suricata
runmode-af-packet.c
Go to the documentation of this file.
1 /* Copyright (C) 2011-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup afppacket
20  *
21  * @{
22  */
23 
24 /**
25  * \file
26  *
27  * \author Eric Leblond <eric@regit.org>
28  *
29  * AF_PACKET socket runmode
30  *
31  */
32 
33 #include "suricata-common.h"
34 #include "tm-threads.h"
35 #include "conf.h"
36 #include "runmodes.h"
37 #include "runmode-af-packet.h"
38 #include "output.h"
39 #include "log-httplog.h"
40 #include "detect-engine-mpm.h"
41 
42 #include "alert-fastlog.h"
43 #include "alert-debuglog.h"
44 
45 #include "flow-bypass.h"
46 
47 #include "util-conf.h"
48 #include "util-debug.h"
49 #include "util-time.h"
50 #include "util-cpu.h"
51 #include "util-affinity.h"
52 #include "util-device.h"
53 #include "util-runmodes.h"
54 #include "util-ioctl.h"
55 #include "util-ebpf.h"
56 #include "util-byte.h"
57 
58 #include "source-af-packet.h"
59 
60 extern int max_pending_packets;
61 
62 const char *RunModeAFPGetDefaultMode(void)
63 {
64  return "workers";
65 }
66 
67 void RunModeIdsAFPRegister(void)
68 {
69  RunModeRegisterNewRunMode(RUNMODE_AFP_DEV, "single",
70  "Single threaded af-packet mode",
71  RunModeIdsAFPSingle);
72  RunModeRegisterNewRunMode(RUNMODE_AFP_DEV, "workers",
73  "Workers af-packet mode, each thread does all"
74  " tasks from acquisition to logging",
75  RunModeIdsAFPWorkers);
76  RunModeRegisterNewRunMode(RUNMODE_AFP_DEV, "autofp",
77  "Multi socket AF_PACKET mode. Packets from "
78  "each flow are assigned to a single detect "
79  "thread.",
80  RunModeIdsAFPAutoFp);
81  return;
82 }
83 
84 
85 #ifdef HAVE_AF_PACKET
86 
87 static void AFPDerefConfig(void *conf)
88 {
89  AFPIfaceConfig *pfp = (AFPIfaceConfig *)conf;
90  /* Pcap config is used only once but cost of this low. */
91  if (SC_ATOMIC_SUB(pfp->ref, 1) == 1) {
92  SCFree(pfp);
93  }
94 }
95 
96 /* if cluster id is not set, assign it automagically, uniq value per
97  * interface. */
98 static int cluster_id_auto = 1;
99 
100 /**
101  * \brief extract information from config file
102  *
103  * The returned structure will be freed by the thread init function.
104  * This is thus necessary to or copy the structure before giving it
105  * to thread or to reparse the file for each thread (and thus have
106  * new structure.
107  *
108  * \return a AFPIfaceConfig corresponding to the interface name
109  */
110 static void *ParseAFPConfig(const char *iface)
111 {
112  const char *threadsstr = NULL;
113  ConfNode *if_root;
114  ConfNode *if_default = NULL;
115  ConfNode *af_packet_node;
116  const char *tmpclusterid;
117  const char *tmpctype;
118  const char *copymodestr;
119  intmax_t value;
120  int boolval;
121  const char *bpf_filter = NULL;
122  const char *out_iface = NULL;
123  int cluster_type = PACKET_FANOUT_HASH;
124  const char *ebpf_file = NULL;
125  const char *active_runmode = RunmodeGetActive();
126 
127  if (iface == NULL) {
128  return NULL;
129  }
130 
131  AFPIfaceConfig *aconf = SCCalloc(1, sizeof(*aconf));
132  if (unlikely(aconf == NULL)) {
133  return NULL;
134  }
135 
136  strlcpy(aconf->iface, iface, sizeof(aconf->iface));
137  aconf->threads = 0;
138  SC_ATOMIC_INIT(aconf->ref);
139  (void) SC_ATOMIC_ADD(aconf->ref, 1);
140  aconf->buffer_size = 0;
141  aconf->cluster_id = 1;
142  aconf->cluster_type = cluster_type | PACKET_FANOUT_FLAG_DEFRAG;
143  aconf->promisc = 1;
144  aconf->checksum_mode = CHECKSUM_VALIDATION_KERNEL;
145  aconf->DerefFunc = AFPDerefConfig;
146  aconf->flags = 0;
147  aconf->bpf_filter = NULL;
148  aconf->ebpf_lb_file = NULL;
149  aconf->ebpf_lb_fd = -1;
150  aconf->ebpf_filter_file = NULL;
151  aconf->ebpf_filter_fd = -1;
152  aconf->out_iface = NULL;
153  aconf->copy_mode = AFP_COPY_MODE_NONE;
154  aconf->block_timeout = 10;
155  aconf->block_size = getpagesize() << AFP_BLOCK_SIZE_DEFAULT_ORDER;
156 #ifdef HAVE_PACKET_EBPF
157  aconf->ebpf_t_config.cpus_count = UtilCpuGetNumProcessorsConfigured();
158 #endif
159 
160  if (ConfGet("bpf-filter", &bpf_filter) == 1) {
161  if (strlen(bpf_filter) > 0) {
162  aconf->bpf_filter = bpf_filter;
163  SCLogConfig("Going to use command-line provided bpf filter '%s'",
164  aconf->bpf_filter);
165  }
166  }
167 
168  /* Find initial node */
169  af_packet_node = ConfGetNode("af-packet");
170  if (af_packet_node == NULL) {
171  SCLogInfo("unable to find af-packet config using default values");
172  goto finalize;
173  }
174 
175  if_root = ConfFindDeviceConfig(af_packet_node, iface);
176  if_default = ConfFindDeviceConfig(af_packet_node, "default");
177 
178  if (if_root == NULL && if_default == NULL) {
179  SCLogInfo("unable to find af-packet config for "
180  "interface \"%s\" or \"default\", using default values",
181  iface);
182  goto finalize;
183  }
184 
185  /* If there is no setting for current interface use default one as main iface */
186  if (if_root == NULL) {
187  if_root = if_default;
188  if_default = NULL;
189  }
190 
191  if (active_runmode && !strcmp("single", active_runmode)) {
