aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b844d4315f'
${ noResults }
suricata/src/source-af-packet.c

1723 lines
51 KiB
C
Raw Normal View History Unescape Escape

Replace ReleaseData function on Packet Structure with ReleasePacket. This commit allows handling Packets allocated by different methods. The ReleaseData function pointer in the Packet structure is replaced with ReleasePacket function pointer, which is then always called to release the memory associated with a Packet. Currently, the only usage of ReleaseData is in AF Packet. Previously ReleaseData was only called when it was not NULL. To implement the same functionality as before in AF Packet, a new function is defined in AF Packet to first call the AFP specific ReleaseData function and then releases the Packet structure. Three new general functions are defined for releasing packets in the default case: 1) PacketFree() - To release a packet alloced with SCMalloc() 2) PacketPoolReturnPacket() - For packets allocated from the Packet Pool. Calls RECYCLE_PACKET(p) 3) PacketFreeOrRelease() - Calls PacketFree() or PacketPoolReturnPacket() based on the PKT_ALLOC flag. Having these functions removes the need to check the PKT_ALLOC flag when releasing a packet in most cases, since the ReleasePacket function encodes how the Packet was allocated. The PKT_ALLOC flag is still set and is needed when AF Packet releases a packet, since it replaces the ReleasePacket function pointer with its own function and then calls PacketFreeOfRelease(), which uses the PKT_ALLOC flag.
12 years ago
/* Copyright (C) 2011-2013 Open Information Security Foundation
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
af-packet: add doxygen comments This patch adds doxygen comments to newly introduced function and adds module AF_PACKET doxygen module with a dedicated AFP peers module.
13 years ago
/**
* \defgroup afppacket AF_PACKET running mode
*
* @{
*/
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
/**
* \file
*
* \author Eric Leblond <eric@regit.org>
*
* AF_PACKET socket acquisition support
*
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
* \todo watch other interface event to detect suppression of the monitored
* interface
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
*/
#include "suricata-common.h"
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
#include "config.h"
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
#include "suricata.h"
#include "decode.h"
#include "packet-queue.h"
#include "threads.h"
#include "threadvars.h"
#include "tm-queuehandlers.h"
#include "tm-modules.h"
#include "tm-threads.h"
#include "tm-threads-common.h"
#include "conf.h"
#include "util-debug.h"
af-packet: auto mode support
14 years ago
#include "util-device.h"
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
#include "util-error.h"
#include "util-privs.h"
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
#include "util-optimize.h"
af-packet: auto mode support
14 years ago
#include "util-checksum.h"
af-packet: detect MTU mismatch and warn user If the MTU on the reception interface and the one on the transmission interface are different, this will result in an error at transmission when sending packet to the wire.
13 years ago
#include "util-ioctl.h"
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
#include "tmqh-packetpool.h"
#include "source-af-packet.h"
af-packet: Implement zero copy This patch adds support for zero copy to AF_PACKET running mode. This requires to use the 'worker' mode which is the only one where the threading architecture is simple enough to permit this without heavy modification.
14 years ago
#include "runmodes.h"
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
Code to enable cuda support for live mode pcap and af-packet. Keep an eye out on the mailing list and http://planet.suricata-ids.org for performance and other profiling data.
12 years ago
#ifdef __SC_CUDA_SUPPORT__
#include "util-cuda.h"
#include "util-cuda-buffer.h"
#include "util-mpm-ac.h"
#include "util-cuda-handlers.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "util-cuda-vars.h"
#endif /* __SC_CUDA_SUPPORT__ */
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
#ifdef HAVE_AF_PACKET
build: more checking for includes
13 years ago
#if HAVE_SYS_IOCTL_H
af-packet: fix compilation problem on windows.
14 years ago
#include <sys/ioctl.h>
build: more checking for includes
13 years ago
#endif
#if HAVE_LINUX_IF_ETHER_H
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
#include <linux/if_ether.h>
build: more checking for includes
13 years ago
#endif
#if HAVE_LINUX_IF_PACKET_H
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
#include <linux/if_packet.h>
build: more checking for includes
13 years ago
#endif
#if HAVE_LINUX_IF_ARP_H
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
#include <linux/if_arp.h>
build: more checking for includes
13 years ago
#endif
af-packet: add support for BPF filter. This patch adds support for BPF in AF_PACKET running mode. The command line syntax is the same as the one used of PF_RING. The method is the same too: The pcap_compile__nopcap() function is used to build the BPF filter. It is then injected into the kernel with a setsockopt() call. If the adding of the BPF fail, suricata exit.
13 years ago
build: more checking for includes
13 years ago
#if HAVE_LINUX_FILTER_H
af-packet: add support for BPF filter. This patch adds support for BPF in AF_PACKET running mode. The command line syntax is the same as the one used of PF_RING. The method is the same too: The pcap_compile__nopcap() function is used to build the BPF filter. It is then injected into the kernel with a setsockopt() call. If the adding of the BPF fail, suricata exit.
13 years ago
#include <linux/filter.h>
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
#endif
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
build: more checking for includes
13 years ago
#if HAVE_SYS_MMAN_H
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
#include <sys/mman.h>
build: more checking for includes
13 years ago
#endif
#endif /* HAVE_AF_PACKET */
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
extern uint8_t suricata_ctl_flags;
extern int max_pending_packets;
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
#ifndef HAVE_AF_PACKET
TmEcode NoAFPSupportExit(ThreadVars *, void *, void **);
void TmModuleReceiveAFPRegister (void) {
tmm_modules[TMM_RECEIVEAFP].name = "ReceiveAFP";
tmm_modules[TMM_RECEIVEAFP].ThreadInit = NoAFPSupportExit;
tmm_modules[TMM_RECEIVEAFP].Func = NULL;
tmm_modules[TMM_RECEIVEAFP].ThreadExitPrintStats = NULL;
tmm_modules[TMM_RECEIVEAFP].ThreadDeinit = NULL;
tmm_modules[TMM_RECEIVEAFP].RegisterTests = NULL;
tmm_modules[TMM_RECEIVEAFP].cap_flags = 0;
Add new flags var to tm module. TMs can now set flags to identify special properties. Also use these to identify receive TMs
14 years ago
tmm_modules[TMM_RECEIVEAFP].flags = TM_FLAG_RECEIVE_TM;
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
}
/**
* \brief Registration Function for DecodeAFP.
* \todo Unit tests are needed for this module.
*/
void TmModuleDecodeAFPRegister (void) {
tmm_modules[TMM_DECODEAFP].name = "DecodeAFP";
tmm_modules[TMM_DECODEAFP].ThreadInit = NoAFPSupportExit;
tmm_modules[TMM_DECODEAFP].Func = NULL;
tmm_modules[TMM_DECODEAFP].ThreadExitPrintStats = NULL;
tmm_modules[TMM_DECODEAFP].ThreadDeinit = NULL;
tmm_modules[TMM_DECODEAFP].RegisterTests = NULL;
tmm_modules[TMM_DECODEAFP].cap_flags = 0;
#482 - use decode_flag for all decode TMs. Use the flag as a way to retrieve decode TMs from ThreadVars
13 years ago
tmm_modules[TMM_DECODEAFP].flags = TM_FLAG_DECODE_TM;
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
}
/**
* \brief this function prints an error message and exits.
*/
TmEcode NoAFPSupportExit(ThreadVars *tv, void *initdata, void **data)
{
SCLogError(SC_ERR_NO_AF_PACKET,"Error creating thread %s: you do not have "
"support for AF_PACKET enabled, on Linux host please recompile "
"with --enable-af-packet", tv->name);
exit(EXIT_FAILURE);
}
#else /* We have AF_PACKET support */
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
#define AFP_IFACE_NAME_LENGTH 48
#define AFP_STATE_DOWN 0
#define AFP_STATE_UP 1
#define AFP_RECONNECT_TIMEOUT 500000
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
#define AFP_DOWN_COUNTER_INTERVAL 40
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
#define POLL_TIMEOUT 100
af-packet: fix looping in ring buffer. A crash can occurs in the following conditions: * Suricata running in other mode than "workers" * Kernel fill in the ring buffer Under this conditions, it is possible that the capture thread reads a packet that has not yet released by one of the treatment threads because there is no modification done on the ring buffer entry when a packet is read. Doing, this it access to memory which can be released to the kernel and modified. This results in a kind of memory corruption. This bug has only been seen recently and this has to be linked with the read speed improvement recently made in AF_PACKET support. The patch fixes the issue by modifying the tp_status bitmask in the ring buffer. It sets the TP_STATUS_USER_BUSY flag when it is confirmed that the packet will be treated. And at the start of the read, it exits from the reading loop (returning to poll) when it reaches a packet with the flag set. As tp_status is set to 0 during packet release the flag is destroyed when releasing the packet. Regarding concurrency, we've got a sequence of modification. The capture thread read the packet and set the flag, then it passes the queue and the packet get processed by other threads. The change on tp_status are thus made at different time. Regarding the value of the flag, the patch uses the last bit of tp_status to avoid be impacting by a change in kernel. I will propose a patch to have TP_STATUS_USER_BUSY included in kernel as this is a generic issue for multithreading application using AF_PACKET mechanism.
13 years ago
#ifndef TP_STATUS_USER_BUSY
/* for new use latest bit available in tp_status */
#define TP_STATUS_USER_BUSY (1 << 31)
#endif
af-packet: add support for BPF filter. This patch adds support for BPF in AF_PACKET running mode. The command line syntax is the same as the one used of PF_RING. The method is the same too: The pcap_compile__nopcap() function is used to build the BPF filter. It is then injected into the kernel with a setsockopt() call. If the adding of the BPF fail, suricata exit.
13 years ago
/** protect pfring_set_bpf_filter, as it is not thread safe */
Create SCMUTEX_INITIALIZER to abstract out PTHREAD_MUTEX_INITIALIZER This allows replacing pthread mutexes with other types of mutex.
12 years ago
static SCMutex afpacket_bpf_set_filter_lock = SCMUTEX_INITIALIZER;
af-packet: add support for BPF filter. This patch adds support for BPF in AF_PACKET running mode. The command line syntax is the same as the one used of PF_RING. The method is the same too: The pcap_compile__nopcap() function is used to build the BPF filter. It is then injected into the kernel with a setsockopt() call. If the adding of the BPF fail, suricata exit.
13 years ago
af-packet: fix reconnection on netdown error. AFPRead can fail following a NETDOWN error. This patch treat errors of AFPRead by forcing a reconnection (instead of exiting thread with error).
14 years ago
enum {
AFP_READ_OK,
AFP_READ_FAILURE,
AFP_FAILURE,
af-packet: add optional emergency mode Flush all waiting packets to be in sync with kernel when drop occurs. This mode can be activated by setting use-emergency-flush to yes in the interface configuration.
13 years ago
AFP_KERNEL_DROP,
af-packet: fix reconnection on netdown error. AFPRead can fail following a NETDOWN error. This patch treat errors of AFPRead by forcing a reconnection (instead of exiting thread with error).
14 years ago
};
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
union thdr {
struct tpacket2_hdr *h2;
void *raw;
};
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
/**
* \brief Structure to hold thread specific variables.
*/
typedef struct AFPThreadVars_
{
/* thread specific socket */
int socket;
/* handle state */
unsigned char afp_state;
/* data link type for the thread */
int datalink;
int cooked;
/* counters */
uint32_t pkts;
uint64_t bytes;
uint32_t errs;
af-packet: switch to pcktacqloop API. This patch gets rid of the old API and brings some optimisation by reordering structure and optimisinf an error test.
14 years ago
ThreadVars *tv;
TmSlot *slot;
uint8_t *data; /** Per function and thread data */
int datalen; /** Length of per function and thread data */
char iface[AFP_IFACE_NAME_LENGTH];
af-packet: auto mode support
14 years ago
LiveDevice *livedev;
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
int down_count;
af-packet: auto mode support
14 years ago
af-packet: add support for BPF filter. This patch adds support for BPF in AF_PACKET running mode. The command line syntax is the same as the one used of PF_RING. The method is the same too: The pcap_compile__nopcap() function is used to build the BPF filter. It is then injected into the kernel with a setsockopt() call. If the adding of the BPF fail, suricata exit.
13 years ago
/* Filter */
char *bpf_filter;
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
/* socket buffer size */
int buffer_size;
af-packet: Add option to disable promiscuous mode This patch adds an option to suricata.yaml to be able to disable the switch of the interface into promiscuous mode.
14 years ago
int promisc;
af-packet: add support for checksum verif mode This patch adds support for checksum verification mode. Auto mode is not yet supported.
14 years ago
ChecksumValidationMode checksum_mode;
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
/* IPS stuff */
char out_iface[AFP_IFACE_NAME_LENGTH];
AFPPeer *mpeer;
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
int flags;
af-packet: use counter for drop and accept This patch adds counters for kernel drops and accepts to af-packet capture module. This information are periodically displayed in stats.log: capture.kernel_packets | RxAFP1 | 1792 capture.kernel_drops | RxAFP1 | 0 The statistic is fetch via a setsockopt call every 255 packets.
13 years ago
uint16_t capture_kernel_packets;
uint16_t capture_kernel_drops;
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
int cluster_id;
int cluster_type;
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
af-packet: multi interface support This patch adds multi interface support to AF_PACKET. A structure is used at thread creation to give all needed information to the input module. Parsing of the options is done in runmode preparation through a dedicated function which return the configuration in a structure usable by thread creation.
14 years ago
int threads;
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
int copy_mode;
af-packet: multi interface support This patch adds multi interface support to AF_PACKET. A structure is used at thread creation to give all needed information to the input module. Parsing of the options is done in runmode preparation through a dedicated function which return the configuration in a structure usable by thread creation.
