aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '4474889667'
${ noResults }
suricata/src/util-ebpf.c

382 lines
12 KiB
C
Raw Normal View History Unescape Escape

af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
/* Copyright (C) 2018 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \ingroup afppacket
*
* @{
*/
/**
* \file
*
* \author Eric Leblond <eric@regit.org>
*
* eBPF utility
*
*/
#define PCAP_DONT_INCLUDE_PCAP_BPF_H 1
#define SC_PCAP_DONT_INCLUDE_PCAP_H 1
#include "suricata-common.h"
flow-bypass: add abstraction layer The flow bypass thread can now be used by any capture method that register it timeout check function.
8 years ago
#include "flow-bypass.h"
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
#ifdef HAVE_PACKET_EBPF
util-ebpf: add call to remove memlock limit Without that, user has to use ulimit to be able to load the eBPF file.
8 years ago
#include <sys/time.h>
#include <sys/resource.h>
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
#include "util-ebpf.h"
#include "util-cpu.h"
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
#include <bpf/libbpf.h>
#include <bpf/bpf.h>
af-packet: implementation of XDP bypass This patch adds support for XDP bypass. It provides an XDP filter that can be loaded to realize the bypass of flows.
8 years ago
#include <net/if.h>
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
#include "config.h"
#define BPF_MAP_MAX_COUNT 16
flow-bypass: add abstraction layer The flow bypass thread can now be used by any capture method that register it timeout check function.
8 years ago
#define BYPASSED_FLOW_TIMEOUT 60
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
struct bpf_map_item {
const char * name;
int fd;
};
static struct bpf_map_item bpf_map_array[BPF_MAP_MAX_COUNT];
static int bpf_map_last = 0;
flow-bypass: add abstraction layer The flow bypass thread can now be used by any capture method that register it timeout check function.
8 years ago
static void EBPFDeleteKey(int fd, void *key)
{
bpf_map_delete_elem(fd, key);
}
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
int EBPFGetMapFDByName(const char *name)
{
int i;
if (name == NULL)
return -1;
for (i = 0; i < BPF_MAP_MAX_COUNT; i++) {
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
if (!bpf_map_array[i].name)
continue;
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
if (!strcmp(bpf_map_array[i].name, name)) {
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
SCLogDebug("Got fd %d for eBPF map '%s'", bpf_map_array[i].fd, name);
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
return bpf_map_array[i].fd;
}
}
return -1;
}
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
#define bpf__is_error(ee) ee
#define bpf__get_error(ee) 1
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
/**
* Load a section of an eBPF file
*
* This function loads a section inside an eBPF and return
* via a parameter the file descriptor that will be used to
* inject the eBPF code into the kernel via a syscall.
*
* \param path the path of the eBPF file to load
* \param section the section in the eBPF file to load
* \param val a pointer to an integer that will be the file desc
* \return -1 in case of error and 0 in case of success
*/
af-packet: implementation of XDP bypass This patch adds support for XDP bypass. It provides an XDP filter that can be loaded to realize the bypass of flows.
8 years ago
int EBPFLoadFile(const char *path, const char * section, int *val, uint8_t flags)
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
{
int err, pfd;
bool found = false;
struct bpf_object *bpfobj = NULL;
struct bpf_program *bpfprog = NULL;
struct bpf_map *map = NULL;
/* FIXME we will need to close BPF at exit of runmode */
if (! path) {
SCLogError(SC_ERR_INVALID_VALUE, "No file defined to load eBPF from");
return -1;
}
util-ebpf: add call to remove memlock limit Without that, user has to use ulimit to be able to load the eBPF file.
8 years ago
/* Sending the eBPF code to the kernel requires a large amount of
* locked memory so we set it to unlimited to avoid a ENOPERM error */
struct rlimit r = {RLIM_INFINITY, RLIM_INFINITY};
if (setrlimit(RLIMIT_MEMLOCK, &r) != 0) {
SCLogError(SC_ERR_MEM_ALLOC, "Unable to lock memory: %s (%d)",
strerror(errno), errno);
return -1;
}
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
bpfobj = bpf_object__open(path);
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
if (libbpf_get_error(bpfobj)) {
char err_buf[128];
libbpf_strerror(bpf__get_error(bpfobj), err_buf,
sizeof(err_buf));
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
SCLogError(SC_ERR_INVALID_VALUE,
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
"Unable to load eBPF objects in '%s': %s",
path, err_buf);
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
return -1;
}
bpf_object__for_each_program(bpfprog, bpfobj) {
const char *title = bpf_program__title(bpfprog, 0);
if (!strcmp(title, section)) {
af-packet: implementation of XDP bypass This patch adds support for XDP bypass. It provides an XDP filter that can be loaded to realize the bypass of flows.
