suricata
runmode-af-packet.c
Go to the documentation of this file.
1 /* Copyright (C) 2011-2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup afppacket
20  *
21  * @{
22  */
23 
24 /**
25  * \file
26  *
27  * \author Eric Leblond <eric@regit.org>
28  *
29  * AF_PACKET socket runmode
30  *
31  */
32 
33 #include "suricata-common.h"
34 #include "suricata.h"
35 #include "tm-threads.h"
36 #include "conf.h"
37 #include "runmodes.h"
38 #include "runmode-af-packet.h"
39 #include "output.h"
40 #include "detect-engine-mpm.h"
41 
42 #include "alert-fastlog.h"
43 #include "alert-debuglog.h"
44 
45 #include "flow-bypass.h"
46 
47 #include "util-conf.h"
48 #include "util-debug.h"
49 #include "util-time.h"
50 #include "util-cpu.h"
51 #include "util-affinity.h"
52 #include "util-device-private.h"
53 #include "util-runmodes.h"
54 #include "util-ioctl.h"
55 #include "util-ebpf.h"
56 #include "util-byte.h"
57 
58 #include "source-af-packet.h"
59 #include "util-bpf.h"
60 
61 extern uint32_t max_pending_packets;
62 
63 const char *RunModeAFPGetDefaultMode(void)
64 {
65  return "workers";
66 }
67 
68 static bool AFPRunModeIsIPS(void)
69 {
70  int nlive = LiveGetDeviceCount();
71  bool has_ips = false;
72  bool has_ids = false;
73 
74  SCConfNode *af_packet_node = SCConfGetNode("af-packet");
75  if (af_packet_node == NULL) {
76  SCLogConfig("no 'af-packet' section in the yaml, default to IDS");
77  return false;
78  }
79 
80  SCConfNode *if_default = SCConfNodeLookupKeyValue(af_packet_node, "interface", "default");
81 
82  for (int ldev = 0; ldev < nlive; ldev++) {
83  const char *live_dev = LiveGetDeviceName(ldev);
84  if (live_dev == NULL) {
85  SCLogConfig("invalid livedev at index %d, default to IDS", ldev);
86  return false;
87  }
88  SCConfNode *if_root = ConfFindDeviceConfig(af_packet_node, live_dev);
89  if (if_root == NULL) {
90  if (if_default == NULL) {
91  SCLogConfig(
92  "no 'af-packet' section for '%s' or 'default' in the yaml, default to IDS",
93  live_dev);
94  return false;
95  }
96  if_root = if_default;
97  }
98 
99  const char *copymodestr = NULL;
100  const char *copyifacestr = NULL;
101  if (SCConfGetChildValueWithDefault(if_root, if_default, "copy-mode", &copymodestr) == 1 &&
102  SCConfGetChildValue(if_root, "copy-iface", &copyifacestr) == 1) {
103  if (strcmp(copymodestr, "ips") == 0) {
104  has_ips = true;
105  } else {
106  has_ids = true;
107  }
108  } else {
109  has_ids = true;
110  }
111  }
112 
113  if (has_ids && has_ips) {
114  SCLogError("using both IPS and TAP/IDS mode is not allowed due to undefined behavior. See "
115  "ticket #5588.");
116  return false;
117  }
118 
119  return has_ips;
120 }
121 
122 static int AFPRunModeEnableIPS(void)
123 {
124  bool r = AFPRunModeIsIPS();
125  if (r) {
126  SCLogInfo("Setting IPS mode");
127  EngineModeSetIPS(ENGINE_HOST_IS_BRIDGE);
128  }
129  return r;
130 }
131 
132 void RunModeIdsAFPRegister(void)
133 {
134  RunModeRegisterNewRunMode(RUNMODE_AFP_DEV, "single", "Single threaded af-packet mode",
135  RunModeIdsAFPSingle, AFPRunModeEnableIPS);
136  RunModeRegisterNewRunMode(RUNMODE_AFP_DEV, "workers",
137  "Workers af-packet mode, each thread does all"
138  " tasks from acquisition to logging",
139  RunModeIdsAFPWorkers, AFPRunModeEnableIPS);
140  RunModeRegisterNewRunMode(RUNMODE_AFP_DEV, "autofp",
141  "Multi socket AF_PACKET mode. Packets from "
142  "each flow are assigned to a single detect "
143  "thread.",
144  RunModeIdsAFPAutoFp, AFPRunModeEnableIPS);
145 }
146 
147 
148 #ifdef HAVE_AF_PACKET
149 
150 static void AFPDerefConfig(void *conf)
151 {
152  AFPIfaceConfig *pfp = (AFPIfaceConfig *)conf;
153  /* Pcap config is used only once but cost of this low. */
154  if (SC_ATOMIC_SUB(pfp->ref, 1) == 1) {
155  SCFree(pfp);
156  }
157 }
158 
159 /* if cluster id is not set, assign it automagically, uniq value per
160  * interface. */
161 static int cluster_id_auto = 1;
162 
163 /**
164  * \brief extract information from config file
165  *
166  * The returned structure will be freed by the thread init function.
167  * This is thus necessary to or copy the structure before giving it
168  * to thread or to reparse the file for each thread (and thus have
169  * new structure.