14 years ago
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
struct tpacket_req req;
unsigned int tp_hdrlen;
unsigned int ring_buflen;
char *ring_buf;
char *frame_buf;
unsigned int frame_offset;
af-packet: improve mmaped running mode. The mmaped mode was using a too small ring buffer size which was not able to handle burst of packets coming from the network. This may explain the important packet loss rate observed by Edward Fjellskål. This patch increases the default value and adds a ring-size variable which can be used to manually tune the value.
13 years ago
int ring_size;
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
} AFPThreadVars;
TmEcode ReceiveAFP(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
TmEcode ReceiveAFPThreadInit(ThreadVars *, void *, void **);
void ReceiveAFPThreadExitStats(ThreadVars *, void *);
TmEcode ReceiveAFPThreadDeinit(ThreadVars *, void *);
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
TmEcode ReceiveAFPLoop(ThreadVars *tv, void *data, void *slot);
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
TmEcode DecodeAFPThreadInit(ThreadVars *, void *, void **);
TmEcode DecodeAFP(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
af-packet: add support for BPF filter. This patch adds support for BPF in AF_PACKET running mode. The command line syntax is the same as the one used of PF_RING. The method is the same too: The pcap_compile__nopcap() function is used to build the BPF filter. It is then injected into the kernel with a setsockopt() call. If the adding of the BPF fail, suricata exit.
13 years ago
TmEcode AFPSetBPFFilter(AFPThreadVars *ptv);
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
static int AFPGetIfnumByDev(int fd, const char *ifname, int verbose);
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
static int AFPGetDevFlags(int fd, const char *ifname);
static int AFPDerefSocket(AFPPeer* peer);
static int AFPRefSocket(AFPPeer* peer);
af-packet: add support for BPF filter. This patch adds support for BPF in AF_PACKET running mode. The command line syntax is the same as the one used of PF_RING. The method is the same too: The pcap_compile__nopcap() function is used to build the BPF filter. It is then injected into the kernel with a setsockopt() call. If the adding of the BPF fail, suricata exit.
13 years ago
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
/**
* \brief Registration Function for RecieveAFP.
* \todo Unit tests are needed for this module.
*/
void TmModuleReceiveAFPRegister (void) {
tmm_modules[TMM_RECEIVEAFP].name = "ReceiveAFP";
tmm_modules[TMM_RECEIVEAFP].ThreadInit = ReceiveAFPThreadInit;
af-packet: switch to pcktacqloop API. This patch gets rid of the old API and brings some optimisation by reordering structure and optimisinf an error test.
14 years ago
tmm_modules[TMM_RECEIVEAFP].Func = NULL;
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
tmm_modules[TMM_RECEIVEAFP].PktAcqLoop = ReceiveAFPLoop;
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
tmm_modules[TMM_RECEIVEAFP].ThreadExitPrintStats = ReceiveAFPThreadExitStats;
tmm_modules[TMM_RECEIVEAFP].ThreadDeinit = NULL;
tmm_modules[TMM_RECEIVEAFP].RegisterTests = NULL;
tmm_modules[TMM_RECEIVEAFP].cap_flags = SC_CAP_NET_RAW;
flag recieve acq tms that previously missed the receive_tm flag
13 years ago
tmm_modules[TMM_RECEIVEAFP].flags = TM_FLAG_RECEIVE_TM;
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
}
af-packet: add doxygen comments This patch adds doxygen comments to newly introduced function and adds module AF_PACKET doxygen module with a dedicated AFP peers module.
13 years ago
/**
* \defgroup afppeers AFP peers list
*
* AF_PACKET has an IPS mode were interface are peered: packet from
* on interface are sent the peered interface and the other way. The ::AFPPeer
* list is maitaining the list of peers. Each ::AFPPeer is storing the needed
* information to be able to send packet on the interface.
* A element of the list must not be destroyed during the run of Suricata as it
* is used by ::Packet and other threads.
*
* @{
*/
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
typedef struct AFPPeersList_ {
TAILQ_HEAD(, AFPPeer_) peers; /**< Head of list of fragments. */
int cnt;
int peered;
af-packet: implement late open This patch implements "late open". On high performance system, it is needed to create the AF_PACKET just before reading to avoid overflow. Socket creation has to be done with respect to the order of thread creation to respect affinity settings. This patch adds a counter to AFPPeer to be ale to synchronize the initial socket creation.
13 years ago
int turn; /**< Next value for initialisation order */
SC_ATOMIC_DECLARE(int, reached); /**< Counter used to synchronize start */
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
} AFPPeersList;
/**
af-packet: add doxygen comments This patch adds doxygen comments to newly introduced function and adds module AF_PACKET doxygen module with a dedicated AFP peers module.
13 years ago
* \brief Update the peer.
*
* Update the AFPPeer of a thread ie set new state, socket number
* or iface index.
*
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
*/
void AFPPeerUpdate(AFPThreadVars *ptv)
{
if (ptv->mpeer == NULL) {
return;
}
(void)SC_ATOMIC_SET(ptv->mpeer->if_idx, AFPGetIfnumByDev(ptv->socket, ptv->iface, 0));
(void)SC_ATOMIC_SET(ptv->mpeer->socket, ptv->socket);
(void)SC_ATOMIC_SET(ptv->mpeer->state, ptv->afp_state);
}
af-packet: add doxygen comments This patch adds doxygen comments to newly introduced function and adds module AF_PACKET doxygen module with a dedicated AFP peers module.
13 years ago
/**
* \brief Clean and free ressource used by an ::AFPPeer
*/
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
void AFPPeerClean(AFPPeer *peer)
{
if (peer->flags & AFP_SOCK_PROTECT)
SCMutexDestroy(&peer->sock_protect);
SC_ATOMIC_DESTROY(peer->socket);
SC_ATOMIC_DESTROY(peer->if_idx);
SC_ATOMIC_DESTROY(peer->state);
SCFree(peer);
}
AFPPeersList peerslist;
af-packet: add doxygen comments This patch adds doxygen comments to newly introduced function and adds module AF_PACKET doxygen module with a dedicated AFP peers module.
13 years ago
/**
* \brief Init the global list of ::AFPPeer
*/
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
TmEcode AFPPeersListInit()
{
SCEnter();
TAILQ_INIT(&peerslist.peers);
peerslist.peered = 0;
peerslist.cnt = 0;
af-packet: implement late open This patch implements "late open". On high performance system, it is needed to create the AF_PACKET just before reading to avoid overflow. Socket creation has to be done with respect to the order of thread creation to respect affinity settings. This patch adds a counter to AFPPeer to be ale to synchronize the initial socket creation.
13 years ago
peerslist.turn = 0;
SC_ATOMIC_INIT(peerslist.reached);
(void) SC_ATOMIC_SET(peerslist.reached, 0);
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
SCReturnInt(TM_ECODE_OK);
}
af-packet: add doxygen comments This patch adds doxygen comments to newly introduced function and adds module AF_PACKET doxygen module with a dedicated AFP peers module.
13 years ago
/**
* \brief Check that all ::AFPPeer got a peer
*
* \retval TM_ECODE_FAILED if some threads are not peered or TM_ECODE_OK else.
*/
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
TmEcode AFPPeersListCheck()
{
#define AFP_PEERS_MAX_TRY 4
#define AFP_PEERS_WAIT 20000
int try = 0;
SCEnter();
while (try < AFP_PEERS_MAX_TRY) {
if (peerslist.cnt != peerslist.peered) {
usleep(AFP_PEERS_WAIT);
} else {
SCReturnInt(TM_ECODE_OK);
}
try++;
}
SCLogError(SC_ERR_AFP_CREATE, "Threads number not equals");
SCReturnInt(TM_ECODE_FAILED);
}
af-packet: add doxygen comments This patch adds doxygen comments to newly introduced function and adds module AF_PACKET doxygen module with a dedicated AFP peers module.
13 years ago
/**
* \brief Declare a new AFP thread to AFP peers list.
*/
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
TmEcode AFPPeersListAdd(AFPThreadVars *ptv)
{
SCEnter();
AFPPeer *peer = SCMalloc(sizeof(AFPPeer));
AFPPeer *pitem;
af-packet: detect MTU mismatch and warn user If the MTU on the reception interface and the one on the transmission interface are different, this will result in an error at transmission when sending packet to the wire.
13 years ago
int mtu, out_mtu;
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(peer == NULL)) {
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
SCReturnInt(TM_ECODE_FAILED);
}
memset(peer, 0, sizeof(AFPPeer));
SC_ATOMIC_INIT(peer->socket);
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
SC_ATOMIC_INIT(peer->sock_usage);
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
SC_ATOMIC_INIT(peer->if_idx);
SC_ATOMIC_INIT(peer->state);
peer->flags = ptv->flags;
af-packet: implement late open This patch implements "late open". On high performance system, it is needed to create the AF_PACKET just before reading to avoid overflow. Socket creation has to be done with respect to the order of thread creation to respect affinity settings. This patch adds a counter to AFPPeer to be ale to synchronize the initial socket creation.
13 years ago
peer->turn = peerslist.turn++;
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
if (peer->flags & AFP_SOCK_PROTECT) {
SCMutexInit(&peer->sock_protect, NULL);
}
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
(void)SC_ATOMIC_SET(peer->sock_usage, 0);
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
(void)SC_ATOMIC_SET(peer->state, AFP_STATE_DOWN);
strlcpy(peer->iface, ptv->iface, AFP_IFACE_NAME_LENGTH);
ptv->mpeer = peer;
/* add element to iface list */
TAILQ_INSERT_TAIL(&peerslist.peers, peer, next);
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
if (ptv->copy_mode != AFP_COPY_MODE_NONE) {
peerslist.cnt++;
/* Iter to find a peer */
TAILQ_FOREACH(pitem, &peerslist.peers, next) {
if (pitem->peer)
continue;
if (strcmp(pitem->iface, ptv->out_iface))
continue;
peer->peer = pitem;
pitem->peer = peer;
mtu = GetIfaceMTU(ptv->iface);
out_mtu = GetIfaceMTU(ptv->out_iface);
if (mtu != out_mtu) {
SCLogError(SC_ERR_AFP_CREATE,
"MTU on %s (%d) and %s (%d) are not equal, "
"transmission of packets bigger than %d will fail.",
ptv->iface, mtu,
ptv->out_iface, out_mtu,
(out_mtu > mtu) ? mtu : out_mtu);
}
peerslist.peered += 2;
break;
af-packet: detect MTU mismatch and warn user If the MTU on the reception interface and the one on the transmission interface are different, this will result in an error at transmission when sending packet to the wire.
13 years ago
}
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
}
AFPPeerUpdate(ptv);
SCReturnInt(TM_ECODE_OK);
}
af-packet: implement late open This patch implements "late open". On high performance system, it is needed to create the AF_PACKET just before reading to avoid overflow. Socket creation has to be done with respect to the order of thread creation to respect affinity settings. This patch adds a counter to AFPPeer to be ale to synchronize the initial socket creation.
13 years ago
int AFPPeersListWaitTurn(AFPPeer *peer)
{
af-packet: handle possible exit of capture loop. If a capture loop does exit, the thread needs to start without synchronization with the other threads. This patch fixes this by resetting the turn count on the peerslist structure and adding a test on this condition in the wait function.
13 years ago
/* If turn is zero, we already have started threads once */
if (peerslist.turn == 0)
return 0;
af-packet: implement late open This patch implements "late open". On high performance system, it is needed to create the AF_PACKET just before reading to avoid overflow. Socket creation has to be done with respect to the order of thread creation to respect affinity settings. This patch adds a counter to AFPPeer to be ale to synchronize the initial socket creation.
13 years ago
if (peer->turn == SC_ATOMIC_GET(peerslist.reached))
return 0;
return 1;
}
void AFPPeersListReachedInc()
{
af-packet: handle possible exit of capture loop. If a capture loop does exit, the thread needs to start without synchronization with the other threads. This patch fixes this by resetting the turn count on the peerslist structure and adding a test on this condition in the wait function.
13 years ago
if (peerslist.turn == 0)
return;
if (SC_ATOMIC_ADD(peerslist.reached, 1) == peerslist.turn) {
SCLogInfo("All AFP capture threads are running.");
(void)SC_ATOMIC_SET(peerslist.reached, 0);
/* Set turn to 0 to skip syncrhonization when ReceiveAFPLoop is
* restarted.
*/
peerslist.turn = 0;
}
af-packet: implement late open This patch implements "late open". On high performance system, it is needed to create the AF_PACKET just before reading to avoid overflow. Socket creation has to be done with respect to the order of thread creation to respect affinity settings. This patch adds a counter to AFPPeer to be ale to synchronize the initial socket creation.
13 years ago
}
af-packet: add doxygen comments This patch adds doxygen comments to newly introduced function and adds module AF_PACKET doxygen module with a dedicated AFP peers module.
13 years ago
/**
* \brief Clean the global peers list.
*/
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
void AFPPeersListClean()
{
AFPPeer *pitem;
while ((pitem = TAILQ_FIRST(&peerslist.peers))) {
TAILQ_REMOVE(&peerslist.peers, pitem, next);
AFPPeerClean(pitem);
}
}
af-packet: add doxygen comments This patch adds doxygen comments to newly introduced function and adds module AF_PACKET doxygen module with a dedicated AFP peers module.
13 years ago
/**
* @}
*/
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
/**
* \brief Registration Function for DecodeAFP.
* \todo Unit tests are needed for this module.
