aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7f60be83f5'
${ noResults }
suricata/src/util-ebpf.c

897 lines
29 KiB
C
Raw Normal View History Unescape Escape

af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
/* Copyright (C) 2018 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \ingroup afppacket
*
* @{
*/
/**
* \file
*
* \author Eric Leblond <eric@regit.org>
*
* eBPF utility
*
*/
#define PCAP_DONT_INCLUDE_PCAP_BPF_H 1
#define SC_PCAP_DONT_INCLUDE_PCAP_H 1
#include "suricata-common.h"
flow-bypass: add abstraction layer The flow bypass thread can now be used by any capture method that register it timeout check function.
8 years ago
#include "flow-bypass.h"
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
#ifdef HAVE_PACKET_EBPF
util-ebpf: add call to remove memlock limit Without that, user has to use ulimit to be able to load the eBPF file.
8 years ago
#include <sys/time.h>
#include <sys/resource.h>
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
#include "util-ebpf.h"
#include "util-cpu.h"
af-packet: add support for multi iface bypass
8 years ago
#include "util-device.h"
#include "device-storage.h"
af-packet: XDP bypass in IPS mode Implement XDP bypass in IPS mode by using XDP redirect to send packets from bypassed flow directly to the transmission interface.
8 years ago
#include "flow-storage.h"
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
#include "flow.h"
#include "flow-hash.h"
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
#include <bpf/libbpf.h>
#include <bpf/bpf.h>
af-packet: implementation of XDP bypass This patch adds support for XDP bypass. It provides an XDP filter that can be loaded to realize the bypass of flows.
8 years ago
#include <net/if.h>
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
#include "config.h"
#define BPF_MAP_MAX_COUNT 16
flow-bypass: add abstraction layer The flow bypass thread can now be used by any capture method that register it timeout check function.
8 years ago
#define BYPASSED_FLOW_TIMEOUT 60
af-packet: add support for multi iface bypass
8 years ago
static int g_livedev_storage_id = -1;
af-packet: XDP bypass in IPS mode Implement XDP bypass in IPS mode by using XDP redirect to send packets from bypassed flow directly to the transmission interface.
8 years ago
static int g_flow_storage_id = -1;
af-packet: add support for multi iface bypass
8 years ago
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
struct bpf_map_item {
util-ebpf: pin the maps By pinning the maps we are creating a file in /sys/fs/bpf that can be used by external program to access the map. This has multiple benefits such as handling list from an external program. The pinned maps could be persistent accross Suricata reload but this can be complicated in term of handling everything in the life of Suricata.
7 years ago
char iface[IFNAMSIZ];
af-packet: add support for multi iface bypass
8 years ago
char * name;
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
int fd;
util-ebpf: only unlink pinned maps in eBPF filter
7 years ago
uint8_t unlink;
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
};
af-packet: add support for multi iface bypass
8 years ago
struct bpf_maps_info {
struct bpf_map_item array[BPF_MAP_MAX_COUNT];
util-ebpf: add bypassed counters Use LiveDevice bypassed counter and also add hash size counters for the v4 and v6 flow table.
8 years ago
SC_ATOMIC_DECLARE(uint64_t, ipv4_hash_count);
SC_ATOMIC_DECLARE(uint64_t, ipv6_hash_count);
af-packet: add support for multi iface bypass
8 years ago
int last;
};
util-ebpf: suppress spaces at end of line
7 years ago
typedef struct BypassedIfaceList_ {
af-packet: XDP bypass in IPS mode Implement XDP bypass in IPS mode by using XDP redirect to send packets from bypassed flow directly to the transmission interface.
8 years ago
LiveDevice *dev;
struct BypassedIfaceList_ *next;
} BypassedIfaceList;
af-packet: add support for multi iface bypass
8 years ago
static void BpfMapsInfoFree(void *bpf)
{
struct bpf_maps_info *bpfinfo = (struct bpf_maps_info *)bpf;
int i;
for (i = 0; i < bpfinfo->last; i ++) {
if (bpfinfo->array[i].name) {
util-ebpf: only unlink pinned maps in eBPF filter
7 years ago
if (bpfinfo->array[i].unlink) {
char pinnedpath[1024];
snprintf(pinnedpath, sizeof(pinnedpath),
"/sys/fs/bpf/suricata-%s-%s",
bpfinfo->array[i].iface,
bpfinfo->array[i].name);
/* Unlink the pinned entry */
unlink(pinnedpath);
}
af-packet: add support for multi iface bypass
8 years ago
SCFree(bpfinfo->array[i].name);
}
}
SCFree(bpfinfo);
}
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
af-packet: XDP bypass in IPS mode Implement XDP bypass in IPS mode by using XDP redirect to send packets from bypassed flow directly to the transmission interface.
8 years ago
static void BypassedListFree(void *ifl)
{
BypassedIfaceList *mifl = (BypassedIfaceList *)ifl;
BypassedIfaceList *nifl;
while (mifl) {
nifl = mifl->next;
SCFree(mifl);
mifl = nifl;
}
}
flow-bypass: add abstraction layer The flow bypass thread can now be used by any capture method that register it timeout check function.
8 years ago
static void EBPFDeleteKey(int fd, void *key)
{
bpf_map_delete_elem(fd, key);
}
af-packet: add support for multi iface bypass
8 years ago
static struct bpf_maps_info *EBPFGetBpfMap(const char *iface)
{
LiveDevice *livedev = LiveGetDevice(iface);
if (livedev == NULL)
return NULL;
void *data = LiveDevGetStorageById(livedev, g_livedev_storage_id);
return (struct bpf_maps_info *)data;
}
af-packet: add comments to eBPF/XDP code
8 years ago
/**
* Get file descriptor of a map in the scope of a interface
*
* \param iface the interface where the map need to be looked for
* \param name the name of the map
* \return the file descriptor or -1 in case of error
*/
af-packet: add support for multi iface bypass
8 years ago
int EBPFGetMapFDByName(const char *iface, const char *name)
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
{
int i;
af-packet: add support for multi iface bypass
8 years ago
if (iface == NULL || name == NULL)
return -1;
struct bpf_maps_info *bpf_maps = EBPFGetBpfMap(iface);
if (bpf_maps == NULL)
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
return -1;
af-packet: add support for multi iface bypass
8 years ago
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
for (i = 0; i < BPF_MAP_MAX_COUNT; i++) {
af-packet: add support for multi iface bypass
8 years ago
if (!bpf_maps->array[i].name)
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
continue;
af-packet: add support for multi iface bypass
8 years ago
if (!strcmp(bpf_maps->array[i].name, name)) {
SCLogDebug("Got fd %d for eBPF map '%s'", bpf_maps->array[i].fd, name);
return bpf_maps->array[i].fd;
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
}
}
util-ebpf: implement pinned maps loading Load flow tables at start if asked to.
