fix: eliminate stale verdict poisoning, memory leaks, data races, and per-packet allocations in engine

2026-05-15 02:08:22 +00:00
parent bc25169f41
commit 301c252c43
15 changed files with 222 additions and 163 deletions
@@ -3,6 +3,7 @@ package engine
 import (
 	"context"
 	"net"
+	"time"

 	"git.difuse.io/Difuse/Mellaris/io"
 	"git.difuse.io/Difuse/Mellaris/ruleset"
@@ -119,10 +120,16 @@ func (w *worker) FeedBlocking(p *workerPacket) {
 func (w *worker) Run(ctx context.Context) {
 	w.logger.WorkerStart(w.id)
 	defer w.logger.WorkerStop(w.id)
+
+	tcpSweepTicker := time.NewTicker(1 * time.Minute)
+	defer tcpSweepTicker.Stop()
+
 	for {
 		select {
 		case <-ctx.Done():
 			return
+		case <-tcpSweepTicker.C:
+			w.tcpFlowMgr.cleanupIdle(time.Now())
 		case wp := <-w.packetChan:
 			if wp == nil {
 				return
@@ -202,15 +209,6 @@ func (w *worker) handleIPPacket(wp *workerPacket, data []byte) (io.Verdict, []by
 func (w *worker) handleUDP(streamID uint32, l3 L3Info, udp UDPInfo, payload []byte, srcMAC, dstMAC net.HardwareAddr) (io.Verdict, []byte) {
 	ipSrc := l3.SrcIPAddr()
 	ipDst := l3.DstIPAddr()
-	endpointType := layers.EndpointIPv4
-	flowSrc := ipSrc.To4()
-	flowDst := ipDst.To4()
-	if l3.Version == 6 {
-		endpointType = layers.EndpointIPv6
-		flowSrc = ipSrc.To16()
-		flowDst = ipDst.To16()
-	}
-	ipFlow := gopacket.NewFlow(endpointType, flowSrc, flowDst)

 	if len(srcMAC) == 0 && w.macResolver != nil {
 		srcMAC = w.macResolver.Resolve(ipSrc)
@@ -221,12 +219,9 @@ func (w *worker) handleUDP(streamID uint32, l3 L3Info, udp UDPInfo, payload []by
 		SrcMAC:  srcMAC,
 		DstMAC:  dstMAC,
 	}
-	// Temporarily set payload on a UDP layer so existing UDP handling works.
-	w.udpSM.MatchWithContext(streamID, ipFlow, &layers.UDP{
-		BaseLayer: layers.BaseLayer{Payload: payload},
-		SrcPort:   layers.UDPPort(udp.SrcPort),
-		DstPort:   layers.UDPPort(udp.DstPort),
-	}, uc)
+
+	tuple := canonicalUDPTupleKey(ipSrc, ipDst, udp.SrcPort, udp.DstPort)
+	w.udpSM.MatchWithContext(streamID, tuple, false, payload, uc)
 	return io.Verdict(uc.Verdict), uc.Packet
 }

@@ -253,7 +248,7 @@ func (w *worker) serializeModifiedUDP(fullData []byte, l3 L3Info, modPayload []b
 	if err != nil {
 		return io.VerdictAccept, nil
 	}
-	return io.VerdictAcceptModify, w.modSerializeBuffer.Bytes()
+	return io.VerdictAcceptModify, append([]byte(nil), w.modSerializeBuffer.Bytes()...)
 }

 func extractL3PayloadFromEthernet(data []byte) ([]byte, bool) {