*/
void TmModuleDecodeAFPRegister (void) {
tmm_modules[TMM_DECODEAFP].name = "DecodeAFP";
tmm_modules[TMM_DECODEAFP].ThreadInit = DecodeAFPThreadInit;
tmm_modules[TMM_DECODEAFP].Func = DecodeAFP;
tmm_modules[TMM_DECODEAFP].ThreadExitPrintStats = NULL;
tmm_modules[TMM_DECODEAFP].ThreadDeinit = NULL;
tmm_modules[TMM_DECODEAFP].RegisterTests = NULL;
tmm_modules[TMM_DECODEAFP].cap_flags = 0;
#482 - use decode_flag for all decode TMs. Use the flag as a way to retrieve decode TMs from ThreadVars
13 years ago
tmm_modules[TMM_DECODEAFP].flags = TM_FLAG_DECODE_TM;
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
}
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
static int AFPCreateSocket(AFPThreadVars *ptv, char *devname, int verbose);
af-packet: dump counter every seconds. This patch updates to kernel counters handling to be almost sure to update at least once per second.
13 years ago
static inline void AFPDumpCounters(AFPThreadVars *ptv)
af-packet: use counter for drop and accept This patch adds counters for kernel drops and accepts to af-packet capture module. This information are periodically displayed in stats.log: capture.kernel_packets | RxAFP1 | 1792 capture.kernel_drops | RxAFP1 | 0 The statistic is fetch via a setsockopt call every 255 packets.
13 years ago
{
#ifdef PACKET_STATISTICS
af-packet: dump counter every seconds. This patch updates to kernel counters handling to be almost sure to update at least once per second.
13 years ago
struct tpacket_stats kstats;
socklen_t len = sizeof (struct tpacket_stats);
if (getsockopt(ptv->socket, SOL_PACKET, PACKET_STATISTICS,
&kstats, &len) > -1) {
SCLogDebug("(%s) Kernel: Packets %" PRIu32 ", dropped %" PRIu32 "",
ptv->tv->name,
kstats.tp_packets, kstats.tp_drops);
SCPerfCounterAddUI64(ptv->capture_kernel_packets, ptv->tv->sc_perf_pca, kstats.tp_packets);
SCPerfCounterAddUI64(ptv->capture_kernel_drops, ptv->tv->sc_perf_pca, kstats.tp_drops);
Add atomic counter for iface drop.
13 years ago
(void) SC_ATOMIC_ADD(ptv->livedev->drop, kstats.tp_drops);
af-packet: fix live device counter usage Live device counter was in fact the number of packets seen by suricata and not the total number of packet reported by kernel. This patch fixes this by using counter provided by kernel instead. The counter is Clear On Read, so by adding the value fetch at each call and earch sockets we get the number of packets and drops for the interface.
12 years ago
(void) SC_ATOMIC_ADD(ptv->livedev->pkts, kstats.tp_packets);
af-packet: use counter for drop and accept This patch adds counters for kernel drops and accepts to af-packet capture module. This information are periodically displayed in stats.log: capture.kernel_packets | RxAFP1 | 1792 capture.kernel_drops | RxAFP1 | 0 The statistic is fetch via a setsockopt call every 255 packets.
13 years ago
}
af-packet: dump counter every seconds. This patch updates to kernel counters handling to be almost sure to update at least once per second.
13 years ago
#endif
af-packet: use counter for drop and accept This patch adds counters for kernel drops and accepts to af-packet capture module. This information are periodically displayed in stats.log: capture.kernel_packets | RxAFP1 | 1792 capture.kernel_drops | RxAFP1 | 0 The statistic is fetch via a setsockopt call every 255 packets.
13 years ago
}
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
/**
* \brief AF packet read function.
*
* This function fills
* From here the packets are picked up by the DecodeAFP thread.
*
* \param user pointer to AFPThreadVars
* \retval TM_ECODE_FAILED on failure and TM_ECODE_OK on success
*/
af-packet: fix reconnection on netdown error. AFPRead can fail following a NETDOWN error. This patch treat errors of AFPRead by forcing a reconnection (instead of exiting thread with error).
14 years ago
int AFPRead(AFPThreadVars *ptv)
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
{
Packet *p = NULL;
/* XXX should try to use read that get directly to packet */
int offset = 0;
int caplen;
struct sockaddr_ll from;
struct iovec iov;
struct msghdr msg;
struct cmsghdr *cmsg;
union {
struct cmsghdr cmsg;
char buf[CMSG_SPACE(sizeof(struct tpacket_auxdata))];
} cmsg_buf;
af-packet: use counter for drop and accept This patch adds counters for kernel drops and accepts to af-packet capture module. This information are periodically displayed in stats.log: capture.kernel_packets | RxAFP1 | 1792 capture.kernel_drops | RxAFP1 | 0 The statistic is fetch via a setsockopt call every 255 packets.
13 years ago
unsigned char aux_checksum = 0;
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
msg.msg_name = &from;
msg.msg_namelen = sizeof(from);
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_control = &cmsg_buf;
msg.msg_controllen = sizeof(cmsg_buf);
msg.msg_flags = 0;
if (ptv->cooked)
offset = SLL_HEADER_LEN;
else
offset = 0;
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
iov.iov_len = ptv->datalen - offset;
iov.iov_base = ptv->data + offset;
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
caplen = recvmsg(ptv->socket, &msg, MSG_TRUNC);
if (caplen < 0) {
SCLogWarning(SC_ERR_AFP_READ, "recvmsg failed with error code %" PRId32,
errno);
af-packet: fix reconnection on netdown error. AFPRead can fail following a NETDOWN error. This patch treat errors of AFPRead by forcing a reconnection (instead of exiting thread with error).
14 years ago
SCReturnInt(AFP_READ_FAILURE);
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
}
af-packet: switch to pcktacqloop API. This patch gets rid of the old API and brings some optimisation by reordering structure and optimisinf an error test.
14 years ago
p = PacketGetFromQueueOrAlloc();
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
if (p == NULL) {
af-packet: fix reconnection on netdown error. AFPRead can fail following a NETDOWN error. This patch treat errors of AFPRead by forcing a reconnection (instead of exiting thread with error).
14 years ago
SCReturnInt(AFP_FAILURE);
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
}
Add a packet src for every packet generated inside suricata.
13 years ago
PKT_SET_SRC(p, PKT_SRC_WIRE);
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
/* get timestamp of packet via ioctl */
if (ioctl(ptv->socket, SIOCGSTAMP, &p->ts) == -1) {
SCLogWarning(SC_ERR_AFP_READ, "recvmsg failed with error code %" PRId32,
errno);
TmqhOutputPacketpool(ptv->tv, p);
af-packet: fix reconnection on netdown error. AFPRead can fail following a NETDOWN error. This patch treat errors of AFPRead by forcing a reconnection (instead of exiting thread with error).
14 years ago
SCReturnInt(AFP_READ_FAILURE);
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
}
ptv->pkts++;
ptv->bytes += caplen + offset;
af-packet: auto mode support
14 years ago
p->livedev = ptv->livedev;
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
/* add forged header */
if (ptv->cooked) {
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
SllHdr * hdrp = (SllHdr *)ptv->data;
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
/* XXX this is minimalist, but this seems enough */
hdrp->sll_protocol = from.sll_protocol;
}
p->datalink = ptv->datalink;
SET_PKT_LEN(p, caplen + offset);
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
if (PacketCopyData(p, ptv->data, GET_PKT_LEN(p)) == -1) {
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
TmqhOutputPacketpool(ptv->tv, p);
af-packet: fix reconnection on netdown error. AFPRead can fail following a NETDOWN error. This patch treat errors of AFPRead by forcing a reconnection (instead of exiting thread with error).
14 years ago
SCReturnInt(AFP_FAILURE);
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
}
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
SCLogDebug("pktlen: %" PRIu32 " (pkt %p, pkt data %p)",
GET_PKT_LEN(p), p, GET_PKT_DATA(p));
af-packet: add support for checksum verif mode This patch adds support for checksum verification mode. Auto mode is not yet supported.
14 years ago
/* We only check for checksum disable */
if (ptv->checksum_mode == CHECKSUM_VALIDATION_DISABLE) {
af-packet: auto mode support
14 years ago
p->flags |= PKT_IGNORE_CHECKSUM;
} else if (ptv->checksum_mode == CHECKSUM_VALIDATION_AUTO) {
if (ptv->livedev->ignore_checksum) {
p->flags |= PKT_IGNORE_CHECKSUM;
af-packet: fallback if 'kernel' mode is not supported This patch adds a fallback to full checksum validation if 'kernel' mode is not supported by the running kernel.
14 years ago
} else if (ChecksumAutoModeCheck(ptv->pkts,
af-packet: auto mode support
14 years ago
SC_ATOMIC_GET(ptv->livedev->pkts),
SC_ATOMIC_GET(ptv->livedev->invalid_checksums))) {
ptv->livedev->ignore_checksum = 1;
af-packet: add support for checksum verif mode This patch adds support for checksum verification mode. Auto mode is not yet supported.
14 years ago
p->flags |= PKT_IGNORE_CHECKSUM;
af-packet: auto mode support
14 years ago
}
af-packet: add support for checksum verif mode This patch adds support for checksum verification mode. Auto mode is not yet supported.
14 years ago
} else {
af-packet: use counter for drop and accept This patch adds counters for kernel drops and accepts to af-packet capture module. This information are periodically displayed in stats.log: capture.kernel_packets | RxAFP1 | 1792 capture.kernel_drops | RxAFP1 | 0 The statistic is fetch via a setsockopt call every 255 packets.
13 years ago
aux_checksum = 1;
}
af-packet: add support for checksum verif mode This patch adds support for checksum verification mode. Auto mode is not yet supported.
14 years ago
af-packet: use counter for drop and accept This patch adds counters for kernel drops and accepts to af-packet capture module. This information are periodically displayed in stats.log: capture.kernel_packets | RxAFP1 | 1792 capture.kernel_drops | RxAFP1 | 0 The statistic is fetch via a setsockopt call every 255 packets.
13 years ago
/* List is NULL if we don't have activated auxiliary data */
for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
struct tpacket_auxdata *aux;
af-packet: parse message to find lack of checksum Emitted packet can have checksum offloading. This patch reads af-packet message parameter to see if the kernel has sent a non checksummed packet.
14 years ago
af-packet: use counter for drop and accept This patch adds counters for kernel drops and accepts to af-packet capture module. This information are periodically displayed in stats.log: capture.kernel_packets | RxAFP1 | 1792 capture.kernel_drops | RxAFP1 | 0 The statistic is fetch via a setsockopt call every 255 packets.
13 years ago
if (cmsg->cmsg_len < CMSG_LEN(sizeof(struct tpacket_auxdata)) ||
cmsg->cmsg_level != SOL_PACKET ||
cmsg->cmsg_type != PACKET_AUXDATA)
continue;
af-packet: parse message to find lack of checksum Emitted packet can have checksum offloading. This patch reads af-packet message parameter to see if the kernel has sent a non checksummed packet.
14 years ago
af-packet: use counter for drop and accept This patch adds counters for kernel drops and accepts to af-packet capture module. This information are periodically displayed in stats.log: capture.kernel_packets | RxAFP1 | 1792 capture.kernel_drops | RxAFP1 | 0 The statistic is fetch via a setsockopt call every 255 packets.
13 years ago
aux = (struct tpacket_auxdata *)CMSG_DATA(cmsg);
if (aux_checksum && (aux->tp_status & TP_STATUS_CSUMNOTREADY)) {
p->flags |= PKT_IGNORE_CHECKSUM;
af-packet: parse message to find lack of checksum Emitted packet can have checksum offloading. This patch reads af-packet message parameter to see if the kernel has sent a non checksummed packet.
14 years ago
}
af-packet: use counter for drop and accept This patch adds counters for kernel drops and accepts to af-packet capture module. This information are periodically displayed in stats.log: capture.kernel_packets | RxAFP1 | 1792 capture.kernel_drops | RxAFP1 | 0 The statistic is fetch via a setsockopt call every 255 packets.
13 years ago
break;
af-packet: parse message to find lack of checksum Emitted packet can have checksum offloading. This patch reads af-packet message parameter to see if the kernel has sent a non checksummed packet.
14 years ago
}
af-packet: improve error handling The return of TmThreadsSlotProcessPkt function was not handled.
14 years ago
if (TmThreadsSlotProcessPkt(ptv->tv, ptv->slot, p) != TM_ECODE_OK) {
TmqhOutputPacketpool(ptv->tv, p);
af-packet: fix reconnection on netdown error. AFPRead can fail following a NETDOWN error. This patch treat errors of AFPRead by forcing a reconnection (instead of exiting thread with error).
14 years ago
SCReturnInt(AFP_FAILURE);
af-packet: improve error handling The return of TmThreadsSlotProcessPkt function was not handled.
14 years ago
}
af-packet: fix reconnection on netdown error. AFPRead can fail following a NETDOWN error. This patch treat errors of AFPRead by forcing a reconnection (instead of exiting thread with error).