170  *
171  * \return a AFPIfaceConfig corresponding to the interface name
172  */
173 static void *ParseAFPConfig(const char *iface)
174 {
175  const char *threadsstr = NULL;
176  SCConfNode *if_root;
177  SCConfNode *if_default = NULL;
178  SCConfNode *af_packet_node;
179  const char *tmpclusterid;
180  const char *tmpctype;
181  const char *copymodestr;
182  intmax_t value;
183  int boolval;
184  const char *out_iface = NULL;
185  int cluster_type = PACKET_FANOUT_HASH;
186  const char *ebpf_file = NULL;
187  const char *active_runmode = RunmodeGetActive();
188 
189  if (iface == NULL) {
190  return NULL;
191  }
192 
193  AFPIfaceConfig *aconf = SCCalloc(1, sizeof(*aconf));
194  if (unlikely(aconf == NULL)) {
195  return NULL;
196  }
197 
198  strlcpy(aconf->iface, iface, sizeof(aconf->iface));
199  aconf->threads = 0;
200  SC_ATOMIC_INIT(aconf->ref);
201  (void) SC_ATOMIC_ADD(aconf->ref, 1);
202  aconf->buffer_size = 0;
203  aconf->cluster_id = 1;
204  aconf->cluster_type = cluster_type | PACKET_FANOUT_FLAG_DEFRAG;
205  aconf->promisc = 1;
206  aconf->checksum_mode = CHECKSUM_VALIDATION_KERNEL;
207  aconf->DerefFunc = AFPDerefConfig;
208  aconf->flags = 0;
209  aconf->bpf_filter = NULL;
210  aconf->ebpf_lb_file = NULL;
211  aconf->ebpf_lb_fd = -1;
212  aconf->ebpf_filter_file = NULL;
213  aconf->ebpf_filter_fd = -1;
214  aconf->out_iface = NULL;
215  aconf->copy_mode = AFP_COPY_MODE_NONE;
216  aconf->block_timeout = 10;
217  aconf->block_size = getpagesize() << AFP_BLOCK_SIZE_DEFAULT_ORDER;
218  aconf->v2_block_size = 0;
219 #ifdef HAVE_PACKET_EBPF
220  aconf->ebpf_t_config.cpus_count = UtilCpuGetNumProcessorsConfigured();
221 #endif
222 
223  /* Find initial node */
224  af_packet_node = SCConfGetNode("af-packet");
225  if (af_packet_node == NULL) {
226  SCLogInfo("%s: unable to find af-packet config using default values", iface);
227  goto finalize;
228  }
229 
230  if_root = ConfFindDeviceConfig(af_packet_node, iface);
231  if_default = ConfFindDeviceConfig(af_packet_node, "default");
232 
233  if (if_root == NULL && if_default == NULL) {
234  SCLogInfo("%s: unable to find af-packet config for "
235  "interface \"%s\" or \"default\", using default values",
236  iface, iface);
237  goto finalize;
238  }
239 
240  /* If there is no setting for current interface use default one as main iface */
241  if (if_root == NULL) {
242  if_root = if_default;
243  if_default = NULL;
244  }
245 
246  if (active_runmode && !strcmp("single", active_runmode)) {
247  aconf->threads = 1;
248  } else if (SCConfGetChildValueWithDefault(if_root, if_default, "threads", &threadsstr) != 1) {
249  aconf->threads = 0;
250  } else {
251  if (threadsstr != NULL) {
252  if (strcmp(threadsstr, "auto") == 0) {
253  aconf->threads = 0;
254  } else {
255  if (StringParseUint16(&aconf->threads, 10, 0, (const char *)threadsstr) < 0) {
256  SCLogWarning("%s: invalid number of "
257  "threads, resetting to default",
258  iface);
259  aconf->threads = 0;
260  }
261  }
262  }
263  }
264 
265  if (SCConfGetChildValueWithDefault(if_root, if_default, "copy-iface", &out_iface) == 1) {
266  if (out_iface != NULL) {
267  if (strlen(out_iface) > 0) {
268  aconf->out_iface = out_iface;
269  if (strcmp(iface, out_iface) == 0) {
270  FatalError(
271  "Invalid config: interface (%s) and copy-iface (%s) can't be the same",
272  iface, out_iface);
273  }
274  }
275  } else {
276  SCLogWarning("copy-iface corresponding to %s interface cannot be NULL", iface);
277  }
278  }
279 
280  (void)SCConfGetChildValueBoolWithDefault(if_root, if_default, "mmap-locked", &boolval);
281  if (boolval) {
282  SCLogConfig("%s: enabling locked memory for mmap", aconf->iface);
283  aconf->flags |= AFP_MMAP_LOCKED;
284  }
285 
286  (void)SCConfGetChildValueBoolWithDefault(if_root, if_default, "use-emergency-flush", &boolval);
287  if (boolval) {
288  SCLogConfig("%s: using emergency ring flush", aconf->iface);
289  aconf->flags |= AFP_EMERGENCY_MODE;
290  }
291 
292  if (SCConfGetChildValueWithDefault(if_root, if_default, "copy-mode", &copymodestr) == 1) {
293  if (aconf->out_iface == NULL) {
294  SCLogWarning("%s: copy mode activated but no destination"
295  " iface. Disabling feature",
296  iface);
297  } else if (strlen(copymodestr) <= 0) {
298  aconf->out_iface = NULL;
299  } else if (strcmp(copymodestr, "ips") == 0) {
300  SCLogInfo("%s: AF_PACKET IPS mode activated %s->%s", iface, iface, aconf->out_iface);
301  aconf->copy_mode = AFP_COPY_MODE_IPS;
302  } else if (strcmp(copymodestr, "tap") == 0) {
303  SCLogInfo("%s: AF_PACKET TAP mode activated %s->%s", iface, iface, aconf->out_iface);
304  aconf->copy_mode = AFP_COPY_MODE_TAP;
305  } else {
306  SCLogWarning("Invalid 'copy-mode' (not in tap, ips)");
307  }
308  }
309 
310  if (SCConfGetChildValueBoolWithDefault(if_root, if_default, "tpacket-v3", &boolval) == 1) {
311  if (boolval) {
312  if (strcasecmp(RunmodeGetActive(), "workers") == 0) {
313  SCLogConfig("%s: enabling tpacket v3", aconf->iface);
314  aconf->flags |= AFP_TPACKET_V3;
315  } else {
316  SCLogWarning("%s: tpacket v3 is only implemented for 'workers' runmode."
317  " Switching to tpacket v2.",
318  iface);
319  aconf->flags &= ~AFP_TPACKET_V3;
320  }
321  } else {
322  aconf->flags &= ~AFP_TPACKET_V3;
323  }
324  } else if (aconf->copy_mode == AFP_COPY_MODE_NONE) {
325  // If copy mode is none (passive IDS) and "tpacket-v3" is not
326  // present, default to TPACKET_V3.