8 years ago
if (flags & EBPF_SOCKET_FILTER) {
bpf_program__set_socket_filter(bpfprog);
} else {
bpf_program__set_xdp(bpfprog);
}
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
found = true;
break;
}
}
if (found == false) {
SCLogError(SC_ERR_INVALID_VALUE,
"No section '%s' in '%s' file. Will not be able to use the file",
section,
path);
return -1;
}
err = bpf_object__load(bpfobj);
if (err < 0) {
if (err == -EPERM) {
SCLogError(SC_ERR_MEM_ALLOC,
util-ebpf: add call to remove memlock limit Without that, user has to use ulimit to be able to load the eBPF file.
8 years ago
"Permission issue when loading eBPF object: "
"%s (%d)",
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
strerror(err),
err);
} else {
char buf[129];
libbpf_strerror(err, buf, sizeof(buf));
SCLogError(SC_ERR_INVALID_VALUE,
"Unable to load eBPF object: %s (%d)",
buf,
err);
}
return -1;
}
/* store the map in our array */
bpf_map__for_each(map, bpfobj) {
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
SCLogDebug("Got a map '%s' with fd '%d'", bpf_map__name(map), bpf_map__fd(map));
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
bpf_map_array[bpf_map_last].fd = bpf_map__fd(map);
bpf_map_array[bpf_map_last].name = SCStrdup(bpf_map__name(map));
if (!bpf_map_array[bpf_map_last].name) {
SCLogError(SC_ERR_MEM_ALLOC, "Unable to duplicate map name");
return -1;
}
bpf_map_last++;
if (bpf_map_last == BPF_MAP_MAX_COUNT) {
SCLogError(SC_ERR_NOT_SUPPORTED, "Too many BPF maps in eBPF files");
return -1;
}
}
pfd = bpf_program__fd(bpfprog);
if (pfd == -1) {
SCLogError(SC_ERR_INVALID_VALUE,
"Unable to find %s section", section);
return -1;
}
*val = pfd;
return 0;
}
af-packet: implementation of XDP bypass This patch adds support for XDP bypass. It provides an XDP filter that can be loaded to realize the bypass of flows.
8 years ago
int EBPFSetupXDP(const char *iface, int fd, uint8_t flags)
{
#ifdef HAVE_PACKET_XDP
unsigned int ifindex = if_nametoindex(iface);
if (ifindex == 0) {
SCLogError(SC_ERR_INVALID_VALUE,
"Unknown interface '%s'", iface);
return -1;
}
int err = bpf_set_link_xdp_fd(ifindex, fd, flags);
if (err != 0) {
char buf[129];
libbpf_strerror(err, buf, sizeof(buf));
SCLogError(SC_ERR_INVALID_VALUE, "Unable to set XDP on '%s': %s (%d)",
iface, buf, err);
return -1;
}
#endif
return 0;
}
flow-bypass: add abstraction layer The flow bypass thread can now be used by any capture method that register it timeout check function.
8 years ago
static int EBPFForEachFlowV4Table(const char *name,
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
int (*FlowCallback)(int fd, struct flowv4_keys *key, struct pair *value, void *data),
struct flows_stats *flowstats,
void *data)
{
int mapfd = EBPFGetMapFDByName(name);
struct flowv4_keys key = {}, next_key;
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
int found = 0;
unsigned int i;
unsigned int nr_cpus = UtilCpuGetNumProcessorsConfigured();
if (nr_cpus == 0) {
SCLogWarning(SC_ERR_INVALID_VALUE, "Unable to get CPU count");
return 0;
}
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
while (bpf_map_get_next_key(mapfd, &key, &next_key) == 0) {
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
int iret = 1;
af-packet: fix bypassing of IPv6 Also misc fixes.
8 years ago
uint64_t pkts_cnt = 0;
uint64_t bytes_cnt = 0;
struct pair values_array[nr_cpus];
memset(values_array, 0, sizeof(values_array));
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
bpf_map_lookup_elem(mapfd, &key, values_array);
for (i = 0; i < nr_cpus; i++) {
int ret = FlowCallback(mapfd, &key, &values_array[i], data);
if (ret) {
util-ebpf: fix ipv6 cleaning and add comments
8 years ago
/* no packet for the flow on this CPU, let's start accumulating
value we can compute the counters */
af-packet: fix bypassing of IPv6 Also misc fixes.
8 years ago
SCLogDebug("%d:%lu: Adding pkts %lu bytes %lu", i, values_array[i].time / 1000000000,
values_array[i].packets, values_array[i].bytes);
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
pkts_cnt += values_array[i].packets;
bytes_cnt += values_array[i].bytes;
} else {
util-ebpf: fix ipv6 cleaning and add comments
8 years ago
/* Packet seen on one CPU so we keep the flow */
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
iret = 0;
break;
}
}
util-ebpf: fix ipv6 cleaning and add comments
8 years ago
/* No packet seen, we discard the flow and do accounting */
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
if (iret) {
af-packet: fix bypassing of IPv6 Also misc fixes.