14 years ago
SCReturnInt(AFP_READ_OK);
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
}
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
TmEcode AFPWritePacket(Packet *p)
{
struct sockaddr_ll socket_address;
int socket;
if (p->afp_v.copy_mode == AFP_COPY_MODE_IPS) {
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
if (PACKET_TEST_ACTION(p, ACTION_DROP)) {
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
return TM_ECODE_OK;
}
}
if (SC_ATOMIC_GET(p->afp_v.peer->state) == AFP_STATE_DOWN)
return TM_ECODE_OK;
if (p->ethh == NULL) {
SCLogWarning(SC_ERR_INVALID_VALUE, "Should have an Ethernet header");
return TM_ECODE_FAILED;
}
/* Index of the network device */
socket_address.sll_ifindex = SC_ATOMIC_GET(p->afp_v.peer->if_idx);
/* Address length*/
socket_address.sll_halen = ETH_ALEN;
/* Destination MAC */
memcpy(socket_address.sll_addr, p->ethh, 6);
/* Send packet, locking the socket if necessary */
if (p->afp_v.peer->flags & AFP_SOCK_PROTECT)
SCMutexLock(&p->afp_v.peer->sock_protect);
socket = SC_ATOMIC_GET(p->afp_v.peer->socket);
if (sendto(socket, GET_PKT_DATA(p), GET_PKT_LEN(p), 0,
(struct sockaddr*) &socket_address,
sizeof(struct sockaddr_ll)) < 0) {
SCLogWarning(SC_ERR_SOCKET, "Sending packet failed on socket %d: %s",
socket,
strerror(errno));
if (p->afp_v.peer->flags & AFP_SOCK_PROTECT)
SCMutexUnlock(&p->afp_v.peer->sock_protect);
return TM_ECODE_FAILED;
}
if (p->afp_v.peer->flags & AFP_SOCK_PROTECT)
SCMutexUnlock(&p->afp_v.peer->sock_protect);
return TM_ECODE_OK;
}
Replace ReleaseData function on Packet Structure with ReleasePacket. This commit allows handling Packets allocated by different methods. The ReleaseData function pointer in the Packet structure is replaced with ReleasePacket function pointer, which is then always called to release the memory associated with a Packet. Currently, the only usage of ReleaseData is in AF Packet. Previously ReleaseData was only called when it was not NULL. To implement the same functionality as before in AF Packet, a new function is defined in AF Packet to first call the AFP specific ReleaseData function and then releases the Packet structure. Three new general functions are defined for releasing packets in the default case: 1) PacketFree() - To release a packet alloced with SCMalloc() 2) PacketPoolReturnPacket() - For packets allocated from the Packet Pool. Calls RECYCLE_PACKET(p) 3) PacketFreeOrRelease() - Calls PacketFree() or PacketPoolReturnPacket() based on the PKT_ALLOC flag. Having these functions removes the need to check the PKT_ALLOC flag when releasing a packet in most cases, since the ReleasePacket function encodes how the Packet was allocated. The PKT_ALLOC flag is still set and is needed when AF Packet releases a packet, since it replaces the ReleasePacket function pointer with its own function and then calls PacketFreeOfRelease(), which uses the PKT_ALLOC flag.
12 years ago
void AFPReleaseDataFromRing(Packet *p)
capture: add data release mechanism This patch adds a data release mechanism. If the capture module has a call to indicate that userland has finished with the data, it is possible to use this system. The data will then be released when the treatment of the packet is finished. To do so the Packet structure has been modified: + TmEcode (*ReleaseData)(ThreadVars *, struct Packet_ *); If ReleaseData is null, the function is called when the treatment of the Packet is finished. Thus it is sufficient for the capture module to code a function wrapping the data release mechanism and to assign it to ReleaseData field. This patch also includes an implementation of this mechanism for AF_PACKET.
13 years ago
{
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
/* Need to be in copy mode and need to detect early release
where Ethernet header could not be set (and pseudo packet) */
if ((p->afp_v.copy_mode != AFP_COPY_MODE_NONE) && !PKT_IS_PSEUDOPKT(p)) {
Replace ReleaseData function on Packet Structure with ReleasePacket. This commit allows handling Packets allocated by different methods. The ReleaseData function pointer in the Packet structure is replaced with ReleasePacket function pointer, which is then always called to release the memory associated with a Packet. Currently, the only usage of ReleaseData is in AF Packet. Previously ReleaseData was only called when it was not NULL. To implement the same functionality as before in AF Packet, a new function is defined in AF Packet to first call the AFP specific ReleaseData function and then releases the Packet structure. Three new general functions are defined for releasing packets in the default case: 1) PacketFree() - To release a packet alloced with SCMalloc() 2) PacketPoolReturnPacket() - For packets allocated from the Packet Pool. Calls RECYCLE_PACKET(p) 3) PacketFreeOrRelease() - Calls PacketFree() or PacketPoolReturnPacket() based on the PKT_ALLOC flag. Having these functions removes the need to check the PKT_ALLOC flag when releasing a packet in most cases, since the ReleasePacket function encodes how the Packet was allocated. The PKT_ALLOC flag is still set and is needed when AF Packet releases a packet, since it replaces the ReleasePacket function pointer with its own function and then calls PacketFreeOfRelease(), which uses the PKT_ALLOC flag.
12 years ago
AFPWritePacket(p);
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
}
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
if (AFPDerefSocket(p->afp_v.mpeer) == 0)
af-packet: clean APFPacketVar before release. This patch resets the AFPPacketVar linked to a Packet in the release function to avoid any side effect when the packet is reused. To do so a new AFPV_CLEANUP macro has been introduced.
13 years ago
goto cleanup;
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
capture: add data release mechanism This patch adds a data release mechanism. If the capture module has a call to indicate that userland has finished with the data, it is possible to use this system. The data will then be released when the treatment of the packet is finished. To do so the Packet structure has been modified: + TmEcode (*ReleaseData)(ThreadVars *, struct Packet_ *); If ReleaseData is null, the function is called when the treatment of the Packet is finished. Thus it is sufficient for the capture module to code a function wrapping the data release mechanism and to assign it to ReleaseData field. This patch also includes an implementation of this mechanism for AF_PACKET.
13 years ago
if (p->afp_v.relptr) {
union thdr h;
h.raw = p->afp_v.relptr;
h.h2->tp_status = TP_STATUS_KERNEL;
}
af-packet: clean APFPacketVar before release. This patch resets the AFPPacketVar linked to a Packet in the release function to avoid any side effect when the packet is reused. To do so a new AFPV_CLEANUP macro has been introduced.
13 years ago
cleanup:
AFPV_CLEANUP(&p->afp_v);
Replace ReleaseData function on Packet Structure with ReleasePacket. This commit allows handling Packets allocated by different methods. The ReleaseData function pointer in the Packet structure is replaced with ReleasePacket function pointer, which is then always called to release the memory associated with a Packet. Currently, the only usage of ReleaseData is in AF Packet. Previously ReleaseData was only called when it was not NULL. To implement the same functionality as before in AF Packet, a new function is defined in AF Packet to first call the AFP specific ReleaseData function and then releases the Packet structure. Three new general functions are defined for releasing packets in the default case: 1) PacketFree() - To release a packet alloced with SCMalloc() 2) PacketPoolReturnPacket() - For packets allocated from the Packet Pool. Calls RECYCLE_PACKET(p) 3) PacketFreeOrRelease() - Calls PacketFree() or PacketPoolReturnPacket() based on the PKT_ALLOC flag. Having these functions removes the need to check the PKT_ALLOC flag when releasing a packet in most cases, since the ReleasePacket function encodes how the Packet was allocated. The PKT_ALLOC flag is still set and is needed when AF Packet releases a packet, since it replaces the ReleasePacket function pointer with its own function and then calls PacketFreeOfRelease(), which uses the PKT_ALLOC flag.
12 years ago
}
void AFPReleasePacket(Packet *p)
{
AFPReleaseDataFromRing(p);
PacketFreeOrRelease(p);
capture: add data release mechanism This patch adds a data release mechanism. If the capture module has a call to indicate that userland has finished with the data, it is possible to use this system. The data will then be released when the treatment of the packet is finished. To do so the Packet structure has been modified: + TmEcode (*ReleaseData)(ThreadVars *, struct Packet_ *); If ReleaseData is null, the function is called when the treatment of the Packet is finished. Thus it is sufficient for the capture module to code a function wrapping the data release mechanism and to assign it to ReleaseData field. This patch also includes an implementation of this mechanism for AF_PACKET.
13 years ago
}
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
/**
* \brief AF packet read function for ring
*
* This function fills
* From here the packets are picked up by the DecodeAFP thread.
*
* \param user pointer to AFPThreadVars
* \retval TM_ECODE_FAILED on failure and TM_ECODE_OK on success
*/
int AFPReadFromRing(AFPThreadVars *ptv)
{
Packet *p = NULL;
union thdr h;
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
struct sockaddr_ll *from;
af-packet: add optional emergency mode Flush all waiting packets to be in sync with kernel when drop occurs. This mode can be activated by setting use-emergency-flush to yes in the interface configuration.
13 years ago
uint8_t emergency_flush = 0;
af-packet: fix kernel offset issue It seems that, in some case, there is a read waiting but the offset in the ring buffer is not correct and Suricata need to walk the ring to find the correct place and make the read.
13 years ago
int read_pkts = 0;
af-packet: fix possible infinite loop. If no packet arrives to a capture thread, it is possible that the AFPReadLoop() function goes into an infinite loop. This could cause suricata to hang at exit on non busy system. This patch adds a counter to detect when Suricata start looping in the ring to stop when it reaches this point.
13 years ago
int loop_start = -1;
af-packet: fix kernel offset issue It seems that, in some case, there is a read waiting but the offset in the ring buffer is not correct and Suricata need to walk the ring to find the correct place and make the read.
13 years ago
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
af-packet: loop on ring if there is data to read. This patch should bring some improvements by looping on the ring when there is some data available instead of getting back to the poll. It also fix recovery in case of drops on the ring because the poll command will not return correctly in this case.
13 years ago
/* Loop till we have packets available */
while (1) {
fix for 653. break out of afp readring loop if shutdown is initiated.
13 years ago
if (unlikely(suricata_ctl_flags != 0)) {
break;
}
af-packet: loop on ring if there is data to read. This patch should bring some improvements by looping on the ring when there is some data available instead of getting back to the poll. It also fix recovery in case of drops on the ring because the poll command will not return correctly in this case.
13 years ago
/* Read packet from ring */
h.raw = (((union thdr **)ptv->frame_buf)[ptv->frame_offset]);
if (h.raw == NULL) {
af-packet: Implement zero copy This patch adds support for zero copy to AF_PACKET running mode. This requires to use the 'worker' mode which is the only one where the threading architecture is simple enough to permit this without heavy modification.
14 years ago
SCReturnInt(AFP_FAILURE);
}
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
af-packet: fix problem introduced in recent commit Logic of patch 98e4a14f6d59fe8928fd6e2af3d9c3e8b42d00bf was correct but implementation is wrong because TP_STATUS_KERNEL is equal to zero and thus can not be evaluated in a binary operation. This patch updates the logic by doing two tests. Reported-by: Alessandro Guido
12 years ago
if ((! h.h2->tp_status) || (h.h2->tp_status & TP_STATUS_USER_BUSY)) {
af-packet: fix kernel offset issue It seems that, in some case, there is a read waiting but the offset in the ring buffer is not correct and Suricata need to walk the ring to find the correct place and make the read.
13 years ago
if (read_pkts == 0) {
af-packet: fix possible infinite loop. If no packet arrives to a capture thread, it is possible that the AFPReadLoop() function goes into an infinite loop. This could cause suricata to hang at exit on non busy system. This patch adds a counter to detect when Suricata start looping in the ring to stop when it reaches this point.
13 years ago
if (loop_start == -1) {
loop_start = ptv->frame_offset;
} else if (unlikely(loop_start == (int)ptv->frame_offset)) {
SCReturnInt(AFP_READ_OK);
}
if (++ptv->frame_offset >= ptv->req.tp_frame_nr) {
ptv->frame_offset = 0;
}
continue;
af-packet: fix kernel offset issue It seems that, in some case, there is a read waiting but the offset in the ring buffer is not correct and Suricata need to walk the ring to find the correct place and make the read.
13 years ago
}
af-packet: add optional emergency mode Flush all waiting packets to be in sync with kernel when drop occurs. This mode can be activated by setting use-emergency-flush to yes in the interface configuration.
13 years ago
if ((emergency_flush) && (ptv->flags & AFP_EMERGENCY_MODE)) {
SCReturnInt(AFP_KERNEL_DROP);
} else {
SCReturnInt(AFP_READ_OK);
}
}
af-packet: fix kernel offset issue It seems that, in some case, there is a read waiting but the offset in the ring buffer is not correct and Suricata need to walk the ring to find the correct place and make the read.
13 years ago
read_pkts++;
af-packet: fix possible infinite loop. If no packet arrives to a capture thread, it is possible that the AFPReadLoop() function goes into an infinite loop. This could cause suricata to hang at exit on non busy system. This patch adds a counter to detect when Suricata start looping in the ring to stop when it reaches this point.
13 years ago
loop_start = -1;
af-packet: fix kernel offset issue It seems that, in some case, there is a read waiting but the offset in the ring buffer is not correct and Suricata need to walk the ring to find the correct place and make the read.
13 years ago
af-packet: fix looping in ring buffer. A crash can occurs in the following conditions: * Suricata running in other mode than "workers" * Kernel fill in the ring buffer Under this conditions, it is possible that the capture thread reads a packet that has not yet released by one of the treatment threads because there is no modification done on the ring buffer entry when a packet is read. Doing, this it access to memory which can be released to the kernel and modified. This results in a kind of memory corruption. This bug has only been seen recently and this has to be linked with the read speed improvement recently made in AF_PACKET support. The patch fixes the issue by modifying the tp_status bitmask in the ring buffer. It sets the TP_STATUS_USER_BUSY flag when it is confirmed that the packet will be treated. And at the start of the read, it exits from the reading loop (returning to poll) when it reaches a packet with the flag set. As tp_status is set to 0 during packet release the flag is destroyed when releasing the packet. Regarding concurrency, we've got a sequence of modification. The capture thread read the packet and set the flag, then it passes the queue and the packet get processed by other threads. The change on tp_status are thus made at different time. Regarding the value of the flag, the patch uses the last bit of tp_status to avoid be impacting by a change in kernel. I will propose a patch to have TP_STATUS_USER_BUSY included in kernel as this is a generic issue for multithreading application using AF_PACKET mechanism.