327  SCLogConfig("%s: enabling tpacket v3", aconf->iface);
328  aconf->flags |= AFP_TPACKET_V3;
329  }
330 
331  if (aconf->flags & AFP_TPACKET_V3 && aconf->copy_mode) {
332  SCLogWarning("%s: using tpacket-v3 in IPS or TAP mode will result in high latency", iface);
333  }
334 
335  if (SCConfGetChildValueWithDefault(if_root, if_default, "cluster-id", &tmpclusterid) != 1) {
336  aconf->cluster_id = (uint16_t)(cluster_id_auto++);
337  } else {
338  if (StringParseUint16(&aconf->cluster_id, 10, 0, (const char *)tmpclusterid) < 0) {
339  SCLogWarning("%s: invalid cluster_id, resetting to 0", iface);
340  aconf->cluster_id = 0;
341  }
342  SCLogDebug("Going to use cluster-id %" PRIu16, aconf->cluster_id);
343  }
344 
345  if (SCConfGetChildValueWithDefault(if_root, if_default, "cluster-type", &tmpctype) != 1) {
346  SCLogConfig("%s: using default cluster-type of \"cluster_flow\"", aconf->iface);
347  tmpctype = "cluster_flow";
348  }
349 
350  if (strcmp(tmpctype, "cluster_rollover") == 0) {
351  SCLogWarning(
352  "%s: cluster_rollover deprecated; using \"cluster_flow\" instead. See ticket #6128",
353  aconf->iface);
354  tmpctype = "cluster_flow";
355  }
356 
357  if (strcmp(tmpctype, "cluster_round_robin") == 0) {
358  SCLogConfig("%s: using round-robin cluster mode for AF_PACKET", aconf->iface);
359  aconf->cluster_type = PACKET_FANOUT_LB;
360  cluster_type = PACKET_FANOUT_LB;
361  } else if (strcmp(tmpctype, "cluster_flow") == 0) {
362  /* Check for defrag. If not set by the user enable it when not
363  * inline. */
364  uint16_t defrag = 0;
365  int conf_val = 0;
366  SCLogConfig("%s: using flow cluster mode for AF_PACKET", aconf->iface);
367  if (SCConfGetChildValueBoolWithDefault(if_root, if_default, "defrag", &conf_val)) {
368  if (conf_val) {
369  SCLogConfig("%s: using defrag kernel functionality for AF_PACKET", aconf->iface);
370  defrag = PACKET_FANOUT_FLAG_DEFRAG;
371  }
372  } else {
373  /* "defrag" not provided in config, default to true if not inline. */
374  if (aconf->copy_mode == 0) {
375  SCLogConfig("%s: enabling defrag for AF_PACKET cluster_flow", aconf->iface);
376  defrag = PACKET_FANOUT_FLAG_DEFRAG;
377  }
378  }
379  aconf->cluster_type = PACKET_FANOUT_HASH | defrag;
380  cluster_type = PACKET_FANOUT_HASH;
381  } else if (strcmp(tmpctype, "cluster_cpu") == 0) {
382  SCLogConfig("%s: using cpu cluster mode for AF_PACKET", aconf->iface);
383  aconf->cluster_type = PACKET_FANOUT_CPU;
384  cluster_type = PACKET_FANOUT_CPU;
385  } else if (strcmp(tmpctype, "cluster_qm") == 0) {
386  SCLogConfig("%s: using queue based cluster mode for AF_PACKET", aconf->iface);
387  aconf->cluster_type = PACKET_FANOUT_QM;
388  cluster_type = PACKET_FANOUT_QM;
389  } else if (strcmp(tmpctype, "cluster_random") == 0) {
390  SCLogConfig("%s: using random based cluster mode for AF_PACKET", aconf->iface);
391  aconf->cluster_type = PACKET_FANOUT_RND;
392  cluster_type = PACKET_FANOUT_RND;
393 #ifdef HAVE_PACKET_EBPF
394  } else if (strcmp(tmpctype, "cluster_ebpf") == 0) {
395  SCLogInfo("%s: using ebpf based cluster mode for AF_PACKET", aconf->iface);
396  aconf->cluster_type = PACKET_FANOUT_EBPF;
397  cluster_type = PACKET_FANOUT_EBPF;
398 #endif
399  } else {
400  SCLogWarning("invalid cluster-type %s", tmpctype);
401  }
402 
403  int conf_val = 0;
404  SCConfGetChildValueBoolWithDefault(if_root, if_default, "rollover", &conf_val);
405  if (conf_val) {
406  SCLogConfig("%s: Rollover requested for AF_PACKET but ignored -- see ticket #6128.",
407  aconf->iface);
408  SCLogWarning("%s: rollover option has been deprecated and will be ignored as it can cause "
409  "severe flow "
410  "tracking issues; see ticket #6128.",
411  iface);
412  }
413 
414  ConfSetBPFFilter(if_root, if_default, iface, &aconf->bpf_filter);
415 
416  if (SCConfGetChildValueWithDefault(if_root, if_default, "ebpf-lb-file", &ebpf_file) != 1) {
417  aconf->ebpf_lb_file = NULL;
418  } else {
419 #ifdef HAVE_PACKET_EBPF
420  SCLogConfig("%s: af-packet will use '%s' as eBPF load balancing file", iface, ebpf_file);
421  aconf->ebpf_lb_file = ebpf_file;
422  aconf->ebpf_t_config.flags |= EBPF_SOCKET_FILTER;
423 #endif
424  }
425 
426 #ifdef HAVE_PACKET_EBPF
427  boolval = false;
428  if (SCConfGetChildValueBoolWithDefault(if_root, if_default, "pinned-maps", &boolval) == 1) {
429  if (boolval) {
430  SCLogConfig("%s: using pinned maps", aconf->iface);
431  aconf->ebpf_t_config.flags |= EBPF_PINNED_MAPS;
432  }
433  const char *pinned_maps_name = NULL;
434  if (SCConfGetChildValueWithDefault(
435  if_root, if_default, "pinned-maps-name", &pinned_maps_name) != 1) {
436  aconf->ebpf_t_config.pinned_maps_name = pinned_maps_name;
437  } else {
438  aconf->ebpf_t_config.pinned_maps_name = NULL;
439  }
440  } else {
441  aconf->ebpf_t_config.pinned_maps_name = NULL;
442  }
443 #endif
444 
445 #ifdef HAVE_PACKET_EBPF
446  /* One shot loading of the eBPF file */
447  if (aconf->ebpf_lb_file && cluster_type == PACKET_FANOUT_EBPF) {
448  int ret = EBPFLoadFile(aconf->iface, aconf->ebpf_lb_file, "loadbalancer",
449  &aconf->ebpf_lb_fd,
450  &aconf->ebpf_t_config);
451  if (ret != 0) {
452  SCLogWarning("%s: failed to load eBPF lb file", iface);