8 years ago
SCLogDebug("Got no packet for %d -> %d", key.port16[0], key.port16[1]);
SCLogDebug("Dead with pkts %lu bytes %lu", pkts_cnt, bytes_cnt);
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
flowstats->count++;
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
flowstats->packets += pkts_cnt;
flowstats->bytes += bytes_cnt;
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
found = 1;
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
EBPFDeleteKey(mapfd, &key);
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
}
key = next_key;
}
return found;
}
flow-bypass: add abstraction layer The flow bypass thread can now be used by any capture method that register it timeout check function.
8 years ago
static int EBPFForEachFlowV6Table(const char *name,
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
int (*FlowCallback)(int fd, struct flowv6_keys *key, struct pair *value, void *data),
struct flows_stats *flowstats,
void *data)
{
int mapfd = EBPFGetMapFDByName(name);
struct flowv6_keys key = {}, next_key;
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
int found = 0;
unsigned int i;
unsigned int nr_cpus = UtilCpuGetNumProcessorsConfigured();
if (nr_cpus == 0) {
SCLogWarning(SC_ERR_INVALID_VALUE, "Unable to get CPU count");
return 0;
}
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
while (bpf_map_get_next_key(mapfd, &key, &next_key) == 0) {
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
int iret = 1;
af-packet: fix bypassing of IPv6 Also misc fixes.
8 years ago
uint64_t pkts_cnt = 0;
uint64_t bytes_cnt = 0;
struct pair values_array[nr_cpus];
memset(values_array, 0, sizeof(values_array));
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
bpf_map_lookup_elem(mapfd, &key, values_array);
for (i = 0; i < nr_cpus; i++) {
int ret = FlowCallback(mapfd, &key, &values_array[i], data);
if (ret) {
pkts_cnt += values_array[i].packets;
bytes_cnt += values_array[i].bytes;
} else {
iret = 0;
break;
}
}
if (iret) {
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
flowstats->count++;
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
flowstats->packets += pkts_cnt;
flowstats->bytes += bytes_cnt;
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
found = 1;
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
EBPFDeleteKey(mapfd, &key);
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
}
key = next_key;
}
return found;
}
flow-bypass: add abstraction layer The flow bypass thread can now be used by any capture method that register it timeout check function.
8 years ago
static int EBPFBypassedFlowV4Timeout(int fd, struct flowv4_keys *key, struct pair *value, void *data)
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
{
flow-bypass: add abstraction layer The flow bypass thread can now be used by any capture method that register it timeout check function.
8 years ago
struct timespec *curtime = (struct timespec *)data;
SCLogDebug("Got curtime %" PRIu64 " and value %" PRIu64 " (sp:%d, dp:%d) %u",
curtime->tv_sec, value->time / 1000000000,
key->port16[0], key->port16[1], key->ip_proto
);
if (curtime->tv_sec - value->time / 1000000000 > BYPASSED_FLOW_TIMEOUT) {
SCLogDebug("Got no packet for %d -> %d at %" PRIu64,
key->port16[0], key->port16[1], value->time);
return 1;
}
return 0;
}
static int EBPFBypassedFlowV6Timeout(int fd, struct flowv6_keys *key, struct pair *value, void *data)
{
struct timespec *curtime = (struct timespec *)data;
SCLogDebug("Got curtime %" PRIu64 " and value %" PRIu64 " (sp:%d, dp:%d)",
curtime->tv_sec, value->time / 1000000000,
key->port16[0], key->port16[1]
);
if (curtime->tv_sec - value->time / 1000000000 > BYPASSED_FLOW_TIMEOUT) {
SCLogDebug("Got no packet for %d -> %d at %" PRIu64,
key->port16[0], key->port16[1], value->time);
return 1;
}
return 0;
}
int EBPFCheckBypassedFlowTimeout(struct flows_stats *bypassstats,
struct timespec *curtime)
{
struct flows_stats l_bypassstats = { 0, 0, 0};
int ret = 0;
int tcount = 0;
tcount = EBPFForEachFlowV4Table("flow_table_v4", EBPFBypassedFlowV4Timeout,
&l_bypassstats, curtime);
if (tcount) {
bypassstats->count = l_bypassstats.count;
bypassstats->packets = l_bypassstats.packets ;
bypassstats->bytes = l_bypassstats.bytes;
ret = 1;
}
memset(&l_bypassstats, 0, sizeof(l_bypassstats));
tcount = EBPFForEachFlowV6Table("flow_table_v6", EBPFBypassedFlowV6Timeout,
&l_bypassstats, curtime);
if (tcount) {
bypassstats->count += l_bypassstats.count;
bypassstats->packets += l_bypassstats.packets ;
bypassstats->bytes += l_bypassstats.bytes;
ret = 1;
}
return ret;
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
}
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
#endif