analyzer: make http3/quic handling more reliable

2026-02-11 15:44:26 +05:30
parent a6075db4ba
commit c3fe0ea16f
1 changed files with 31 additions and 6 deletions
--- a/engine/udp.go
+++ b/engine/udp.go
@@ -131,13 +131,25 @@ func (m *udpStreamManager) MatchWithContext(streamID uint32, ipFlow gopacket.Flo
 	rev := false
 	value, ok := m.streams.Get(streamID)
 	if !ok {
-		// New stream
-		value = &udpStreamValue{
-			Stream:  m.factory.New(ipFlow, udp.TransportFlow(), udp, uc),
-			IPFlow:  ipFlow,
-			UDPFlow: udp.TransportFlow(),
+		// Fallback: conntrack IDs can change during early flow lifetime on some systems.
+		// Try to find an existing stream by 5-tuple before creating a new stream.
+		matchedKey, matchedValue, matchedRev, found := m.findByFlow(ipFlow, udp.TransportFlow())
+		if found {
+			value = matchedValue
+			rev = matchedRev
+			if matchedKey != streamID {
+				m.streams.Remove(matchedKey)
+				m.streams.Add(streamID, matchedValue)
+			}
+		} else {
+			// New stream
+			value = &udpStreamValue{
+				Stream:  m.factory.New(ipFlow, udp.TransportFlow(), udp, uc),
+				IPFlow:  ipFlow,
+				UDPFlow: udp.TransportFlow(),
+			}
+			m.streams.Add(streamID, value)
 		}
-		m.streams.Add(streamID, value)
 	} else {
 		// Stream ID exists, but is it really the same stream?
 		ok, rev = value.Match(ipFlow, udp.TransportFlow())
@@ -157,6 +169,19 @@ func (m *udpStreamManager) MatchWithContext(streamID uint32, ipFlow gopacket.Flo
 	}
 }

+func (m *udpStreamManager) findByFlow(ipFlow, udpFlow gopacket.Flow) (key uint32, value *udpStreamValue, rev bool, found bool) {
+	for _, k := range m.streams.Keys() {
+		v, ok := m.streams.Peek(k)
+		if !ok || v == nil {
+			continue
+		}
+		if ok2, rev2 := v.Match(ipFlow, udpFlow); ok2 {
+			return k, v, rev2, true
+		}
+	}
+	return 0, nil, false, false
+}
+
 type udpStream struct {
 	info          ruleset.StreamInfo
 	virgin        bool // true if no packets have been processed