192  aconf->threads = 1;
193  } else if (ConfGetChildValueWithDefault(if_root, if_default, "threads", &threadsstr) != 1) {
194  aconf->threads = 0;
195  } else {
196  if (threadsstr != NULL) {
197  if (strcmp(threadsstr, "auto") == 0) {
198  aconf->threads = 0;
199  } else {
200  if (StringParseInt32(&aconf->threads, 10, 0, (const char *)threadsstr) < 0) {
201  SCLogWarning(SC_ERR_INVALID_VALUE, "Invalid number of "
202  "threads, resetting to default");
203  aconf->threads = 0;
204  }
205  }
206  }
207  }
208 
209  if (ConfGetChildValueWithDefault(if_root, if_default, "copy-iface", &out_iface) == 1) {
210  if (strlen(out_iface) > 0) {
211  aconf->out_iface = out_iface;
212  }
213  }
214 
215  if (ConfGetChildValueBoolWithDefault(if_root, if_default, "use-mmap", (int *)&boolval) == 1) {
216  if (!boolval) {
217  SCLogWarning(SC_WARN_OPTION_OBSOLETE,
218  "%s: \"use-mmap\" option is obsolete: mmap is always enabled", aconf->iface);
219  }
220  }
221 
222  (void)ConfGetChildValueBoolWithDefault(if_root, if_default, "mmap-locked", (int *)&boolval);
223  if (boolval) {
224  SCLogConfig("Enabling locked memory for mmap on iface %s", aconf->iface);
225  aconf->flags |= AFP_MMAP_LOCKED;
226  }
227 
228  if (ConfGetChildValueBoolWithDefault(if_root, if_default, "tpacket-v3", (int *)&boolval) == 1) {
229  if (boolval) {
230  if (strcasecmp(RunmodeGetActive(), "workers") == 0) {
231 #ifdef HAVE_TPACKET_V3
232  SCLogConfig("Enabling tpacket v3 capture on iface %s", aconf->iface);
233  aconf->flags |= AFP_TPACKET_V3;
234 #else
235  SCLogNotice("System too old for tpacket v3 switching to v2");
236  aconf->flags &= ~AFP_TPACKET_V3;
237 #endif
238  } else {
239  SCLogWarning(SC_ERR_RUNMODE, "tpacket v3 is only implemented for 'workers' runmode."
240  " Switching to tpacket v2.");
241  aconf->flags &= ~AFP_TPACKET_V3;
242  }
243  } else {
244  aconf->flags &= ~AFP_TPACKET_V3;
245  }
246  }
247 
248  (void)ConfGetChildValueBoolWithDefault(
249  if_root, if_default, "use-emergency-flush", (int *)&boolval);
250  if (boolval) {
251  SCLogConfig("Enabling emergency ring flush on iface %s", aconf->iface);
252  aconf->flags |= AFP_EMERGENCY_MODE;
253  }
254 
255  if (ConfGetChildValueWithDefault(if_root, if_default, "copy-mode", &copymodestr) == 1) {
256  if (aconf->out_iface == NULL) {
257  SCLogInfo("Copy mode activated but no destination"
258  " iface. Disabling feature");
259  } else if (strlen(copymodestr) <= 0) {
260  aconf->out_iface = NULL;
261  } else if (strcmp(copymodestr, "ips") == 0) {
262  SCLogInfo("AF_PACKET IPS mode activated %s->%s",
263  iface,
264  aconf->out_iface);
265  aconf->copy_mode = AFP_COPY_MODE_IPS;
266  if (aconf->flags & AFP_TPACKET_V3) {
267  SCLogWarning(SC_ERR_RUNMODE, "Using tpacket_v3 in IPS mode will result in high latency");
268  }
269  } else if (strcmp(copymodestr, "tap") == 0) {
270  SCLogInfo("AF_PACKET TAP mode activated %s->%s",
271  iface,
272  aconf->out_iface);
273  aconf->copy_mode = AFP_COPY_MODE_TAP;
274  if (aconf->flags & AFP_TPACKET_V3) {
275  SCLogWarning(SC_ERR_RUNMODE, "Using tpacket_v3 in TAP mode will result in high latency");
276  }
277  } else {
278  SCLogInfo("Invalid mode (not in tap, ips)");
279  }
280  }
281 
282  if (ConfGetChildValueWithDefault(if_root, if_default, "cluster-id", &tmpclusterid) != 1) {
283  aconf->cluster_id = (uint16_t)(cluster_id_auto++);
284  } else {
285  if (StringParseUint16(&aconf->cluster_id, 10, 0, (const char *)tmpclusterid) < 0) {
286  SCLogWarning(SC_ERR_INVALID_VALUE, "Invalid cluster_id, resetting to 0");
287  aconf->cluster_id = 0;
288  }
289  SCLogDebug("Going to use cluster-id %" PRIu16, aconf->cluster_id);
290  }
291 
292  if (ConfGetChildValueWithDefault(if_root, if_default, "cluster-type", &tmpctype) != 1) {
293  /* default to our safest choice: flow hashing + defrag enabled */
294  aconf->cluster_type = PACKET_FANOUT_HASH | PACKET_FANOUT_FLAG_DEFRAG;
295  cluster_type = PACKET_FANOUT_HASH;
296  } else if (strcmp(tmpctype, "cluster_round_robin") == 0) {
297  SCLogConfig("Using round-robin cluster mode for AF_PACKET (iface %s)",
298  aconf->iface);
299  aconf->cluster_type = PACKET_FANOUT_LB;
300  cluster_type = PACKET_FANOUT_LB;
301  } else if (strcmp(tmpctype, "cluster_flow") == 0) {
302  /* In hash mode, we also ask for defragmentation needed to
303  * compute the hash */
304  uint16_t defrag = 0;
305  int conf_val = 0;
306  SCLogConfig("Using flow cluster mode for AF_PACKET (iface %s)",
307  aconf->iface);
308  ConfGetChildValueBoolWithDefault(if_root, if_default, "defrag", &conf_val);
309  if (conf_val) {
310  SCLogConfig("Using defrag kernel functionality for AF_PACKET (iface %s)",
311  aconf->iface);
312  defrag = PACKET_FANOUT_FLAG_DEFRAG;
313  }
314  aconf->cluster_type = PACKET_FANOUT_HASH | defrag;
315  cluster_type = PACKET_FANOUT_HASH;
316  } else if (strcmp(tmpctype, "cluster_cpu") == 0) {
317  SCLogConfig("Using cpu cluster mode for AF_PACKET (iface %s)",
318  aconf->iface);