7 years ago
/* Fallback by getting pinned maps ? */
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
return -1;
}
util-ebpf: implement pinned maps loading Load flow tables at start if asked to.
7 years ago
static int EBPFLoadPinnedMapsFile(LiveDevice *livedev, const char *file)
{
char pinnedpath[1024];
snprintf(pinnedpath, sizeof(pinnedpath),
"/sys/fs/bpf/suricata-%s-%s",
livedev->dev,
file);
return bpf_obj_get(pinnedpath);
}
af-packet: implement pinned-maps-name
7 years ago
static int EBPFLoadPinnedMaps(LiveDevice *livedev, struct ebpf_timeout_config *config)
util-ebpf: implement pinned maps loading Load flow tables at start if asked to.
7 years ago
{
int fd_v4 = -1, fd_v6 = -1;
af-packet: implement pinned-maps-name
7 years ago
/* First try to load the eBPF check map and return if found */
if (config->pinned_maps_name) {
int ret = -1;
ret = EBPFLoadPinnedMapsFile(livedev, config->pinned_maps_name);
if (ret == 0) {
/* pinned maps found, let's just exit as XDP filter is in place */
return ret;
}
}
util-ebpf: conditional flow table loading
7 years ago
if (config->mode == AFP_MODE_XDP_BYPASS) {
/* Get flow v4 table */
fd_v4 = EBPFLoadPinnedMapsFile(livedev, "flow_table_v4");
if (fd_v4 < 0) {
return fd_v4;
}
util-ebpf: implement pinned maps loading Load flow tables at start if asked to.
7 years ago
util-ebpf: conditional flow table loading
7 years ago
/* Get flow v6 table */
fd_v6 = EBPFLoadPinnedMapsFile(livedev, "flow_table_v6");
if (fd_v6 < 0) {
SCLogWarning(SC_ERR_INVALID_ARGUMENT,
"Found a flow_table_v4 map but no flow_table_v6 map");
return fd_v6;
}
util-ebpf: implement pinned maps loading Load flow tables at start if asked to.
7 years ago
}
struct bpf_maps_info *bpf_map_data = SCCalloc(1, sizeof(*bpf_map_data));
if (bpf_map_data == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Can't allocate bpf map array");
return -1;
}
SC_ATOMIC_INIT(bpf_map_data->ipv4_hash_count);
SC_ATOMIC_INIT(bpf_map_data->ipv6_hash_count);
util-ebpf: conditional flow table loading
7 years ago
if (config->mode == AFP_MODE_XDP_BYPASS) {
bpf_map_data->array[0].fd = fd_v4;
bpf_map_data->array[0].name = SCStrdup("flow_table_v4");
bpf_map_data->array[1].fd = fd_v6;
bpf_map_data->array[1].name = SCStrdup("flow_table_v6");
bpf_map_data->last = 2;
} else {
bpf_map_data->last = 0;
}
/* Load other known maps: cpu_map, cpus_available, tx_peer, tx_peer_int */
int fd = EBPFLoadPinnedMapsFile(livedev, "cpu_map");
if (fd >= 0) {
bpf_map_data->array[bpf_map_data->last].fd = fd;
bpf_map_data->array[bpf_map_data->last].name = SCStrdup("cpu_map");
bpf_map_data->last++;
}
fd = EBPFLoadPinnedMapsFile(livedev, "cpus_available");
if (fd >= 0) {
bpf_map_data->array[bpf_map_data->last].fd = fd;
bpf_map_data->array[bpf_map_data->last].name = SCStrdup("cpus_available");
bpf_map_data->last++;
}
fd = EBPFLoadPinnedMapsFile(livedev, "tx_peer");
if (fd >= 0) {
bpf_map_data->array[bpf_map_data->last].fd = fd;
bpf_map_data->array[bpf_map_data->last].name = SCStrdup("tx_peer");
bpf_map_data->last++;
}
fd = EBPFLoadPinnedMapsFile(livedev, "tx_peer_int");
if (fd >= 0) {
bpf_map_data->array[bpf_map_data->last].fd = fd;
bpf_map_data->array[bpf_map_data->last].name = SCStrdup("tx_peer_int");
bpf_map_data->last++;
}
af-packet: implement pinned-maps-name
7 years ago
/* Attach the bpf_maps_info to the LiveDevice via the device storage */
LiveDevSetStorageById(livedev, g_livedev_storage_id, bpf_map_data);
util-ebpf: implement pinned maps loading Load flow tables at start if asked to.
7 years ago
return 0;
}
util-ebpf: suppress spaces at end of line
7 years ago
/**
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
* Load a section of an eBPF file
*
* This function loads a section inside an eBPF and return
af-packet: add comments to eBPF/XDP code
8 years ago
* via the parameter val the file descriptor that will be used to
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
* inject the eBPF code into the kernel via a syscall.
*
* \param path the path of the eBPF file to load
* \param section the section in the eBPF file to load
* \param val a pointer to an integer that will be the file desc
util-ebpf: change return of pinned maps loading The calling function needs to be able to see when this is a success and XDP do not need to be reloaded.
