Implement tcp timeout with LRU list (#249)

* Implement tcp timeout with LRU list

* put connection on LRUList on start callback

Author: leoparente

src/inputs/pcap/LRUList.h

@@ -0,0 +1,147 @@
+#ifndef PV_PCAPPP_LRU_LIST
+#define PV_PCAPPP_LRU_LIST
+
+#include <list>
+#include <map>
+
+#if __cplusplus > 199711L || _MSC_VER >= 1800
+#include <utility>
+#endif
+
+/// @file
+
+/**
+ * \namespace pcpp
+ * \brief The main namespace for the PcapPlusPlus lib
+ */
+namespace pcpp {
+
+/**
+ * @class LRUList
+ * A template class that implements a LRU cache with limited size. Each time the user puts an element it goes to head of the
+ * list as the most recently used element (if the element was already in the list it advances to the head of the list).
+ * The last element in the list is the one least recently used and will be pulled out of the list if it reaches its max size
+ * and a new element comes in. All actions on this LRU list are O(1)
+ */
+template <typename T, typename V>
+class LRUList
+{
+public:
+    typedef typename std::list<std::pair<T, V>>::iterator ListIterator;
+    typedef typename std::map<T, ListIterator>::iterator MapIterator;
+
+    /**
+     * A c'tor for this class
+     * @param[in] maxSize The max size this list can go
+     */
+
+    LRUList(size_t maxSize)
+    {
+        m_MaxSize = maxSize;
+    }
+
+    /**
+     * A c'tor for this class with unlimited size
+     */
+    LRUList()
+    {
+        m_MaxSize = 0;
+    }
+
+    /**
+     * Puts an element in the list. This element will be inserted (or advanced if it already exists) to the head of the
+     * list as the most recently used element. If the list already reached its max size and the element is new this method
+     * will remove the least recently used element and return a value in deletedValue. Method complexity is O(log(getSize())).
+     * This is a optimized version of the method T* put(const T&).
+     * @param[in] element The element to insert or to advance to the head of the list (if already exists)
+     * @param[out] deletedValue The value of deleted element if a pointer is not NULL. This parameter is optional.
+     * @return 0 if the list didn't reach its max size, 1 otherwise. In case the list already reached its max size
+     * and deletedValue is not NULL the value of deleted element is copied into the place the deletedValue points to.
+     */
+    int put(const T &element, const V &value, std::pair<T, V> *deletedValue = NULL)
+    {
+        m_CacheItemsList.push_front(std::make_pair(element, value));
+
+        // Inserting a new element. If an element with an equivalent key already exists the method returns an iterator to the element that prevented the insertion
+        std::pair<MapIterator, bool> pair = m_CacheItemsMap.insert(std::make_pair(element, m_CacheItemsList.begin()));
+        if (pair.second == false) // already exists
+        {
+            m_CacheItemsList.erase(pair.first->second);
+            pair.first->second = m_CacheItemsList.begin();
+        }
+
+        if (m_MaxSize && m_CacheItemsMap.size() > m_MaxSize) {
+            ListIterator lruIter = m_CacheItemsList.end();
+            lruIter--;
+
+            if (deletedValue != NULL)
+#if __cplusplus > 199711L || _MSC_VER >= 1800
+                *deletedValue = std::move(*lruIter);
+#else
+                *deletedValue = *lruIter;
+#endif
+            m_CacheItemsMap.erase(lruIter->first);
+            m_CacheItemsList.erase(lruIter);
+            return 1;
+        }
+
+        return 0;
+    }
+
+    /**
+     * Get the most recently used element (the one at the beginning of the list)
+     * @return The most recently used element
+     */
+    inline const std::pair<T, V> &getMRUElement() const
+    {
+        return m_CacheItemsList.front();
+    }
+
+    /**
+     * Get the least recently used element (the one at the end of the list)
+     * @return The least recently used element
+     */
+    inline const std::pair<T, V> &getLRUElement() const
+    {
+        return m_CacheItemsList.back();
+    }
+
+    /**
+     * Erase an element from the list. If element isn't found in the list nothing happens
+     * @param[in] element The element to erase
+     */
+    inline void eraseElement(const T &element)
+    {
+        MapIterator iter = m_CacheItemsMap.find(element);
+        if (iter == m_CacheItemsMap.end())
+            return;
+
+        m_CacheItemsList.erase(iter->second);
+        m_CacheItemsMap.erase(iter);
+    }
+
+    /**
+     * @return The max size of this list as determined in the c'tor
+     */
+    inline size_t getMaxSize() const
+    {
+        return m_MaxSize;
+    }
+
+    /**
+     * @return The number of elements currently in this list
+     */
+    inline size_t getSize() const
+    {
+        return m_CacheItemsMap.size();
+    }
+
+private:
+    std::list<std::pair<T, V>> m_CacheItemsList;
+    std::map<T, ListIterator> m_CacheItemsMap;
+    size_t m_MaxSize;
+};
+
+} // namespace pcpp
+
+#endif /* PV_PCAPPP_LRU_LIST */

