coverage is 82.73%. Comparing base (f9cf87a) to head (3fb4a73).

Additional details and impacted files 
@@             Coverage Diff             @@
##           master   #10597       +/-   ##
===========================================
+ Coverage   64.07%   82.73%   +18.65%     
===========================================
  Files         851      924       +73     
  Lines      135327   247448   +112121     
===========================================
+ Hits        86716   204722   +118006     
+ Misses      48611    42726     -5885
Flag Coverage Δ
fuzzcorpus 64.14% <50.90%> (+0.06%) ⬆️
suricata-verify 61.87% <63.63%> (?)
unittests 62.20% <25.45%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 19132

lukashino
lukashino requested changes Mar 12, 2024
View reviewed changes
src/decode.h
@@ -1015,7 +1018,7 @@ void DecodeUnregisterCounters(void);
#define PKT_STREAM_NOPCAPLOG BIT_U32(12)

#define PKT_TUNNEL BIT_U32(13)
#define PKT_TUNNEL_VERDICTED BIT_U32(14)
// vacancy

/** Packet checksum is not computed (TX packet for example) */
#define PKT_IGNORE_CHECKSUM BIT_U32(15)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't all the defines be shifted by two?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not shifting to keep flags stable. This mostly helps in debugging reported core dumps.

src/decode.h
} else {
verdict = false;
}
verdict = VerdictTunnelPacketInternal(p);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

declare variable here?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess I don't like to declare a var inside a lock, then use it outside. It's a matter of style I think, I don't think it has practical effect

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, the comment was based on the experience from the previous PRs.

src/decode.h
/** Packet mark is modified */
#define PKT_MARK_MODIFIED BIT_U32(11)

// vacancy
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shift here as well?

@victorjulien victorjulien requested a review from lukashino March 12, 2024 15:50
@victorjulien victorjulien added this to the 8.0 milestone Mar 12, 2024
@victorjulien victorjulien mentioned this pull request Mar 13, 2024
Merged
@victorjulien
Copy link
Member Author

Merged in #10629, thanks!

@victorjulien victorjulien deleted the tunnel/v8 branch June 23, 2024 06:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lukashino lukashino lukashino approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
8.0
Development

Successfully merging this pull request may close these issues.
3 participants
@victorjulien @suricata-qa @lukashino