7 years ago
* \return -1 in case of error, 0 in case of success, 1 if pinned maps is loaded
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
*/
af-packet: add support for multi iface bypass
8 years ago
int EBPFLoadFile(const char *iface, const char *path, const char * section,
af-packet: implement pinned-maps-name
7 years ago
int *val, struct ebpf_timeout_config *config)
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
{
int err, pfd;
bool found = false;
struct bpf_object *bpfobj = NULL;
struct bpf_program *bpfprog = NULL;
struct bpf_map *map = NULL;
af-packet: add support for multi iface bypass
8 years ago
if (iface == NULL)
return -1;
LiveDevice *livedev = LiveGetDevice(iface);
if (livedev == NULL)
return -1;
util-ebpf: change return of pinned maps loading The calling function needs to be able to see when this is a success and XDP do not need to be reloaded.
7 years ago
if (config->flags & EBPF_XDP_CODE && config->flags & EBPF_PINNED_MAPS) {
util-ebpf: implement pinned maps loading Load flow tables at start if asked to.
7 years ago
/* We try to get our flow table maps and if we have them we can simply return */
af-packet: implement pinned-maps-name
7 years ago
if (EBPFLoadPinnedMaps(livedev, config) == 0) {
util-ebpf: change return of pinned maps loading The calling function needs to be able to see when this is a success and XDP do not need to be reloaded.
7 years ago
return 1;
util-ebpf: implement pinned maps loading Load flow tables at start if asked to.
7 years ago
}
}
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
if (! path) {
SCLogError(SC_ERR_INVALID_VALUE, "No file defined to load eBPF from");
return -1;
}
util-ebpf: add call to remove memlock limit Without that, user has to use ulimit to be able to load the eBPF file.
8 years ago
/* Sending the eBPF code to the kernel requires a large amount of
* locked memory so we set it to unlimited to avoid a ENOPERM error */
struct rlimit r = {RLIM_INFINITY, RLIM_INFINITY};
if (setrlimit(RLIMIT_MEMLOCK, &r) != 0) {
SCLogError(SC_ERR_MEM_ALLOC, "Unable to lock memory: %s (%d)",
strerror(errno), errno);
return -1;
}
af-packet: add comments to eBPF/XDP code
8 years ago
/* Open the eBPF file and parse it */
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
bpfobj = bpf_object__open(path);
util-ebpf: fix libbpf error handling
8 years ago
long error = libbpf_get_error(bpfobj);
if (error) {
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
char err_buf[128];
util-ebpf: fix libbpf error handling
8 years ago
libbpf_strerror(error, err_buf,
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
sizeof(err_buf));
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
SCLogError(SC_ERR_INVALID_VALUE,
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
"Unable to load eBPF objects in '%s': %s",
path, err_buf);
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
return -1;
}
af-packet: add comments to eBPF/XDP code
8 years ago
/* Let's check that our section is here */
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
bpf_object__for_each_program(bpfprog, bpfobj) {
const char *title = bpf_program__title(bpfprog, 0);
if (!strcmp(title, section)) {
af-packet: implement pinned-maps-name
7 years ago
if (config->flags & EBPF_SOCKET_FILTER) {
af-packet: implementation of XDP bypass This patch adds support for XDP bypass. It provides an XDP filter that can be loaded to realize the bypass of flows.
8 years ago
bpf_program__set_socket_filter(bpfprog);
} else {
bpf_program__set_xdp(bpfprog);
}
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
found = true;
break;
}
}
if (found == false) {
SCLogError(SC_ERR_INVALID_VALUE,
"No section '%s' in '%s' file. Will not be able to use the file",
section,
path);
return -1;
}
err = bpf_object__load(bpfobj);
if (err < 0) {
if (err == -EPERM) {
SCLogError(SC_ERR_MEM_ALLOC,
util-ebpf: add call to remove memlock limit Without that, user has to use ulimit to be able to load the eBPF file.
8 years ago
"Permission issue when loading eBPF object: "
"%s (%d)",
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
strerror(err),
err);
} else {
char buf[129];
libbpf_strerror(err, buf, sizeof(buf));
SCLogError(SC_ERR_INVALID_VALUE,
"Unable to load eBPF object: %s (%d)",
buf,
err);
}
return -1;
}
af-packet: add comments to eBPF/XDP code
8 years ago
/* Kernel and userspace are sharing data via map. Userspace access to the
* map via a file descriptor. So we need to store the map to fd info. For
* that we use bpf_maps_info:: */
af-packet: add support for multi iface bypass
8 years ago
struct bpf_maps_info *bpf_map_data = SCCalloc(1, sizeof(*bpf_map_data));
if (bpf_map_data == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Can't allocate bpf map array");
return -1;
}
util-ebpf: add bypassed counters Use LiveDevice bypassed counter and also add hash size counters for the v4 and v6 flow table.
8 years ago
SC_ATOMIC_INIT(bpf_map_data->ipv4_hash_count);
SC_ATOMIC_INIT(bpf_map_data->ipv6_hash_count);
af-packet: add support for multi iface bypass
8 years ago
af-packet: add comments to eBPF/XDP code
8 years ago
/* Store the maps in bpf_maps_info:: */
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
bpf_map__for_each(map, bpfobj) {
af-packet: add support for multi iface bypass
8 years ago
if (bpf_map_data->last == BPF_MAP_MAX_COUNT) {
SCLogError(SC_ERR_NOT_SUPPORTED, "Too many BPF maps in eBPF files");
break;
}
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
SCLogDebug("Got a map '%s' with fd '%d'", bpf_map__name(map), bpf_map__fd(map));
af-packet: add support for multi iface bypass
8 years ago
bpf_map_data->array[bpf_map_data->last].fd = bpf_map__fd(map);
bpf_map_data->array[bpf_map_data->last].name = SCStrdup(bpf_map__name(map));
util-ebpf: pin the maps By pinning the maps we are creating a file in /sys/fs/bpf that can be used by external program to access the map. This has multiple benefits such as handling list from an external program. The pinned maps could be persistent accross Suricata reload but this can be complicated in term of handling everything in the life of Suricata.
