[BUGFIX] Clean up hit groups promptly during scanning
@@ -96,6 +96,8 @@ int compile_state_update(struct compile_state *compile_state, struct maat *maat_
|
|||||||
int vtable_id, int custom_compile_tbl_id, int Nth_scan,
|
int vtable_id, int custom_compile_tbl_id, int Nth_scan,
|
||||||
struct maat_item *hit_items, size_t n_hit_item);
|
struct maat_item *hit_items, size_t n_hit_item);
|
||||||
|
|
||||||
|
void compile_state_clear_last_hit_group(struct compile_state *compile_state);
|
||||||
|
|
||||||
void compile_state_not_logic_update(struct compile_state *compile_state,
|
void compile_state_not_logic_update(struct compile_state *compile_state,
|
||||||
struct compile_runtime *compile_rt,
|
struct compile_runtime *compile_rt,
|
||||||
struct maat *maat_inst, int vtable_id,
|
struct maat *maat_inst, int vtable_id,
|
||||||
|
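Review bot: The new prototype `void compile_state_clear_last_hit_group(struct compile_state *compile_state);` carries no comment on when it must be called, and since this commit makes clearing a caller obligation rather than something compile_state_update does itself, that contract belongs in the header. Suggest placing `/* Drop the hit groups recorded by the previous scan; call once at the start of every scan path that feeds compile_state_update. */` above the declaration. A reader of the header alone otherwise has no way to know that skipping it leaves stale groups in compile_state.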
|||||||
@@ -19,7 +19,7 @@ extern "C"
|
|||||||
#define MAX_KEYWORDS_STR_LEN 1024
|
#define MAX_KEYWORDS_STR_LEN 1024
|
||||||
#define MAX_TAG_STR_LEN 2048
|
#define MAX_TAG_STR_LEN 2048
|
||||||
#define MAX_MAAT_STAT_NUM 64
|
#define MAX_MAAT_STAT_NUM 64
|
||||||
#define MAX_NAME_STR_LEN 64
|
#define MAX_NAME_STR_LEN 128
|
||||||
#define MAX_IP_STR_LEN 64
|
#define MAX_IP_STR_LEN 64
|
||||||
#define MAX_INSTANCE_NAME_LEN 15
|
#define MAX_INSTANCE_NAME_LEN 15
|
||||||
#define MAX_GROUP_IDS_STR_LEN 256
|
#define MAX_GROUP_IDS_STR_LEN 256
|
||||||
|
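Review bot: Bumping `MAX_NAME_STR_LEN` from 64 to 128 is unrelated to the hit-group cleanup in the title and silently changes the size of every buffer and struct field sized by this macro, which is an ABI change for any separately compiled consumer of this header. Before landing it, check that every copy into such a buffer is bounded by the macro (snprintf or an equivalent length-limited call) rather than by a literal 64, and that any on-disk or on-wire layout embedding such a field is versioned. A one-line note in the commit message explaining why 128 is needed would help reviewers.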
|||||||
@@ -1750,6 +1750,11 @@ static void maat_state_add_hit_group(struct maat_state *state, int table_id,
|
|||||||
{
|
{
|
||||||
struct maat *maat_inst = state->maat_inst;
|
struct maat *maat_inst = state->maat_inst;
|
||||||
|
|
||||||
|
//clear compile_state->last_hit_group
|
||||||
|
if (state != NULL && state->compile_state != NULL) {
|
||||||
|
compile_state_clear_last_hit_group(state->compile_state);
|
||||||
|
}
|
||||||
|
|
||||||
if (NULL == state->compile_state) {
|
if (NULL == state->compile_state) {
|
||||||
state->compile_state = compile_state_new();
|
state->compile_state = compile_state_new();
|
||||||
alignment_int64_array_add(maat_inst->stat->compile_state_cnt,
|
alignment_int64_array_add(maat_inst->stat->compile_state_cnt,
|
||||||
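Review bot: The added `state != NULL` guard comes after `state->maat_inst` has already been dereferenced on the line above, so it cannot protect anything and a compiler is entitled to drop it as dead. Either hoist the NULL test above that dereference or reduce the guard to `if (state->compile_state != NULL) {`, which matches the unconditional `state->compile_state` access that follows. maat_state_add_hit_group's signature and the rest of its body lie outside the hunk.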
@@ -1792,6 +1797,11 @@ maat_state_activate_hit_not_group(struct maat_state *state, int table_id)
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
//clear compile_state->last_hit_group
|
||||||
|
if (state != NULL && state->compile_state != NULL) {
|
||||||
|
compile_state_clear_last_hit_group(state->compile_state);
|
||||||
|
}
|
||||||
|
|
||||||
compile_state_not_logic_update(state->compile_state, compile_rt, maat_inst,
|
compile_state_not_logic_update(state->compile_state, compile_rt, maat_inst,
|
||||||
table_id, state->Nth_scan);
|
table_id, state->Nth_scan);
|
||||||
}
|
}
|
||||||
|
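Review bot: The new guard tests `state->compile_state != NULL`, but the unchanged call two lines below still passes `state->compile_state` to compile_state_not_logic_update unconditionally, so a NULL compile_state would skip only the clear and then be handed to that function anyway. If compile_state can be NULL here, the call should be guarded the same way or the function should return; if it cannot, the `state != NULL &&` half of the check is dead and misleading. The start of maat_state_activate_hit_not_group is outside the hunk, so I cannot see whether an earlier return already rules this out.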
|||||||
@@ -2486,7 +2486,6 @@ int compile_state_update(struct compile_state *compile_state, struct maat *maat_
|
|||||||
struct maat_hit_group hit_group;
|
struct maat_hit_group hit_group;
|
||||||
|
|
||||||
utarray_clear(compile_state->this_scan_hit_clauses);
|
utarray_clear(compile_state->this_scan_hit_clauses);
|
||||||
utarray_clear(compile_state->last_hit_groups);
|
|
||||||
compile_state->this_scan_not_logic = 0;
|
compile_state->this_scan_not_logic = 0;
|
||||||
compile_state->Nth_scan = Nth_scan;
|
compile_state->Nth_scan = Nth_scan;
|
||||||
|
|
||||||
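Review bot: Removing `utarray_clear(compile_state->last_hit_groups)` from compile_state_update turns the reset into a caller obligation, so any caller other than the maat_state_add_hit_group path touched by this commit would now accumulate hit groups from previous scans. I would document the new precondition next to `utarray_clear(compile_state->this_scan_hit_clauses);`, e.g. `/* last_hit_groups is NOT reset here: callers must call compile_state_clear_last_hit_group() before each scan. */`, and confirm no remaining caller relied on the old behaviour. The function continues past the hunk.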
@@ -2552,6 +2551,15 @@ int compile_state_update(struct compile_state *compile_state, struct maat *maat_
|
|||||||
return hit_cnt;
|
return hit_cnt;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void compile_state_clear_last_hit_group(struct compile_state *compile_state)
|
||||||
|
{
|
||||||
|
if (NULL == compile_state) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
utarray_clear(compile_state->last_hit_groups);
|
||||||
|
}
|
||||||
|
|
||||||
void compile_state_not_logic_update(struct compile_state *compile_state,
|
void compile_state_not_logic_update(struct compile_state *compile_state,
|
||||||
struct compile_runtime *compile_rt,
|
struct compile_runtime *compile_rt,
|
||||||
struct maat *maat_inst, int vtable_id,
|
struct maat *maat_inst, int vtable_id,
|
||||||
|
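Review bot: compile_state_clear_last_hit_group has no comment saying what it resets and what it leaves alone, which matters because it clears only `last_hit_groups` while `this_scan_hit_clauses` and `this_scan_not_logic` are still reset only inside compile_state_update. A header comment such as `/* Forget hit groups recorded by the previous scan. NULL-safe; does not touch the this_scan_* fields, which compile_state_update resets. */` would make that split explicit. It is also worth confirming that `last_hit_groups` is always allocated by compile_state_new, since utarray_clear on a NULL array would fault here.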
|||||||
@@ -1026,6 +1026,11 @@ int expr_runtime_scan(struct expr_runtime *expr_rt, int thread_id,
|
|||||||
const char *data, size_t data_len,
|
const char *data, size_t data_len,
|
||||||
int vtable_id, struct maat_state *state)
|
int vtable_id, struct maat_state *state)
|
||||||
{
|
{
|
||||||
|
//clear compile_state->last_hit_group
|
||||||
|
if (state != NULL && state->compile_state != NULL) {
|
||||||
|
compile_state_clear_last_hit_group(state->compile_state);
|
||||||
|
}
|
||||||
|
|
||||||
if (0 == expr_rt->rule_num) {
|
if (0 == expr_rt->rule_num) {
|
||||||
//empty expr table
|
//empty expr table
|
||||||
return 0;
|
return 0;
|
||||||
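Review bot: The same four-line clear-last-hit-group preamble is pasted into every *_runtime_scan entry point in this commit, so a future scan type can easily miss it and any change to the condition must be repeated in five places. A small `static inline void maat_state_reset_hit_groups(struct maat_state *state)` in the shared header wrapping `if (state != NULL && state->compile_state != NULL) compile_state_clear_last_hit_group(state->compile_state);` would keep them in step. Doing the clear before the `rule_num == 0` early return is the right order, since an empty table must still drop stale groups. expr_runtime_scan continues beyond the hunk.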
@@ -1116,11 +1121,21 @@ int expr_runtime_stream_scan(struct expr_runtime_stream *expr_rt_stream,
|
|||||||
int vtable_id, struct maat_state *state)
|
int vtable_id, struct maat_state *state)
|
||||||
{
|
{
|
||||||
struct expr_runtime *expr_rt = expr_rt_stream->ref_expr_rt;
|
struct expr_runtime *expr_rt = expr_rt_stream->ref_expr_rt;
|
||||||
|
|
||||||
|
//clear compile_state->last_hit_group
|
||||||
|
if (state != NULL && state->compile_state != NULL) {
|
||||||
|
compile_state_clear_last_hit_group(state->compile_state);
|
||||||
|
}
|
||||||
|
|
||||||
if (0 == expr_rt->rule_num) {
|
if (0 == expr_rt->rule_num) {
|
||||||
//empty expr table
|
//empty expr table
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (NULL == expr_rt_stream->handle) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
size_t n_hit_item = 0;
|
size_t n_hit_item = 0;
|
||||||
size_t n_hit_pattern = 0;
|
size_t n_hit_pattern = 0;
|
||||||
struct expr_scan_result hit_results[MAX_HIT_ITEM_NUM];
|
struct expr_scan_result hit_results[MAX_HIT_ITEM_NUM];
|
||||||
|
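Review bot: The added `if (NULL == expr_rt_stream->handle) return 0;` is not mentioned in the commit message and makes a missing stream handle indistinguishable from a clean scan with no hits, the same value returned for an empty table just above it. If a NULL handle can only arise from an initialisation failure, a distinct negative return (or at least a debug log) would let the caller tell the two apart; if it is a normal state, a short comment saying so would stop the next reader from treating it as an error. expr_runtime_stream_scan continues beyond the hunk.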
|||||||
@@ -557,6 +557,11 @@ long long flag_runtime_rule_count(void *flag_runtime)
|
|||||||
int flag_runtime_scan(struct flag_runtime *flag_rt, int thread_id,
|
int flag_runtime_scan(struct flag_runtime *flag_rt, int thread_id,
|
||||||
long long flag, int vtable_id, struct maat_state *state)
|
long long flag, int vtable_id, struct maat_state *state)
|
||||||
{
|
{
|
||||||
|
//clear compile_state->last_hit_group
|
||||||
|
if (state != NULL && state->compile_state != NULL) {
|
||||||
|
compile_state_clear_last_hit_group(state->compile_state);
|
||||||
|
}
|
||||||
|
|
||||||
if (0 == flag_rt->rule_num) {
|
if (0 == flag_rt->rule_num) {
|
||||||
//empty flag table
|
//empty flag table
|
||||||
return 0;
|
return 0;
|
||||||
|
|||||||
@@ -559,6 +559,11 @@ long long interval_runtime_rule_count(void *interval_runtime)
|
|||||||
int interval_runtime_scan(struct interval_runtime *interval_rt, int thread_id,
|
int interval_runtime_scan(struct interval_runtime *interval_rt, int thread_id,
|
||||||
long long integer, int vtable_id, struct maat_state *state)
|
long long integer, int vtable_id, struct maat_state *state)
|
||||||
{
|
{
|
||||||
|
//clear compile_state->last_hit_group
|
||||||
|
if (state != NULL && state->compile_state != NULL) {
|
||||||
|
compile_state_clear_last_hit_group(state->compile_state);
|
||||||
|
}
|
||||||
|
|
||||||
if (0 == interval_rt->rule_num) {
|
if (0 == interval_rt->rule_num) {
|
||||||
//empty interval table
|
//empty interval table
|
||||||
return 0;
|
return 0;
|
||||||
|
|||||||
@@ -597,11 +597,20 @@ long long ip_runtime_ipv6_rule_count(void *ip_runtime)
|
|||||||
int ip_runtime_scan(struct ip_runtime *ip_rt, int thread_id, int ip_type,
|
int ip_runtime_scan(struct ip_runtime *ip_rt, int thread_id, int ip_type,
|
||||||
uint8_t *ip_addr, int port, int vtable_id, struct maat_state *state)
|
uint8_t *ip_addr, int port, int vtable_id, struct maat_state *state)
|
||||||
{
|
{
|
||||||
|
//clear compile_state->last_hit_group
|
||||||
|
if (state != NULL && state->compile_state != NULL) {
|
||||||
|
compile_state_clear_last_hit_group(state->compile_state);
|
||||||
|
}
|
||||||
|
|
||||||
if (0 == ip_rt->rule_num) {
|
if (0 == ip_rt->rule_num) {
|
||||||
//empty ip table
|
//empty ip table
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (NULL == ip_rt->ip_matcher) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
struct ip_data scan_data;
|
struct ip_data scan_data;
|
||||||
struct scan_result ip_results[MAX_HIT_ITEM_NUM];
|
struct scan_result ip_results[MAX_HIT_ITEM_NUM];
|
||||||
|
|
||||||
@@ -619,10 +628,6 @@ int ip_runtime_scan(struct ip_runtime *ip_rt, int thread_id, int ip_type,
|
|||||||
size_t real_hit_item_cnt = 0;
|
size_t real_hit_item_cnt = 0;
|
||||||
struct maat_item hit_maat_items[MAX_HIT_ITEM_NUM];
|
struct maat_item hit_maat_items[MAX_HIT_ITEM_NUM];
|
||||||
|
|
||||||
if (NULL == ip_rt->ip_matcher) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
int n_hit_ip_item = ip_matcher_match(ip_rt->ip_matcher, &scan_data,
|
int n_hit_ip_item = ip_matcher_match(ip_rt->ip_matcher, &scan_data,
|
||||||
ip_results, MAX_HIT_ITEM_NUM);
|
ip_results, MAX_HIT_ITEM_NUM);
|
||||||
if (n_hit_ip_item < 0) {
|
if (n_hit_ip_item < 0) {
|
||||||
@@ -642,12 +647,13 @@ int ip_runtime_scan(struct ip_runtime *ip_rt, int thread_id, int ip_type,
|
|||||||
// item config has been deleted
|
// item config has been deleted
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
if(port < 0 && ip_item->port_start!=0 && ip_item->port_end!=65535)
|
|
||||||
{
|
if (port < 0 && ip_item->port_start != 0 && ip_item->port_end != 65535) {
|
||||||
//If port is not speicified, an IP should NOT match rules with port range.
|
//If port is not speicified, an IP should NOT match rules with port range.
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
if(port >= 0 && (port<ip_item->port_start || port>ip_item->port_end)){
|
|
||||||
|
if (port >= 0 && (port < ip_item->port_start || port > ip_item->port_end)) {
|
||||||
//If port is specified, the port should within the port range.
|
//If port is specified, the port should within the port range.
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
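Review bot: The reformatted condition `port < 0 && ip_item->port_start != 0 && ip_item->port_end != 65535` skips only rules whose range differs from the full range at both ends, so with no port given an IP still matches a rule restricted to, say, ports 0–80 or 1024–65535, contrary to the comment beneath it. Unless rule loading guarantees that a non-default start and end always occur together, the test should be `if (port < 0 && (ip_item->port_start != 0 || ip_item->port_end != 65535)) {`. This is pre-existing logic that the commit only re-indents, and ip_runtime_scan continues past the hunk.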
|||||||