13 years ago
/* Our packet is still used by suricata, we exit read loop to
* gain some time */
if (h.h2->tp_status & TP_STATUS_USER_BUSY) {
SCReturnInt(AFP_READ_OK);
}
af-packet: add optional emergency mode Flush all waiting packets to be in sync with kernel when drop occurs. This mode can be activated by setting use-emergency-flush to yes in the interface configuration.
13 years ago
if ((ptv->flags & AFP_EMERGENCY_MODE) && (emergency_flush == 1)) {
h.h2->tp_status = TP_STATUS_KERNEL;
goto next_frame;
af-packet: loop on ring if there is data to read. This patch should bring some improvements by looping on the ring when there is some data available instead of getting back to the poll. It also fix recovery in case of drops on the ring because the poll command will not return correctly in this case.
13 years ago
}
p = PacketGetFromQueueOrAlloc();
if (p == NULL) {
af-packet: Implement zero copy This patch adds support for zero copy to AF_PACKET running mode. This requires to use the 'worker' mode which is the only one where the threading architecture is simple enough to permit this without heavy modification.
14 years ago
SCReturnInt(AFP_FAILURE);
}
Add a packet src for every packet generated inside suricata.
13 years ago
PKT_SET_SRC(p, PKT_SRC_WIRE);
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
af-packet: fix looping in ring buffer. A crash can occurs in the following conditions: * Suricata running in other mode than "workers" * Kernel fill in the ring buffer Under this conditions, it is possible that the capture thread reads a packet that has not yet released by one of the treatment threads because there is no modification done on the ring buffer entry when a packet is read. Doing, this it access to memory which can be released to the kernel and modified. This results in a kind of memory corruption. This bug has only been seen recently and this has to be linked with the read speed improvement recently made in AF_PACKET support. The patch fixes the issue by modifying the tp_status bitmask in the ring buffer. It sets the TP_STATUS_USER_BUSY flag when it is confirmed that the packet will be treated. And at the start of the read, it exits from the reading loop (returning to poll) when it reaches a packet with the flag set. As tp_status is set to 0 during packet release the flag is destroyed when releasing the packet. Regarding concurrency, we've got a sequence of modification. The capture thread read the packet and set the flag, then it passes the queue and the packet get processed by other threads. The change on tp_status are thus made at different time. Regarding the value of the flag, the patch uses the last bit of tp_status to avoid be impacting by a change in kernel. I will propose a patch to have TP_STATUS_USER_BUSY included in kernel as this is a generic issue for multithreading application using AF_PACKET mechanism.
13 years ago
/* Suricata will treat packet so telling it is busy, this
* status will be reset to 0 (ie TP_STATUS_KERNEL) in the release
* function. */
h.h2->tp_status |= TP_STATUS_USER_BUSY;
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
from = (void *)h.raw + TPACKET_ALIGN(ptv->tp_hdrlen);
af-packet: loop on ring if there is data to read. This patch should bring some improvements by looping on the ring when there is some data available instead of getting back to the poll. It also fix recovery in case of drops on the ring because the poll command will not return correctly in this case.
13 years ago
ptv->pkts++;
ptv->bytes += h.h2->tp_len;
(void) SC_ATOMIC_ADD(ptv->livedev->pkts, 1);
p->livedev = ptv->livedev;
/* add forged header */
if (ptv->cooked) {
SllHdr * hdrp = (SllHdr *)ptv->data;
/* XXX this is minimalist, but this seems enough */
hdrp->sll_protocol = from->sll_protocol;
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
}
af-packet: loop on ring if there is data to read. This patch should bring some improvements by looping on the ring when there is some data available instead of getting back to the poll. It also fix recovery in case of drops on the ring because the poll command will not return correctly in this case.
13 years ago
p->datalink = ptv->datalink;
if (h.h2->tp_len > h.h2->tp_snaplen) {
SCLogDebug("Packet length (%d) > snaplen (%d), truncating",
h.h2->tp_len, h.h2->tp_snaplen);
}
if (ptv->flags & AFP_ZERO_COPY) {
if (PacketSetData(p, (unsigned char*)h.raw + h.h2->tp_mac, h.h2->tp_snaplen) == -1) {
TmqhOutputPacketpool(ptv->tv, p);
SCReturnInt(AFP_FAILURE);
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
} else {
af-packet: ring mode is not optionnal in AFPReadFromRing
13 years ago
p->afp_v.relptr = h.raw;
Replace ReleaseData function on Packet Structure with ReleasePacket. This commit allows handling Packets allocated by different methods. The ReleaseData function pointer in the Packet structure is replaced with ReleasePacket function pointer, which is then always called to release the memory associated with a Packet. Currently, the only usage of ReleaseData is in AF Packet. Previously ReleaseData was only called when it was not NULL. To implement the same functionality as before in AF Packet, a new function is defined in AF Packet to first call the AFP specific ReleaseData function and then releases the Packet structure. Three new general functions are defined for releasing packets in the default case: 1) PacketFree() - To release a packet alloced with SCMalloc() 2) PacketPoolReturnPacket() - For packets allocated from the Packet Pool. Calls RECYCLE_PACKET(p) 3) PacketFreeOrRelease() - Calls PacketFree() or PacketPoolReturnPacket() based on the PKT_ALLOC flag. Having these functions removes the need to check the PKT_ALLOC flag when releasing a packet in most cases, since the ReleasePacket function encodes how the Packet was allocated. The PKT_ALLOC flag is still set and is needed when AF Packet releases a packet, since it replaces the ReleasePacket function pointer with its own function and then calls PacketFreeOfRelease(), which uses the PKT_ALLOC flag.
12 years ago
p->ReleasePacket = AFPReleasePacket;
af-packet: little code cleaning This patch cleans the code were two almost identical treatment on the packet we're made. It may be linked by a merge error I've done or to a simple mistake on my side.
13 years ago
p->afp_v.mpeer = ptv->mpeer;
AFPRefSocket(ptv->mpeer);
af-packet: ring mode is not optionnal in AFPReadFromRing
13 years ago
p->afp_v.copy_mode = ptv->copy_mode;
if (p->afp_v.copy_mode != AFP_COPY_MODE_NONE) {
p->afp_v.peer = ptv->mpeer->peer;
} else {
p->afp_v.peer = NULL;
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
}
af-packet: loop on ring if there is data to read. This patch should bring some improvements by looping on the ring when there is some data available instead of getting back to the poll. It also fix recovery in case of drops on the ring because the poll command will not return correctly in this case.
13 years ago
}
} else {
if (PacketCopyData(p, (unsigned char*)h.raw + h.h2->tp_mac, h.h2->tp_snaplen) == -1) {
TmqhOutputPacketpool(ptv->tv, p);
SCReturnInt(AFP_FAILURE);
}
}
/* Timestamp */
p->ts.tv_sec = h.h2->tp_sec;
p->ts.tv_usec = h.h2->tp_nsec/1000;
SCLogDebug("pktlen: %" PRIu32 " (pkt %p, pkt data %p)",
GET_PKT_LEN(p), p, GET_PKT_DATA(p));
/* We only check for checksum disable */
if (ptv->checksum_mode == CHECKSUM_VALIDATION_DISABLE) {
p->flags |= PKT_IGNORE_CHECKSUM;
} else if (ptv->checksum_mode == CHECKSUM_VALIDATION_AUTO) {
if (ptv->livedev->ignore_checksum) {
p->flags |= PKT_IGNORE_CHECKSUM;
} else if (ChecksumAutoModeCheck(ptv->pkts,
SC_ATOMIC_GET(ptv->livedev->pkts),
SC_ATOMIC_GET(ptv->livedev->invalid_checksums))) {
ptv->livedev->ignore_checksum = 1;
p->flags |= PKT_IGNORE_CHECKSUM;
}
} else {
if (h.h2->tp_status & TP_STATUS_CSUMNOTREADY) {
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
p->flags |= PKT_IGNORE_CHECKSUM;
af-packet: loop on ring if there is data to read. This patch should bring some improvements by looping on the ring when there is some data available instead of getting back to the poll. It also fix recovery in case of drops on the ring because the poll command will not return correctly in this case.
13 years ago
}
af-packet: fix emergency mode This patch fixes emergency mode by setting the variable even if we have a non kernel checksum check. It also does a call to AFPDUmpCounters() as it seems to improve thing to do it ASAP.
13 years ago
}
if (h.h2->tp_status & TP_STATUS_LOSING) {
emergency_flush = 1;
af-packet: dump counter every seconds. This patch updates to kernel counters handling to be almost sure to update at least once per second.
13 years ago
AFPDumpCounters(ptv);
af-packet: loop on ring if there is data to read. This patch should bring some improvements by looping on the ring when there is some data available instead of getting back to the poll. It also fix recovery in case of drops on the ring because the poll command will not return correctly in this case.
13 years ago
}
af-packet: little code cleaning This patch cleans the code were two almost identical treatment on the packet we're made. It may be linked by a merge error I've done or to a simple mistake on my side.
13 years ago
/* release frame if not in zero copy mode */
if (!(ptv->flags & AFP_ZERO_COPY)) {
h.h2->tp_status = TP_STATUS_KERNEL;
}
af-packet: loop on ring if there is data to read. This patch should bring some improvements by looping on the ring when there is some data available instead of getting back to the poll. It also fix recovery in case of drops on the ring because the poll command will not return correctly in this case.
13 years ago
if (TmThreadsSlotProcessPkt(ptv->tv, ptv->slot, p) != TM_ECODE_OK) {
h.h2->tp_status = TP_STATUS_KERNEL;
if (++ptv->frame_offset >= ptv->req.tp_frame_nr) {
ptv->frame_offset = 0;
}
TmqhOutputPacketpool(ptv->tv, p);
SCReturnInt(AFP_FAILURE);
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
}
af-packet: add optional emergency mode Flush all waiting packets to be in sync with kernel when drop occurs. This mode can be activated by setting use-emergency-flush to yes in the interface configuration.
13 years ago
next_frame:
af-packet: Implement zero copy This patch adds support for zero copy to AF_PACKET running mode. This requires to use the 'worker' mode which is the only one where the threading architecture is simple enough to permit this without heavy modification.
14 years ago
if (++ptv->frame_offset >= ptv->req.tp_frame_nr) {
ptv->frame_offset = 0;
af-packet: leave reading loop at each turn The idea of this patch is to be sure to leave the ring reading loop enough to be able to sync counters. This should fix #706.
13 years ago
/* Get out of loop to be sure we will reach maintenance tasks */
SCReturnInt(AFP_READ_OK);
af-packet: Implement zero copy This patch adds support for zero copy to AF_PACKET running mode. This requires to use the 'worker' mode which is the only one where the threading architecture is simple enough to permit this without heavy modification.
14 years ago
}
}
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
SCReturnInt(AFP_READ_OK);
}
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
/**
* \brief Reference socket
*
* \retval O in case of failure, 1 in case of success
*/
static int AFPRefSocket(AFPPeer* peer)
{
if (unlikely(peer == NULL))
return 0;
(void)SC_ATOMIC_ADD(peer->sock_usage, 1);
return 1;
}
/**
* \brief Dereference socket
*
* \retval 1 if socket is still alive, 0 if not
*/
static int AFPDerefSocket(AFPPeer* peer)
{
af-packet: add sanity check in free function
12 years ago
if (peer == NULL)
return 1;
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
if (SC_ATOMIC_SUB(peer->sock_usage, 1) == 0) {
if (SC_ATOMIC_GET(peer->state) == AFP_STATE_DOWN) {
SCLogInfo("Cleaning socket connected to '%s'", peer->iface);
close(SC_ATOMIC_GET(peer->socket));
return 0;
}
}
return 1;
}
void AFPSwitchState(AFPThreadVars *ptv, int state)
{
ptv->afp_state = state;
ptv->down_count = 0;
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
AFPPeerUpdate(ptv);
/* Do cleaning if switching to down state */
if (state == AFP_STATE_DOWN) {
if (ptv->frame_buf) {
/* only used in reading phase, we can free it */
SCFree(ptv->frame_buf);
ptv->frame_buf = NULL;
}
if (ptv->socket != -1) {
/* we need to wait for all packets to return data */
if (SC_ATOMIC_SUB(ptv->mpeer->sock_usage, 1) == 0) {
SCLogInfo("Cleaning socket connected to '%s'", ptv->iface);
close(ptv->socket);
ptv->socket = -1;
}
}
}
if (state == AFP_STATE_UP) {
(void)SC_ATOMIC_SET(ptv->mpeer->sock_usage, 1);
}
}
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
/**
* \brief Try to reopen socket
*
* \retval 0 in case of success, negative if error occurs or a condition
* is not met.
*/
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
static int AFPTryReopen(AFPThreadVars *ptv)
{
int afp_activate_r;
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
ptv->down_count++;
/* Don't reconnect till we have packet that did not release data */
if (SC_ATOMIC_GET(ptv->mpeer->sock_usage) != 0) {
return -1;
}
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
afp_activate_r = AFPCreateSocket(ptv, ptv->iface, 0);
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
if (afp_activate_r != 0) {
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
if (ptv->down_count % AFP_DOWN_COUNTER_INTERVAL == 0) {
SCLogWarning(SC_ERR_AFP_CREATE, "Can not open iface '%s'",
ptv->iface);
}
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
return afp_activate_r;
}
af-packet: improve logged messages.
