Applayer plugin 5053 v1

[catenacyber]

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/5053

Describe changes:

• App-layer plugins

Comes after merge of #11291

Draft to get general feedback
especially the use of ALPROTO_DYNAMIC_NB

Still todo: supply an example of an app-layer plugin

[codecov]

Codecov Report

Attention: Patch coverage is 25.84270% with 66 lines in your changes missing coverage. Please review.

Project coverage is 77.67%. Comparing base (49ecf37) to head (a01b68d).
Report is 3 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #11321      +/-   ##
==========================================
- Coverage   82.47%   77.67%   -4.80%     
==========================================
  Files         934      934              
  Lines      252270   252235      -35     
==========================================
- Hits       208055   195920   -12135     
- Misses      44215    56315   +12100     

Flag	Coverage Δ
fuzzcorpus	?
livemode	18.76% <7.86%> (+<0.01%)	⬆️
pcap	43.73% <25.84%> (-0.05%)	⬇️
suricata-verify	61.30% <25.84%> (-0.02%)	⬇️
unittests	59.90% <7.86%> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

[jasonish]

Do you see new "built-in" app-layers going through this API? Or still using a static assignment?

[catenacyber]

Do you see new "built-in" app-layers going through this API? Or still using a static assignment?

still static...

[suricata-qa]

ERROR:

ERROR: QA failed on build_asan.

Pipeline 21127

[victorjulien]

I would like to see the registration of AppProto's to be cleaner. Like in other places, we can have something like built-in app protos are static, followed by a dynamic range. _MAX would be replaced by a fully dynamic app_proto_max or something, and the arrays and other things will have to be replaced by more dynamic data structures.

[victorjulien]

AppProto as an enum also isn't a great fit anymore, it's more just a registered id for these dynamic cases

[victorjulien]

This would not be something that should be compile time optional?

[jasonish]

Do you see new "built-in" app-layers going through this API? Or still using a static assignment?

still static...

Any particular reason? It would be nice to use these APIs for built in and dynamically loaded unless there is good reason not to.

[catenacyber]

I would like to see the registration of AppProto's to be cleaner. Like in other places, we can have something like built-in app protos are static, followed by a dynamic range. _MAX would be replaced by a fully dynamic app_proto_max or something, and the arrays and other things will have to be replaced by more dynamic data structures.

There a re 33 arrays to handle, not 2 like for keywords (cf git grep '\[ALPROTO_MAX'). :-/
And I guess some of them would now need a post init stuff to realloc the array after the alprotos have been registered

Any particular reason? It would be nice to use these APIs for built in and dynamically loaded unless there is good reason not to.

Ok, it can be done in follow up works like keywords in #11316

AppProto as an enum also isn't a great fit anymore, it's more just a registered id for these dynamic cases

It is no longer the case here : `typedef uint16_t AppProto;

[victorjulien]

Yeah I realize it's major effort, but I think we shouldn't hack around it, esp not in this phase of the 8 dev cycle.

[catenacyber]

Some work done in #11355

[catenacyber]

So, closing this draft.

#11572 is the first PR towards it