gen/refactor: transform and misc related changes for improved transform support #12502
Conversation
This commit makes the detection engine thread context available for transforms to use. The Lua transform requires this value. Issue: 2290
Issue: 2290 This commit extends the hash table logic with an alternate free function that provides the detection engine context. Users that wish to use the next functionality must use the HashListTableInitWithCtx function when initializing the hash table. Using this interface will result in the hash table "free with context" function (new) being used instead.
Issue: 2290 Defer freeing the keyword hash table until the engine context has been freed. This eliminates a double-free from occurring. For the unittests ONLY, clear the keyword_hash to prevent a double free attempt.
So transforms can access them through DetectEngineThreadCtx
git grep -A 1 -w InspectionBufferSetup shows numbers cases of the pattern:
- InspectionBufferSetup
- InspectionBufferApplyTransforms
Refactor the implementations of those functions into
InspectionBufferSetupAndApplyTransforms to reduce function call count.
Issuer: 2290
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #12502 +/- ##
=======================================
Coverage 80.56% 80.56%
=======================================
Files 925 925
Lines 259292 259322 +30
=======================================
+ Hits 208906 208935 +29
- Misses 50386 50387 +1
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Information: QA ran without warnings. Pipeline 24425 |
| @@ -1291,7 +1291,7 @@ typedef struct SigTableElmt_ { | |||
| uint8_t flags, File *, const Signature *, const SigMatchCtx *); | |||
|
|
|||
| /** InspectionBuffer transformation callback */ | |||
| void (*Transform)(InspectionBuffer *, void *context); | |||
| void (*Transform)(DetectEngineThreadCtx *, InspectionBuffer *, void *context); | |||
There was a problem hiding this comment.
This requires to bump up SC_PLUGIN_API_VERSION
There was a problem hiding this comment.
This requires to bump up
SC_PLUGIN_API_VERSION
Why? Its currently at 8, and should stay that way until 8 is released.
There was a problem hiding this comment.
It should be modified every time the API gets modified so that runtime suricata and plugins can ensure compatibility
Maybe the current 8 value is not the best fit since 8 is not released...
There was a problem hiding this comment.
Our compatibility promises are for a major version. So 8 is fine, as 8 is not released there is no promise that its stable until 8 is released.
There was a problem hiding this comment.
There is no promise, but we can do it
There was a problem hiding this comment.
We'll need to work on the versioning, so I think its out of scope for this PR.
For example, if we ever did an 8.1 release, we wouldn't consider that compatible with 8.0. So we'd want something like:
- 800000 # 8.0
- 800100 # 8.1
Or were you thinking just an ever increasing int?
Patch releases should not be considered as they should not break the API. I'd still not consider pre-release git snapshot versions either.
As the library matures we'll end up in a position where any change to any public function signature will require an update to this, which could be a lot of commits during a major development cycle.
There was a problem hiding this comment.
I think you forget to take into account the people using git master (like after 8 release before 9)
We'll need to work on the versioning
indeed
so I think its out of scope for this PR.
But a change in SC_PLUGIN_API_VERSION is required by this PR
As the library matures we'll end up in a position where any change to any public function signature will require an update to this, which could be a lot of commits during a major development cycle.
I think we are there
There was a problem hiding this comment.
In git master we make no promises until it is released as a final 8.0.0 release. Ppl relying on a dev branch will have to accept we can still break things.
There was a problem hiding this comment.
I understand that.
Even bumping SC_PLUGIN_API_VERSION, this PR still "breaks things", but it will give a better error message instead of a segfault.
This is to get the good habit for post 8 release
There was a problem hiding this comment.
I understand that.
Even bumping SC_PLUGIN_API_VERSION, this PR still "breaks things", but it will give a better error message instead of a segfault.
This is to get the good habit for post 8 release
| @@ -977,12 +978,18 @@ static void DetectBufferTypeFreeFunc(void *data) | |||
| sigmatch_table[map->transforms.transforms[i].transform].name); | |||
| continue; | |||
| } | |||
| sigmatch_table[map->transforms.transforms[i].transform].Free(NULL, map->transforms.transforms[i].options); | |||
| sigmatch_table[map->transforms.transforms[i].transform].Free( | |||
| de_ctx, map->transforms.transforms[i].options); | |||
There was a problem hiding this comment.
Looks ok but feels painful
Why will we need this de_ctx when freeing ?
There was a problem hiding this comment.
The Luaxform will need the de_ctx to unregister the thread ctx (see #12425 detect-transform-luaxform.c, function DetectTransformLuaxformFree)
There was a problem hiding this comment.
What is this thread ctx ?
There was a problem hiding this comment.
Another option would be to have sigmatch_table having 2 different function pointers Free and
FreeCtx (not sure it is better, but requires less modifications)
| @@ -2606,6 +2606,9 @@ DetectEngineCtx *DetectEngineCtxInitWithPrefix(const char *prefix, uint32_t tena | |||
| static void DetectEngineCtxFreeThreadKeywordData(DetectEngineCtx *de_ctx) | |||
| { | |||
| HashListTableFree(de_ctx->keyword_hash); | |||
| #if UNITTESTS | |||
| de_ctx->keyword_hash = NULL; | |||
There was a problem hiding this comment.
Double free Happens only in unit tests, right ? Just double checking
There was a problem hiding this comment.
And why was CI green if there was this double free ?
There was a problem hiding this comment.
Yes, this is a unit test only situation.
The double free would occur in DetectUnregsiterThreadCtxFuncs iff keyword hash wasn't nullified.
There was a problem hiding this comment.
And why was CI green if there was this double free ?
| @@ -113,7 +113,6 @@ void DetectEngineFrameMpmRegister(DetectEngineCtx *de_ctx, const char *name, int | |||
| const DetectBufferMpmRegistry *mpm_reg, int list_id), | |||
| AppProto alproto, uint8_t type); | |||
|
|
|||
|
|
|||
There was a problem hiding this comment.
Does not deserve its own commit :-p
| InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len); | ||
| InspectionBufferApplyTransforms(det_ctx, buffer, transforms); | ||
| InspectionBufferSetupAndApplyTransforms( | ||
| det_ctx, list_id, buffer, data, data_len, transforms); |
There was a problem hiding this comment.
Can you use DetectHelperGetData to save even more lines ?
There was a problem hiding this comment.
Yes -- I think that pattern could be used in several places but is probably best done in a separate PR, imo
There was a problem hiding this comment.
So, why do you need this commit ? if it "is probably best done in a separate PR"
There was a problem hiding this comment.
So, why do you need this commit ? if it "is probably best done in a separate PR"
Continuation of #12427
A set of changes from #12425 that improve transform support
Describe changes:
Updates:
g_buffer_type_hashto not rely on thede_ctxas there is not a dependency for this global data structure.Provide values to any of the below to override the defaults.
link to the pull request in the respective
_BRANCHvariable.SV_REPO=
SV_BRANCH=
SU_REPO=
SU_BRANCH=
LIBHTP_REPO=
LIBHTP_BRANCH=