7 years ago
snprintf(bpf_map_data->array[bpf_map_data->last].iface, IFNAMSIZ,
"%s", iface);
af-packet: add support for multi iface bypass
8 years ago
if (!bpf_map_data->array[bpf_map_data->last].name) {
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
SCLogError(SC_ERR_MEM_ALLOC, "Unable to duplicate map name");
af-packet: add support for multi iface bypass
8 years ago
BpfMapsInfoFree(bpf_map_data);
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
return -1;
}
util-ebpf: only unlink pinned maps in eBPF filter
7 years ago
bpf_map_data->array[bpf_map_data->last].unlink = 0;
af-packet: implement pinned-maps-name
7 years ago
if (config->flags & EBPF_PINNED_MAPS) {
util-ebpf: conditional pinning of maps Only pin maps if `pinned-maps` is set in the configuration. This ensure backward compatibility.
7 years ago
SCLogNotice("Pinning: %d to %s", bpf_map_data->array[bpf_map_data->last].fd,
util-ebpf: pin the maps By pinning the maps we are creating a file in /sys/fs/bpf that can be used by external program to access the map. This has multiple benefits such as handling list from an external program. The pinned maps could be persistent accross Suricata reload but this can be complicated in term of handling everything in the life of Suricata.
7 years ago
bpf_map_data->array[bpf_map_data->last].name);
util-ebpf: conditional pinning of maps Only pin maps if `pinned-maps` is set in the configuration. This ensure backward compatibility.
7 years ago
char buf[1024];
snprintf(buf, sizeof(buf), "/sys/fs/bpf/suricata-%s-%s", iface,
bpf_map_data->array[bpf_map_data->last].name);
int ret = bpf_obj_pin(bpf_map_data->array[bpf_map_data->last].fd, buf);
if (ret != 0) {
SCLogError(SC_ERR_AFP_CREATE, "Can not pin: %s", strerror(errno));
}
util-ebpf: only unlink pinned maps in eBPF filter
7 years ago
/* Don't unlink pinned maps in XDP mode to avoid a state reset */
af-packet: implement pinned-maps-name
7 years ago
if (config->flags & EBPF_XDP_CODE) {
util-ebpf: only unlink pinned maps in eBPF filter
7 years ago
bpf_map_data->array[bpf_map_data->last].unlink = 0;
} else {
bpf_map_data->array[bpf_map_data->last].unlink = 1;
}
util-ebpf: pin the maps By pinning the maps we are creating a file in /sys/fs/bpf that can be used by external program to access the map. This has multiple benefits such as handling list from an external program. The pinned maps could be persistent accross Suricata reload but this can be complicated in term of handling everything in the life of Suricata.
7 years ago
}
af-packet: add support for multi iface bypass
8 years ago
bpf_map_data->last++;
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
}
af-packet: add comments to eBPF/XDP code
8 years ago
/* Attach the bpf_maps_info to the LiveDevice via the device storage */
af-packet: add support for multi iface bypass
8 years ago
LiveDevSetStorageById(livedev, g_livedev_storage_id, bpf_map_data);
af-packet: add comments to eBPF/XDP code
8 years ago
/* Finally we get the file descriptor for our eBPF program. We will use
* the fd to attach the program to the socket (eBPF case) or to the device
* (XDP case). */
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
pfd = bpf_program__fd(bpfprog);
if (pfd == -1) {
SCLogError(SC_ERR_INVALID_VALUE,
"Unable to find %s section", section);
return -1;
}
*val = pfd;
return 0;
}
af-packet: add comments to eBPF/XDP code
8 years ago
/**
* Attach a XDP program identified by its file descriptor to a device
util-ebpf: suppress spaces at end of line
7 years ago
*
af-packet: add comments to eBPF/XDP code
8 years ago
* \param iface the name of interface
* \param fd the eBPF/XDP program file descriptor
util-ebpf: suppress spaces at end of line
7 years ago
* \param a flag to pass to attach function mostly used to set XDP mode
af-packet: add comments to eBPF/XDP code
8 years ago
* \return -1 in case of error, 0 if success
*/
af-packet: implementation of XDP bypass This patch adds support for XDP bypass. It provides an XDP filter that can be loaded to realize the bypass of flows.
8 years ago
int EBPFSetupXDP(const char *iface, int fd, uint8_t flags)
{
#ifdef HAVE_PACKET_XDP
unsigned int ifindex = if_nametoindex(iface);
if (ifindex == 0) {
SCLogError(SC_ERR_INVALID_VALUE,
"Unknown interface '%s'", iface);
return -1;
}
int err = bpf_set_link_xdp_fd(ifindex, fd, flags);
if (err != 0) {
char buf[129];
libbpf_strerror(err, buf, sizeof(buf));
SCLogError(SC_ERR_INVALID_VALUE, "Unable to set XDP on '%s': %s (%d)",
iface, buf, err);
return -1;
}
#endif
return 0;
}
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
static int EBPFUpdateFlowForKey(struct flows_stats *flowstats, FlowKey *flow_key,
uint32_t hash, uint64_t pkts_cnt, uint64_t bytes_cnt)
util-ebpf: simplify code cleaning Avoid to use an unnecessary callback strategy as the purpose of the function using the callback is hardcoded.
8 years ago
{
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
Flow *f = FlowGetExistingFlowFromHash(flow_key, hash);
if (f != NULL) {
SCLogDebug("bypassed flow found %d -> %d, doing accounting",
f->sp, f->dp);
if (flow_key->sp == f->sp) {
if (pkts_cnt != f->todstpktcnt) {
f->todstpktcnt = pkts_cnt;
f->todstbytecnt = bytes_cnt;
/* interval based so no meaning to update the millisecond.
* Let's keep it fast and simple */
f->lastts.tv_sec = time(NULL);
}
} else {
if (pkts_cnt != f->tosrcpktcnt) {
f->tosrcpktcnt = pkts_cnt;
f->tosrcbytecnt = bytes_cnt;
f->lastts.tv_sec = time(NULL);
}
}
FLOWLOCK_UNLOCK(f);
return 0;
} else {
/* Flow has disappeared so it has been removed due to timeout.