13 years ago
SCLogInfo("Interface '%s' is back", ptv->iface);
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
return 0;
}
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
/**
* \brief Main AF_PACKET reading Loop function
*/
TmEcode ReceiveAFPLoop(ThreadVars *tv, void *data, void *slot)
{
rx TMs shouldn't return TM_ECODE_FAILED if engine is in shutdown mode + minor cleanup
13 years ago
SCEnter();
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
uint16_t packet_q_len = 0;
AFPThreadVars *ptv = (AFPThreadVars *)data;
struct pollfd fds;
int r;
rx TMs shouldn't return TM_ECODE_FAILED if engine is in shutdown mode + minor cleanup
13 years ago
TmSlot *s = (TmSlot *)slot;
af-packet: dump counter every seconds. This patch updates to kernel counters handling to be almost sure to update at least once per second.
13 years ago
time_t last_dump = 0;
struct timeval current_time;
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
rx TMs shouldn't return TM_ECODE_FAILED if engine is in shutdown mode + minor cleanup
13 years ago
ptv->slot = s->slot_next;
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
af-packet: implement late open This patch implements "late open". On high performance system, it is needed to create the AF_PACKET just before reading to avoid overflow. Socket creation has to be done with respect to the order of thread creation to respect affinity settings. This patch adds a counter to AFPPeer to be ale to synchronize the initial socket creation.
13 years ago
if (ptv->afp_state == AFP_STATE_DOWN) {
/* Wait for our turn, threads before us must have opened the socket */
while (AFPPeersListWaitTurn(ptv->mpeer)) {
usleep(1000);
}
r = AFPCreateSocket(ptv, ptv->iface, 1);
if (r < 0) {
SCLogError(SC_ERR_AFP_CREATE, "Couldn't init AF_PACKET socket");
}
AFPPeersListReachedInc();
}
if (ptv->afp_state == AFP_STATE_UP) {
SCLogInfo("Thread %s using socket %d", tv->name, ptv->socket);
}
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
fds.fd = ptv->socket;
fds.events = POLLIN;
while (1) {
/* Start by checking the state of our interface */
if (unlikely(ptv->afp_state == AFP_STATE_DOWN)) {
int dbreak = 0;
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
do {
usleep(AFP_RECONNECT_TIMEOUT);
if (suricata_ctl_flags != 0) {
dbreak = 1;
break;
}
r = AFPTryReopen(ptv);
af-packet: fix reconnect code Reconnect code was in a "work by luck" stage as we did not update the socket number after reconnect.
13 years ago
fds.fd = ptv->socket;
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
} while (r < 0);
if (dbreak == 1)
break;
}
/* make sure we have at least one packet in the packet pool, to prevent
* us from alloc'ing packets at line rate */
do {
packet_q_len = PacketPoolSize();
if (unlikely(packet_q_len == 0)) {
PacketPoolWait();
}
} while (packet_q_len == 0);
r = poll(&fds, 1, POLL_TIMEOUT);
if (suricata_ctl_flags != 0) {
break;
}
if (r > 0 &&
(fds.revents & (POLLHUP|POLLRDHUP|POLLERR|POLLNVAL))) {
if (fds.revents & (POLLHUP | POLLRDHUP)) {
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
AFPSwitchState(ptv, AFP_STATE_DOWN);
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
continue;
af-packet: switch to pcktacqloop API. This patch gets rid of the old API and brings some optimisation by reordering structure and optimisinf an error test.
14 years ago
} else if (fds.revents & POLLERR) {
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
char c;
/* Do a recv to get errno */
if (recv(ptv->socket, &c, sizeof c, MSG_PEEK) != -1)
continue; /* what, no error? */
af-packet: improve logged messages.
13 years ago
SCLogError(SC_ERR_AFP_READ,
"Error reading data from iface '%s': (%d" PRIu32 ") %s",
ptv->iface, errno, strerror(errno));
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
AFPSwitchState(ptv, AFP_STATE_DOWN);
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
continue;
af-packet: switch to pcktacqloop API. This patch gets rid of the old API and brings some optimisation by reordering structure and optimisinf an error test.
14 years ago
} else if (fds.revents & POLLNVAL) {
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
SCLogError(SC_ERR_AFP_READ, "Invalid polling request");
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
AFPSwitchState(ptv, AFP_STATE_DOWN);
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
continue;
}
} else if (r > 0) {
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
if (ptv->flags & AFP_RING_MODE) {
r = AFPReadFromRing(ptv);
} else {
/* AFPRead will call TmThreadsSlotProcessPkt on read packets */
r = AFPRead(ptv);
}
af-packet: fix reconnection on netdown error. AFPRead can fail following a NETDOWN error. This patch treat errors of AFPRead by forcing a reconnection (instead of exiting thread with error).
14 years ago
switch (r) {
case AFP_READ_FAILURE:
/* AFPRead in error: best to reset the socket */
af-packet: improve logged messages.
13 years ago
SCLogError(SC_ERR_AFP_READ,
"AFPRead error reading data from iface '%s': (%d" PRIu32 ") %s",
ptv->iface, errno, strerror(errno));
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
AFPSwitchState(ptv, AFP_STATE_DOWN);
af-packet: fix reconnection on netdown error. AFPRead can fail following a NETDOWN error. This patch treat errors of AFPRead by forcing a reconnection (instead of exiting thread with error).
14 years ago
continue;
case AFP_FAILURE:
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
AFPSwitchState(ptv, AFP_STATE_DOWN);
af-packet: fix reconnection on netdown error. AFPRead can fail following a NETDOWN error. This patch treat errors of AFPRead by forcing a reconnection (instead of exiting thread with error).
14 years ago
SCReturnInt(TM_ECODE_FAILED);
break;
case AFP_READ_OK:
af-packet: dump counter every seconds. This patch updates to kernel counters handling to be almost sure to update at least once per second.
13 years ago
/* Trigger one dump of stats every second */
TimeGet(&current_time);
if (current_time.tv_sec != last_dump) {
AFPDumpCounters(ptv);
last_dump = current_time.tv_sec;
}
af-packet: fix reconnection on netdown error. AFPRead can fail following a NETDOWN error. This patch treat errors of AFPRead by forcing a reconnection (instead of exiting thread with error).
14 years ago
break;
af-packet: add optional emergency mode Flush all waiting packets to be in sync with kernel when drop occurs. This mode can be activated by setting use-emergency-flush to yes in the interface configuration.
13 years ago
case AFP_KERNEL_DROP:
af-packet: dump counter every seconds. This patch updates to kernel counters handling to be almost sure to update at least once per second.
13 years ago
AFPDumpCounters(ptv);
af-packet: add optional emergency mode Flush all waiting packets to be in sync with kernel when drop occurs. This mode can be activated by setting use-emergency-flush to yes in the interface configuration.
13 years ago
break;
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
}
} else if ((r < 0) && (errno != EINTR)) {
af-packet: improve logged messages.
13 years ago
SCLogError(SC_ERR_AFP_READ, "Error reading data from iface '%s': (%d" PRIu32 ") %s",
ptv->iface,
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
errno, strerror(errno));
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
AFPSwitchState(ptv, AFP_STATE_DOWN);
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
continue;
}
Counters: more unused code removal
12 years ago
SCPerfSyncCountersIfSignalled(tv);
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
}
SCReturnInt(TM_ECODE_OK);
}
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
static int AFPGetDevFlags(int fd, const char *ifname)
{
struct ifreq ifr;
memset(&ifr, 0, sizeof(ifr));
strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
if (ioctl(fd, SIOCGIFFLAGS, &ifr) == -1) {
SCLogError(SC_ERR_AFP_CREATE, "Unable to find type for iface \"%s\": %s",
ifname, strerror(errno));
return -1;
}
return ifr.ifr_flags;
}
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
static int AFPGetIfnumByDev(int fd, const char *ifname, int verbose)
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
{
struct ifreq ifr;
memset(&ifr, 0, sizeof(ifr));
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) {
if (verbose)
SCLogError(SC_ERR_AFP_CREATE, "Unable to find iface %s: %s",
ifname, strerror(errno));
return -1;
}
return ifr.ifr_ifindex;
}
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
static int AFPGetDevLinktype(int fd, const char *ifname)
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
{
struct ifreq ifr;
memset(&ifr, 0, sizeof(ifr));
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) {
SCLogError(SC_ERR_AFP_CREATE, "Unable to find type for iface \"%s\": %s",
ifname, strerror(errno));
return -1;
}
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
switch (ifr.ifr_hwaddr.sa_family) {
case ARPHRD_LOOPBACK:
return LINKTYPE_ETHERNET;
case ARPHRD_PPP:
return LINKTYPE_RAW;
default:
return ifr.ifr_hwaddr.sa_family;
}
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
}
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
static int AFPComputeRingParams(AFPThreadVars *ptv, int order)
{
/* Compute structure:
Target is to store all pending packets
with a size equal to MTU + auxdata
And we keep a decent number of block
To do so:
Compute frame_size (aligned to be able to fit in block
Check which block size we need. Blocksize is a 2^n * pagesize
We then need to get order, big enough to have
frame_size < block size
Find number of frame per block (divide)
Fill in packet_req
Compute frame size:
described in packet_mmap.txt
dependant on snaplen (need to use a variable ?)
snaplen: MTU ?
tp_hdrlen determine_version in daq_afpacket
in V1: sizeof(struct tpacket_hdr);
in V2: val in getsockopt(instance->fd, SOL_PACKET, PACKET_HDRLEN, &val, &len)
frame size: TPACKET_ALIGN(snaplen + TPACKET_ALIGN(TPACKET_ALIGN(tp_hdrlen) + sizeof(struct sockaddr_ll) + ETH_HLEN) - ETH_HLEN);
*/
int tp_hdrlen = sizeof(struct tpacket_hdr);
int snaplen = default_packet_size;
ptv->req.tp_frame_size = TPACKET_ALIGN(snaplen +TPACKET_ALIGN(TPACKET_ALIGN(tp_hdrlen) + sizeof(struct sockaddr_ll) + ETH_HLEN) - ETH_HLEN);
ptv->req.tp_block_size = getpagesize() << order;
int frames_per_block = ptv->req.tp_block_size / ptv->req.tp_frame_size;
if (frames_per_block == 0) {
SCLogInfo("frame size to big");
return -1;
}
af-packet: improve mmaped running mode. The mmaped mode was using a too small ring buffer size which was not able to handle burst of packets coming from the network. This may explain the important packet loss rate observed by Edward Fjellskål. This patch increases the default value and adds a ring-size variable which can be used to manually tune the value.
13 years ago
ptv->req.tp_frame_nr = ptv->ring_size;
af_packet: misc improvements. Improve block count and only copy snaplen length to avoid overflow.
13 years ago
ptv->req.tp_block_nr = ptv->req.tp_frame_nr / frames_per_block + 1;
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
/* exact division */
ptv->req.tp_frame_nr = ptv->req.tp_block_nr * frames_per_block;
SCLogInfo("AF_PACKET RX Ring params: block_size=%d block_nr=%d frame_size=%d frame_nr=%d",
ptv->req.tp_block_size, ptv->req.tp_block_nr,
ptv->req.tp_frame_size, ptv->req.tp_frame_nr);
return 1;
}
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
static int AFPCreateSocket(AFPThreadVars *ptv, char *devname, int verbose)
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
{
int r;
struct packet_mreq sock_params;
struct sockaddr_ll bind_address;
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
int order;
unsigned int i;
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
int if_idx;
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
/* open socket */
ptv->socket = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
if (ptv->socket == -1) {
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
SCLogError(SC_ERR_AFP_CREATE, "Couldn't create a AF_PACKET socket, error %s", strerror(errno));
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
goto error;
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
}
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
if_idx = AFPGetIfnumByDev(ptv->socket, devname, verbose);
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
/* bind socket */
memset(&bind_address, 0, sizeof(bind_address));
bind_address.sll_family = AF_PACKET;
bind_address.sll_protocol = htons(ETH_P_ALL);
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
bind_address.sll_ifindex = if_idx;
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
if (bind_address.sll_ifindex == -1) {
if (verbose)
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
SCLogError(SC_ERR_AFP_CREATE, "Couldn't find iface %s", devname);
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
goto socket_err;
}
if (ptv->promisc != 0) {
/* Force promiscuous mode */
memset(&sock_params, 0, sizeof(sock_params));
sock_params.mr_type = PACKET_MR_PROMISC;
sock_params.mr_ifindex = bind_address.sll_ifindex;
r = setsockopt(ptv->socket, SOL_PACKET, PACKET_ADD_MEMBERSHIP,(void *)&sock_params, sizeof(sock_params));
if (r < 0) {
SCLogError(SC_ERR_AFP_CREATE,
"Couldn't switch iface %s to promiscuous, error %s",
devname, strerror(errno));
goto frame_err;
}
}
if (ptv->checksum_mode == CHECKSUM_VALIDATION_KERNEL) {
int val = 1;
if (setsockopt(ptv->socket, SOL_PACKET, PACKET_AUXDATA, &val,
sizeof(val)) == -1 && errno != ENOPROTOOPT) {
SCLogWarning(SC_ERR_NO_AF_PACKET,
"'kernel' checksum mode not supported, failling back to full mode.");
ptv->checksum_mode = CHECKSUM_VALIDATION_ENABLE;
}
}
/* set socket recv buffer size */
if (ptv->buffer_size != 0) {
/*
* Set the socket buffer size to the specified value.