453  }
454  }
455 #else
456  if (aconf->ebpf_lb_file) {
457  SCLogError("%s: eBPF support is not built-in", iface);
458  }
459 #endif
460 
461  if (SCConfGetChildValueWithDefault(if_root, if_default, "ebpf-filter-file", &ebpf_file) != 1) {
462  aconf->ebpf_filter_file = NULL;
463  } else {
464 #ifdef HAVE_PACKET_EBPF
465  SCLogConfig("%s: af-packet will use '%s' as eBPF filter file", iface, ebpf_file);
466  aconf->ebpf_filter_file = ebpf_file;
467  aconf->ebpf_t_config.mode = AFP_MODE_EBPF_BYPASS;
468  aconf->ebpf_t_config.flags |= EBPF_SOCKET_FILTER;
469 #endif
470  SCConfGetChildValueBoolWithDefault(if_root, if_default, "bypass", &conf_val);
471  if (conf_val) {
472 #ifdef HAVE_PACKET_EBPF
473  SCLogConfig("%s: using bypass kernel functionality for AF_PACKET", aconf->iface);
474  aconf->flags |= AFP_BYPASS;
475  BypassedFlowManagerRegisterUpdateFunc(EBPFUpdateFlow, NULL);
476 #else
477  SCLogError("%s: bypass set but eBPF support is not built-in", iface);
478 #endif
479  }
480  }
481 
482  /* One shot loading of the eBPF file */
483  if (aconf->ebpf_filter_file) {
484 #ifdef HAVE_PACKET_EBPF
485  int ret = EBPFLoadFile(aconf->iface, aconf->ebpf_filter_file, "filter",
486  &aconf->ebpf_filter_fd,
487  &aconf->ebpf_t_config);
488  if (ret != 0) {
489  SCLogWarning("%s: failed to load eBPF filter file", iface);
490  }
491 #else
492  SCLogError("%s: eBPF support is not built-in", iface);
493 #endif
494  }
495 
496  if (SCConfGetChildValueWithDefault(if_root, if_default, "xdp-filter-file", &ebpf_file) != 1) {
497  aconf->xdp_filter_file = NULL;
498  } else {
499 #ifdef HAVE_PACKET_XDP
500  aconf->ebpf_t_config.mode = AFP_MODE_XDP_BYPASS;
501  aconf->ebpf_t_config.flags |= EBPF_XDP_CODE;
502  aconf->xdp_filter_file = ebpf_file;
503  SCConfGetChildValueBoolWithDefault(if_root, if_default, "bypass", &conf_val);
504  if (conf_val) {
505  SCLogConfig("%s: using bypass kernel functionality for AF_PACKET", aconf->iface);
506  aconf->flags |= AFP_XDPBYPASS;
507  /* if maps are pinned we need to read them at start */
508  if (aconf->ebpf_t_config.flags & EBPF_PINNED_MAPS) {
509  RunModeEnablesBypassManager();
510  struct ebpf_timeout_config *ebt = SCCalloc(1, sizeof(struct ebpf_timeout_config));
511  if (ebt == NULL) {
512  SCLogError("%s: flow bypass alloc error", iface);
513  } else {
514  memcpy(ebt, &(aconf->ebpf_t_config), sizeof(struct ebpf_timeout_config));
515  BypassedFlowManagerRegisterCheckFunc(NULL,
516  EBPFCheckBypassedFlowCreate,
517  (void *)ebt);
518  }
519  }
520  BypassedFlowManagerRegisterUpdateFunc(EBPFUpdateFlow, NULL);
521  }
522 #else
523  SCLogWarning("%s: XDP filter set but XDP support is not built-in", iface);
524 #endif
525 #ifdef HAVE_PACKET_XDP
526  const char *xdp_mode;
527  if (SCConfGetChildValueWithDefault(if_root, if_default, "xdp-mode", &xdp_mode) != 1) {
528  aconf->xdp_mode = XDP_FLAGS_SKB_MODE;
529  } else {
530  if (!strcmp(xdp_mode, "soft")) {
531  aconf->xdp_mode = XDP_FLAGS_SKB_MODE;
532  } else if (!strcmp(xdp_mode, "driver")) {
533  aconf->xdp_mode = XDP_FLAGS_DRV_MODE;
534  } else if (!strcmp(xdp_mode, "hw")) {
535  aconf->xdp_mode = XDP_FLAGS_HW_MODE;
536  aconf->ebpf_t_config.flags |= EBPF_XDP_HW_MODE;
537  } else {
538  SCLogWarning("Invalid xdp-mode value: '%s'", xdp_mode);
539  }
540  }
541 
542  boolval = true;
543  if (SCConfGetChildValueBoolWithDefault(if_root, if_default, "use-percpu-hash", &boolval) ==
544  1) {
545  if (!boolval) {
546  SCLogConfig("%s: not using percpu hash", aconf->iface);
547  aconf->ebpf_t_config.cpus_count = 1;
548  }
549  }
550 #endif
551  }
552 
553  /* One shot loading of the eBPF file */
554  if (aconf->xdp_filter_file) {
555 #ifdef HAVE_PACKET_XDP
556  int ret = EBPFLoadFile(aconf->iface, aconf->xdp_filter_file, "xdp",
557  &aconf->xdp_filter_fd,
558  &aconf->ebpf_t_config);
559  switch (ret) {
560  case 1:
561  SCLogInfo("%s: loaded pinned maps from sysfs", iface);
562  break;
563  case -1:
564  SCLogWarning("%s: failed to load XDP filter file", iface);
565  break;
566  case 0:
567  ret = EBPFSetupXDP(aconf->iface, aconf->xdp_filter_fd, aconf->xdp_mode);
568  if (ret != 0) {
569  SCLogWarning("%s: failed to set up XDP", iface);
570  } else {
571  /* Try to get the xdp-cpu-redirect key */
572  const char *cpuset;
573  if (SCConfGetChildValueWithDefault(
574  if_root, if_default, "xdp-cpu-redirect", &cpuset) == 1) {
575  SCLogConfig("%s: Setting up CPU map XDP", iface);
576  SCConfNode *node =
577  SCConfGetChildWithDefault(if_root, if_default, "xdp-cpu-redirect");
578  if (node == NULL) {
579  SCLogError("Previously found node has disappeared");
580  } else {
581  EBPFBuildCPUSet(node, aconf->iface);
582  }
583  } else {
584  /* It will just set CPU count to 0 */
585  EBPFBuildCPUSet(NULL, aconf->iface);
586  }
587  }
588  /* we have a peer and we use bypass so we can set up XDP iface redirect */
589  if (aconf->out_iface) {
590  EBPFSetPeerIface(aconf->iface, aconf->out_iface);
591  }
592  }
593 #else
594  SCLogError("%s: XDP support is not built-in", iface);
595 #endif
596  }
597 
598  if ((SCConfGetChildValueIntWithDefault(if_root, if_default, "buffer-size", &value)) == 1) {
599  aconf->buffer_size = (int)value;
