Applayer plugin 5053 v3.4

[catenacyber]

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
Preliminary work for https://redmine.openinfosecfoundation.org/issues/5053

Describe changes:

• get ready to use dynamic number of app-layer protos (also work with static constant) in some places
• preventive fix of macro with parenthesis cc @jufajardini

#11572 next round

#11701 with comments taken into account

Still more work to do after :
Only AppProtoStrings is to be handled, but it is the big one.

And then take remaining commits out of #11321
And supply an example of an app-layer plugin

[codecov]

Codecov Report

Attention: Patch coverage is 90.52632% with 18 lines in your changes missing coverage. Please review.

Project coverage is 82.36%. Comparing base (d3eb656) to head (65f4fa8).
Report is 62 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #11795      +/-   ##
==========================================
- Coverage   82.53%   82.36%   -0.18%     
==========================================
  Files         919      919              
  Lines      248979   248987       +8     
==========================================
- Hits       205506   205087     -419     
- Misses      43473    43900     +427     

Flag	Coverage Δ
fuzzcorpus	59.50% <80.85%> (-0.83%)	⬇️
livemode	18.71% <69.14%> (+<0.01%)	⬆️
pcap	44.14% <84.04%> (-0.01%)	⬇️
suricata-verify	61.90% <90.42%> (+0.02%)	⬆️
unittests	58.99% <69.47%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

[suricata-qa]

Information:

ERROR: QA failed on SURI_TLPR1_alerts_cmp.

field	baseline	test	%
	SURI_TLPR1_stats_chk
.app_layer.flow.dcerpc_tcp	40	42	105.0%

Pipeline 22740

[suricata-qa]

WARNING:

field	baseline	test	%
	SURI_TLPR1_stats_chk
.uptime	649	625	96.3%

Pipeline 22778

[catenacyber]

I will do the commit autosquash after some review ;-)

[victorjulien]

Commits are very light on explanation, please expand them a bit.

[victorjulien]

See inline comments / questions.

This PR still uses the hardcoded ALPROTO_MAX from the enum declaration, right? Is a next step to turn that into a variable?

[victorjulien]

I don't understand the type here. What does it point to?

[catenacyber]

This is an array of ALPROTO_MAX "iptypes" : IPPROTO_TCP, IPPROTO_UDP or something else like 0
see AppLayerRegisterExpectationProto

[victorjulien]

what does this mean?

[catenacyber]

It is more a TODO note for me for the next PR that alpd_ctx.alproto_names should get reallocated when a new protocol registers itself

[victorjulien]

this notation confuses me... what does it mean?

[catenacyber]

We had a fixed-size 2-dimensional array of pointers (void *)

Now we have a fixed-size 1-dimensional array of pointers-as-pointer-to-an-array of pointers (void *)

This allows to keep notation alproto_local_storage[alproto][flow_proto] (as we know one dimension)

Alternative would be to use void **alproto_local_storage and index/access it like alproto_local_storage[alproto*FLOW_PROTO_MAX+flow_proto] (or have many allocations instead of just one contiguous SCCalloc(ALPROTO_MAX*FLOW_PROTO_MAX, sizeof(void *)))

[victorjulien]

comment confused me, do you mean something like "initial allocation that will later be grown using realloc" or something?

[catenacyber]

yes

[victorjulien]

do we just not need this anymore?

[catenacyber]

I think so

[catenacyber]

By the way, I am not sure what these AppLayerParserTest01 really test : they check that AppLayerParserParse returns failure for this newly registered ALPROTO_TEST as TestProtocolParser returns error but it would also return failure without the registration...

[catenacyber]

So, could we remove this ALPROTO_TEST ?

[catenacyber]

This PR still uses the hardcoded ALPROTO_MAX from the enum declaration, right? Is a next step to turn that into a variable?

Right, a bit like 61ae154

[catenacyber]

Next in #11910