*/
SCLogInfo("Setting AF_PACKET socket buffer to %d", ptv->buffer_size);
if (setsockopt(ptv->socket, SOL_SOCKET, SO_RCVBUF,
&ptv->buffer_size,
sizeof(ptv->buffer_size)) == -1) {
SCLogError(SC_ERR_AFP_CREATE,
"Couldn't set buffer size to %d on iface %s, error %s",
ptv->buffer_size, devname, strerror(errno));
goto frame_err;
}
}
r = bind(ptv->socket, (struct sockaddr *)&bind_address, sizeof(bind_address));
if (r < 0) {
if (verbose) {
if (errno == ENETDOWN) {
SCLogError(SC_ERR_AFP_CREATE,
"Couldn't bind AF_PACKET socket, iface %s is down",
devname);
} else {
SCLogError(SC_ERR_AFP_CREATE,
"Couldn't bind AF_PACKET socket to iface %s, error %s",
devname, strerror(errno));
}
}
goto frame_err;
}
int if_flags = AFPGetDevFlags(ptv->socket, ptv->iface);
if (if_flags == -1) {
if (verbose) {
SCLogError(SC_ERR_AFP_READ,
"Can not acces to interface '%s'",
ptv->iface);
}
goto frame_err;
}
if ((if_flags & IFF_UP) == 0) {
if (verbose) {
SCLogError(SC_ERR_AFP_READ,
"Interface '%s' is down",
ptv->iface);
}
goto frame_err;
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
}
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
if (ptv->flags & AFP_RING_MODE) {
int val = TPACKET_V2;
unsigned int len = sizeof(val);
if (getsockopt(ptv->socket, SOL_PACKET, PACKET_HDRLEN, &val, &len) < 0) {
if (errno == ENOPROTOOPT) {
SCLogError(SC_ERR_AFP_CREATE,
"Too old kernel giving up (need 2.6.27 at least)");
}
SCLogError(SC_ERR_AFP_CREATE, "Error when retrieving packet header len");
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
goto socket_err;
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
}
ptv->tp_hdrlen = val;
val = TPACKET_V2;
if (setsockopt(ptv->socket, SOL_PACKET, PACKET_VERSION, &val,
sizeof(val)) < 0) {
SCLogError(SC_ERR_AFP_CREATE,
"Can't activate TPACKET_V2 on packet socket: %s",
strerror(errno));
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
goto socket_err;
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
}
af-packet: add warning message if LRO or GRO are set This patch query the network interface to detect if LRO or GRO are used in mmap TPACKET_V2 mode.
12 years ago
if (GetIfaceOffloading(devname) == 1) {
SCLogWarning(SC_ERR_AFP_CREATE,
"Using mmap mode with GRO or LRO activated can lead to capture problems");
}
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
/* Allocate RX ring */
#define DEFAULT_ORDER 3
for (order = DEFAULT_ORDER; order >= 0; order--) {
if (AFPComputeRingParams(ptv, order) != 1) {
SCLogInfo("Ring parameter are incorrect. Please correct the devel");
}
r = setsockopt(ptv->socket, SOL_PACKET, PACKET_RX_RING, (void *) &ptv->req, sizeof(ptv->req));
if (r < 0) {
if (errno == ENOMEM) {
SCLogInfo("Memory issue with ring parameters. Retrying.");
continue;
}
SCLogError(SC_ERR_MEM_ALLOC,
"Unable to allocate RX Ring for iface %s: (%d) %s",
devname,
errno,
strerror(errno));
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
goto socket_err;
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
} else {
break;
}
}
if (order < 0) {
SCLogError(SC_ERR_MEM_ALLOC,
"Unable to allocate RX Ring for iface %s (order 0 failed)",
devname);
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
goto socket_err;
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
}
/* Allocate the Ring */
ptv->ring_buflen = ptv->req.tp_block_nr * ptv->req.tp_block_size;
ptv->ring_buf = mmap(0, ptv->ring_buflen, PROT_READ|PROT_WRITE,
MAP_SHARED, ptv->socket, 0);
if (ptv->ring_buf == MAP_FAILED) {
SCLogError(SC_ERR_MEM_ALLOC, "Unable to mmap");
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
goto socket_err;
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
}
/* allocate a ring for each frame header pointer*/
ptv->frame_buf = SCMalloc(ptv->req.tp_frame_nr * sizeof (union thdr *));
if (ptv->frame_buf == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Unable to allocate frame buf");
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
goto mmap_err;
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
}
memset(ptv->frame_buf, 0, ptv->req.tp_frame_nr * sizeof (union thdr *));
/* fill the header ring with proper frame ptr*/
ptv->frame_offset = 0;
for (i = 0; i < ptv->req.tp_block_nr; ++i) {
void *base = &ptv->ring_buf[i * ptv->req.tp_block_size];
unsigned int j;
for (j = 0; j < ptv->req.tp_block_size / ptv->req.tp_frame_size; ++j, ++ptv->frame_offset) {
(((union thdr **)ptv->frame_buf)[ptv->frame_offset]) = base;
base += ptv->req.tp_frame_size;
}
}
ptv->frame_offset = 0;
}
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
SCLogInfo("Using interface '%s' via socket %d", (char *)devname, ptv->socket);
af-packet: reorder socket operation. This patch moves raw socket binding at the end of init code to avoid to have a flow of packets reaching the socket before we start to read them. The socket creation is now made in the loop function to avoid any timing issue between init function and the call of the loop.
13 years ago
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
#ifdef HAVE_PACKET_FANOUT
/* add binded socket to fanout group */
af-packet: multi interface support This patch adds multi interface support to AF_PACKET. A structure is used at thread creation to give all needed information to the input module. Parsing of the options is done in runmode preparation through a dedicated function which return the configuration in a structure usable by thread creation.
14 years ago
if (ptv->threads > 1) {
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
uint32_t option = 0;
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
uint16_t mode = ptv->cluster_type;
uint16_t id = ptv->cluster_id;
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
option = (mode << 16) | (id & 0xffff);
r = setsockopt(ptv->socket, SOL_PACKET, PACKET_FANOUT,(void *)&option, sizeof(option));
if (r < 0) {
SCLogError(SC_ERR_AFP_CREATE,
"Coudn't set fanout mode, error %s",
strerror(errno));
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
goto frame_err;
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
}
}
#endif
af-packet: get datalink for each socket creation. This patch will allow us to use the datalink when computing the filter. It also fixes a potential issue where an interface data type change after the interface if going down/up.
13 years ago
ptv->datalink = AFPGetDevLinktype(ptv->socket, ptv->iface);
switch (ptv->datalink) {
case ARPHRD_PPP:
case ARPHRD_ATM:
ptv->cooked = 1;
Add a /* fall through */ comment for all switch case fall throughs. This should server as a message to coverity that the fall through is intentional.
12 years ago
break;
af-packet: get datalink for each socket creation. This patch will allow us to use the datalink when computing the filter. It also fixes a potential issue where an interface data type change after the interface if going down/up.
13 years ago
}
af-packet: add support for BPF filter. This patch adds support for BPF in AF_PACKET running mode. The command line syntax is the same as the one used of PF_RING. The method is the same too: The pcap_compile__nopcap() function is used to build the BPF filter. It is then injected into the kernel with a setsockopt() call. If the adding of the BPF fail, suricata exit.
13 years ago
TmEcode rc;
rc = AFPSetBPFFilter(ptv);
if (rc == TM_ECODE_FAILED) {
SCLogError(SC_ERR_AFP_CREATE, "Set AF_PACKET bpf filter \"%s\" failed.", ptv->bpf_filter);
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
goto frame_err;
af-packet: add support for BPF filter. This patch adds support for BPF in AF_PACKET running mode. The command line syntax is the same as the one used of PF_RING. The method is the same too: The pcap_compile__nopcap() function is used to build the BPF filter. It is then injected into the kernel with a setsockopt() call. If the adding of the BPF fail, suricata exit.
13 years ago
}
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
/* Init is ok */
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
AFPSwitchState(ptv, AFP_STATE_UP);
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
return 0;
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
frame_err:
if (ptv->frame_buf)
SCFree(ptv->frame_buf);
mmap_err:
/* Packet mmap does the cleaning when socket is closed */
socket_err:
close(ptv->socket);
ptv->socket = -1;
error:
return -1;
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
}
af-packet: add support for BPF filter. This patch adds support for BPF in AF_PACKET running mode. The command line syntax is the same as the one used of PF_RING. The method is the same too: The pcap_compile__nopcap() function is used to build the BPF filter. It is then injected into the kernel with a setsockopt() call. If the adding of the BPF fail, suricata exit.
13 years ago
TmEcode AFPSetBPFFilter(AFPThreadVars *ptv)
{
struct bpf_program filter;
struct sock_fprog fcode;
int rc;
if (!ptv->bpf_filter)
return TM_ECODE_OK;
SCMutexLock(&afpacket_bpf_set_filter_lock);
SCLogInfo("Using BPF '%s' on iface '%s'",
ptv->bpf_filter,
ptv->iface);
if (pcap_compile_nopcap(default_packet_size, /* snaplen_arg */
ptv->datalink, /* linktype_arg */
&filter, /* program */
ptv->bpf_filter, /* const char *buf */
0, /* optimize */
0 /* mask */
) == -1) {
SCLogError(SC_ERR_AFP_CREATE, "Filter compilation failed.");
SCMutexUnlock(&afpacket_bpf_set_filter_lock);
return TM_ECODE_FAILED;
}
SCMutexUnlock(&afpacket_bpf_set_filter_lock);
if (filter.bf_insns == NULL) {
SCLogError(SC_ERR_AFP_CREATE, "Filter badly setup.");
return TM_ECODE_FAILED;
}
fcode.len = filter.bf_len;
fcode.filter = (struct sock_filter*)filter.bf_insns;
rc = setsockopt(ptv->socket, SOL_SOCKET, SO_ATTACH_FILTER, &fcode, sizeof(fcode));
if(rc == -1) {
SCLogError(SC_ERR_AFP_CREATE, "Failed to attach filter: %s", strerror(errno));
return TM_ECODE_FAILED;
}
SCMutexUnlock(&afpacket_bpf_set_filter_lock);
return TM_ECODE_OK;
}
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
/**
* \brief Init function for ReceiveAFP.
*
* \param tv pointer to ThreadVars
* \param initdata pointer to the interface passed from the user
* \param data pointer gets populated with AFPThreadVars
*
* \todo Create a general AFP setup function.
*/
TmEcode ReceiveAFPThreadInit(ThreadVars *tv, void *initdata, void **data) {
SCEnter();
af-packet: multi interface support This patch adds multi interface support to AF_PACKET. A structure is used at thread creation to give all needed information to the input module. Parsing of the options is done in runmode preparation through a dedicated function which return the configuration in a structure usable by thread creation.
14 years ago
AFPIfaceConfig *afpconfig = initdata;
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
if (initdata == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "initdata == NULL");
SCReturnInt(TM_ECODE_FAILED);
}
AFPThreadVars *ptv = SCMalloc(sizeof(AFPThreadVars));
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(ptv == NULL)) {
runmode: introduce configuration dereferencing. A devide configuration can be used by multiple threads. It is thus necessary to wait that all threads stop using the configuration before freeing it. This patch introduces an atomic counter and a free function which has to be called by each thread when it will not use anymore the structure. If the configuration is not used anymore, it is freed by the free function.
14 years ago
afpconfig->DerefFunc(afpconfig);
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
SCReturnInt(TM_ECODE_FAILED);
runmode: introduce configuration dereferencing. A devide configuration can be used by multiple threads. It is thus necessary to wait that all threads stop using the configuration before freeing it. This patch introduces an atomic counter and a free function which has to be called by each thread when it will not use anymore the structure. If the configuration is not used anymore, it is freed by the free function.
14 years ago
}
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
memset(ptv, 0, sizeof(AFPThreadVars));
ptv->tv = tv;
ptv->cooked = 0;
af-packet: multi interface support This patch adds multi interface support to AF_PACKET. A structure is used at thread creation to give all needed information to the input module. Parsing of the options is done in runmode preparation through a dedicated function which return the configuration in a structure usable by thread creation.
14 years ago
strlcpy(ptv->iface, afpconfig->iface, AFP_IFACE_NAME_LENGTH);
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
ptv->iface[AFP_IFACE_NAME_LENGTH - 1]= '\0';
af-packet: auto mode support
14 years ago
ptv->livedev = LiveGetDevice(ptv->iface);
if (ptv->livedev == NULL) {
SCLogError(SC_ERR_INVALID_VALUE, "Unable to find Live device");
Various improvements to error handling found by Coverity.
14 years ago
SCFree(ptv);
af-packet: auto mode support
14 years ago
SCReturnInt(TM_ECODE_FAILED);
}
af-packet: multi interface support This patch adds multi interface support to AF_PACKET. A structure is used at thread creation to give all needed information to the input module. Parsing of the options is done in runmode preparation through a dedicated function which return the configuration in a structure usable by thread creation.
14 years ago
ptv->buffer_size = afpconfig->buffer_size;
af-packet: improve mmaped running mode. The mmaped mode was using a too small ring buffer size which was not able to handle burst of packets coming from the network. This may explain the important packet loss rate observed by Edward Fjellskål. This patch increases the default value and adds a ring-size variable which can be used to manually tune the value.
13 years ago
ptv->ring_size = afpconfig->ring_size;
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
af-packet: Add option to disable promiscuous mode This patch adds an option to suricata.yaml to be able to disable the switch of the interface into promiscuous mode.