319  aconf->cluster_type = PACKET_FANOUT_CPU;
320  cluster_type = PACKET_FANOUT_CPU;
321  } else if (strcmp(tmpctype, "cluster_qm") == 0) {
322  SCLogConfig("Using queue based cluster mode for AF_PACKET (iface %s)",
323  aconf->iface);
324  aconf->cluster_type = PACKET_FANOUT_QM;
325  cluster_type = PACKET_FANOUT_QM;
326  } else if (strcmp(tmpctype, "cluster_random") == 0) {
327  SCLogConfig("Using random based cluster mode for AF_PACKET (iface %s)",
328  aconf->iface);
329  aconf->cluster_type = PACKET_FANOUT_RND;
330  cluster_type = PACKET_FANOUT_RND;
331  } else if (strcmp(tmpctype, "cluster_rollover") == 0) {
332  SCLogConfig("Using rollover based cluster mode for AF_PACKET (iface %s)",
333  aconf->iface);
334  SCLogWarning(SC_WARN_UNCOMMON, "Rollover mode is causing severe flow "
335  "tracking issues, use it at your own risk.");
336  aconf->cluster_type = PACKET_FANOUT_ROLLOVER;
337  cluster_type = PACKET_FANOUT_ROLLOVER;
338 #ifdef HAVE_PACKET_EBPF
339  } else if (strcmp(tmpctype, "cluster_ebpf") == 0) {
340  SCLogInfo("Using ebpf based cluster mode for AF_PACKET (iface %s)",
341  aconf->iface);
342  aconf->cluster_type = PACKET_FANOUT_EBPF;
343  cluster_type = PACKET_FANOUT_EBPF;
344 #endif
345  } else {
346  SCLogWarning(SC_ERR_INVALID_CLUSTER_TYPE,"invalid cluster-type %s",tmpctype);
347  }
348 
349  int conf_val = 0;
350  ConfGetChildValueBoolWithDefault(if_root, if_default, "rollover", &conf_val);
351  if (conf_val) {
352  SCLogConfig("Using rollover kernel functionality for AF_PACKET (iface %s)",
353  aconf->iface);
354  aconf->cluster_type |= PACKET_FANOUT_FLAG_ROLLOVER;
355  SCLogWarning(SC_WARN_UNCOMMON, "Rollover option is causing severe flow "
356  "tracking issues, use it at your own risk.");
357  }
358 
359  /*load af_packet bpf filter*/
360  /* command line value has precedence */
361  if (ConfGet("bpf-filter", &bpf_filter) != 1) {
362  if (ConfGetChildValueWithDefault(if_root, if_default, "bpf-filter", &bpf_filter) == 1) {
363  if (strlen(bpf_filter) > 0) {
364  aconf->bpf_filter = bpf_filter;
365  SCLogConfig("Going to use bpf filter %s", aconf->bpf_filter);
366  }
367  }
368  }
369 
370  if (ConfGetChildValueWithDefault(if_root, if_default, "ebpf-lb-file", &ebpf_file) != 1) {
371  aconf->ebpf_lb_file = NULL;
372  } else {
373 #ifdef HAVE_PACKET_EBPF
374  SCLogConfig("af-packet will use '%s' as eBPF load balancing file",
375  ebpf_file);
376  aconf->ebpf_lb_file = ebpf_file;
377  aconf->ebpf_t_config.flags |= EBPF_SOCKET_FILTER;
378 #endif
379  }
380 
381 #ifdef HAVE_PACKET_EBPF
382  boolval = false;
383  if (ConfGetChildValueBoolWithDefault(if_root, if_default, "pinned-maps", (int *)&boolval) == 1) {
384  if (boolval) {
385  SCLogConfig("Using pinned maps on iface %s",
386  aconf->iface);
387  aconf->ebpf_t_config.flags |= EBPF_PINNED_MAPS;
388  }
389  const char *pinned_maps_name = NULL;
390  if (ConfGetChildValueWithDefault(if_root, if_default,
391  "pinned-maps-name",
392  &pinned_maps_name) != 1) {
393  aconf->ebpf_t_config.pinned_maps_name = pinned_maps_name;
394  } else {
395  aconf->ebpf_t_config.pinned_maps_name = NULL;
396  }
397  } else {
398  aconf->ebpf_t_config.pinned_maps_name = NULL;
399  }
400 #endif
401 
402 #ifdef HAVE_PACKET_EBPF
403  /* One shot loading of the eBPF file */
404  if (aconf->ebpf_lb_file && cluster_type == PACKET_FANOUT_EBPF) {
405  int ret = EBPFLoadFile(aconf->iface, aconf->ebpf_lb_file, "loadbalancer",
406  &aconf->ebpf_lb_fd,
407  &aconf->ebpf_t_config);
408  if (ret != 0) {
409  SCLogWarning(SC_ERR_INVALID_VALUE, "Error when loading eBPF lb file");
410  }
411  }
412 #else
413  if (aconf->ebpf_lb_file) {
414  SCLogError(SC_ERR_UNIMPLEMENTED, "eBPF support is not build-in");
415  }
416 #endif
417 
418  if (ConfGetChildValueWithDefault(if_root, if_default, "ebpf-filter-file", &ebpf_file) != 1) {
419  aconf->ebpf_filter_file = NULL;
420  } else {
421 #ifdef HAVE_PACKET_EBPF
422  SCLogConfig("af-packet will use '%s' as eBPF filter file",
423  ebpf_file);
424  aconf->ebpf_filter_file = ebpf_file;
425  aconf->ebpf_t_config.mode = AFP_MODE_EBPF_BYPASS;
426  aconf->ebpf_t_config.flags |= EBPF_SOCKET_FILTER;
427 #endif
428  ConfGetChildValueBoolWithDefault(if_root, if_default, "bypass", &conf_val);
429  if (conf_val) {
430 #ifdef HAVE_PACKET_EBPF
431  SCLogConfig("Using bypass kernel functionality for AF_PACKET (iface %s)",
432  aconf->iface);
433  aconf->flags |= AFP_BYPASS;
434  BypassedFlowManagerRegisterUpdateFunc(EBPFUpdateFlow, NULL);
435 #else
436  SCLogError(SC_ERR_UNIMPLEMENTED, "Bypass set but eBPF support is not built-in");
437 #endif
438  }
439  }
440 
441  /* One shot loading of the eBPF file */
442  if (aconf->ebpf_filter_file) {
443 #ifdef HAVE_PACKET_EBPF
444  int ret = EBPFLoadFile(aconf->iface, aconf->ebpf_filter_file, "filter",
445  &aconf->ebpf_filter_fd,
446  &aconf->ebpf_t_config);
447  if (ret != 0) {
448  SCLogWarning(SC_ERR_INVALID_VALUE,
449  "Error when loading eBPF filter file");
450  }
451 #else
452  SCLogError(SC_ERR_UNIMPLEMENTED, "eBPF support is not build-in");