* We discard the flow and do accounting */
SCLogDebug("No flow for %d -> %d", flow_key->sp, flow_key->dp);
SCLogDebug("Dead with pkts %lu bytes %lu", pkts_cnt, bytes_cnt);
flowstats->count++;
flowstats->packets += pkts_cnt;
flowstats->bytes += bytes_cnt;
return pkts_cnt;
util-ebpf: simplify code cleaning Avoid to use an unnecessary callback strategy as the purpose of the function using the callback is hardcoded.
8 years ago
}
}
af-packet: add comments to eBPF/XDP code
8 years ago
/**
* Bypassed flows cleaning for IPv4
*
* This function iterates on all the flows of the IPv4 table
* looking for timeouted flow to delete from the flow table.
*/
util-ebpf: add bypassed counters Use LiveDevice bypassed counter and also add hash size counters for the v4 and v6 flow table.
8 years ago
static int EBPFForEachFlowV4Table(LiveDevice *dev, const char *name,
util-ebpf: simplify code cleaning Avoid to use an unnecessary callback strategy as the purpose of the function using the callback is hardcoded.
8 years ago
struct flows_stats *flowstats,
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
struct timespec *ctime,
struct ebpf_timeout_config *tcfg)
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
{
util-ebpf: add bypassed counters Use LiveDevice bypassed counter and also add hash size counters for the v4 and v6 flow table.
8 years ago
int mapfd = EBPFGetMapFDByName(dev->dev, name);
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
struct flowv4_keys key = {}, next_key;
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
int found = 0;
unsigned int i;
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
uint64_t hash_cnt = 0;
if (tcfg->cpus_count == 0) {
SCLogWarning(SC_ERR_INVALID_VALUE, "CPU count should not be 0");
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
return 0;
}
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
while (bpf_map_get_next_key(mapfd, &key, &next_key) == 0) {
af-packet: fix bypassing of IPv6 Also misc fixes.
8 years ago
uint64_t pkts_cnt = 0;
uint64_t bytes_cnt = 0;
util-ebpf: add bypassed counters Use LiveDevice bypassed counter and also add hash size counters for the v4 and v6 flow table.
8 years ago
hash_cnt++;
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
/* We use a per CPU structure so we will get a array of values. But if nr_cpus
* is 1 then we have a global hash. */
struct pair values_array[tcfg->cpus_count];
af-packet: fix bypassing of IPv6 Also misc fixes.
8 years ago
memset(values_array, 0, sizeof(values_array));
util-ebpf: fix loop on maps We were missing the last element of the map by working on previous key instead of current key.
7 years ago
int res = bpf_map_lookup_elem(mapfd, &next_key, values_array);
util-ebpf: add error handling in hash value fetch
8 years ago
if (res < 0) {
SCLogDebug("no entry in v4 table for %d -> %d", key.port16[0], key.port16[1]);
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
SCLogDebug("errno: (%d) %s", errno, strerror(errno));
util-ebpf: add error handling in hash value fetch
8 years ago
key = next_key;
continue;
}
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
for (i = 0; i < tcfg->cpus_count; i++) {
/* let's start accumulating value so we can compute the counters */
SCLogDebug("%d: Adding pkts %lu bytes %lu", i,
values_array[i].packets, values_array[i].bytes);
pkts_cnt += values_array[i].packets;
bytes_cnt += values_array[i].bytes;
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
}
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
/* Get the corresponding Flow in the Flow table to compare and update
* its counters and lastseen if needed */
FlowKey flow_key;
if (tcfg->mode == AFP_MODE_XDP_BYPASS) {
flow_key.sp = ntohs(key.port16[0]);
flow_key.dp = ntohs(key.port16[1]);
} else {
flow_key.sp = key.port16[0];
flow_key.dp = key.port16[1];
}
flow_key.src.family = AF_INET;
flow_key.src.addr_data32[0] = key.src;
flow_key.src.addr_data32[1] = 0;
flow_key.src.addr_data32[2] = 0;
flow_key.src.addr_data32[3] = 0;
flow_key.dst.family = AF_INET;
flow_key.dst.addr_data32[0] = key.dst;
flow_key.dst.addr_data32[1] = 0;
flow_key.dst.addr_data32[2] = 0;
flow_key.dst.addr_data32[3] = 0;
flow_key.vlan_id[0] = key.vlan_id[0];
flow_key.vlan_id[1] = key.vlan_id[1];
flow_key.proto = key.ip_proto;
flow_key.recursion_level = 0;
pkts_cnt = EBPFUpdateFlowForKey(flowstats, &flow_key, values_array[0].hash,
pkts_cnt, bytes_cnt);
if (pkts_cnt > 0) {
util-ebpf: add bypassed counters Use LiveDevice bypassed counter and also add hash size counters for the v4 and v6 flow table.
8 years ago
SC_ATOMIC_ADD(dev->bypassed, pkts_cnt);
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
EBPFDeleteKey(mapfd, &key);
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
found = 1;
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
}
key = next_key;
}
util-ebpf: add bypassed counters Use LiveDevice bypassed counter and also add hash size counters for the v4 and v6 flow table.
8 years ago
struct bpf_maps_info *bpfdata = LiveDevGetStorageById(dev, g_livedev_storage_id);
if (bpfdata) {
SC_ATOMIC_SET(bpfdata->ipv4_hash_count, hash_cnt);
}
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
return found;
}
af-packet: add comments to eBPF/XDP code
8 years ago
/**
* Bypassed flows cleaning for IPv6
*
* This function iterates on all the flows of the IPv4 table
* looking for timeouted flow to delete from the flow table.
*/
util-ebpf: add bypassed counters Use LiveDevice bypassed counter and also add hash size counters for the v4 and v6 flow table.
8 years ago
static int EBPFForEachFlowV6Table(LiveDevice *dev, const char *name,
util-ebpf: simplify code cleaning Avoid to use an unnecessary callback strategy as the purpose of the function using the callback is hardcoded.
8 years ago
struct flows_stats *flowstats,
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
struct timespec *ctime,
struct ebpf_timeout_config *tcfg)
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
{
util-ebpf: add bypassed counters Use LiveDevice bypassed counter and also add hash size counters for the v4 and v6 flow table.