600  } else {
601  aconf->buffer_size = 0;
602  }
603  if ((SCConfGetChildValueIntWithDefault(if_root, if_default, "ring-size", &value)) == 1) {
604  aconf->ring_size = (int)value;
605  }
606 
607  if ((SCConfGetChildValueIntWithDefault(if_root, if_default, "block-size", &value)) == 1) {
608  if (value % getpagesize()) {
609  SCLogWarning("%s: block-size %" PRIuMAX " must be a multiple of pagesize (%u).", iface,
610  value, getpagesize());
611  } else {
612  aconf->block_size = (int)value;
613  }
614  }
615 
616  if ((SCConfGetChildValueIntWithDefault(if_root, if_default, "block-timeout", &value)) == 1) {
617  aconf->block_timeout = (int)value;
618  } else {
619  aconf->block_timeout = 10;
620  }
621 
622  if ((SCConfGetChildValueIntWithDefault(if_root, if_default, "v2-block-size", &value)) == 1) {
623  if (value % getpagesize()) {
624  SCLogWarning("%s: v2-block-size %" PRIuMAX " must be a multiple of pagesize (%u).",
625  iface, value, getpagesize());
626  } else {
627  aconf->v2_block_size = (int)value;
628  }
629  }
630 
631  (void)SCConfGetChildValueBoolWithDefault(if_root, if_default, "disable-promisc", &boolval);
632  if (boolval) {
633  SCLogConfig("%s: disabling promiscuous mode", aconf->iface);
634  aconf->promisc = 0;
635  }
636 
637  (void)SCConfGetChildValueBoolWithDefault(if_root, if_default, "enable-hwtimestamp", &boolval);
638  if (boolval) {
639 #ifdef HAVE_HW_TIMESTAMPING
640  SCLogConfig("%s: enabling hardware timestamping", aconf->iface);
641 #endif
642  aconf->flags |= AFP_ENABLE_HWTIMESTAMP;
643  }
644 
645  if (SCConfGetChildValueWithDefault(if_root, if_default, "checksum-checks", &tmpctype) == 1) {
646  if (strcmp(tmpctype, "auto") == 0) {
647  aconf->checksum_mode = CHECKSUM_VALIDATION_AUTO;
648  } else if (SCConfValIsTrue(tmpctype)) {
649  aconf->checksum_mode = CHECKSUM_VALIDATION_ENABLE;
650  } else if (SCConfValIsFalse(tmpctype)) {
651  aconf->checksum_mode = CHECKSUM_VALIDATION_DISABLE;
652  } else if (strcmp(tmpctype, "kernel") == 0) {
653  aconf->checksum_mode = CHECKSUM_VALIDATION_KERNEL;
654  } else {
655  SCLogWarning("%s: invalid value for checksum-checks", aconf->iface);
656  }
657  }
658 
659 finalize:
660 
661  /* if the number of threads is not 1, we need to first check if fanout
662  * functions on this system. */
663  if (aconf->threads != 1) {
664  if (AFPIsFanoutSupported(aconf->cluster_id) == 0) {
665  if (aconf->threads != 0) {
666  SCLogNotice("%s: fanout not supported on this system, falling "
667  "back to 1 capture thread",
668  iface);
669  }
670  aconf->threads = 1;
671  }
672  }
673 
674  /* try to automagically set the proper number of threads */
675  if (aconf->threads == 0) {
676  /* for cluster_flow use core count */
677  if (cluster_type == PACKET_FANOUT_HASH) {
678  aconf->threads = UtilCpuGetNumProcessorsOnline();
679  SCLogPerf("%s: cluster_flow: %u cores, using %u threads", iface, aconf->threads,
680  aconf->threads);
681 
682  /* for cluster_qm use RSS queue count */
683  } else if (cluster_type == PACKET_FANOUT_QM) {
684  int rss_queues = GetIfaceRSSQueuesNum(iface);
685  if (rss_queues > 0 && rss_queues <= UINT16_MAX) {
686  aconf->threads = (uint16_t)rss_queues;
687  SCLogPerf("%s: cluster_qm: %d RSS queues, using %u threads", iface, rss_queues,
688  aconf->threads);
689  }
690  }
691 
692  if (aconf->threads) {
693  SCLogDebug("using %d threads for interface %s", aconf->threads, iface);
694  }
695  }
696  if (aconf->threads <= 0) {
697  aconf->threads = 1;
698  }
699  SC_ATOMIC_RESET(aconf->ref);
700  (void) SC_ATOMIC_ADD(aconf->ref, aconf->threads);
701 
702  if (aconf->ring_size != 0) {
703  if (aconf->ring_size * aconf->threads < (int)max_pending_packets) {
704  aconf->ring_size = max_pending_packets / aconf->threads + 1;
705  SCLogWarning("%s: inefficient setup: ring-size < max_pending_packets. "
706  "Resetting to decent value %d.",
707  iface, aconf->ring_size);
708  /* We want at least that max_pending_packets packets can be handled by the
709  * interface. This is generous if we have multiple interfaces listening. */
710  }
711  } else {
712  /* We want that max_pending_packets packets can be handled by suricata
713  * for this interface. To take burst into account we multiply the obtained
714  * size by 2. */
715  aconf->ring_size = max_pending_packets * 2 / aconf->threads;
716  }
717 
718  int ltype = AFPGetLinkType(iface);
719  switch (ltype) {
720  case LINKTYPE_ETHERNET:
721  /* af-packet can handle csum offloading */
722  if (LiveGetOffload() == 0) {
723  if (GetIfaceOffloading(iface, 0, 1) == 1) {
724  SCLogWarning(
725  "%s: using AF_PACKET with offloads enabled leads to capture problems",
726  iface);
727  }
728  } else {
729  DisableIfaceOffloading(LiveGetDevice(iface), 0, 1);
730  }
731  break;
732  case -1:
733  default:
734  break;
735  }
736 
737  if (active_runmode == NULL || strcmp("workers", active_runmode) != 0) {
738  /* If we are using copy mode we need a lock */
739  aconf->flags |= AFP_SOCK_PROTECT;
740  aconf->flags |= AFP_NEED_PEER;
741  }
742 
743  /* Warn if inline and defrag is enabled. */
744  if (aconf->copy_mode != AFP_COPY_MODE_NONE && aconf->cluster_type & PACKET_FANOUT_FLAG_DEFRAG) {
