suricata/src/source-nfq.h

/* Copyright (C) 2007-2010 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
 */

#ifndef __SOURCE_NFQ_H__
#define __SOURCE_NFQ_H__

#ifdef NFQ

#include "threads.h"
#include <linux/netfilter.h>		/* for NF_ACCEPT */
#include <libnetfilter_queue/libnetfilter_queue.h>

// Netfilter's limit
#define NFQ_MAX_QUEUE 65535

/* idea: set the recv-thread id in the packet to
 * select an verdict-queue */

typedef struct NFQPacketVars_
{
    int id; /* this nfq packets id */
    uint16_t nfq_index; /* index in NFQ array */
    uint8_t verdicted;

    uint32_t mark;
    uint32_t ifi;
    uint32_t ifo;
    uint16_t hw_protocol;
} NFQPacketVars;

typedef struct NFQQueueVars_
{
    struct nfq_handle *h;
    struct nfnl_handle *nh;
    int fd;
    uint8_t use_mutex;
    /* 2 threads deal with the queue handle, so add a mutex */
    struct nfq_q_handle *qh;
    SCMutex mutex_qh;
    /* this one should be not changing after init */
    uint16_t queue_num;
    /* position into the NFQ queue var array */
    uint16_t nfq_index;

#ifdef DBG_PERF
    int dbg_maxreadsize;
#endif /* DBG_PERF */

    /* counters */
    uint32_t pkts;
    uint64_t bytes;
    uint32_t errs;
    uint32_t accepted;
    uint32_t dropped;
    uint32_t replaced;
    struct {
        uint32_t packet_id; /* id of last processed packet */
        uint32_t verdict;
        uint32_t mark;
        uint8_t mark_valid:1;
        uint8_t len;
        uint8_t maxlen;
    } verdict_cache;

} NFQQueueVars;

typedef struct NFQGlobalVars_
{
    char unbind;
} NFQGlobalVars;

void NFQInitConfig(char quiet);
int NFQRegisterQueue(const uint16_t number);
int NFQParseAndRegisterQueues(const char *queues);
int NFQGetQueueCount(void);
void *NFQGetQueue(int number);
int NFQGetQueueNum(int number);
void *NFQGetThread(int number);
void NFQContextsClean(void);
#endif /* NFQ */
#endif /* __SOURCE_NFQ_H__ */
GPL and Copyright header updates. 15 years ago			`/* Copyright (C) 2007-2010 Open Information Security Foundation`
Import of GPLv2 Header 050410 15 years ago			`*`
			`* You can copy, redistribute or modify this Program under the terms of`
			`* the GNU General Public License version 2 as published by the Free`
			`* Software Foundation.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
			`* version 2 along with this program; if not, write to the Free Software`
			`* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA`
			`* 02110-1301, USA.`
			`*/`

			`/**`
			`* \file`
			`*`
			`* \author Victor Julien <victor@inliniac.net>`
			`*/`
Initial add of the files. 17 years ago
			`#ifndef __SOURCE_NFQ_H__`
			`#define __SOURCE_NFQ_H__`

Made NFQ optional via --enable-nfqueue, --enable-logsigs will now load local.rules in the path other fixes 16 years ago			`#ifdef NFQ`
Slightly moved around the NFQ define a bit. 16 years ago
Adding support for Mac OS X, FreeBSD, centrailizing mutex/spins/conditions in a macro API, and some unittests 15 years ago			`#include "threads.h"`
Initial add of the files. 17 years ago			`#include <linux/netfilter.h> /* for NF_ACCEPT */`
			`#include <libnetfilter_queue/libnetfilter_queue.h>`

source-nfq: increase maximum queues number to 65535 Previously this was limited to 16, however Netfilter allows up to 65535 queues. Suricata now is able to create as many queues as possible, but at the same time warns user if one specifies more queues than available CPU cores. This change involves dynamic (de)allocation of NFQ contexts instead of on-stack arrays to use less memory. 6 years ago			`// Netfilter's limit`
			`#define NFQ_MAX_QUEUE 65535`
Source NFQ update... less hackish, but still needs work as soon as we know how to do configuration. 17 years ago
Initial add of the files. 17 years ago			`/* idea: set the recv-thread id in the packet to`
			`* select an verdict-queue */`

Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore. 16 years ago			`typedef struct NFQPacketVars_`
Initial add of the files. 17 years ago			`{`
New approach to tunnel decoding. 17 years ago			`int id; /* this nfq packets id */`
Prepare multi queue support in NFQ This patch prepare support for multiqueue in the source file. The NFQ vars contained in Packet structure has a new member. It is a reference to the NFQ thread var it comes from. The behaviour is modified as a single verdict thread treat packet for all Netfilter queues. Locking is done in the verdict function to ensure that simultaneous modifications of counters can not occur. Signed-off-by: Eric Leblond <eric@regit.org> 14 years ago			`uint16_t nfq_index; /* index in NFQ array */`
nfq: be sure to always verdict packets To be sure to always verdict packets (bug #769), this patch adds a ReleaseData function to NFQ packets. The release function simply drop the packet if it has not been verdicted before. 12 years ago			`uint8_t verdicted;`
New approach to tunnel decoding. 17 years ago
64 bit cleanup part2 16 years ago			`uint32_t mark;`
			`uint32_t ifi;`
			`uint32_t ifo;`
			`uint16_t hw_protocol;`
Initial add of the files. 17 years ago			`} NFQPacketVars;`

Prepare multi queue support in NFQ This patch prepare support for multiqueue in the source file. The NFQ vars contained in Packet structure has a new member. It is a reference to the NFQ thread var it comes from. The behaviour is modified as a single verdict thread treat packet for all Netfilter queues. Locking is done in the verdict function to ensure that simultaneous modifications of counters can not occur. Signed-off-by: Eric Leblond <eric@regit.org> 14 years ago			`typedef struct NFQQueueVars_`
Initial add of the files. 17 years ago			`{`
			`struct nfq_handle *h;`
			`struct nfnl_handle *nh;`
Added inline mode support on Windows 15 years ago			`int fd;`
nfq: do not use mutex in 'worker' mode Using a mutex on the queue handle is not necessary in 'worker' mode as there is no concurrent access to it. 13 years ago			`uint8_t use_mutex;`
Initial add of the files. 17 years ago			`/* 2 threads deal with the queue handle, so add a mutex */`
			`struct nfq_q_handle *qh;`
Changing mutex/spinlocks/conditions naming types 15 years ago			`SCMutex mutex_qh;`
Initial add of the files. 17 years ago			`/* this one should be not changing after init */`
64 bit cleanup part2 16 years ago			`uint16_t queue_num;`
Prepare multi queue support in NFQ This patch prepare support for multiqueue in the source file. The NFQ vars contained in Packet structure has a new member. It is a reference to the NFQ thread var it comes from. The behaviour is modified as a single verdict thread treat packet for all Netfilter queues. Locking is done in the verdict function to ensure that simultaneous modifications of counters can not occur. Signed-off-by: Eric Leblond <eric@regit.org> 14 years ago			`/* position into the NFQ queue var array */`
			`uint16_t nfq_index;`
Added inline mode support on Windows 15 years ago
Initial add of the files. 17 years ago			`#ifdef DBG_PERF`
			`int dbg_maxreadsize;`
			`#endif /* DBG_PERF */`