8 years ago
int mapfd = EBPFGetMapFDByName(dev->dev, name);
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
struct flowv6_keys key = {}, next_key;
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
int found = 0;
unsigned int i;
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
uint64_t hash_cnt = 0;
if (tcfg->cpus_count == 0) {
SCLogWarning(SC_ERR_INVALID_VALUE, "CPU count should not be 0");
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
return 0;
}
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
while (bpf_map_get_next_key(mapfd, &key, &next_key) == 0) {
af-packet: fix bypassing of IPv6 Also misc fixes.
8 years ago
uint64_t pkts_cnt = 0;
uint64_t bytes_cnt = 0;
util-ebpf: add bypassed counters Use LiveDevice bypassed counter and also add hash size counters for the v4 and v6 flow table.
8 years ago
hash_cnt++;
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
/* We use a per CPU structure so we will get a array of values. But if nr_cpus
* is 1 then we have a global hash. */
struct pair values_array[tcfg->cpus_count];
af-packet: fix bypassing of IPv6 Also misc fixes.
8 years ago
memset(values_array, 0, sizeof(values_array));
util-ebpf: fix loop on maps We were missing the last element of the map by working on previous key instead of current key.
7 years ago
int res = bpf_map_lookup_elem(mapfd, &next_key, values_array);
util-ebpf: add error handling in hash value fetch
8 years ago
if (res < 0) {
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
SCLogDebug("no entry in v4 table for %d -> %d", key.port16[0], key.port16[1]);
util-ebpf: add error handling in hash value fetch
8 years ago
key = next_key;
continue;
}
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
for (i = 0; i < tcfg->cpus_count; i++) {
/* let's start accumulating value so we can compute the counters */
SCLogDebug("%d: Adding pkts %lu bytes %lu", i,
values_array[i].packets, values_array[i].bytes);
pkts_cnt += values_array[i].packets;
bytes_cnt += values_array[i].bytes;
}
/* Get the corresponding Flow in the Flow table to compare and update
* its counters and lastseen if needed */
FlowKey flow_key;
if (tcfg->mode == AFP_MODE_XDP_BYPASS) {
flow_key.sp = ntohs(key.port16[0]);
flow_key.dp = ntohs(key.port16[1]);
} else {
flow_key.sp = key.port16[0];
flow_key.dp = key.port16[1];
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
}
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
flow_key.src.family = AF_INET6;
flow_key.src.addr_data32[0] = key.src[0];
flow_key.src.addr_data32[1] = key.src[1];
flow_key.src.addr_data32[2] = key.src[2];
flow_key.src.addr_data32[3] = key.src[3];
flow_key.dst.family = AF_INET6;
flow_key.dst.addr_data32[0] = key.dst[0];
flow_key.dst.addr_data32[1] = key.dst[1];
flow_key.dst.addr_data32[2] = key.dst[2];
flow_key.dst.addr_data32[3] = key.dst[3];
flow_key.vlan_id[0] = key.vlan_id[0];
flow_key.vlan_id[1] = key.vlan_id[1];
flow_key.proto = key.ip_proto;
flow_key.recursion_level = 0;
pkts_cnt = EBPFUpdateFlowForKey(flowstats, &flow_key, values_array[0].hash,
pkts_cnt, bytes_cnt);
if (pkts_cnt > 0) {
util-ebpf: add bypassed counters Use LiveDevice bypassed counter and also add hash size counters for the v4 and v6 flow table.
8 years ago
SC_ATOMIC_ADD(dev->bypassed, pkts_cnt);
af-packet: use per CPU hash in bypass eBPF has a data type which is a per CPU array. By adding one element to the array it is in fact added to all per CPU arrays in the kernel. This allows to have a lockless structure in the kernel even when doing counter update. In userspace, we need to update the flow bypass code to fetch all elements of the per CPU arrays.
8 years ago
EBPFDeleteKey(mapfd, &key);
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
found = 1;
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
}
key = next_key;
}
util-ebpf: add bypassed counters Use LiveDevice bypassed counter and also add hash size counters for the v4 and v6 flow table.
8 years ago
struct bpf_maps_info *bpfdata = LiveDevGetStorageById(dev, g_livedev_storage_id);
if (bpfdata) {
SC_ATOMIC_SET(bpfdata->ipv6_hash_count, hash_cnt);
}
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
return found;
}
af-packet: add comments to eBPF/XDP code
8 years ago
/**
* Flow timeout checking function
*
* This function is called by the Flow bypass manager to trigger removal
* of entries in the kernel/userspace flow table if needed.
*
*/
flow-bypass: add abstraction layer The flow bypass thread can now be used by any capture method that register it timeout check function.
8 years ago
int EBPFCheckBypassedFlowTimeout(struct flows_stats *bypassstats,
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
struct timespec *curtime,
void *data)
flow-bypass: add abstraction layer The flow bypass thread can now be used by any capture method that register it timeout check function.
8 years ago
{
util-ebpf: rename local variable
8 years ago
struct flows_stats local_bypassstats = { 0, 0, 0};
flow-bypass: add abstraction layer The flow bypass thread can now be used by any capture method that register it timeout check function.
8 years ago
int ret = 0;
int tcount = 0;
af-packet: add support for multi iface bypass
8 years ago
LiveDevice *ldev = NULL, *ndev;
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
struct ebpf_timeout_config *cfg = (struct ebpf_timeout_config *)data;
if (cfg == NULL) {
SCLogError(SC_ERR_INVALID_VALUE,
"Programming error, contact developer");
return 0;
}
af-packet: add support for multi iface bypass
8 years ago
while(LiveDeviceForEach(&ldev, &ndev)) {
util-ebpf: add bypassed counters Use LiveDevice bypassed counter and also add hash size counters for the v4 and v6 flow table.