453 #endif
454  }
455 
456  if (ConfGetChildValueWithDefault(if_root, if_default, "xdp-filter-file", &ebpf_file) != 1) {
457  aconf->xdp_filter_file = NULL;
458  } else {
459 #ifdef HAVE_PACKET_XDP
460  aconf->ebpf_t_config.mode = AFP_MODE_XDP_BYPASS;
461  aconf->ebpf_t_config.flags |= EBPF_XDP_CODE;
462  aconf->xdp_filter_file = ebpf_file;
463  ConfGetChildValueBoolWithDefault(if_root, if_default, "bypass", &conf_val);
464  if (conf_val) {
465  SCLogConfig("Using bypass kernel functionality for AF_PACKET (iface %s)",
466  aconf->iface);
467  aconf->flags |= AFP_XDPBYPASS;
468  /* if maps are pinned we need to read them at start */
469  if (aconf->ebpf_t_config.flags & EBPF_PINNED_MAPS) {
470  RunModeEnablesBypassManager();
471  struct ebpf_timeout_config *ebt = SCCalloc(1, sizeof(struct ebpf_timeout_config));
472  if (ebt == NULL) {
473  SCLogError(SC_ERR_MEM_ALLOC, "Flow bypass alloc error");
474  } else {
475  memcpy(ebt, &(aconf->ebpf_t_config), sizeof(struct ebpf_timeout_config));
476  BypassedFlowManagerRegisterCheckFunc(NULL,
477  EBPFCheckBypassedFlowCreate,
478  (void *)ebt);
479  }
480  }
481  BypassedFlowManagerRegisterUpdateFunc(EBPFUpdateFlow, NULL);
482  }
483 #else
484  SCLogWarning(SC_ERR_UNIMPLEMENTED, "XDP filter set but XDP support is not built-in");
485 #endif
486 #ifdef HAVE_PACKET_XDP
487  const char *xdp_mode;
488  if (ConfGetChildValueWithDefault(if_root, if_default, "xdp-mode", &xdp_mode) != 1) {
489  aconf->xdp_mode = XDP_FLAGS_SKB_MODE;
490  } else {
491  if (!strcmp(xdp_mode, "soft")) {
492  aconf->xdp_mode = XDP_FLAGS_SKB_MODE;
493  } else if (!strcmp(xdp_mode, "driver")) {
494  aconf->xdp_mode = XDP_FLAGS_DRV_MODE;
495  } else if (!strcmp(xdp_mode, "hw")) {
496  aconf->xdp_mode = XDP_FLAGS_HW_MODE;
497  aconf->ebpf_t_config.flags |= EBPF_XDP_HW_MODE;
498  } else {
499  SCLogWarning(SC_ERR_INVALID_VALUE,
500  "Invalid xdp-mode value: '%s'", xdp_mode);
501  }
502  }
503 
504  boolval = true;
505  if (ConfGetChildValueBoolWithDefault(if_root, if_default, "use-percpu-hash", (int *)&boolval) == 1) {
506  if (boolval == false) {
507  SCLogConfig("Not using percpu hash on iface %s",
508  aconf->iface);
509  aconf->ebpf_t_config.cpus_count = 1;
510  }
511  }
512 #endif
513  }
514 
515  /* One shot loading of the eBPF file */
516  if (aconf->xdp_filter_file) {
517 #ifdef HAVE_PACKET_XDP
518  int ret = EBPFLoadFile(aconf->iface, aconf->xdp_filter_file, "xdp",
519  &aconf->xdp_filter_fd,
520  &aconf->ebpf_t_config);
521  switch (ret) {
522  case 1:
523  SCLogInfo("Loaded pinned maps from sysfs");
524  break;
525  case -1:
526  SCLogWarning(SC_ERR_INVALID_VALUE,
527  "Error when loading XDP filter file");
528  break;
529  case 0:
530  ret = EBPFSetupXDP(aconf->iface, aconf->xdp_filter_fd, aconf->xdp_mode);
531  if (ret != 0) {
532  SCLogWarning(SC_ERR_INVALID_VALUE,
533  "Error when setting up XDP");
534  } else {
535  /* Try to get the xdp-cpu-redirect key */
536  const char *cpuset;
537  if (ConfGetChildValueWithDefault(if_root, if_default,
538  "xdp-cpu-redirect", &cpuset) == 1) {
539  SCLogConfig("Setting up CPU map XDP");
540  ConfNode *node = ConfGetChildWithDefault(if_root, if_default, "xdp-cpu-redirect");
541  if (node == NULL) {
542  SCLogError(SC_ERR_INVALID_VALUE,
543  "Previously found node has disappeared");
544  } else {
545  EBPFBuildCPUSet(node, aconf->iface);
546  }
547  } else {
548  /* It will just set CPU count to 0 */
549  EBPFBuildCPUSet(NULL, aconf->iface);
550  }
551  }
552  /* we have a peer and we use bypass so we can set up XDP iface redirect */
553  if (aconf->out_iface) {
554  EBPFSetPeerIface(aconf->iface, aconf->out_iface);
555  }
556  }
557 #else
558  SCLogError(SC_ERR_UNIMPLEMENTED, "XDP support is not built-in");
559 #endif
560  }
561 
562  if ((ConfGetChildValueIntWithDefault(if_root, if_default, "buffer-size", &value)) == 1) {
563  aconf->buffer_size = value;
564  } else {
565  aconf->buffer_size = 0;
566  }
567  if ((ConfGetChildValueIntWithDefault(if_root, if_default, "ring-size", &value)) == 1) {
568  aconf->ring_size = value;
569  }
570 
571  if ((ConfGetChildValueIntWithDefault(if_root, if_default, "block-size", &value)) == 1) {
572  if (value % getpagesize()) {
573  SCLogError(SC_ERR_INVALID_VALUE, "Block-size must be a multiple of pagesize.");
574  } else {
575  aconf->block_size = value;
576  }
577  }
578 
579  if ((ConfGetChildValueIntWithDefault(if_root, if_default, "block-timeout", &value)) == 1) {
580  aconf->block_timeout = value;
581  } else {
582  aconf->block_timeout = 10;
583  }
584 
585  (void)ConfGetChildValueBoolWithDefault(if_root, if_default, "disable-promisc", (int *)&boolval);
586  if (boolval) {
587  SCLogConfig("Disabling promiscuous mode on iface %s",
588  aconf->iface);
589  aconf->promisc = 0;
590  }
591 
592  if (ConfGetChildValueWithDefault(if_root, if_default, "checksum-checks", &tmpctype) == 1) {
593  if (strcmp(tmpctype, "auto") == 0) {
594  aconf->checksum_mode = CHECKSUM_VALIDATION_AUTO;