14 years ago
ptv->promisc = afpconfig->promisc;
af-packet: add support for checksum verif mode This patch adds support for checksum verification mode. Auto mode is not yet supported.
14 years ago
ptv->checksum_mode = afpconfig->checksum_mode;
af-packet: use counter for drop and accept This patch adds counters for kernel drops and accepts to af-packet capture module. This information are periodically displayed in stats.log: capture.kernel_packets | RxAFP1 | 1792 capture.kernel_drops | RxAFP1 | 0 The statistic is fetch via a setsockopt call every 255 packets.
13 years ago
ptv->bpf_filter = NULL;
af-packet: Add option to disable promiscuous mode This patch adds an option to suricata.yaml to be able to disable the switch of the interface into promiscuous mode.
14 years ago
af-packet: multi interface support This patch adds multi interface support to AF_PACKET. A structure is used at thread creation to give all needed information to the input module. Parsing of the options is done in runmode preparation through a dedicated function which return the configuration in a structure usable by thread creation.
14 years ago
ptv->threads = 1;
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
#ifdef HAVE_PACKET_FANOUT
ptv->cluster_type = PACKET_FANOUT_LB;
ptv->cluster_id = 1;
/* We only set cluster info if the number of reader threads is greater than 1 */
af-packet: multi interface support This patch adds multi interface support to AF_PACKET. A structure is used at thread creation to give all needed information to the input module. Parsing of the options is done in runmode preparation through a dedicated function which return the configuration in a structure usable by thread creation.
14 years ago
if (afpconfig->threads > 1) {
ptv->cluster_id = afpconfig->cluster_id;
ptv->cluster_type = afpconfig->cluster_type;
ptv->threads = afpconfig->threads;
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
}
#endif
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
14 years ago
ptv->flags = afpconfig->flags;
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
af-packet: add support for BPF filter. This patch adds support for BPF in AF_PACKET running mode. The command line syntax is the same as the one used of PF_RING. The method is the same too: The pcap_compile__nopcap() function is used to build the BPF filter. It is then injected into the kernel with a setsockopt() call. If the adding of the BPF fail, suricata exit.
13 years ago
if (afpconfig->bpf_filter) {
ptv->bpf_filter = afpconfig->bpf_filter;
}
af-packet: use counter for drop and accept This patch adds counters for kernel drops and accepts to af-packet capture module. This information are periodically displayed in stats.log: capture.kernel_packets | RxAFP1 | 1792 capture.kernel_drops | RxAFP1 | 0 The statistic is fetch via a setsockopt call every 255 packets.
13 years ago
#ifdef PACKET_STATISTICS
ptv->capture_kernel_packets = SCPerfTVRegisterCounter("capture.kernel_packets",
ptv->tv,
SC_PERF_TYPE_UINT64,
"NULL");
ptv->capture_kernel_drops = SCPerfTVRegisterCounter("capture.kernel_drops",
ptv->tv,
SC_PERF_TYPE_UINT64,
"NULL");
#endif
af-packet: Implement zero copy This patch adds support for zero copy to AF_PACKET running mode. This requires to use the 'worker' mode which is the only one where the threading architecture is simple enough to permit this without heavy modification.
14 years ago
char *active_runmode = RunmodeGetActive();
if (active_runmode && !strcmp("workers", active_runmode)) {
ptv->flags |= AFP_ZERO_COPY;
SCLogInfo("Enabling zero copy mode");
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
} else {
/* If we are using copy mode we need a lock */
ptv->flags |= AFP_SOCK_PROTECT;
af-packet: Implement zero copy This patch adds support for zero copy to AF_PACKET running mode. This requires to use the 'worker' mode which is the only one where the threading architecture is simple enough to permit this without heavy modification.
14 years ago
}
capture: add data release mechanism This patch adds a data release mechanism. If the capture module has a call to indicate that userland has finished with the data, it is possible to use this system. The data will then be released when the treatment of the packet is finished. To do so the Packet structure has been modified: + TmEcode (*ReleaseData)(ThreadVars *, struct Packet_ *); If ReleaseData is null, the function is called when the treatment of the Packet is finished. Thus it is sufficient for the capture module to code a function wrapping the data release mechanism and to assign it to ReleaseData field. This patch also includes an implementation of this mechanism for AF_PACKET.
13 years ago
/* If we are in RING mode, then we can use ZERO copy
* by using the data release mechanism */
if (ptv->flags & AFP_RING_MODE) {
ptv->flags |= AFP_ZERO_COPY;
SCLogInfo("Enabling zero copy mode by using data release call");
}
af-packet: Implement zero copy This patch adds support for zero copy to AF_PACKET running mode. This requires to use the 'worker' mode which is the only one where the threading architecture is simple enough to permit this without heavy modification.
14 years ago
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
ptv->copy_mode = afpconfig->copy_mode;
if (ptv->copy_mode != AFP_COPY_MODE_NONE) {
strlcpy(ptv->out_iface, afpconfig->out_iface, AFP_IFACE_NAME_LENGTH);
ptv->out_iface[AFP_IFACE_NAME_LENGTH - 1]= '\0';
af-packet: warn about BPF filter consequence in IPS mode This patch add a message to warn user about the impact of using a BPF filter in IPS mode.
12 years ago
/* Warn about BPF filter consequence */
if (ptv->bpf_filter) {
SCLogWarning(SC_WARN_UNCOMMON, "Enabling a BPF filter in IPS mode result"
" in dropping all non matching packets.");
}
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
}
af-packet: get datalink for each socket creation. This patch will allow us to use the datalink when computing the filter. It also fixes a potential issue where an interface data type change after the interface if going down/up.
13 years ago
af-packet: warn about BPF filter consequence in IPS mode This patch add a message to warn user about the impact of using a BPF filter in IPS mode.
12 years ago
af-packet: fix IPS mode There was an inversion in code resulting as all sockets being seen as non IPS mode when doing the peering. This resulted in a crash at first packet because it has no peer.
13 years ago
if (AFPPeersListAdd(ptv) == TM_ECODE_FAILED) {
SCFree(ptv);
afpconfig->DerefFunc(afpconfig);
SCReturnInt(TM_ECODE_FAILED);
}
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
#define T_DATA_SIZE 70000
ptv->data = SCMalloc(T_DATA_SIZE);
if (ptv->data == NULL) {
runmode: introduce configuration dereferencing. A devide configuration can be used by multiple threads. It is thus necessary to wait that all threads stop using the configuration before freeing it. This patch introduces an atomic counter and a free function which has to be called by each thread when it will not use anymore the structure. If the configuration is not used anymore, it is freed by the free function.
14 years ago
afpconfig->DerefFunc(afpconfig);
Fix minor memleak in case af-packet init fails.
14 years ago
SCFree(ptv);
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
SCReturnInt(TM_ECODE_FAILED);
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
}
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
ptv->datalen = T_DATA_SIZE;
#undef T_DATA_SIZE
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
*data = (void *)ptv;
af-packet: multi interface support This patch adds multi interface support to AF_PACKET. A structure is used at thread creation to give all needed information to the input module. Parsing of the options is done in runmode preparation through a dedicated function which return the configuration in a structure usable by thread creation.
14 years ago
runmode: introduce configuration dereferencing. A devide configuration can be used by multiple threads. It is thus necessary to wait that all threads stop using the configuration before freeing it. This patch introduces an atomic counter and a free function which has to be called by each thread when it will not use anymore the structure. If the configuration is not used anymore, it is freed by the free function.
14 years ago
afpconfig->DerefFunc(afpconfig);
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
SCReturnInt(TM_ECODE_OK);
}
/**
* \brief This function prints stats to the screen at exit.
* \param tv pointer to ThreadVars
* \param data pointer that gets cast into AFPThreadVars for ptv
*/
void ReceiveAFPThreadExitStats(ThreadVars *tv, void *data) {
SCEnter();
AFPThreadVars *ptv = (AFPThreadVars *)data;
af-packet: add kernel statistics to exit stats. This patch should fix #325.
14 years ago
#ifdef PACKET_STATISTICS
af-packet: dump counter every seconds. This patch updates to kernel counters handling to be almost sure to update at least once per second.
13 years ago
AFPDumpCounters(ptv);
af-packet: use counter for drop and accept This patch adds counters for kernel drops and accepts to af-packet capture module. This information are periodically displayed in stats.log: capture.kernel_packets | RxAFP1 | 1792 capture.kernel_drops | RxAFP1 | 0 The statistic is fetch via a setsockopt call every 255 packets.
13 years ago
SCLogInfo("(%s) Kernel: Packets %" PRIu64 ", dropped %" PRIu64 "",
tv->name,
(uint64_t) SCPerfGetLocalCounterValue(ptv->capture_kernel_packets, tv->sc_perf_pca),
(uint64_t) SCPerfGetLocalCounterValue(ptv->capture_kernel_drops, tv->sc_perf_pca));
af-packet: add kernel statistics to exit stats. This patch should fix #325.
14 years ago
#endif
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
SCLogInfo("(%s) Packets %" PRIu32 ", bytes %" PRIu64 "", tv->name, ptv->pkts, ptv->bytes);
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
}
/**
* \brief DeInit function closes af packet socket at exit.
* \param tv pointer to ThreadVars
* \param data pointer that gets cast into AFPThreadVars for ptv
*/
TmEcode ReceiveAFPThreadDeinit(ThreadVars *tv, void *data) {
AFPThreadVars *ptv = (AFPThreadVars *)data;
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
AFPSwitchState(ptv, AFP_STATE_DOWN);
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
if (ptv->data != NULL) {
SCFree(ptv->data);
ptv->data = NULL;
}
ptv->datalen = 0;
af-packet: add support for BPF filter. This patch adds support for BPF in AF_PACKET running mode. The command line syntax is the same as the one used of PF_RING. The method is the same too: The pcap_compile__nopcap() function is used to build the BPF filter. It is then injected into the kernel with a setsockopt() call. If the adding of the BPF fail, suricata exit.
13 years ago
ptv->bpf_filter = NULL;
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
SCReturnInt(TM_ECODE_OK);
}
/**
* \brief This function passes off to link type decoders.
*
* DecodeAFP reads packets from the PacketQueue and passes
* them off to the proper link type decoder.
*
* \param t pointer to ThreadVars
* \param p pointer to the current packet
* \param data pointer that gets cast into AFPThreadVars for ptv
* \param pq pointer to the current PacketQueue
*/
TmEcode DecodeAFP(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
{
SCEnter();
DecodeThreadVars *dtv = (DecodeThreadVars *)data;
/* update counters */
SCPerfCounterIncr(dtv->counter_pkts, tv->sc_perf_pca);
Counters: remove all unused parts of the API
12 years ago
// SCPerfCounterIncr(dtv->counter_pkts_per_sec, tv->sc_perf_pca);
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
SCPerfCounterAddUI64(dtv->counter_bytes, tv->sc_perf_pca, GET_PKT_LEN(p));
#if 0
SCPerfCounterAddDouble(dtv->counter_bytes_per_sec, tv->sc_perf_pca, GET_PKT_LEN(p));
SCPerfCounterAddDouble(dtv->counter_mbit_per_sec, tv->sc_perf_pca,
(GET_PKT_LEN(p) * 8)/1000000.0);
#endif
SCPerfCounterAddUI64(dtv->counter_avg_pkt_size, tv->sc_perf_pca, GET_PKT_LEN(p));
SCPerfCounterSetUI64(dtv->counter_max_pkt_size, tv->sc_perf_pca, GET_PKT_LEN(p));
/* call the decoder */
switch(p->datalink) {
case LINKTYPE_LINUX_SLL:
DecodeSll(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
break;
case LINKTYPE_ETHERNET:
DecodeEthernet(tv, dtv, p,GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
break;
case LINKTYPE_PPP:
DecodePPP(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
break;
case LINKTYPE_RAW:
DecodeRaw(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
break;
default:
SCLogError(SC_ERR_DATALINK_UNIMPLEMENTED, "Error: datalink type %" PRId32 " not yet supported in module DecodeAFP", p->datalink);
break;
}
Add invalid pkt counter. This patch adds and increments a invalid packet counter. It does this by introducing PacketDecodeFinalize function This function is incrementing the invalid counter and is also signalling the packet to CUDA.
13 years ago
PacketDecodeFinalize(tv, dtv, p);
Code to enable cuda support for live mode pcap and af-packet. Keep an eye out on the mailing list and http://planet.suricata-ids.org for performance and other profiling data.
12 years ago
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
SCReturnInt(TM_ECODE_OK);
}
TmEcode DecodeAFPThreadInit(ThreadVars *tv, void *initdata, void **data)
{
SCEnter();
DecodeThreadVars *dtv = NULL;
dtv = DecodeThreadVarsAlloc();
if (dtv == NULL)
SCReturnInt(TM_ECODE_FAILED);
DecodeRegisterPerfCounters(dtv, tv);
*data = (void *)dtv;
Code to enable cuda support for live mode pcap and af-packet. Keep an eye out on the mailing list and http://planet.suricata-ids.org for performance and other profiling data.
12 years ago
#ifdef __SC_CUDA_SUPPORT__
if (CudaThreadVarsInit(&dtv->cuda_vars) < 0)
SCReturnInt(TM_ECODE_FAILED);
#endif
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
SCReturnInt(TM_ECODE_OK);
}
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
#endif /* HAVE_AF_PACKET */
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
/* eof */
af-packet: add doxygen comments This patch adds doxygen comments to newly introduced function and adds module AF_PACKET doxygen module with a dedicated AFP peers module.
13 years ago
/**
* @}
*/