8 years ago
tcount = EBPFForEachFlowV4Table(ldev, "flow_table_v4",
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
&local_bypassstats, curtime,
cfg);
af-packet: add support for multi iface bypass
8 years ago
if (tcount) {
util-ebpf: rename local variable
8 years ago
bypassstats->count = local_bypassstats.count;
bypassstats->packets = local_bypassstats.packets ;
bypassstats->bytes = local_bypassstats.bytes;
af-packet: add support for multi iface bypass
8 years ago
ret = 1;
}
util-ebpf: rename local variable
8 years ago
memset(&local_bypassstats, 0, sizeof(local_bypassstats));
util-ebpf: add bypassed counters Use LiveDevice bypassed counter and also add hash size counters for the v4 and v6 flow table.
8 years ago
tcount = EBPFForEachFlowV6Table(ldev, "flow_table_v6",
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
&local_bypassstats, curtime,
cfg);
af-packet: add support for multi iface bypass
8 years ago
if (tcount) {
util-ebpf: rename local variable
8 years ago
bypassstats->count += local_bypassstats.count;
bypassstats->packets += local_bypassstats.packets ;
bypassstats->bytes += local_bypassstats.bytes;
af-packet: add support for multi iface bypass
8 years ago
ret = 1;
}
flow-bypass: add abstraction layer The flow bypass thread can now be used by any capture method that register it timeout check function.
8 years ago
}
return ret;
af-packet: kernel bypass implementation This patch implements bypass capability for af-packet. The filter only bypass TCP and UDP in IPv4 and IPv6. It don't don't bypass IPv6 with extended headers. This patch also introduces a bypassed flow manager that takes care of timeouting the bypassed flows. It uses a 60 sec timeout on flow. As they are supposed to be active we can try that. If they are not active then we don't care to get them back in Suricata.
8 years ago
}
unix-socket: add ebpf-bypassed-stats command This command output the count of element in IPv4 and IPv6 flow table of interfaces using eBPF/XDP bypass.
8 years ago
#ifdef BUILD_UNIX_SOCKET
TmEcode EBPFGetBypassedStats(json_t *cmd, json_t *answer, void *data)
{
LiveDevice *ldev = NULL, *ndev;
json_t *ifaces = NULL;
while(LiveDeviceForEach(&ldev, &ndev)) {
struct bpf_maps_info *bpfdata = LiveDevGetStorageById(ldev, g_livedev_storage_id);
if (bpfdata) {
uint64_t ipv4_hash_count = SC_ATOMIC_GET(bpfdata->ipv4_hash_count);
uint64_t ipv6_hash_count = SC_ATOMIC_GET(bpfdata->ipv6_hash_count);
json_t *iface = json_object();
if (ifaces == NULL) {
ifaces = json_object();
if (ifaces == NULL) {
json_object_set_new(answer, "message",
json_string("internal error at json object creation"));
return TM_ECODE_FAILED;
}
}
json_object_set_new(iface, "ipv4_count", json_integer(ipv4_hash_count));
json_object_set_new(iface, "ipv6_count", json_integer(ipv6_hash_count));
json_object_set_new(ifaces, ldev->dev, iface);
}
}
if (ifaces) {
json_object_set_new(answer, "message", ifaces);
SCReturnInt(TM_ECODE_OK);
}
json_object_set_new(answer, "message",
json_string("No interface using eBPF bypass"));
SCReturnInt(TM_ECODE_FAILED);
}
#endif
af-packet: add support for multi iface bypass
8 years ago
void EBPFRegisterExtension(void)
{
g_livedev_storage_id = LiveDevStorageRegister("bpfmap", sizeof(void *), NULL, BpfMapsInfoFree);
af-packet: XDP bypass in IPS mode Implement XDP bypass in IPS mode by using XDP redirect to send packets from bypassed flow directly to the transmission interface.
8 years ago
g_flow_storage_id = FlowStorageRegister("bypassedlist", sizeof(void *), NULL, BypassedListFree);
af-packet: add support for multi iface bypass
8 years ago
}
af-packet: add support for XDP cpu redirect map This patch adds a boolean option "xdp-cpu-redirect" to af-packet interface configuration. If set, then the XDP filter will load balance the skb creation on specified CPUs instead of doing the creation on the CPU handling the packet. In the case of a card with asymetric hashing this will allow to avoid saturating the single CPU handling the trafic. The XDP filter must contains a set of map allowing load balancing. This is the case of xdp_filter.bpf. Fixed-by: Jesper Dangaard Brouer <netoptimizer@brouer.com>
8 years ago
#ifdef HAVE_PACKET_XDP
static uint32_t g_redirect_iface_cpu_counter = 0;
static int EBPFAddCPUToMap(const char *iface, uint32_t i)
{
int cpumap = EBPFGetMapFDByName(iface, "cpu_map");
uint32_t queue_size = 4096;
int ret;
if (cpumap < 0) {
SCLogError(SC_ERR_AFP_CREATE, "Can't find cpu_map");
return -1;
}
ret = bpf_map_update_elem(cpumap, &i, &queue_size, 0);
if (ret) {
SCLogError(SC_ERR_AFP_CREATE, "Create CPU entry failed (err:%d)", ret);
return -1;
}
int cpus_available = EBPFGetMapFDByName(iface, "cpus_available");
if (cpus_available < 0) {
SCLogError(SC_ERR_AFP_CREATE, "Can't find cpus_available map");
return -1;
}
ret = bpf_map_update_elem(cpus_available, &g_redirect_iface_cpu_counter, &i, 0);
if (ret) {
SCLogError(SC_ERR_AFP_CREATE, "Create CPU entry failed (err:%d)", ret);
return -1;
}
return 0;
}
static void EBPFRedirectMapAddCPU(int i, void *data)
{
if (EBPFAddCPUToMap(data, i) < 0) {
SCLogError(SC_ERR_INVALID_VALUE,
"Unable to add CPU %d to set", i);
} else {
g_redirect_iface_cpu_counter++;
}
}
void EBPFBuildCPUSet(ConfNode *node, char *iface)
{
uint32_t key0 = 0;
int mapfd = EBPFGetMapFDByName(iface, "cpus_count");
if (mapfd < 0) {
SCLogError(SC_ERR_INVALID_VALUE,
"Unable to find 'cpus_count' map");
return;
}
g_redirect_iface_cpu_counter = 0;
if (node == NULL) {
bpf_map_update_elem(mapfd, &key0, &g_redirect_iface_cpu_counter,
BPF_ANY);
return;
}
BuildCpusetWithCallback("xdp-cpu-redirect", node,
EBPFRedirectMapAddCPU,
iface);
bpf_map_update_elem(mapfd, &key0, &g_redirect_iface_cpu_counter,
BPF_ANY);
}
ebpf: document XDP iface redirect
7 years ago
/**
* Setup peer interface in XDP system
*
* Ths function set up the peer interface in the XDP maps used by the
* bypass filter. The first map tx_peer has type device map and is
* used to store the peer. The second map tx_peer_int is used by the
* code to check if we have a peer defined for this interface.
