#include #include #include #include "macro.h" #include "times.h" #include "tcp_utils.h" #include "udp_utils.h" #include "id_generator.h" #include "session_pool.h" #include "session_table.h" #include "session_timer.h" #include "session_manager.h" #include "session_transition.h" #include "evicted_session_filter.h" #include "duplicated_packet_filter.h" struct session_manager { struct list_head evicte_queue; struct session_pool *sess_pool; struct session_timer *sess_timer; struct session_table *tcp_sess_table; struct session_table *udp_sess_table; struct duplicated_packet_filter *dup_pkt_filter; struct evicted_session_filter *evicte_sess_filter; struct session_manager_stat stat; struct session_manager_options opts; }; #define EVICTE_SESSION_BURST (RX_BURST_MAX) /****************************************************************************** * Session Manager Stat ******************************************************************************/ #define SESS_MGR_STAT_INC(stat, state, proto) \ { \ switch ((state)) \ { \ case SESSION_STATE_OPENING: \ (stat)->curr_nr_##proto##_sess_opening++; \ break; \ case SESSION_STATE_ACTIVE: \ (stat)->curr_nr_##proto##_sess_active++; \ break; \ case SESSION_STATE_CLOSING: \ (stat)->curr_nr_##proto##_sess_closing++; \ break; \ case SESSION_STATE_DISCARD: \ (stat)->curr_nr_##proto##_sess_discard++; \ break; \ case SESSION_STATE_CLOSED: \ (stat)->curr_nr_##proto##_sess_closed++; \ break; \ default: \ break; \ } \ } #define SESS_MGR_STAT_DEC(stat, state, proto) \ { \ switch ((state)) \ { \ case SESSION_STATE_OPENING: \ (stat)->curr_nr_##proto##_sess_opening--; \ break; \ case SESSION_STATE_ACTIVE: \ (stat)->curr_nr_##proto##_sess_active--; \ break; \ case SESSION_STATE_CLOSING: \ (stat)->curr_nr_##proto##_sess_closing--; \ break; \ case SESSION_STATE_DISCARD: \ (stat)->curr_nr_##proto##_sess_discard--; \ break; \ case SESSION_STATE_CLOSED: \ (stat)->curr_nr_##proto##_sess_closed--; \ break; \ default: \ break; \ } \ } #define SESS_MGR_STAT_UPDATE(stat, curr, next, proto) \ { \ if (curr != next) \ { \ SESS_MGR_STAT_DEC(stat, curr, proto); \ SESS_MGR_STAT_INC(stat, next, proto); \ } \ } /****************************************************************************** * Session Manager Options ******************************************************************************/ static int check_options(const struct session_manager_options *opts) { if (opts == NULL) { SESSION_LOG_ERROR("invalid options"); return -1; } // max session number if (opts->max_tcp_session_num < EVICTE_SESSION_BURST * 2) { SESSION_LOG_ERROR("invalid max_tcp_session_num: %lu, supported range: [%u, %lu]", opts->max_tcp_session_num, EVICTE_SESSION_BURST * 2, UINT64_MAX); return -1; } if (opts->max_udp_session_num < EVICTE_SESSION_BURST * 2) { SESSION_LOG_ERROR("invalid max_udp_session_num: %lu, supported range: [%u, %lu]", opts->max_udp_session_num, EVICTE_SESSION_BURST * 2, UINT64_MAX); return -1; } // session overload (skip) // TCP timeout if (opts->tcp_init_timeout < 1 || opts->tcp_init_timeout > 60000) { SESSION_LOG_ERROR("invalid tcp_init_timeout: %lu, supported range: [1, 60000]", opts->tcp_init_timeout); return -1; } if (opts->tcp_handshake_timeout < 1 || opts->tcp_handshake_timeout > 60000) { SESSION_LOG_ERROR("invalid tcp_handshake_timeout: %lu, supported range: [1, 60000]", opts->tcp_handshake_timeout); return -1; } if (opts->tcp_data_timeout < 1 || opts->tcp_data_timeout > 15999999000) { SESSION_LOG_ERROR("invalid tcp_data_timeout: %lu, supported range: [1, 15999999000]", opts->tcp_data_timeout); return -1; } if (opts->tcp_half_closed_timeout < 1 || opts->tcp_half_closed_timeout > 604800000) { SESSION_LOG_ERROR("invalid tcp_half_closed_timeout: %lu, supported range: [1, 604800000]", opts->tcp_half_closed_timeout); return -1; } if (opts->tcp_time_wait_timeout < 1 || opts->tcp_time_wait_timeout > 600000) { SESSION_LOG_ERROR("invalid tcp_time_wait_timeout: %lu, supported range: [1, 600000]", opts->tcp_time_wait_timeout); return -1; } if (opts->tcp_discard_timeout < 1 || opts->tcp_discard_timeout > 15999999000) { SESSION_LOG_ERROR("invalid tcp_discard_timeout: %lu, supported range: [1, 15999999000]", opts->tcp_discard_timeout); return -1; } if (opts->tcp_unverified_rst_timeout < 1 || opts->tcp_unverified_rst_timeout > 600000) { SESSION_LOG_ERROR("invalid tcp_unverified_rst_timeout: %lu, supported range: [1, 600000]", opts->tcp_unverified_rst_timeout); return -1; } // UDP timeout if (opts->udp_data_timeout < 1 || opts->udp_data_timeout > 15999999000) { SESSION_LOG_ERROR("invalid udp_data_timeout: %lu, supported range: [1, 15999999000]", opts->udp_data_timeout); return -1; } // duplicate packet filter if (opts->duplicated_packet_filter_enable) { if (opts->duplicated_packet_filter_capacity == 0) { // UINT32_MAX = 4294967295 SESSION_LOG_ERROR("invalid duplicated_packet_filter_capacity: %u, supported range: [1, 4294967295]", opts->duplicated_packet_filter_capacity); return -1; } if (opts->duplicated_packet_filter_timeout < 1 || opts->duplicated_packet_filter_timeout > 60000) { SESSION_LOG_ERROR("invalid duplicated_packet_filter_timeout: %u, supported range: [1, 60000]", opts->duplicated_packet_filter_timeout); return -1; } if (opts->duplicated_packet_filter_error_rate < 0.0 || opts->duplicated_packet_filter_error_rate > 1.0) { SESSION_LOG_ERROR("invalid duplicated_packet_filter_error_rate: %f, supported range: [0.0, 1.0]", opts->duplicated_packet_filter_error_rate); return -1; } } // evicted session filter if (opts->evicted_session_filter_enable) { if (opts->evicted_session_filter_capacity == 0) { // UINT32_MAX = 4294967295 SESSION_LOG_ERROR("invalid evicted_session_filter_capacity: %u, supported range: [1, 4294967295]", opts->evicted_session_filter_capacity); return -1; } if (opts->evicted_session_filter_timeout < 1 || opts->evicted_session_filter_timeout > 60000) { SESSION_LOG_ERROR("invalid evicted_session_filter_timeout: %u, supported range: [1, 60000]", opts->evicted_session_filter_timeout); return -1; } if (opts->evicted_session_filter_error_rate < 0.0 || opts->evicted_session_filter_error_rate > 1.0) { SESSION_LOG_ERROR("invalid evicted_session_filter_error_rate: %f, supported range: [0.0, 1.0]", opts->evicted_session_filter_error_rate); return -1; } } // TCP reassembly if (opts->tcp_reassembly_enable) { if (opts->tcp_reassembly_max_timeout < 1 || opts->tcp_reassembly_max_timeout > 60000) { SESSION_LOG_ERROR("invalid tcp_reassembly_max_timeout: %u, supported range: [1, 60000]", opts->tcp_reassembly_max_timeout); return -1; } if (opts->tcp_reassembly_max_segments < 2 || opts->tcp_reassembly_max_segments > 512) { SESSION_LOG_ERROR("invalid tcp_reassembly_max_segments: %u, supported range: [2, 512]", opts->tcp_reassembly_max_segments); return -1; } } return 0; } /****************************************************************************** * TCP ******************************************************************************/ static void tcp_clean(struct session_manager *mgr, struct session *sess) { struct tcp_reassembly *c2s_ssembler = sess->tcp_halfs[FLOW_DIRECTION_C2S].assembler; struct tcp_reassembly *s2c_ssembler = sess->tcp_halfs[FLOW_DIRECTION_S2C].assembler; struct tcp_segment *seg; if (c2s_ssembler) { while ((seg = tcp_reassembly_expire(c2s_ssembler, UINT64_MAX))) { session_inc_stat(sess, FLOW_DIRECTION_C2S, STAT_TCP_SEGMENTS_RELEASED, 1); session_inc_stat(sess, FLOW_DIRECTION_C2S, STAT_TCP_PAYLOADS_RELEASED, seg->len); mgr->stat.nr_tcp_seg_released++; tcp_segment_free(seg); } tcp_reassembly_free(c2s_ssembler); } if (s2c_ssembler) { while ((seg = tcp_reassembly_expire(s2c_ssembler, UINT64_MAX))) { session_inc_stat(sess, FLOW_DIRECTION_S2C, STAT_TCP_SEGMENTS_RELEASED, 1); session_inc_stat(sess, FLOW_DIRECTION_S2C, STAT_TCP_PAYLOADS_RELEASED, seg->len); mgr->stat.nr_tcp_seg_released++; tcp_segment_free(seg); } tcp_reassembly_free(s2c_ssembler); } } static int tcp_init(struct session_manager *mgr, struct session *sess) { if (!mgr->opts.tcp_reassembly_enable) { return 0; } sess->tcp_halfs[FLOW_DIRECTION_C2S].assembler = tcp_reassembly_new(mgr->opts.tcp_reassembly_max_timeout, mgr->opts.tcp_reassembly_max_segments); sess->tcp_halfs[FLOW_DIRECTION_S2C].assembler = tcp_reassembly_new(mgr->opts.tcp_reassembly_max_timeout, mgr->opts.tcp_reassembly_max_segments); if (sess->tcp_halfs[FLOW_DIRECTION_C2S].assembler == NULL || sess->tcp_halfs[FLOW_DIRECTION_S2C].assembler == NULL) { tcp_clean(mgr, sess); return -1; } SESSION_LOG_DEBUG("session %lu %s new c2s tcp assembler %p, s2c tcp assembler %p", session_get_id(sess), session_get_tuple6_str(sess), sess->tcp_halfs[FLOW_DIRECTION_C2S].assembler, sess->tcp_halfs[FLOW_DIRECTION_S2C].assembler); return 0; } static void tcp_update(struct session_manager *mgr, struct session *sess, enum flow_direction dir, const struct packet_layer *tcp_layer, uint64_t now) { struct tcp_segment *seg; struct tcphdr *hdr = (struct tcphdr *)tcp_layer->hdr_ptr; struct tcp_half *half = &sess->tcp_halfs[dir]; uint8_t flags = tcp_hdr_get_flags(hdr); uint16_t len = tcp_layer->pld_len; half->flags = flags; half->history |= flags; half->seq = tcp_hdr_get_seq(hdr); half->ack = tcp_hdr_get_ack(hdr); half->len = tcp_layer->pld_len; if (!mgr->opts.tcp_reassembly_enable) { if (len) { session_inc_stat(sess, dir, STAT_TCP_SEGMENTS_RECEIVED, 1); session_inc_stat(sess, dir, STAT_TCP_PAYLOADS_RECEIVED, len); mgr->stat.nr_tcp_seg_received++; session_inc_stat(sess, dir, STAT_TCP_SEGMENTS_INORDER, 1); session_inc_stat(sess, dir, STAT_TCP_PAYLOADS_INORDER, len); mgr->stat.nr_tcp_seg_inorder++; half->in_order.data = tcp_layer->pld_ptr; half->in_order.len = len; half->in_order_ref = 0; } return; } if (unlikely(flags & TH_SYN)) { // len > 0 is SYN with data (TCP Fast Open) tcp_reassembly_set_recv_next(half->assembler, len ? half->seq : half->seq + 1); } seg = tcp_reassembly_expire(half->assembler, now); if (seg) { session_inc_stat(sess, dir, STAT_TCP_SEGMENTS_EXPIRED, 1); session_inc_stat(sess, dir, STAT_TCP_PAYLOADS_EXPIRED, seg->len); mgr->stat.nr_tcp_seg_expired++; session_inc_stat(sess, dir, STAT_TCP_SEGMENTS_RELEASED, 1); session_inc_stat(sess, dir, STAT_TCP_PAYLOADS_RELEASED, seg->len); mgr->stat.nr_tcp_seg_released++; tcp_segment_free(seg); } if (len) { session_inc_stat(sess, dir, STAT_TCP_SEGMENTS_RECEIVED, 1); session_inc_stat(sess, dir, STAT_TCP_PAYLOADS_RECEIVED, len); mgr->stat.nr_tcp_seg_received++; uint32_t rcv_nxt = tcp_reassembly_get_recv_next(half->assembler); // in order if (half->seq == rcv_nxt) { session_inc_stat(sess, dir, STAT_TCP_SEGMENTS_INORDER, 1); session_inc_stat(sess, dir, STAT_TCP_PAYLOADS_INORDER, len); mgr->stat.nr_tcp_seg_inorder++; half->in_order.data = tcp_layer->pld_ptr; half->in_order.len = len; half->in_order_ref = 0; tcp_reassembly_inc_recv_next(half->assembler, len); } // retransmission else if (uint32_before(uint32_add(half->seq, len), rcv_nxt)) { session_inc_stat(sess, dir, STAT_TCP_SEGMENTS_RETRANSMIT, 1); session_inc_stat(sess, dir, STAT_TCP_PAYLOADS_RETRANSMIT, len); mgr->stat.nr_tcp_seg_retransmit++; } else if ((seg = tcp_segment_new(half->seq, tcp_layer->pld_ptr, len))) { switch (tcp_reassembly_push(half->assembler, seg, now)) { case -2: session_inc_stat(sess, dir, STAT_TCP_SEGMENTS_RETRANSMIT, 1); session_inc_stat(sess, dir, STAT_TCP_PAYLOADS_RETRANSMIT, len); mgr->stat.nr_tcp_seg_retransmit++; tcp_segment_free(seg); break; case -1: session_inc_stat(sess, dir, STAT_TCP_SEGMENTS_NOSPACE, 1); session_inc_stat(sess, dir, STAT_TCP_PAYLOADS_NOSPACE, len); mgr->stat.nr_tcp_seg_no_space++; tcp_segment_free(seg); break; case 0: session_inc_stat(sess, dir, STAT_TCP_SEGMENTS_BUFFERED, 1); session_inc_stat(sess, dir, STAT_TCP_PAYLOADS_BUFFERED, len); mgr->stat.nr_tcp_seg_buffered++; break; case 1: session_inc_stat(sess, dir, STAT_TCP_SEGMENTS_OVERLAP, 1); session_inc_stat(sess, dir, STAT_TCP_PAYLOADS_OVERLAP, len); mgr->stat.nr_tcp_seg_overlap++; session_inc_stat(sess, dir, STAT_TCP_SEGMENTS_BUFFERED, 1); session_inc_stat(sess, dir, STAT_TCP_PAYLOADS_BUFFERED, len); mgr->stat.nr_tcp_seg_buffered++; break; default: assert(0); break; } } else { session_inc_stat(sess, dir, STAT_TCP_SEGMENTS_NOSPACE, 1); session_inc_stat(sess, dir, STAT_TCP_PAYLOADS_NOSPACE, len); mgr->stat.nr_tcp_seg_no_space++; } } } /****************************************************************************** * Session Direction ******************************************************************************/ static enum flow_direction identify_direction_by_port(uint16_t src_port, uint16_t dst_port) { // big port is client if (src_port > dst_port) { return FLOW_DIRECTION_C2S; } else if (src_port < dst_port) { return FLOW_DIRECTION_S2C; } else { // if port is equal, first packet is C2S return FLOW_DIRECTION_C2S; } } static enum flow_direction identify_direction_by_history(const struct session *sess, const struct tuple6 *key) { if (tuple6_cmp(session_get_tuple6(sess), key) == 0) { return session_get_tuple6_direction(sess); } else { return (session_get_tuple6_direction(sess) == FLOW_DIRECTION_C2S ? FLOW_DIRECTION_S2C : FLOW_DIRECTION_C2S); } } /****************************************************************************** * Session Filter ******************************************************************************/ // on new session static int tcp_overload_bypass(struct session_manager *mgr, const struct tuple6 *key, uint64_t now) { if (key->ip_proto == IPPROTO_TCP && mgr->stat.curr_nr_tcp_sess_used >= mgr->opts.max_tcp_session_num) { mgr->stat.nr_tcp_pkts_nospace_bypass++; return 1; } return 0; } static int udp_overload_bypass(struct session_manager *mgr, const struct tuple6 *key, uint64_t now) { if (key->ip_proto == IPPROTO_UDP && mgr->stat.curr_nr_udp_sess_used >= mgr->opts.max_udp_session_num) { mgr->stat.nr_udp_pkts_nospace_bypass++; return 1; } return 0; } static int evicted_session_bypass(struct session_manager *mgr, const struct tuple6 *key, uint64_t now) { if (mgr->opts.evicted_session_filter_enable && evicted_session_filter_lookup(mgr->evicte_sess_filter, key, now)) { mgr->stat.nr_udp_pkts_evctd_bypass++; return 1; } return 0; } // on update session static int duplicated_packet_bypass(struct session_manager *mgr, struct session *sess, const struct packet *pkt, const struct tuple6 *key, uint64_t now) { if (mgr->opts.duplicated_packet_filter_enable == 0) { return 0; } enum flow_direction dir = identify_direction_by_history(sess, key); if (session_get_stat(sess, dir, STAT_RAW_PACKETS_RECEIVED) < 3 || session_has_duplicate_traffic(sess)) { if (duplicated_packet_filter_lookup(mgr->dup_pkt_filter, pkt, now)) { session_inc_stat(sess, dir, STAT_DUPLICATE_PACKETS_BYPASS, 1); session_inc_stat(sess, dir, STAT_DUPLICATE_BYTES_BYPASS, packet_get_len(pkt)); switch (session_get_type(sess)) { case SESSION_TYPE_TCP: mgr->stat.nr_tcp_pkts_duped_bypass++; break; case SESSION_TYPE_UDP: mgr->stat.nr_udp_pkts_duped_bypass++; break; default: assert(0); break; } session_set_duplicate_traffic(sess); return 1; } else { duplicated_packet_filter_add(mgr->dup_pkt_filter, pkt, now); return 0; } } return 0; } /****************************************************************************** * Session Manager ******************************************************************************/ static void session_update(struct session *sess, enum session_state next_state, const struct packet *pkt, const struct tuple6 *key, enum flow_direction dir) { uint64_t real_sec = stellar_get_real_time_sec(); if (session_get_state(sess) == SESSION_STATE_INIT) { session_set_id(sess, id_generator_alloc()); session_set_tuple(sess, key); session_set_tuple_direction(sess, dir); enum packet_direction pkt_dir = packet_get_direction(pkt); if (dir == FLOW_DIRECTION_C2S) { if (pkt_dir == PACKET_DIRECTION_OUTGOING) // Internal -> External { session_set_direction(sess, SESSION_DIRECTION_OUTBOUND); } else { session_set_direction(sess, SESSION_DIRECTION_INBOUND); } } else { if (pkt_dir == PACKET_DIRECTION_OUTGOING) // Internal -> External { session_set_direction(sess, SESSION_DIRECTION_INBOUND); } else { session_set_direction(sess, SESSION_DIRECTION_OUTBOUND); } } tuple6_to_str(key, sess->tuple_str, sizeof(sess->tuple_str)); session_set_timestamp(sess, SESSION_TIMESTAMP_START, real_sec); switch (key->ip_proto) { case IPPROTO_TCP: session_set_type(sess, SESSION_TYPE_TCP); break; case IPPROTO_UDP: session_set_type(sess, SESSION_TYPE_UDP); break; default: assert(0); break; } } session_inc_stat(sess, dir, STAT_RAW_PACKETS_RECEIVED, 1); session_inc_stat(sess, dir, STAT_RAW_BYTES_RECEIVED, packet_get_len(pkt)); if (!session_get_first_packet(sess, dir)) { struct route_ctx ctx = {0}; struct sid_list list = {0}; packet_get_route_ctx(pkt, &ctx); packet_get_sid_list(pkt, &list); session_set_first_packet(sess, dir, packet_dup(pkt)); session_set_route_ctx(sess, dir, &ctx); session_set_sid_list(sess, dir, &list); } session_set_current_packet(sess, pkt); session_set_flow_direction(sess, dir); session_set_timestamp(sess, SESSION_TIMESTAMP_LAST, real_sec); session_set_state(sess, next_state); } static void session_manager_evicte_session(struct session_manager *mgr, struct session *sess, uint64_t now) { if (sess == NULL) { return; } // when session add to evicted queue, session lifetime is over enum session_state curr_state = session_get_state(sess); enum session_state next_state = session_transition_run(curr_state, LRU_EVICT); session_transition_log(sess, curr_state, next_state, LRU_EVICT); session_set_state(sess, next_state); if (!session_get_closing_reason(sess)) { session_set_closing_reason(sess, CLOSING_BY_EVICTED); } session_timer_del(mgr->sess_timer, sess); list_add_tail(&sess->evicte, &mgr->evicte_queue); switch (session_get_type(sess)) { case SESSION_TYPE_TCP: SESSION_LOG_DEBUG("evicte tcp old session: %lu", session_get_id(sess)); session_table_del(mgr->tcp_sess_table, sess); SESS_MGR_STAT_UPDATE(&mgr->stat, curr_state, next_state, tcp); mgr->stat.nr_tcp_sess_evicted++; break; case SESSION_TYPE_UDP: SESSION_LOG_DEBUG("evicte udp old session: %lu", session_get_id(sess)); session_table_del(mgr->udp_sess_table, sess); if (mgr->opts.evicted_session_filter_enable) { evicted_session_filter_add(mgr->evicte_sess_filter, session_get_tuple6(sess), now); } SESS_MGR_STAT_UPDATE(&mgr->stat, curr_state, next_state, udp); mgr->stat.nr_udp_sess_evicted++; break; default: assert(0); break; } } static struct session *session_manager_new_tcp_session(struct session_manager *mgr, const struct packet *pkt, const struct tuple6 *key, uint64_t now) { const struct packet_layer *tcp_layer = packet_get_innermost_layer(pkt, LAYER_TYPE_TCP); const struct tcphdr *hdr = (const struct tcphdr *)tcp_layer->hdr_ptr; uint8_t flags = tcp_hdr_get_flags(hdr); if (!(flags & TH_SYN)) { mgr->stat.nr_tcp_pkts_nosess_bypass++; return NULL; } // tcp table full evict old session if (mgr->opts.tcp_overload_evict_old_sess && mgr->stat.curr_nr_tcp_sess_used >= mgr->opts.max_tcp_session_num - EVICTE_SESSION_BURST) { struct session *evic_sess = session_table_find_lru(mgr->tcp_sess_table); session_manager_evicte_session(mgr, evic_sess, now); } enum flow_direction dir = (flags & TH_ACK) ? FLOW_DIRECTION_S2C : FLOW_DIRECTION_C2S; struct session *sess = session_pool_pop(mgr->sess_pool); if (sess == NULL) { assert(0); return NULL; } session_init(sess); sess->mgr_stat = &mgr->stat; enum session_state next_state = session_transition_run(SESSION_STATE_INIT, TCP_SYN); session_update(sess, next_state, pkt, key, dir); session_transition_log(sess, SESSION_STATE_INIT, next_state, TCP_SYN); if (tcp_init(mgr, sess) == -1) { assert(0); session_pool_push(mgr->sess_pool, sess); return NULL; } tcp_update(mgr, sess, dir, tcp_layer, now); uint64_t timeout = (flags & TH_ACK) ? mgr->opts.tcp_handshake_timeout : mgr->opts.tcp_init_timeout; session_timer_update(mgr->sess_timer, sess, now + timeout); session_table_add(mgr->tcp_sess_table, sess); if (mgr->opts.duplicated_packet_filter_enable) { duplicated_packet_filter_add(mgr->dup_pkt_filter, pkt, now); } SESS_MGR_STAT_INC(&mgr->stat, next_state, tcp); mgr->stat.curr_nr_tcp_sess_used++; mgr->stat.total_nr_tcp_sess_used++; return sess; } static struct