745  SCLogWarning(
746  "%s: AF_PACKET defrag is not recommended for inline use, please disable", iface);
747  }
748 
749  /* Warn if not inline and defrag is disabled. */
750  if (aconf->copy_mode == AFP_COPY_MODE_NONE && cluster_type == PACKET_FANOUT_HASH &&
751  ((aconf->cluster_type & PACKET_FANOUT_FLAG_DEFRAG) == 0)) {
752  SCLogWarning("%s: AF_PACKET defrag is recommended for IDS cluster_flow", iface);
753  }
754 
755  /* For tpacket-v2, warn if defrag is enabled and block-size is
756  * less than max defragmented packet size. */
757  if ((aconf->flags & AFP_TPACKET_V3) == 0 && (aconf->cluster_type & PACKET_FANOUT_FLAG_DEFRAG) &&
758  aconf->v2_block_size > 0 && aconf->v2_block_size < MAX_PACKET_SIZE) {
759  SCLogWarning("%s: AF_PACKET v2-block-size is not large enough for max fragmented IP packet "
760  "size (%u)",
761  iface, MAX_PACKET_SIZE);
762  }
763 
764  /* For tpacket-v3, warn if defrag is enabled and block-block-size
765  * is less than max defragmented packet size. */
766  if ((aconf->flags & AFP_TPACKET_V3) && (aconf->cluster_type & PACKET_FANOUT_FLAG_DEFRAG) &&
767  (aconf->block_size < MAX_PACKET_SIZE)) {
768  SCLogWarning("%s: AF_PACKET block-size is not large enough for max fragmented IP packet "
769  "size (%u)",
770  iface, MAX_PACKET_SIZE);
771  }
772 
773  /* Warn that if not-inline, tpacket-v3 is the better choice. */
774  if (aconf->copy_mode == AFP_COPY_MODE_NONE && (aconf->flags & AFP_TPACKET_V3) == 0) {
775  SCLogWarning("%s: AF_PACKET tpacket-v3 is recommended for non-inline operation", iface);
776  }
777 
778  return aconf;
779 }
780 
781 static uint16_t AFPConfigGeThreadsCount(void *conf)
782 {
783  AFPIfaceConfig *afp = (AFPIfaceConfig *)conf;
784  return afp->threads;
785 }
786 
787 #endif /* HAVE_AF_PACKET */
788 
789 int RunModeIdsAFPAutoFp(void)
790 {
791  SCEnter();
792 
793 /* We include only if AF_PACKET is enabled */
794 #ifdef HAVE_AF_PACKET
795  int ret;
796  const char *live_dev = NULL;
797 
798  TimeModeSetLive();
799 
800  (void)SCConfGet("af-packet.live-interface", &live_dev);
801 
802  SCLogDebug("live_dev %s", live_dev);
803 
804  if (AFPPeersListInit() != TM_ECODE_OK) {
805  FatalError("Unable to init peers list.");
806  }
807 
808  ret = RunModeSetLiveCaptureAutoFp(ParseAFPConfig, AFPConfigGeThreadsCount, "ReceiveAFP",
809  "DecodeAFP", thread_name_autofp, live_dev);
810  if (ret != 0) {
811  FatalError("Unable to start runmode");
812  }
813 
814  /* In IPS mode each threads must have a peer */
815  if (AFPPeersListCheck() != TM_ECODE_OK) {
816  FatalError("Some IPS capture threads did not peer.");
817  }
818 
819  SCLogDebug("RunModeIdsAFPAutoFp initialised");
820 #endif /* HAVE_AF_PACKET */
821 
822  SCReturnInt(0);
823 }
824 
825 /**
826  * \brief Single thread version of the AF_PACKET processing.
827  */
828 int RunModeIdsAFPSingle(void)
829 {
830  SCEnter();
831 #ifdef HAVE_AF_PACKET
832  int ret;
833  const char *live_dev = NULL;
834 
835  TimeModeSetLive();
836 
837  (void)SCConfGet("af-packet.live-interface", &live_dev);
838 
839  if (AFPPeersListInit() != TM_ECODE_OK) {
840  FatalError("Unable to init peers list.");
841  }
842 
843  ret = RunModeSetLiveCaptureSingle(ParseAFPConfig,
844  AFPConfigGeThreadsCount,
845  "ReceiveAFP",
846  "DecodeAFP", thread_name_single,
847  live_dev);
848  if (ret != 0) {
849  FatalError("Unable to start runmode");
850  }
851 
852  /* In IPS mode each threads must have a peer */
853  if (AFPPeersListCheck() != TM_ECODE_OK) {
854  FatalError("Some IPS capture threads did not peer.");
855  }
856 
857  SCLogDebug("RunModeIdsAFPSingle initialised");
858 
859 #endif /* HAVE_AF_PACKET */
860  SCReturnInt(0);
861 }
862 
863 /**
864  * \brief Workers version of the AF_PACKET processing.
865  *
866  * Start N threads with each thread doing all the work.
867  *
868  */
869 int RunModeIdsAFPWorkers(void)
870 {
871  SCEnter();
872 #ifdef HAVE_AF_PACKET
873  int ret;
874  const char *live_dev = NULL;
875 
876  TimeModeSetLive();
877 
878  (void)SCConfGet("af-packet.live-interface", &live_dev);
879 
880  if (AFPPeersListInit() != TM_ECODE_OK) {
881  FatalError("Unable to init peers list.");
882  }
883 
884  ret = RunModeSetLiveCaptureWorkers(ParseAFPConfig, AFPConfigGeThreadsCount, "ReceiveAFP",
885  "DecodeAFP", thread_name_workers, live_dev);
886  if (ret != 0) {
887  FatalError("Unable to start runmode");
888  }
889 
890  /* In IPS mode each threads must have a peer */
891  if (AFPPeersListCheck() != TM_ECODE_OK) {
892  FatalError("Some IPS capture threads did not peer.");
893  }
894 
895  SCLogDebug("RunModeIdsAFPWorkers initialised");
896 
897 #endif /* HAVE_AF_PACKET */
898  SCReturnInt(0);
899 }
900 
901 /**
902  * @}
903  */
thread_name_workers
const char * thread_name_workers
Definition: runmodes.c:68
util-device-private.h
AFPIfaceConfig_::promisc
int promisc
Definition: source-af-packet.h:107
util-byte.h
tm-threads.h
AFPIfaceConfig_::checksum_mode
ChecksumValidationMode checksum_mode
Definition: source-af-packet.h:111
PACKET_FANOUT_FLAG_DEFRAG
#define PACKET_FANOUT_FLAG_DEFRAG
Definition: source-af-packet.h:40
RunModeIdsAFPWorkers
int RunModeIdsAFPWorkers(void)
Workers version of the AF_PACKET processing.
