next/1410/20260626/v1#15740
Merged
Merged
Conversation
for SV to run tests based on the presence of this feature
Completes commit 7e725c6 autofp-scheduler with value ftp-hash ends up using FlowGetIpPairProtoHash which ignores the ports for ftp-looking flows so that the ftp and ftp-data flow get processed by the same thread. As for the other cases, we want to use every other parameter to compute the flow hash, inclusing the live device
DHCP is a stateless parser where each datagram is its own standalone, single-direction transaction. It was creating transactions with AppLayerTxData::new(), which leaves both SKIP_INSPECT bits clear, so the engine treats every tx as still needing inspection in both directions. For a flow that only ever carries one direction (broadcast DHCP, or a relay seeing one side), the never-observed direction's inspect bit can never be set, so AppLayerParserTransactionsCleanup() never frees the tx. The per-flow transaction Vec then grows without bound and every packet re-scans the whole list, giving O(n^2) CPU and unbounded memory on a busy DHCP aggregation point. Use AppLayerTxData::for_direction() like every other stateless parser (DNS, SNMP, NTP, IKE, KRB5, MQTT, QUIC, SIP, WebSocket, bittorrent-dht) so the tx carries SKIP_INSPECT for the direction it will never be seen in. This lets cleanup free completed transactions and also stops the tx from being inspected (and alerting) twice, once per direction. Issue: 8621
Mark the direction into RDP transactions at creation time, so the tx carries SKIP_INSPECT for the direction it is never seen in, matching DHCP and the other single-direction parsers. This lets cleanup free completed transactions and stops a tx from being inspected (and alerting) twice, once per direction. RDP bounds its transactions to connection setup and stops parsing once bypass_parsing is set. Issue: 8621
Ticket: 7929 One commit as they share the same code
Ticket: 7929
Ticket: 7929 There is only one msg_type by tx
Ticket: 7929 As it supports prefilter
Ticket: 7929 As both syntaxes share comma as delimiter
Ticket: 7929
So, that if a keyword advertises uint16, it can indeed parse a uint16 and is not just a uint8
victorjulien
requested review from
a team,
jasonish and
jufajardini
as code owners
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #15740 +/- ##
==========================================
- Coverage 82.96% 82.95% -0.02%
==========================================
Files 1003 1003
Lines 275031 275096 +65
==========================================
+ Hits 228192 228217 +25
- Misses 46839 46879 +40
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
|
WARNING:
Pipeline = 32281 |
jasonish
approved these changes
Jun 27, 2026
jasonish
left a comment
jasonish
left a comment
Member
There was a problem hiding this comment.
Staging looks OK.
CI issue doesn't seem related, but the FreeBSD build is reporting:
pkg: No packages available to install matching 'py311-pyyaml' have been found in the repositories
Member
Author
Yeah, it's a bit odd. My own FreeBSD 15 vm is fine. Just updated it to 15.1 and it is still fine. Strangely, I can't get py312-pyyaml installed there, only py311-pyyaml. It's odd because this suggests py312-pyyaml should exist: https://ports.freebsd.org/cgi/ports.cgi?query=pyyaml&stype=all&sektion=all |
This was referenced Jun 27, 2026
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Staging:
SV_BRANCH=OISF/suricata-verify#3197