af-packet: use tpacket v3 by default for ids mode

If "tpacket-v3" is not present in the configuration file, and we are
in IDS mode, default to "tpacket-v3".

Required moving the check for tpacket-v3 after the copy-mode
configuration, so the warning about tpacket-v3 in active modes has
been moved as well.

Ticket: #4798
pull/12815/head
Jason Ish 6 months ago committed by Victor Julien
parent 374762d202
commit 7fdb08b7c7

@ -284,22 +284,6 @@ static void *ParseAFPConfig(const char *iface)
aconf->flags |= AFP_MMAP_LOCKED;
}
if (ConfGetChildValueBoolWithDefault(if_root, if_default, "tpacket-v3", &boolval) == 1) {
if (boolval) {
if (strcasecmp(RunmodeGetActive(), "workers") == 0) {
SCLogConfig("%s: enabling tpacket v3", aconf->iface);
aconf->flags |= AFP_TPACKET_V3;
} else {
SCLogWarning("%s: tpacket v3 is only implemented for 'workers' runmode."
" Switching to tpacket v2.",
iface);
aconf->flags &= ~AFP_TPACKET_V3;
}
} else {
aconf->flags &= ~AFP_TPACKET_V3;
}
}
(void)ConfGetChildValueBoolWithDefault(if_root, if_default, "use-emergency-flush", &boolval);
if (boolval) {
SCLogConfig("%s: using emergency ring flush", aconf->iface);
@ -316,20 +300,39 @@ static void *ParseAFPConfig(const char *iface)
} else if (strcmp(copymodestr, "ips") == 0) {
SCLogInfo("%s: AF_PACKET IPS mode activated %s->%s", iface, iface, aconf->out_iface);
aconf->copy_mode = AFP_COPY_MODE_IPS;
if (aconf->flags & AFP_TPACKET_V3) {
SCLogWarning("%s: using tpacket_v3 in IPS mode will result in high latency", iface);
}
} else if (strcmp(copymodestr, "tap") == 0) {
SCLogInfo("%s: AF_PACKET TAP mode activated %s->%s", iface, iface, aconf->out_iface);
aconf->copy_mode = AFP_COPY_MODE_TAP;
if (aconf->flags & AFP_TPACKET_V3) {
SCLogWarning("%s: using tpacket_v3 in TAP mode will result in high latency", iface);
}
} else {
SCLogWarning("Invalid 'copy-mode' (not in tap, ips)");
}
}
if (ConfGetChildValueBoolWithDefault(if_root, if_default, "tpacket-v3", &boolval) == 1) {
if (boolval) {
if (strcasecmp(RunmodeGetActive(), "workers") == 0) {
SCLogConfig("%s: enabling tpacket v3", aconf->iface);
aconf->flags |= AFP_TPACKET_V3;
} else {
SCLogWarning("%s: tpacket v3 is only implemented for 'workers' runmode."
" Switching to tpacket v2.",
iface);
aconf->flags &= ~AFP_TPACKET_V3;
}
} else {
aconf->flags &= ~AFP_TPACKET_V3;
}
} else if (aconf->copy_mode == AFP_COPY_MODE_NONE) {
// If copy mode is none (passive IDS) and "tpacket-v3" is not
// present, default to TPACKET_V3.
SCLogConfig("%s: enabling tpacket v3", aconf->iface);
aconf->flags |= AFP_TPACKET_V3;
}
if (aconf->flags & AFP_TPACKET_V3 && aconf->copy_mode) {
SCLogWarning("%s: using tpacket-v3 in IPS or TAP mode will result in high latency", iface);
}
if (ConfGetChildValueWithDefault(if_root, if_default, "cluster-id", &tmpclusterid) != 1) {
aconf->cluster_id = (uint16_t)(cluster_id_auto++);
} else {
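Review bot: The new `else if (aconf->copy_mode == AFP_COPY_MODE_NONE)` branch sets AFP_TPACKET_V3 without the runmode check that the explicit branch just above it applies, where any runmode other than 'workers' logs that tpacket v3 is only implemented for 'workers' and falls back to v2. With "tpacket-v3" absent from the configuration, a passive IDS in another runmode would therefore get v3 by default, and if v3 really is unsupported there the sensor may capture unreliably with no warning in the log. Gate the default on the same condition, e.g. `} else if (aconf->copy_mode == AFP_COPY_MODE_NONE && strcasecmp(RunmodeGetActive(), "workers") == 0) {`. The key-absent path in IPS/TAP mode also leaves the flag untouched, so whether it ends up clear depends on how aconf->flags is initialised earlier in ParseAFPConfig, which starts and ends outside these hunks.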

@ -667,7 +667,8 @@ af-packet:
# subscribing could lock your system
#mmap-locked: yes
# Use tpacket_v3 capture mode.
# Don't use it in IPS or TAP mode as it causes severe latency
# Defaults to true for non-copy modes, and false for tap and ips mode.
# Don't use it in IPS or TAP mode as it causes severe latency.
#tpacket-v3: yes
# Ring size will be computed with respect to "max-pending-packets" and number
# of threads. You can set manually the ring size in number of packets by setting
@ -720,6 +721,8 @@ af-packet:
# in the list above.
- interface: default
#threads: auto
# If left commented out, defaults to true when not in a copy
# (inline) mode.
#tpacket-v3: yes
# Linux high speed af-xdp capture support