Definition: runmode-af-packet.c:869
flow-bypass.h
AFPIfaceConfig_::xdp_mode
uint8_t xdp_mode
Definition: source-af-packet.h:119
SCConfValIsTrue
int SCConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:552
AFP_BYPASS
#define AFP_BYPASS
Definition: source-af-packet.h:65
EngineModeSetIPS
void EngineModeSetIPS(const enum EngineHostMode mode)
Definition: suricata.c:264
RunModeSetLiveCaptureWorkers
int RunModeSetLiveCaptureWorkers(ConfigIfaceParserFunc ConfigParser, ConfigIfaceThreadsCountFunc ModThreadsCount, const char *recv_mod_name, const char *decode_mod_name, const char *thread_name, const char *live_dev)
Definition: util-runmodes.c:330
alert-debuglog.h
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
Definition: util-atomic.h:314
AFP_COPY_MODE_NONE
#define AFP_COPY_MODE_NONE
Definition: source-af-packet.h:68
RunModeIdsAFPSingle
int RunModeIdsAFPSingle(void)
Single thread version of the AF_PACKET processing.
Definition: runmode-af-packet.c:828
runmode-af-packet.h
util-bpf.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
RunModeIdsAFPRegister
void RunModeIdsAFPRegister(void)
Definition: runmode-af-packet.c:132
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
LiveGetOffload
int LiveGetOffload(void)
Definition: util-device.c:87
AFPIfaceConfig_::ebpf_filter_fd
int ebpf_filter_fd
Definition: source-af-packet.h:116
PACKET_FANOUT_RND
#define PACKET_FANOUT_RND
Definition: source-af-packet.h:36
UtilCpuGetNumProcessorsConfigured
uint16_t UtilCpuGetNumProcessorsConfigured(void)
Get the number of cpus configured in the system.
Definition: util-cpu.c:59
AFP_SOCK_PROTECT
#define AFP_SOCK_PROTECT
Definition: source-af-packet.h:60
PACKET_FANOUT_HASH
#define PACKET_FANOUT_HASH
Definition: source-af-packet.h:32
AFPPeersListInit
TmEcode AFPPeersListInit(void)
Init the global list of AFPPeer.
Definition: source-af-packet.c:449
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:332
RunModeAFPGetDefaultMode
const char * RunModeAFPGetDefaultMode(void)
Definition: runmode-af-packet.c:63
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:296
SCConfGet
int SCConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:351
PACKET_FANOUT_QM
#define PACKET_FANOUT_QM
Definition: source-af-packet.h:37
util-runmodes.h
AFPIfaceConfig_::ring_size
int ring_size
Definition: source-af-packet.h:96
thread_name_autofp
const char * thread_name_autofp
Definition: runmodes.c:66
AFPIfaceConfig_::block_timeout
int block_timeout
Definition: source-af-packet.h:100
SCConfValIsFalse
int SCConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:577
CHECKSUM_VALIDATION_DISABLE
@ CHECKSUM_VALIDATION_DISABLE
Definition: decode.h:43
AFPIfaceConfig_::out_iface
const char * out_iface
Definition: source-af-packet.h:120
CHECKSUM_VALIDATION_KERNEL
@ CHECKSUM_VALIDATION_KERNEL
Definition: decode.h:47
AFP_XDPBYPASS
#define AFP_XDPBYPASS
Definition: source-af-packet.h:66
RunmodeGetActive
char * RunmodeGetActive(void)
Definition: runmodes.c:199
AFPIfaceConfig_::flags
unsigned int flags
Definition: source-af-packet.h:109
AFPIfaceConfig_::xdp_filter_fd
int xdp_filter_fd
Definition: source-af-packet.h:118
thread_name_single
const char * thread_name_single
Definition: runmodes.c:67
AFPGetLinkType
int AFPGetLinkType(const char *ifname)
Definition: source-af-packet.c:1533
AFPPeersListCheck
TmEcode AFPPeersListCheck(void)
Check that all AFPPeer got a peer.
Definition: source-af-packet.c:466
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:81
ConfSetBPFFilter
void ConfSetBPFFilter(SCConfNode *if_root, SCConfNode *if_default, const char *iface, const char **bpf_filter)
Definition: util-bpf.c:30
AFP_BLOCK_SIZE_DEFAULT_ORDER
#define AFP_BLOCK_SIZE_DEFAULT_ORDER
Definition: source-af-packet.h:78
AFPIfaceConfig_::cluster_type
int cluster_type
Definition: source-af-packet.h:105
AFPIfaceConfig_::cluster_id
uint16_t cluster_id
Definition: source-af-packet.h:104
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
RunModeSetLiveCaptureAutoFp
int RunModeSetLiveCaptureAutoFp(ConfigIfaceParserFunc ConfigParser, ConfigIfaceThreadsCountFunc ModThreadsCount, const char *recv_mod_name, const char *decode_mod_name, const char *thread_name, const char *live_dev)
Definition: util-runmodes.c:86
AFPIfaceConfig_::block_size
int block_size
Definition: source-af-packet.h:98
CHECKSUM_VALIDATION_ENABLE
@ CHECKSUM_VALIDATION_ENABLE
Definition: decode.h:44
CHECKSUM_VALIDATION_AUTO
@ CHECKSUM_VALIDATION_AUTO
Definition: decode.h:45
util-debug.h
AFPIfaceConfig_::ebpf_lb_fd
int ebpf_lb_fd
Definition: source-af-packet.h:114
SCConfGetChildValueIntWithDefault
int SCConfGetChildValueIntWithDefault(const SCConfNode *base, const SCConfNode *dflt, const char *name, intmax_t *val)
Definition: conf.c:477
AFP_MMAP_LOCKED
#define AFP_MMAP_LOCKED
Definition: source-af-packet.h:64
util-cpu.h
AFPIfaceConfig_::ebpf_filter_file
const char * ebpf_filter_file
Definition: source-af-packet.h:115
PACKET_FANOUT_LB
#define PACKET_FANOUT_LB
Definition: source-af-packet.h:33
RunModeEnablesBypassManager
void RunModeEnablesBypassManager(void)
Definition: runmodes.c:461
LiveGetDevice
LiveDevice * LiveGetDevice(const char *name)
Get a pointer to the device at idx.
Definition: util-device.c:269
GetIfaceRSSQueuesNum
int GetIfaceRSSQueuesNum(const char *dev)
Definition: util-ioctl.c:713
SCEnter
#define SCEnter(...)
