stream/tcp: add ssnmemcap exception policy counter

Counters for exception policies applied in case a stream session memcap is hit. Task OISF#5816
jufajardini · Apr 16, 2023 · 9502c34 · 9502c34
1 parent ff14f37
commit 9502c34
Show file tree

Hide file tree

Showing 3 changed files with 79 additions and 1 deletion.
diff --git a/etc/schema.json b/etc/schema.json
@@ -5270,6 +5270,32 @@
                         "ssn_memcap_drop": {
                             "type": "integer"
                         },
+                        "ssn_memcap_exception_policy": {
+                            "type": "object",
+                            "anyOf": [
+                                {
+                                    "$ref": "#/$defs/drop_flow"
+                                },
+                                {
+                                    "$ref": "#/$defs/drop_packet"
+                                },
+                                {
+                                    "$ref": "#/$defs/pass_flow"
+                                },
+                                {
+                                    "$ref": "#/$defs/pass_packet"
+                                },
+                                {
+                                    "$ref": "#/$defs/bypass"
+                                },
+                                {
+                                    "$ref": "#/$defs/ignore"
+                                },
+                                {
+                                    "$ref": "#/$defs/reject"
+                                }
+                            ]
+                        },
                         "stream_depth_reached": {
                             "type": "integer"
                         },

diff --git a/src/stream-tcp.c b/src/stream-tcp.c
@@ -707,6 +707,34 @@ void StreamTcpFreeConfig(bool quiet)
     SCLogDebug("ssn_pool_cnt %"PRIu64"", ssn_pool_cnt);
 }
 
+static void StreamTcpSsnMemcapExceptionPolicyStatsIncr(
+        ThreadVars *tv, StreamTcpThread *stt, enum ExceptionPolicy policy)
+{
+    switch (policy) {
+        case EXCEPTION_POLICY_NOT_SET:
+            StatsIncr(tv, stt->counter_tcp_ssn_memcap_eps_ignore);
+            break;
+        case EXCEPTION_POLICY_REJECT:
+            StatsIncr(tv, stt->counter_tcp_ssn_memcap_eps_reject);
+            break;
+        case EXCEPTION_POLICY_BYPASS_FLOW:
+            StatsIncr(tv, stt->counter_tcp_ssn_memcap_eps_bypass);
+            break;
+        case EXCEPTION_POLICY_DROP_FLOW:
+            StatsIncr(tv, stt->counter_tcp_ssn_memcap_eps_drop_flow);
+            break;
+        case EXCEPTION_POLICY_DROP_PACKET:
+            StatsIncr(tv, stt->counter_tcp_ssn_memcap_eps_drop_packet);
+            break;
+        case EXCEPTION_POLICY_PASS_PACKET:
+            StatsIncr(tv, stt->counter_tcp_ssn_memcap_eps_pass_packet);
+            break;
+        case EXCEPTION_POLICY_PASS_FLOW:
+            StatsIncr(tv, stt->counter_tcp_ssn_memcap_eps_pass_flow);
+            break;
+    }
+}
+
 /** \internal
  *  \brief The function is used to fetch a TCP session from the
  *         ssn_pool, when a TCP SYN is received.
@@ -746,13 +774,15 @@ static TcpSession *StreamTcpNewSession(ThreadVars *tv, StreamTcpThread *stt, Pac
                       g_eps_stream_ssn_memcap == t_pcapcnt))) {
             SCLogNotice("simulating memcap reached condition for packet %" PRIu64, t_pcapcnt);
             ExceptionPolicyApply(p, stream_config.ssn_memcap_policy, PKT_DROP_REASON_STREAM_MEMCAP);
+            StreamTcpSsnMemcapExceptionPolicyStatsIncr(tv, stt, stream_config.ssn_memcap_policy);
             return NULL;
         }
 #endif
         ssn = (TcpSession *)p->flow->protoctx;
         if (ssn == NULL) {
             SCLogDebug("ssn_pool is empty");
             ExceptionPolicyApply(p, stream_config.ssn_memcap_policy, PKT_DROP_REASON_STREAM_MEMCAP);
+            StreamTcpSsnMemcapExceptionPolicyStatsIncr(tv, stt, stream_config.ssn_memcap_policy);
             return NULL;
         }
 
@@ -5778,6 +5808,20 @@ TmEcode StreamTcpThreadInit(ThreadVars *tv, void *initdata, void **data)
     stt->counter_tcp_ssn_memcap = StatsRegisterCounter("tcp.ssn_memcap_drop", tv);
     stt->counter_tcp_ssn_from_cache = StatsRegisterCounter("tcp.ssn_from_cache", tv);
     stt->counter_tcp_ssn_from_pool = StatsRegisterCounter("tcp.ssn_from_pool", tv);
+    stt->counter_tcp_ssn_memcap_eps_ignore =
+            StatsRegisterCounter("tcp.ssn_memcap_exception_policy.ignore", tv);
+    stt->counter_tcp_ssn_memcap_eps_reject =
+            StatsRegisterCounter("tcp.ssn_memcap_exception_policy.reject", tv);
+    stt->counter_tcp_ssn_memcap_eps_bypass =
+            StatsRegisterCounter("tcp.ssn_memcap_exception_policy.bypass", tv);
+    stt->counter_tcp_ssn_memcap_eps_pass_flow =
+            StatsRegisterCounter("tcp.ssn_memcap_exception_policy.pass_flow", tv);
+    stt->counter_tcp_ssn_memcap_eps_pass_packet =
+            StatsRegisterCounter("tcp.ssn_memcap_exception_policy.pass_packet", tv);
+    stt->counter_tcp_ssn_memcap_eps_drop_flow =
+            StatsRegisterCounter("tcp.ssn_memcap_exception_policy.drop_flow", tv);
+    stt->counter_tcp_ssn_memcap_eps_drop_packet =
+            StatsRegisterCounter("tcp.ssn_memcap_exception_policy.drop_packet", tv);
     stt->counter_tcp_pseudo = StatsRegisterCounter("tcp.pseudo", tv);
     stt->counter_tcp_pseudo_failed = StatsRegisterCounter("tcp.pseudo_failed", tv);
     stt->counter_tcp_invalid_checksum = StatsRegisterCounter("tcp.invalid_checksum", tv);

diff --git a/src/stream-tcp.h b/src/stream-tcp.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2022 Open Information Security Foundation
+/* Copyright (C) 2007-2023 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
@@ -85,6 +85,14 @@ typedef struct StreamTcpThread_ {
     uint16_t counter_tcp_ssn_memcap;
     uint16_t counter_tcp_ssn_from_cache;
     uint16_t counter_tcp_ssn_from_pool;
+    /** exception policy */
+    uint16_t counter_tcp_ssn_memcap_eps_ignore;
+    uint16_t counter_tcp_ssn_memcap_eps_reject;
+    uint16_t counter_tcp_ssn_memcap_eps_bypass;
+    uint16_t counter_tcp_ssn_memcap_eps_pass_flow;
+    uint16_t counter_tcp_ssn_memcap_eps_pass_packet;
+    uint16_t counter_tcp_ssn_memcap_eps_drop_flow;
+    uint16_t counter_tcp_ssn_memcap_eps_drop_packet;
     /** pseudo packets processed */
     uint16_t counter_tcp_pseudo;
     /** pseudo packets failed to setup */