			`/* counters */`
64 bit cleanup part2 16 years ago			`uint32_t pkts;`
			`uint64_t bytes;`
			`uint32_t errs;`
			`uint32_t accepted;`
			`uint32_t dropped;`
Add a counter to NFQ for modified packets. 14 years ago			`uint32_t replaced;`
nfq: add support for batch verdicts Normally, there is one verdict per packet, i.e., we receive a packet, process it, and then tell the kernel what to do with that packet (eg. DROP or ACCEPT). recv(), packet id x send verdict v, packet id x recv(), packet id x+1 send verdict v, packet id x+1 [..] recv(), packet id x+n send verdict v, packet id x+n An alternative is to process several packets from the queue, and then send a batch-verdict. recv(), packet id x recv(), packet id x+1 [..] recv(), packet id x+n send batch verdict v, packet id x+n A batch verdict affects all previous packets (packet_id <= x+n), we thus only need to remember the last packet_id seen. Caveats: - can't modify payload - verdict is applied to all packets - nfmark (if set) will be set for all packets - increases latency (packets remain queued by the kernel until batch verdict is sent). To solve this, we only defer verdict for up to 20 packets and send pending batch-verdict immediately if: - no packets are currently queue - current packet should be dropped - current packet has different nfmark - payload of packet was modified This patch adds a configurable batch verdict support for workers runmode. The batch verdicts are turned off by default. Problem is that batch verdicts only work with kernels >= 3.1, i.e. using newer libnetfilter_queue with an old kernel means non-working suricata. So the functionnality has to be disabled by default. 12 years ago			`struct {`
			`uint32_t packet_id; /* id of last processed packet */`
			`uint32_t verdict;`
			`uint32_t mark;`
			`uint8_t mark_valid:1;`
			`uint8_t len;`
			`uint8_t maxlen;`
			`} verdict_cache;`
Initial add of the files. 17 years ago
Prepare multi queue support in NFQ This patch prepare support for multiqueue in the source file. The NFQ vars contained in Packet structure has a new member. It is a reference to the NFQ thread var it comes from. The behaviour is modified as a single verdict thread treat packet for all Netfilter queues. Locking is done in the verdict function to ensure that simultaneous modifications of counters can not occur. Signed-off-by: Eric Leblond <eric@regit.org> 14 years ago			`} NFQQueueVars;`

Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore. 16 years ago			`typedef struct NFQGlobalVars_`
Initial add of the files. 17 years ago			`{`
			`char unbind;`
			`} NFQGlobalVars;`

source-nfq: add simulated non-terminal NFQUEUE verdict This patch adds a new mode for NFQ inline mode. The idea is to simulate a non final NFQUEUE rules. This permit to do send all needed packets to suricata via a simple FORWARD rule: iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE And below, we have a standard filtering ruleset. To do so, suricata issues a NF_REPEAT instead of a NF_ACCEPT verdict and put a mark ($MARK) with respect to a mask ($MASK) on the handled packet. NF_REPEAT verdict has for effect to have the packet reinjected at start of the hook after the verdict. As it has been marked by suricata during the verdict it will not rematch the initial rules and make his way to the following classical ruleset. Mode, mark and mask can be configured via suricata.yaml file with the following syntax: nfq: repeat_mode: (false\|true) mark: $MARK mask: $MASK Default is false to preserve backward compatibility. Signed-off-by: Eric Leblond <eric@regit.org> 14 years ago			`void NFQInitConfig(char quiet);`
source-nfq: support queue range If one needs to use multiple sequential Netfilter queues, it can be done with a new '-q' option's syntax: "start:end" (just like it's done with iptables '--queue-balance' option). 6 years ago			`int NFQRegisterQueue(const uint16_t number);`
			`int NFQParseAndRegisterQueues(const char *queues);`
Prepare multi queue support in NFQ This patch prepare support for multiqueue in the source file. The NFQ vars contained in Packet structure has a new member. It is a reference to the NFQ thread var it comes from. The behaviour is modified as a single verdict thread treat packet for all Netfilter queues. Locking is done in the verdict function to ensure that simultaneous modifications of counters can not occur. Signed-off-by: Eric Leblond <eric@regit.org> 14 years ago			`int NFQGetQueueCount(void);`
			`void *NFQGetQueue(int number);`
			`int NFQGetQueueNum(int number);`
			`void *NFQGetThread(int number);`
Bug 2857: NFQ ASAN 'heap-use-after-free' error. Global NFQ contexts were not freed properly causing 'use-after-free' error. Moving contexts cleanup to a separate NFQContextsCleanup() and calling it from GlobalsDestroy(), like it's done for AFPacket, solves the problem. 6 years ago			`void NFQContextsClean(void);`
Slightly moved around the NFQ define a bit. 16 years ago			`#endif /* NFQ */`
Initial add of the files. 17 years ago			`#endif /* __SOURCE_NFQ_H__ */`