This patch adds a new mode for NFQ inline mode. The idea is to
simulate a non final NFQUEUE rules.
This permit to do send all needed packets to suricata via a simple
FORWARD rule:
iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
And below, we have a standard filtering ruleset.
To do so, suricata issues a NF_REPEAT instead of a NF_ACCEPT verdict and
put a mark ($MARK) with respect to a mask ($MASK) on the handled packet.
NF_REPEAT verdict has for effect to have the packet reinjected at start
of the hook after the verdict. As it has been marked by suricata during
the verdict it will not rematch the initial rules and make his way to
the following classical ruleset.
Mode, mark and mask can be configured via suricata.yaml file with the
following syntax:
nfq:
repeat_mode: (false|true)
mark: $MARK
mask: $MASK
Default is false to preserve backward compatibility.
Signed-off-by: Eric Leblond <eric@regit.org>
This patch adds support for multiple Netfilter queue
in the NFQ run mode. Suricata can now be started on
multiple queue by using a comma separated list of
queue identifier on the command line. The following syntax:
suricata -q 0 -q 1 -c /opt/suricata/etc/suricata.yaml
will start a suricata listening to Netfilter queue 0 and 1.
Signed-off-by: Eric Leblond <eric@regit.org>
This patch prepare support for multiqueue in the
source file. The NFQ vars contained in Packet structure
has a new member. It is a reference to the NFQ thread var
it comes from. The behaviour is modified as a single verdict
thread treat packet for all Netfilter queues.
Locking is done in the verdict function to ensure that
simultaneous modifications of counters can not occur.
Signed-off-by: Eric Leblond <eric@regit.org>
This patch adds a new parameter the affinity. The 'threads' keyword
is used to set the number of threads to start for a family. It can
only be used on family where multiple thread are laucnh in the running
mode. This is mainly the case of the detect threads.
Signed-off-by: Eric Leblond <eric@regit.org>
This patch updates affinity setting to add a support for per cpu
priority setting. In exclusive mode a thread is dedicated to a CPU.
This patch adds the ability to set the thread prio for all threads
of a family running on a given CPU.
With this patch we can write
- detect_cpu_set:
cpu: [ "all" ]
mode: "exclusive" # run detect threads in these cpus
low_prio: [ 0 ]
medium_prio: [ "1-2" ]
high_prio: [ 3 ]
With this configuration, detect threads assigned to cpu 0 will
have a low priority. Detect threads on cpus 1 and 2 will have
prio medium...
The previous configuration is equivalent to:
- detect_cpu_set:
cpu: [ "all" ]
mode: "exclusive" # run detect threads in these cpus
low_prio: [ 0 ]
high_prio: [ 3 ]
prio: "medium"
because the prio value is used a default.
Signed-off-by: Eric Leblond <eric@regit.org>
The default NFQ run mode is now using the new affinity system. It
thus can be configured via suricata.yaml.
Signed-off-by: Eric Leblond <eric@regit.org>
This patch implement the setting of each management threads in
the corresponding thread affinity. This is done by modifiying
thread creation function.
Signed-off-by: Eric Leblond <eric@regit.org>
This patch features the implementation of affinity related
changes in tm-threads. In place code has been used but some
refactoring has been done to avoid code duplication.
Signed-off-by: Eric Leblond <eric@regit.org>
This patch modifies runmode to parse configuration file related
to affinity settings. It also prepare the export of the
set_cpu_affinity which was previously local. It is now used
in the affinity and tm-threads files.
Signed-off-by: Eric Leblond <eric@regit.org>
This small patch add inclusion of util-affinity.h in the
files that will have to use affinity related features.
Signed-off-by: Eric Leblond <eric@regit.org>
This patch introduces the configuration part of cpu_affinity
evolution. The idea is to have thread families (receive, stream, ...)
and to be able to specify for each of them:
- The cpus to use
- The mode of balancing between the cpus
- The thread priority to use (value of nice)
Signed-off-by: Eric Leblond <eric@regit.org>
Eric Leblond
Martin Beyer
Victor Julien