session *session_manager_new_udp_session(struct session_manager *mgr, const struct packet *pkt, const struct tuple6 *key, uint64_t now) { // udp table full evict old session if (mgr->opts.udp_overload_evict_old_sess && mgr->stat.curr_nr_udp_sess_used >= mgr->opts.max_udp_session_num - EVICTE_SESSION_BURST) { struct session *evic_sess = session_table_find_lru(mgr->udp_sess_table); session_manager_evicte_session(mgr, evic_sess, now); } struct session *sess = session_pool_pop(mgr->sess_pool); if (sess == NULL) { assert(sess); return NULL; } session_init(sess); sess->mgr_stat = &mgr->stat; enum flow_direction dir = identify_direction_by_port(ntohs(key->src_port), ntohs(key->dst_port)); enum session_state next_state = session_transition_run(SESSION_STATE_INIT, UDP_DATA); session_update(sess, next_state, pkt, key, dir); session_transition_log(sess, SESSION_STATE_INIT, next_state, UDP_DATA); session_timer_update(mgr->sess_timer, sess, now + mgr->opts.udp_data_timeout); session_table_add(mgr->udp_sess_table, sess); SESS_MGR_STAT_INC(&mgr->stat, next_state, udp); mgr->stat.curr_nr_udp_sess_used++; mgr->stat.total_nr_udp_sess_used++; return sess; } static int session_manager_update_tcp_session(struct session_manager *mgr, struct session *sess, const struct packet *pkt, const struct tuple6 *key, uint64_t now) { const struct packet_layer *tcp_layer = packet_get_innermost_layer(pkt, LAYER_TYPE_TCP); const struct tcphdr *hdr = (const struct tcphdr *)tcp_layer->hdr_ptr; enum flow_direction dir = identify_direction_by_history(sess, key); uint8_t flags = tcp_hdr_get_flags(hdr); int inputs = 0; inputs |= (flags & TH_SYN) ? TCP_SYN : NONE; inputs |= (flags & TH_FIN) ? TCP_FIN : NONE; inputs |= (flags & TH_RST) ? TCP_RST : NONE; inputs |= tcp_layer->pld_len ? TCP_DATA : NONE; // update state enum session_state curr_state = session_get_state(sess); enum session_state next_state = session_transition_run(curr_state, inputs); // update session session_update(sess, next_state, pkt, key, dir); session_transition_log(sess, curr_state, next_state, inputs); // update tcp tcp_update(mgr, sess, dir, tcp_layer, now); // set closing reason if (next_state == SESSION_STATE_CLOSING && !session_get_closing_reason(sess)) { if (flags & TH_FIN) { session_set_closing_reason(sess, (dir == FLOW_DIRECTION_C2S ? CLOSING_BY_CLIENT_FIN : CLOSING_BY_SERVER_FIN)); } if (flags & TH_RST) { session_set_closing_reason(sess, (dir == FLOW_DIRECTION_C2S ? CLOSING_BY_CLIENT_RST : CLOSING_BY_SERVER_RST)); } } // update timeout struct tcp_half *curr = &sess->tcp_halfs[dir]; struct tcp_half *peer = &sess->tcp_halfs[(dir == FLOW_DIRECTION_C2S ? FLOW_DIRECTION_S2C : FLOW_DIRECTION_C2S)]; uint64_t timeout = 0; switch (next_state) { case SESSION_STATE_OPENING: if (flags & TH_SYN) { timeout = (flags & TH_ACK) ? mgr->opts.tcp_handshake_timeout : mgr->opts.tcp_init_timeout; } else { timeout = mgr->opts.tcp_data_timeout; } break; case SESSION_STATE_ACTIVE: timeout = mgr->opts.tcp_data_timeout; break; case SESSION_STATE_CLOSING: if (flags & TH_FIN) { timeout = (peer->history & TH_FIN) ? mgr->opts.tcp_time_wait_timeout : mgr->opts.tcp_half_closed_timeout; } else if (flags & TH_RST) { // if fin is received, the expected sequence number should be increased by 1 uint32_t expected = (peer->history & TH_FIN) ? peer->ack + 1 : peer->ack; timeout = (expected == curr->seq) ? mgr->opts.tcp_time_wait_timeout : mgr->opts.tcp_unverified_rst_timeout; } else { timeout = mgr->opts.tcp_data_timeout; } break; case SESSION_STATE_DISCARD: timeout = mgr->opts.tcp_discard_timeout; break; default: assert(0); break; } session_timer_update(mgr->sess_timer, sess, now + timeout); SESS_MGR_STAT_UPDATE(&mgr->stat, curr_state, next_state, tcp); return 0; } static int session_manager_update_udp_session(struct session_manager *mgr, struct session *sess, const struct packet *pkt, const struct tuple6 *key, uint64_t now) { enum flow_direction dir = identify_direction_by_history(sess, key); enum session_state curr_state = session_get_state(sess); enum