*
* As the map are per device we just need maps with one single element.
* In both case, we use the key 0 to enter element so XDP kernel code
* is using the same key.
*/
af-packet: XDP bypass in IPS mode Implement XDP bypass in IPS mode by using XDP redirect to send packets from bypassed flow directly to the transmission interface.
8 years ago
int EBPFSetPeerIface(const char *iface, const char *out_iface)
{
int mapfd = EBPFGetMapFDByName(iface, "tx_peer");
if (mapfd < 0) {
SCLogError(SC_ERR_INVALID_VALUE,
"Unable to find 'tx_peer' map");
return -1;
}
int intmapfd = EBPFGetMapFDByName(iface, "tx_peer_int");
if (intmapfd < 0) {
SCLogError(SC_ERR_INVALID_VALUE,
"Unable to find 'tx_peer_int' map");
return -1;
}
int key0 = 0;
unsigned int peer_index = if_nametoindex(out_iface);
if (peer_index == 0) {
SCLogError(SC_ERR_INVALID_VALUE, "No iface '%s'", out_iface);
return -1;
}
int ret = bpf_map_update_elem(mapfd, &key0, &peer_index, BPF_ANY);
if (ret) {
SCLogError(SC_ERR_AFP_CREATE, "Create peer entry failed (err:%d)", ret);
return -1;
}
ret = bpf_map_update_elem(intmapfd, &key0, &peer_index, BPF_ANY);
if (ret) {
SCLogError(SC_ERR_AFP_CREATE, "Create peer entry failed (err:%d)", ret);
return -1;
}
return 0;
}
ebpf: change the logic to avoid ktime usage Kernel time is not available (and/or costly) on NIC such as Netronome so we update the logic to detect dead flows based on a lack of update of packets counters. This way, the XDP filter will be usable by network card. This patch also updates the ebpf code to support per CPU and regular mapping. Netronome is not supporting it and the structure is using atomic for counter so the cost of simultaneous update is really low. This patch also updates the xdp_filter to be able to select if the flow table is per CPU on shared. Second option will be used for hardward offload. To deactivate the per cpu hash, you need to set USE_PERCPU_HASH to 0. This patch also adds an new option to af-packet named no-percpu-hash If this option is set to yes then the Flow bypassed manager thread will use one CPU instead of the number of cores. By doing that we are able to handle the case where USE_PERCPU_HASH is unset (so hardware offload for Netronome). This patch also remove aligment indications in the eBPF filter. This was not really needed and it seems it is causing problem with some recent version of LLVM toolchain.
7 years ago
/**
* Bypass the flow on all ifaces it is seen on. This is used
* in IPS mode.
*/
int EBPFUpdateFlow(Flow *f, Packet *p, void *data)
af-packet: XDP bypass in IPS mode Implement XDP bypass in IPS mode by using XDP redirect to send packets from bypassed flow directly to the transmission interface.
8 years ago
{
BypassedIfaceList *ifl = (BypassedIfaceList *)FlowGetStorageById(f, g_flow_storage_id);
if (ifl == NULL) {
ifl = SCCalloc(1, sizeof(*ifl));
if (ifl == NULL) {
return 0;
}
ifl->dev = p->livedev;
FlowSetStorageById(f, g_flow_storage_id, ifl);
return 1;
}
/* Look for packet iface in the list */
BypassedIfaceList *ldev = ifl;
while (ldev) {
if (p->livedev == ldev->dev) {
return 1;
}
ldev = ldev->next;
}
util-ebpf: suppress spaces at end of line
7 years ago
/* Call bypass function if ever not in the list */
af-packet: XDP bypass in IPS mode Implement XDP bypass in IPS mode by using XDP redirect to send packets from bypassed flow directly to the transmission interface.
8 years ago
p->BypassPacketsFlow(p);
/* Add iface to the list */
BypassedIfaceList *nifl = SCCalloc(1, sizeof(*nifl));
if (nifl == NULL) {
return 0;
}
nifl->dev = p->livedev;
nifl->next = ifl;
FlowSetStorageById(f, g_flow_storage_id, nifl);
return 1;
}
af-packet: add support for XDP cpu redirect map This patch adds a boolean option "xdp-cpu-redirect" to af-packet interface configuration. If set, then the XDP filter will load balance the skb creation on specified CPUs instead of doing the creation on the CPU handling the packet. In the case of a card with asymetric hashing this will allow to avoid saturating the single CPU handling the trafic. The XDP filter must contains a set of map allowing load balancing. This is the case of xdp_filter.bpf. Fixed-by: Jesper Dangaard Brouer <netoptimizer@brouer.com>
8 years ago
#endif /* HAVE_PACKET_XDP */
af-packet: add support for eBPF cluster and filter This patch introduces the ebpf cluster mode. This mode is using an extended BPF function that is loaded into the kernel and provide the load balancing. An example of cluster function is provided in the ebpf subdirectory and provide ippair load balancing function. This is a function which uses the same method as the one used in autofp ippair to provide a symetrical load balancing based on IP addresses. A simple filter example allowing to drop IPv6 is added to the source. This patch also prepares the infrastructure to be able to load and use map inside eBPF files. This will be used later for flow bypass.
8 years ago
#endif