595  } else if (ConfValIsTrue(tmpctype)) {
596  aconf->checksum_mode = CHECKSUM_VALIDATION_ENABLE;
597  } else if (ConfValIsFalse(tmpctype)) {
598  aconf->checksum_mode = CHECKSUM_VALIDATION_DISABLE;
599  } else if (strcmp(tmpctype, "kernel") == 0) {
600  aconf->checksum_mode = CHECKSUM_VALIDATION_KERNEL;
601  } else {
602  SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid value for checksum-checks for %s", aconf->iface);
603  }
604  }
605 
606 finalize:
607 
608  /* if the number of threads is not 1, we need to first check if fanout
609  * functions on this system. */
610  if (aconf->threads != 1) {
611  if (AFPIsFanoutSupported(aconf->cluster_id) == 0) {
612  if (aconf->threads != 0) {
613  SCLogNotice("fanout not supported on this system, falling "
614  "back to 1 capture thread");
615  }
616  aconf->threads = 1;
617  }
618  }
619 
620  /* try to automagically set the proper number of threads */
621  if (aconf->threads == 0) {
622  /* for cluster_flow use core count */
623  if (cluster_type == PACKET_FANOUT_HASH) {
624  aconf->threads = (int)UtilCpuGetNumProcessorsOnline();
625  SCLogPerf("%u cores, so using %u threads", aconf->threads, aconf->threads);
626 
627  /* for cluster_qm use RSS queue count */
628  } else if (cluster_type == PACKET_FANOUT_QM) {
629  int rss_queues = GetIfaceRSSQueuesNum(iface);
630  if (rss_queues > 0) {
631  aconf->threads = rss_queues;
632  SCLogPerf("%d RSS queues, so using %u threads", rss_queues, aconf->threads);
633  }
634  }
635 
636  if (aconf->threads) {
637  SCLogPerf("Using %d AF_PACKET threads for interface %s",
638  aconf->threads, iface);
639  }
640  }
641  if (aconf->threads <= 0) {
642  aconf->threads = 1;
643  }
644  SC_ATOMIC_RESET(aconf->ref);
645  (void) SC_ATOMIC_ADD(aconf->ref, aconf->threads);
646 
647  if (aconf->ring_size != 0) {
648  if (aconf->ring_size * aconf->threads < max_pending_packets) {
649  aconf->ring_size = max_pending_packets / aconf->threads + 1;
650  SCLogWarning(SC_ERR_AFP_CREATE, "Inefficient setup: ring-size < max_pending_packets. "
651  "Resetting to decent value %d.", aconf->ring_size);
652  /* We want at least that max_pending_packets packets can be handled by the
653  * interface. This is generous if we have multiple interfaces listening. */
654  }
655  } else {
656  /* We want that max_pending_packets packets can be handled by suricata
657  * for this interface. To take burst into account we multiply the obtained
658  * size by 2. */
659  aconf->ring_size = max_pending_packets * 2 / aconf->threads;
660  }
661 
662  int ltype = AFPGetLinkType(iface);
663  switch (ltype) {
664  case LINKTYPE_ETHERNET:
665  /* af-packet can handle csum offloading */
666  if (LiveGetOffload() == 0) {
667  if (GetIfaceOffloading(iface, 0, 1) == 1) {
668  SCLogWarning(SC_ERR_AFP_CREATE,
669  "Using AF_PACKET with offloading activated leads to capture problems");
670  }
671  } else {
672  DisableIfaceOffloading(LiveGetDevice(iface), 0, 1);
673  }
674  break;
675  case -1:
676  default:
677  break;
678  }
679 
680  if (active_runmode == NULL || strcmp("workers", active_runmode) != 0) {
681  /* If we are using copy mode we need a lock */
682  aconf->flags |= AFP_SOCK_PROTECT;
683  aconf->flags |= AFP_NEED_PEER;
684  }
685  return aconf;
686 }
687 
688 static int AFPConfigGeThreadsCount(void *conf)
689 {
690  AFPIfaceConfig *afp = (AFPIfaceConfig *)conf;
691  return afp->threads;
692 }
693 
694 int AFPRunModeIsIPS()
695 {
696  int nlive = LiveGetDeviceCount();
697  int ldev;
698  ConfNode *if_root;
699  ConfNode *if_default = NULL;
700  ConfNode *af_packet_node;
701  int has_ips = 0;
702  int has_ids = 0;
703 
704  /* Find initial node */
705  af_packet_node = ConfGetNode("af-packet");
706  if (af_packet_node == NULL) {
707  return 0;
708  }
709 
710  if_default = ConfNodeLookupKeyValue(af_packet_node, "interface", "default");
711 
712  for (ldev = 0; ldev < nlive; ldev++) {
713  const char *live_dev = LiveGetDeviceName(ldev);
714  if (live_dev == NULL) {
715  SCLogError(SC_ERR_INVALID_VALUE, "Problem with config file");
716  return 0;
717  }
718  const char *copymodestr = NULL;
719  if_root = ConfFindDeviceConfig(af_packet_node, live_dev);
720 
721  if (if_root == NULL) {
722  if (if_default == NULL) {
723  SCLogError(SC_ERR_INVALID_VALUE, "Problem with config file");
724  return 0;
725  }
726  if_root = if_default;
727  }
728 
729  if (ConfGetChildValueWithDefault(if_root, if_default, "copy-mode", &copymodestr) == 1) {
730  if (strcmp(copymodestr, "ips") == 0) {
731  has_ips = 1;
732  } else {
733  has_ids = 1;
734  }
735  } else {
736  has_ids = 1;
737  }
738  }
739 
740  if (has_ids && has_ips) {
741  SCLogWarning(SC_ERR_INVALID_ARGUMENT,
742  "AF_PACKET using both IPS and TAP/IDS mode, this will not "
743  "be allowed in Suricata 8 due to undefined behavior. See ticket #5588.");
744  for (ldev = 0; ldev < nlive; ldev++) {
745  const char *live_dev = LiveGetDeviceName(ldev);
746  if (live_dev == NULL) {
747  SCLogError(SC_ERR_INVALID_VALUE, "Problem with config file");