session_state next_state = session_transition_run(curr_state, UDP_DATA); session_update(sess, next_state, pkt, key, dir); session_transition_log(sess, curr_state, next_state, UDP_DATA); if (session_get_state(sess) == SESSION_STATE_DISCARD) { session_timer_update(mgr->sess_timer, sess, now + mgr->opts.udp_discard_timeout); } else { session_timer_update(mgr->sess_timer, sess, now + mgr->opts.udp_data_timeout); } SESS_MGR_STAT_UPDATE(&mgr->stat, curr_state, next_state, udp); return 0; } /****************************************************************************** * Public API ******************************************************************************/ struct session_manager *session_manager_new(struct session_manager_options *opts, uint64_t now) { if (check_options(opts) == -1) { return NULL; } struct session_manager *mgr = (struct session_manager *)calloc(1, sizeof(struct session_manager)); if (mgr == NULL) { return NULL; } memcpy(&mgr->opts, opts, sizeof(struct session_manager_options)); mgr->sess_pool = session_pool_new(mgr->opts.max_tcp_session_num + mgr->opts.max_udp_session_num); mgr->tcp_sess_table = session_table_new(); mgr->udp_sess_table = session_table_new(); mgr->sess_timer = session_timer_new(now); if (mgr->sess_pool == NULL || mgr->tcp_sess_table == NULL || mgr->udp_sess_table == NULL || mgr->sess_timer == NULL) { goto error; } if (mgr->opts.evicted_session_filter_enable) { mgr->evicte_sess_filter = evicted_session_filter_new(mgr->opts.evicted_session_filter_capacity, mgr->opts.evicted_session_filter_timeout, mgr->opts.evicted_session_filter_error_rate, now); if (mgr->evicte_sess_filter == NULL) { goto error; } } if (mgr->opts.duplicated_packet_filter_enable) { mgr->dup_pkt_filter = duplicated_packet_filter_new(mgr->opts.duplicated_packet_filter_capacity, mgr->opts.duplicated_packet_filter_timeout, mgr->opts.duplicated_packet_filter_error_rate, now); if (mgr->dup_pkt_filter == NULL) { goto error; } } INIT_LIST_HEAD(&mgr->evicte_queue); session_transition_init(); return mgr; error: session_manager_free(mgr); return NULL; } void session_manager_free(struct session_manager *mgr) { struct session *sess; if (mgr) { // free all evicted session while (!list_empty(&mgr->evicte_queue)) { sess = list_first_entry(&mgr->evicte_queue, struct session, evicte); list_del(&sess->evicte); session_manager_free_session(mgr, sess); } // free all udp session while (mgr->udp_sess_table && (sess = session_table_find_lru(mgr->udp_sess_table))) { session_manager_free_session(mgr, sess); } // free all tcp session while (mgr->tcp_sess_table && (sess = session_table_find_lru(mgr->tcp_sess_table))) { session_manager_free_session(mgr, sess); } if (mgr->opts.evicted_session_filter_enable) { evicted_session_filter_free(mgr->evicte_sess_filter); } if (mgr->opts.duplicated_packet_filter_enable) { duplicated_packet_filter_free(mgr->dup_pkt_filter); } session_timer_free(mgr->sess_timer); session_table_free(mgr->udp_sess_table); session_table_free(mgr->tcp_sess_table); session_pool_free(mgr->sess_pool); free(mgr); mgr = NULL; } } void session_manager_record_duplicated_packet(struct session_manager *mgr, const struct packet *pkt, uint64_t now) { if (mgr->opts.duplicated_packet_filter_enable) { duplicated_packet_filter_add(mgr->dup_pkt_filter, pkt, now); } } struct session *session_manager_new_session(struct session_manager *mgr, const struct packet *pkt, uint64_t now) { struct tuple6 key; if (packet_get_innermost_tuple6(pkt, &key)) { return NULL; } switch (key.ip_proto) { case IPPROTO_TCP: if (tcp_overload_bypass(mgr, &key, now)) { return NULL; } return session_manager_new_tcp_session(mgr, pkt, &key, now); case IPPROTO_UDP: if (udp_overload_bypass(mgr, &key, now)) { return NULL; } if (evicted_session_bypass(mgr, &key, now)) { return NULL; } return session_manager_new_udp_session(mgr, pkt, &key, now); default: return NULL; } } void session_manager_free_session(struct session_manager *mgr, struct session *sess) { if (sess) { SESSION_LOG_DEBUG("session %lu closed (%s)", session_get_id(sess), closing_reason_to_str(session_get_closing_reason(sess))); session_timer_del(mgr->sess_timer, sess); switch (session_get_type(sess)) { case SESSION_TYPE_TCP: tcp_clean(mgr, sess); if (session_table_find_sessid(mgr->tcp_sess_table, session_get_id(sess)) == sess) { session_table_del(mgr->tcp_sess_table, sess); } SESS_MGR_STAT_DEC(&mgr->stat, session_get_state(sess), tcp); mgr->stat.curr_nr_tcp_sess_used--; break; case SESSION_TYPE_UDP: if (session_table_find_sessid(mgr->udp_sess_table, session_get_id(sess)) == sess) { session_table_del(mgr->udp_sess_table, sess); } SESS_MGR_STAT_DEC(&mgr->stat, session_get_state(sess), udp); mgr->stat.curr_nr_udp_sess_used--; break; default: assert(0); break; } session_free_all_ex_data(sess); packet_free((struct packet *)session_get_first_packet(sess, FLOW_DIRECTION_C2S)); packet_free((struct packet *)session_get_first_packet(sess, FLOW_DIRECTION_S2C)); session_set_first_packet(sess, FLOW_DIRECTION_C2S, NULL); session_set_first_packet(sess, FLOW_DIRECTION_S2C, NULL); session_clear_route_ctx(sess, FLOW_DIRECTION_C2S); session_clear_route_ctx(sess, FLOW_DIRECTION_S2C); session_clear_sid_list(sess, FLOW_DIRECTION_C2S); session_clear_sid_list(sess, FLOW_DIRECTION_S2C); session_set_current_packet(sess, NULL); session_set_flow_direction(sess, FLOW_DIRECTION_NONE); session_pool_push(mgr->sess_pool, sess); sess = NULL; } } struct session *session_manager_lookup_session(struct session_manager *mgr, const struct packet *pkt) { struct tuple6 key; if (packet_get_innermost_tuple6(pkt, &key)) { return NULL; } switch (key.ip_proto) { case IPPROTO_UDP: return session_table_find_tuple6(mgr->udp_sess_table, &key); case IPPROTO_TCP: return session_table_find_tuple6(mgr->tcp_sess_table, &key); default: return NULL; } } int session_manager_update_session(struct session_manager *mgr, struct session *sess, const struct packet *pkt, uint64_t now) { struct tuple6 key; if (packet_get_innermost_tuple6(pkt, &key)) { return -1; } if (duplicated_packet_bypass(mgr, sess, pkt, &key, now)) { return -1; } switch (session_get_type(sess)) { case SESSION_TYPE_TCP: return session_manager_update_tcp_session(mgr, sess, pkt, &key, now); case SESSION_TYPE_UDP: return session_manager_update_udp_session(mgr, sess, pkt, &key, now); default: return -1; } } struct session *session_manager_get_expired_session(struct session_manager *mgr, uint64_t now) { struct session *sess = session_timer_expire(mgr->sess_timer, now); if (sess) { enum session_state curr_state = session_get_state(sess); enum session_state next_state = session_transition_run(curr_state, TIMEOUT); session_transition_log(sess, curr_state, next_state, TIMEOUT); session_set_state(sess, next_state); switch (session_get_type(sess)) { case SESSION_TYPE_TCP: SESS_MGR_STAT_UPDATE(&mgr->stat, curr_state, next_state, tcp); break; case SESSION_TYPE_UDP: SESS_MGR_STAT_UPDATE(&mgr->stat, curr_state, next_state, udp); break; default: assert(0); break; } // next state is closed, need to free session if (next_state == SESSION_STATE_CLOSED) { if (!session_get_closing_reason(sess)) { session_set_closing_reason(sess, CLOSING_BY_TIMEOUT); } return sess; } // next state is closing, only update timeout else { switch (session_get_type(sess)) { case SESSION_TYPE_TCP: session_timer_update(mgr->sess_timer, sess, now + mgr->opts.tcp_data_timeout); break; case SESSION_TYPE_UDP: session_timer_update(mgr->sess_timer, sess, now + mgr->opts.udp_data_timeout); break; default: assert(0); break; } return NULL; } } return NULL; } struct session *session_manager_get_evicted_session(struct session_manager *mgr) { if (list_empty(&mgr->evicte_queue)) { return NULL; } else { struct session *sess = list_first_entry(&mgr->evicte_queue, struct session, evicte); list_del(&sess->evicte); return sess; } } uint64_t session_manager_get_expire_interval(struct session_manager *mgr) { return session_timer_next_expire_interval(mgr->sess_timer); } struct session_manager_stat *session_manager_stat(struct session_manager *mgr) { return &mgr->stat; }