Definition: util-debug.h:284
detect-engine-mpm.h
util-ebpf.h
util-affinity.h
PACKET_FANOUT_CPU
#define PACKET_FANOUT_CPU
Definition: source-af-packet.h:34
SCConfGetChildWithDefault
SCConfNode * SCConfGetChildWithDefault(const SCConfNode *base, const SCConfNode *dflt, const char *name)
Definition: conf.c:380
util-time.h
AFPIfaceConfig_::DerefFunc
void(* DerefFunc)(void *)
Definition: source-af-packet.h:125
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:262
AFP_COPY_MODE_TAP
#define AFP_COPY_MODE_TAP
Definition: source-af-packet.h:69
SC_ATOMIC_SUB
#define SC_ATOMIC_SUB(name, val)
sub a value from our atomic variable
Definition: util-atomic.h:341
AFPIfaceConfig_::threads
uint16_t threads
Definition: source-af-packet.h:92
conf.h
RunModeRegisterNewRunMode
void RunModeRegisterNewRunMode(enum SCRunModes runmode, const char *name, const char *description, int(*RunModeFunc)(void), int(*RunModeIsIPSEnabled)(void))
Registers a new runmode.
Definition: runmodes.c:482
GetIfaceOffloading
int GetIfaceOffloading(const char *dev, int csum, int other)
output offloading status of the link
Definition: util-ioctl.c:670
RUNMODE_AFP_DEV
@ RUNMODE_AFP_DEV
Definition: runmodes.h:36
DisableIfaceOffloading
int DisableIfaceOffloading(LiveDevice *dev, int csum, int other)
Definition: util-ioctl.c:683
AFP_ENABLE_HWTIMESTAMP
#define AFP_ENABLE_HWTIMESTAMP
Definition: source-af-packet.h:59
runmodes.h
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:232
AFP_NEED_PEER
#define AFP_NEED_PEER
Definition: source-af-packet.h:58
max_pending_packets
uint32_t max_pending_packets
Definition: suricata.c:187
TimeModeSetLive
void TimeModeSetLive(void)
Definition: util-time.c:100
alert-fastlog.h
util-conf.h
SCConfNodeLookupKeyValue
SCConfNode * SCConfNodeLookupKeyValue(const SCConfNode *base, const char *key, const char *value)
Lookup for a key value under a specific node.
Definition: conf.c:869
SCConfGetChildValue
int SCConfGetChildValue(const SCConfNode *base, const char *name, const char **vptr)
Definition: conf.c:364
suricata-common.h
LiveGetDeviceName
const char * LiveGetDeviceName(int number)
Get a pointer to the device name at idx.
Definition: util-device.c:205
SCLogPerf
#define SCLogPerf(...)
Definition: util-debug.h:241
AFPIfaceConfig_::xdp_filter_file
const char * xdp_filter_file
Definition: source-af-packet.h:117
AFP_TPACKET_V3
#define AFP_TPACKET_V3
Definition: source-af-packet.h:62
FatalError
#define FatalError(...)
Definition: util-debug.h:517
AFPIfaceConfig_::v2_block_size
int v2_block_size
Definition: source-af-packet.h:102
RunModeIdsAFPAutoFp
int RunModeIdsAFPAutoFp(void)
Definition: runmode-af-packet.c:789
SC_ATOMIC_RESET
#define SC_ATOMIC_RESET(name)
wrapper for reinitializing an atomic variable.
Definition: util-atomic.h:323
BypassedFlowManagerRegisterUpdateFunc
int BypassedFlowManagerRegisterUpdateFunc(BypassedUpdateFunc UpdateFunc, void *data)
source-af-packet.h
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
MAX_PACKET_SIZE
#define MAX_PACKET_SIZE
Definition: source-af-packet.h:81
SCConfGetNode
SCConfNode * SCConfGetNode(const char *name)
Get a SCConfNode by name.
Definition: conf.c:182
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:274
SCFree
#define SCFree(p)
Definition: util-mem.h:61
AFP_COPY_MODE_IPS
#define AFP_COPY_MODE_IPS
Definition: source-af-packet.h:70
AFPIfaceConfig_::buffer_size
int buffer_size
Definition: source-af-packet.h:94
util-ioctl.h
RunModeSetLiveCaptureSingle
int RunModeSetLiveCaptureSingle(ConfigIfaceParserFunc ConfigParser, ConfigIfaceThreadsCountFunc ModThreadsCount, const char *recv_mod_name, const char *decode_mod_name, const char *thread_name, const char *live_dev)
Definition: util-runmodes.c:354
AFPIfaceConfig_::iface
char iface[AFP_IFACE_NAME_LENGTH]
Definition: source-af-packet.h:90
suricata.h
AFPIfaceConfig_::copy_mode
uint8_t copy_mode
Definition: source-af-packet.h:110
AFPIfaceConfig_
Definition: source-af-packet.h:89
AFPIfaceConfig_::bpf_filter
const char * bpf_filter
Definition: source-af-packet.h:112
ConfFindDeviceConfig
SCConfNode * ConfFindDeviceConfig(SCConfNode *node, const char *iface)
Find the configuration node for a specific device.
Definition: util-conf.c:126
LiveGetDeviceCount
int LiveGetDeviceCount(void)
Get the number of registered devices.
Definition: util-device.c:171
SCConfGetChildValueWithDefault
int SCConfGetChildValueWithDefault(const SCConfNode *base, const SCConfNode *dflt, const char *name, const char **vptr)
Definition: conf.c:394
ENGINE_HOST_IS_BRIDGE
@ ENGINE_HOST_IS_BRIDGE
Definition: suricata.h:118
UtilCpuGetNumProcessorsOnline
uint16_t UtilCpuGetNumProcessorsOnline(void)
Get the number of cpus online in the system.
Definition: util-cpu.c:108
AFPIfaceConfig_::ebpf_lb_file
const char * ebpf_lb_file
Definition: source-af-packet.h:113
SCConfGetChildValueBoolWithDefault
int SCConfGetChildValueBoolWithDefault(const SCConfNode *base, const SCConfNode *dflt, const char *name, int *val)
Definition: conf.c:529
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:250
BypassedFlowManagerRegisterCheckFunc
int BypassedFlowManagerRegisterCheckFunc(BypassedCheckFunc CheckFunc, BypassedCheckFuncInit CheckFuncInit, void *data)
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:288
SCConfNode_
Definition: conf.h:37
AFPIsFanoutSupported
int AFPIsFanoutSupported(uint16_t cluster_id)
test if we can use FANOUT. Older kernels like those in CentOS6 have HAVE_PACKET_FANOUT defined but fa...
Definition: source-af-packet.c:1892
output.h
AFP_EMERGENCY_MODE
#define AFP_EMERGENCY_MODE
Definition: source-af-packet.h:61