748  return 0;
749  }
750  if_root = ConfNodeLookupKeyValue(af_packet_node, "interface", live_dev);
751  const char *copymodestr = NULL;
752 
753  if (if_root == NULL) {
754  if (if_default == NULL) {
755  SCLogError(SC_ERR_INVALID_VALUE, "Problem with config file");
756  return 0;
757  }
758  if_root = if_default;
759  }
760 
761  if (! ((ConfGetChildValueWithDefault(if_root, if_default, "copy-mode", &copymodestr) == 1) &&
762  (strcmp(copymodestr, "ips") == 0))) {
763  SCLogError(SC_ERR_INVALID_ARGUMENT,
764  "AF_PACKET IPS mode used and interface '%s' is in IDS or TAP mode. "
765  "Sniffing '%s' but expect bad result as stream-inline is activated.",
766  live_dev, live_dev);
767  }
768  }
769  }
770 
771  return has_ips;
772 }
773 
774 #endif
775 
776 
777 int RunModeIdsAFPAutoFp(void)
778 {
779  SCEnter();
780 
781 /* We include only if AF_PACKET is enabled */
782 #ifdef HAVE_AF_PACKET
783  int ret;
784  const char *live_dev = NULL;
785 
786  RunModeInitialize();
787 
788  TimeModeSetLive();
789 
790  (void)ConfGet("af-packet.live-interface", &live_dev);
791 
792  SCLogDebug("live_dev %s", live_dev);
793 
794  if (AFPPeersListInit() != TM_ECODE_OK) {
795  FatalError(SC_ERR_FATAL, "Unable to init peers list.");
796  }
797 
798  ret = RunModeSetLiveCaptureAutoFp(ParseAFPConfig,
799  AFPConfigGeThreadsCount,
800  "ReceiveAFP",
801  "DecodeAFP", thread_name_autofp,
802  live_dev);
803  if (ret != 0) {
804  FatalError(SC_ERR_FATAL, "Unable to start runmode");
805  }
806 
807  /* In IPS mode each threads must have a peer */
808  if (AFPPeersListCheck() != TM_ECODE_OK) {
809  FatalError(SC_ERR_FATAL, "Some IPS capture threads did not peer.");
810  }
811 
812  SCLogDebug("RunModeIdsAFPAutoFp initialised");
813 #endif /* HAVE_AF_PACKET */
814 
815  SCReturnInt(0);
816 }
817 
818 /**
819  * \brief Single thread version of the AF_PACKET processing.
820  */
821 int RunModeIdsAFPSingle(void)
822 {
823  SCEnter();
824 #ifdef HAVE_AF_PACKET
825  int ret;
826  const char *live_dev = NULL;
827 
828  RunModeInitialize();
829  TimeModeSetLive();
830 
831  (void)ConfGet("af-packet.live-interface", &live_dev);
832 
833  if (AFPPeersListInit() != TM_ECODE_OK) {
834  FatalError(SC_ERR_FATAL, "Unable to init peers list.");
835  }
836 
837  ret = RunModeSetLiveCaptureSingle(ParseAFPConfig,
838  AFPConfigGeThreadsCount,
839  "ReceiveAFP",
840  "DecodeAFP", thread_name_single,
841  live_dev);
842  if (ret != 0) {
843  FatalError(SC_ERR_FATAL, "Unable to start runmode");
844  }
845 
846  /* In IPS mode each threads must have a peer */
847  if (AFPPeersListCheck() != TM_ECODE_OK) {
848  FatalError(SC_ERR_FATAL, "Some IPS capture threads did not peer.");
849  }
850 
851  SCLogDebug("RunModeIdsAFPSingle initialised");
852 
853 #endif /* HAVE_AF_PACKET */
854  SCReturnInt(0);
855 }
856 
857 /**
858  * \brief Workers version of the AF_PACKET processing.
859  *
860  * Start N threads with each thread doing all the work.
861  *
862  */
863 int RunModeIdsAFPWorkers(void)
864 {
865  SCEnter();
866 #ifdef HAVE_AF_PACKET
867  int ret;
868  const char *live_dev = NULL;
869 
870  RunModeInitialize();
871  TimeModeSetLive();
872 
873  (void)ConfGet("af-packet.live-interface", &live_dev);
874 
875  if (AFPPeersListInit() != TM_ECODE_OK) {
876  FatalError(SC_ERR_FATAL, "Unable to init peers list.");
877  }
878 
879  ret = RunModeSetLiveCaptureWorkers(ParseAFPConfig,
880  AFPConfigGeThreadsCount,
881  "ReceiveAFP",
882  "DecodeAFP", thread_name_workers,
883  live_dev);
884  if (ret != 0) {
885  FatalError(SC_ERR_FATAL, "Unable to start runmode");
886  }
887 
888  /* In IPS mode each threads must have a peer */
889  if (AFPPeersListCheck() != TM_ECODE_OK) {
890  FatalError(SC_ERR_FATAL, "Some IPS capture threads did not peer.");
891  }
892 
893  SCLogDebug("RunModeIdsAFPWorkers initialised");
894 
895 #endif /* HAVE_AF_PACKET */
896  SCReturnInt(0);
897 }
898 
899 /**
900  * @}
901  */
thread_name_workers
const char * thread_name_workers
Definition: runmodes.c:80
AFPIfaceConfig_::promisc
int promisc
Definition: source-af-packet.h:97
util-byte.h
tm-threads.h
AFPIfaceConfig_::checksum_mode
ChecksumValidationMode checksum_mode
Definition: source-af-packet.h:101
PACKET_FANOUT_FLAG_DEFRAG
#define PACKET_FANOUT_FLAG_DEFRAG
Definition: source-af-packet.h:40
RunModeIdsAFPWorkers
int RunModeIdsAFPWorkers(void)
Workers version of the AF_PACKET processing.
Definition: runmode-af-packet.c:863
flow-bypass.h
AFPIfaceConfig_::xdp_mode
uint8_t xdp_mode
Definition: source-af-packet.h:109
AFP_BYPASS
#define AFP_BYPASS
Definition: source-af-packet.h:65
RunModeSetLiveCaptureWorkers
int RunModeSetLiveCaptureWorkers(ConfigIfaceParserFunc ConfigParser, ConfigIfaceThreadsCountFunc ModThreadsCount, const char *recv_mod_name, const char *decode_mod_name, const char *thread_name, const char *live_dev)
Definition: util-runmodes.c:330
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
AFPPeersListCheck
TmEcode AFPPeersListCheck()
Check that all AFPPeer got a peer.