src/inputs/pcap/PcapInputStream.cpp

@@ -71,7 +71,7 @@ PcapInputStream::PcapInputStream(const std::string &name)
           this,
           _tcp_connection_start_cb,
           _tcp_connection_end_cb,
-          {true, 5, 500, 50})
+          {true, 1, 1000, 50})
 {
     pcpp::Logger::getInstance().suppressLogs();
 }
@@ -230,16 +230,19 @@ void PcapInputStream::stop()
 void PcapInputStream::tcp_message_ready(int8_t side, const pcpp::TcpStreamData &tcpData)
 {
     tcp_message_ready_signal(side, tcpData);
+    _lru_list.put(tcpData.getConnectionData().flowKey, tcpData.getConnectionData().endTime);
 }
 
 void PcapInputStream::tcp_connection_start(const pcpp::ConnectionData &connectionData)
 {
     tcp_connection_start_signal(connectionData);
+    _lru_list.put(connectionData.flowKey, connectionData.startTime);
 }
 
 void PcapInputStream::tcp_connection_end(const pcpp::ConnectionData &connectionData, pcpp::TcpReassembly::ConnectionEndReason reason)
 {
     tcp_connection_end_signal(connectionData, reason);
+    _lru_list.eraseElement(connectionData.flowKey);
 }
 
 void PcapInputStream::process_pcap_stats(const pcpp::IPcapDevice::PcapStats &stats)
@@ -319,7 +322,6 @@ void PcapInputStream::_generate_mock_traffic()
 
 void PcapInputStream::process_raw_packet(pcpp::RawPacket *rawPacket)
 {
-
     pcpp::ProtocolType l3(pcpp::UnknownProtocol), l4(pcpp::UnknownProtocol);
     pcpp::Packet packet(rawPacket, pcpp::TCP | pcpp::UDP);
     if (packet.isPacketOfType(pcpp::IPv4)) {
@@ -359,18 +361,19 @@ void PcapInputStream::process_raw_packet(pcpp::RawPacket *rawPacket)
         }
     }
 
+    auto timestamp = rawPacket->getPacketTimeStamp();
     // interface to handlers
-    packet_signal(packet, dir, l3, l4, rawPacket->getPacketTimeStamp());
+    packet_signal(packet, dir, l3, l4, timestamp);
 
     if (l4 == pcpp::UDP) {
-        udp_signal(packet, dir, l3, pcpp::hash5Tuple(&packet), rawPacket->getPacketTimeStamp());
+        udp_signal(packet, dir, l3, pcpp::hash5Tuple(&packet), timestamp);
     } else if (l4 == pcpp::TCP) {
         auto result = _tcp_reassembly.reassemblePacket(packet);
         switch (result) {
         case pcpp::TcpReassembly::Error_PacketDoesNotMatchFlow:
         case pcpp::TcpReassembly::NonTcpPacket:
         case pcpp::TcpReassembly::NonIpPacket:
-            tcp_reassembly_error_signal(packet, dir, l3, rawPacket->getPacketTimeStamp());
+            tcp_reassembly_error_signal(packet, dir, l3, timestamp);
         case pcpp::TcpReassembly::TcpMessageHandled:
         case pcpp::TcpReassembly::OutOfOrderTcpMessageBuffered:
         case pcpp::TcpReassembly::FIN_RSTWithNoData:
@@ -379,6 +382,15 @@ void PcapInputStream::process_raw_packet(pcpp::RawPacket *rawPacket)
         case pcpp::TcpReassembly::Ignore_Retransimission:
             break;
         }
+
+        for (uint8_t counter = 0; counter < MAX_TCP_CLEANUPS; counter++) {
+            auto connection = _lru_list.getLRUElement();
+            if (timestamp.tv_sec < connection.second.tv_sec + TCP_TIMEOUT) {
+                break;
+            }
+            _tcp_reassembly.closeConnection(connection.first);
+            _lru_list.eraseElement(connection.first);
+        }
     } else {
         // unsupported layer3 protocol
     }

src/inputs/pcap/PcapInputStream.h

@@ -12,6 +12,7 @@
 #include <TcpReassembly.h>
 #include <UdpLayer.h>
 #pragma GCC diagnostic pop
+#include "LRUList.h"
 #include "utils.h"
 #include <functional>
 #include <memory>
@@ -40,8 +41,11 @@ class PcapInputStream : public visor::InputStream
 {
 
 private:
-    static const PcapSource DefaultPcapSource = PcapSource::libpcap;
+    static constexpr uint8_t TCP_TIMEOUT = 30;
+    static constexpr uint8_t MAX_TCP_CLEANUPS = 100;
 
+    static const PcapSource DefaultPcapSource = PcapSource::libpcap;
+    pcpp::LRUList<uint32_t, timeval> _lru_list;
     IPv4subnetList _hostIPv4;
     IPv6subnetList _hostIPv6;