Definition: source-af-packet.c:465
alert-debuglog.h
GetIfaceRSSQueuesNum
int GetIfaceRSSQueuesNum(const char *pcap_dev)
Definition: util-ioctl.c:737
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
Definition: util-atomic.h:315
AFP_COPY_MODE_NONE
#define AFP_COPY_MODE_NONE
Definition: source-af-packet.h:68
RunModeIdsAFPSingle
int RunModeIdsAFPSingle(void)
Single thread version of the AF_PACKET processing.
Definition: runmode-af-packet.c:821
runmode-af-packet.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ERR_INVALID_CLUSTER_TYPE
@ SC_ERR_INVALID_CLUSTER_TYPE
Definition: util-error.h:66
RunModeIdsAFPRegister
void RunModeIdsAFPRegister(void)
Definition: runmode-af-packet.c:67
ConfGetChildValueBoolWithDefault
int ConfGetChildValueBoolWithDefault(const ConfNode *base, const ConfNode *dflt, const char *name, int *val)
Definition: conf.c:499
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
LiveGetOffload
int LiveGetOffload(void)
Definition: util-device.c:81
AFPIfaceConfig_::ebpf_filter_fd
int ebpf_filter_fd
Definition: source-af-packet.h:106
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:176
PACKET_FANOUT_RND
#define PACKET_FANOUT_RND
Definition: source-af-packet.h:36
UtilCpuGetNumProcessorsConfigured
uint16_t UtilCpuGetNumProcessorsConfigured(void)
Get the number of cpus configured in the system.
Definition: util-cpu.c:59
AFP_SOCK_PROTECT
#define AFP_SOCK_PROTECT
Definition: source-af-packet.h:60
PACKET_FANOUT_HASH
#define PACKET_FANOUT_HASH
Definition: source-af-packet.h:32
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:333
RunModeAFPGetDefaultMode
const char * RunModeAFPGetDefaultMode(void)
Definition: runmode-af-packet.c:62
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:336
RunModeInitialize
void RunModeInitialize(void)
Definition: runmodes.c:967
PACKET_FANOUT_QM
#define PACKET_FANOUT_QM
Definition: source-af-packet.h:37
AFPIfaceConfig_::threads
int threads
Definition: source-af-packet.h:84
util-runmodes.h
AFPIfaceConfig_::ring_size
int ring_size
Definition: source-af-packet.h:88
thread_name_autofp
const char * thread_name_autofp
Definition: runmodes.c:78
AFPIfaceConfig_::block_timeout
int block_timeout
Definition: source-af-packet.h:92
PACKET_FANOUT_ROLLOVER
#define PACKET_FANOUT_ROLLOVER
Definition: source-af-packet.h:35
ConfNodeLookupKeyValue
ConfNode * ConfNodeLookupKeyValue(const ConfNode *base, const char *key, const char *value)
Lookup for a key value under a specific node.
Definition: conf.c:816
CHECKSUM_VALIDATION_DISABLE
@ CHECKSUM_VALIDATION_DISABLE
Definition: decode.h:46
AFPIfaceConfig_::out_iface
const char * out_iface
Definition: source-af-packet.h:110
CHECKSUM_VALIDATION_KERNEL
@ CHECKSUM_VALIDATION_KERNEL
Definition: decode.h:50
AFP_XDPBYPASS
#define AFP_XDPBYPASS
Definition: source-af-packet.h:66
RunmodeGetActive
char * RunmodeGetActive(void)
Definition: runmodes.c:213
AFPIfaceConfig_::flags
unsigned int flags
Definition: source-af-packet.h:99
StringParseInt32
int StringParseInt32(int32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:613
AFPIfaceConfig_::xdp_filter_fd
int xdp_filter_fd
Definition: source-af-packet.h:108
ConfGetChildValueIntWithDefault
int ConfGetChildValueIntWithDefault(const ConfNode *base, const ConfNode *dflt, const char *name, intmax_t *val)
Definition: conf.c:451
SC_ERR_RUNMODE
@ SC_ERR_RUNMODE
Definition: util-error.h:219
thread_name_single
const char * thread_name_single
Definition: runmodes.c:79
ConfGetChildWithDefault
ConfNode * ConfGetChildWithDefault(const ConfNode *base, const ConfNode *dflt, const char *name)
Definition: conf.c:358
AFPGetLinkType
int AFPGetLinkType(const char *ifname)
Definition: source-af-packet.c:1507
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:522
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:82
AFP_BLOCK_SIZE_DEFAULT_ORDER
#define AFP_BLOCK_SIZE_DEFAULT_ORDER
Definition: source-af-packet.h:78
AFPIfaceConfig_::cluster_type
int cluster_type
Definition: source-af-packet.h:95
AFPIfaceConfig_::cluster_id
uint16_t cluster_id
Definition: source-af-packet.h:94
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
RunModeSetLiveCaptureAutoFp
int RunModeSetLiveCaptureAutoFp(ConfigIfaceParserFunc ConfigParser, ConfigIfaceThreadsCountFunc ModThreadsCount, const char *recv_mod_name, const char *decode_mod_name, const char *thread_name, const char *live_dev)
Definition: util-runmodes.c:87
AFPIfaceConfig_::block_size
int block_size
Definition: source-af-packet.h:90
CHECKSUM_VALIDATION_ENABLE
@ CHECKSUM_VALIDATION_ENABLE
Definition: decode.h:47
ConfGet
int ConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:331
CHECKSUM_VALIDATION_AUTO
@ CHECKSUM_VALIDATION_AUTO
Definition: decode.h:48
util-device.h
util-debug.h
AFPIfaceConfig_::ebpf_lb_fd
int ebpf_lb_fd
Definition: source-af-packet.h:104
AFP_MMAP_LOCKED
#define AFP_MMAP_LOCKED
Definition: source-af-packet.h:64
util-cpu.h
AFPIfaceConfig_::ebpf_filter_file
const char * ebpf_filter_file
Definition: source-af-packet.h:105
PACKET_FANOUT_LB
#define PACKET_FANOUT_LB
Definition: source-af-packet.h:33
RunModeEnablesBypassManager
void RunModeEnablesBypassManager(void)
Definition: runmodes.c:439
LiveGetDevice
LiveDevice * LiveGetDevice(const char *name)
Get a pointer to the device at idx.
Definition: util-device.c:280
ConfFindDeviceConfig
ConfNode * ConfFindDeviceConfig(ConfNode *node, const char *iface)
Find the configuration node for a specific device.
Definition: util-conf.c:130
SCEnter
#define SCEnter(...)
Definition: util-debug.h:298
detect-engine-mpm.h
util-ebpf.h
util-affinity.h
PACKET_FANOUT_CPU
#define PACKET_FANOUT_CPU
Definition: source-af-packet.h:34
ConfGetChildValueWithDefault
int ConfGetChildValueWithDefault(const ConfNode *base, const ConfNode *dflt, const char *name, const char **vptr)
Definition: conf.c:372
util-time.h
AFPIfaceConfig_::DerefFunc
void(* DerefFunc)(void *)
Definition: source-af-packet.h:115
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
AFP_COPY_MODE_TAP
#define AFP_COPY_MODE_TAP
Definition: source-af-packet.h:69
SC_ATOMIC_SUB
#define SC_ATOMIC_SUB(name, val)
sub a value from our atomic variable
Definition: util-atomic.h:342
AFPRunModeIsIPS
int AFPRunModeIsIPS()
Definition: runmode-af-packet.c:694
conf.h
GetIfaceOffloading
int GetIfaceOffloading(const char *dev, int csum, int other)
output offloading status of the link
Definition: util-ioctl.c:694
DisableIfaceOffloading
int DisableIfaceOffloading(LiveDevice *dev, int csum, int other)
Definition: util-ioctl.c:707
runmodes.h
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:215
AFP_NEED_PEER
#define AFP_NEED_PEER
Definition: source-af-packet.h:58
TimeModeSetLive
void TimeModeSetLive(void)
Definition: util-time.c:99
alert-fastlog.h
util-conf.h
suricata-common.h
RunModeRegisterNewRunMode
void RunModeRegisterNewRunMode(enum RunModes runmode, const char *name, const char *description, int(*RunModeFunc)(void))
Registers a new runmode.
Definition: runmodes.c:460
LiveGetDeviceName
const char * LiveGetDeviceName(int number)
Get a pointer to the device name at idx.
Definition: util-device.c:178
SCLogPerf
#define SCLogPerf(...)
Definition: util-debug.h:222
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:255
AFPIfaceConfig_::xdp_filter_file
const char * xdp_filter_file
Definition: source-af-packet.h:107
AFP_TPACKET_V3
#define AFP_TPACKET_V3
Definition: source-af-packet.h:62
FatalError
#define FatalError(x,...)
Definition: util-debug.h:530
SC_ERR_AFP_CREATE
@ SC_ERR_AFP_CREATE
Definition: util-error.h:222
log-httplog.h
SC_ERR_UNIMPLEMENTED
@ SC_ERR_UNIMPLEMENTED
Definition: util-error.h:118
RunModeIdsAFPAutoFp
int RunModeIdsAFPAutoFp(void)
Definition: runmode-af-packet.c:777
SC_ATOMIC_RESET
#define SC_ATOMIC_RESET(name)
wrapper for reinitializing an atomic variable.
Definition: util-atomic.h:324
BypassedFlowManagerRegisterUpdateFunc
int BypassedFlowManagerRegisterUpdateFunc(BypassedUpdateFunc UpdateFunc, void *data)
source-af-packet.h
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:242
SCFree
#define SCFree(p)
Definition: util-mem.h:61
AFP_COPY_MODE_IPS
#define AFP_COPY_MODE_IPS
Definition: source-af-packet.h:70
max_pending_packets
int max_pending_packets
Definition: suricata.c:175
ConfNode_
Definition: conf.h:32
SC_ERR_FATAL
@ SC_ERR_FATAL
Definition: util-error.h:203
AFPIfaceConfig_::buffer_size
int buffer_size
Definition: source-af-packet.h:86
util-ioctl.h
ConfValIsFalse
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:547
RunModeSetLiveCaptureSingle
int RunModeSetLiveCaptureSingle(ConfigIfaceParserFunc ConfigParser, ConfigIfaceThreadsCountFunc ModThreadsCount, const char *recv_mod_name, const char *decode_mod_name, const char *thread_name, const char *live_dev)
Definition: util-runmodes.c:361
SC_WARN_OPTION_OBSOLETE
@ SC_WARN_OPTION_OBSOLETE
Definition: util-error.h:265
AFPIfaceConfig_::iface
char iface[AFP_IFACE_NAME_LENGTH]
Definition: source-af-packet.h:82
SC_ERR_MEM_ALLOC
@ SC_ERR_MEM_ALLOC
Definition: util-error.h:31
AFPIfaceConfig_::copy_mode
uint8_t copy_mode
Definition: source-af-packet.h:100
AFPIfaceConfig_
Definition: source-af-packet.h:81
AFPIfaceConfig_::bpf_filter
const char * bpf_filter
Definition: source-af-packet.h:102
LiveGetDeviceCount
int LiveGetDeviceCount(void)
Get the number of registered devices.
Definition: util-device.c:158
UtilCpuGetNumProcessorsOnline
uint16_t UtilCpuGetNumProcessorsOnline(void)
Get the number of cpus online in the system.
Definition: util-cpu.c:106
AFPIfaceConfig_::ebpf_lb_file
const char * ebpf_lb_file
Definition: source-af-packet.h:103
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:230
BypassedFlowManagerRegisterCheckFunc
int BypassedFlowManagerRegisterCheckFunc(BypassedCheckFunc CheckFunc, BypassedCheckFuncInit CheckFuncInit, void *data)
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
RUNMODE_AFP_DEV
@ RUNMODE_AFP_DEV
Definition: runmodes.h:37
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:302
PACKET_FANOUT_FLAG_ROLLOVER
#define PACKET_FANOUT_FLAG_ROLLOVER
Definition: source-af-packet.h:39
AFPPeersListInit
TmEcode AFPPeersListInit()
Init the global list of AFPPeer.
Definition: source-af-packet.c:448
AFPIsFanoutSupported
int AFPIsFanoutSupported(uint16_t cluster_id)
test if we can use FANOUT. Older kernels like those in CentOS6 have HAVE_PACKET_FANOUT defined but fa...
Definition: source-af-packet.c:1805
output.h
LINKTYPE_ETHERNET
#define LINKTYPE_ETHERNET
Definition: decode.h:965
AFP_EMERGENCY_MODE
#define AFP_EMERGENCY_MODE
Definition: source-af-packet.h:61
SC_WARN_UNCOMMON
@ SC_WARN_UNCOMMON
Definition: util-error.h:262