suricata
runmode-af-packet.c
Go to the documentation of this file.
1 /* Copyright (C) 2011-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup afppacket
20  *
21  * @{
22  */
23 
24 /**
25  * \file
26  *
27  * \author Eric Leblond <eric@regit.org>
28  *
29  * AF_PACKET socket runmode
30  *
31  */
32 
33 #include "suricata-common.h"
34 #include "tm-threads.h"
35 #include "conf.h"
36 #include "runmodes.h"
37 #include "runmode-af-packet.h"
38 #include "output.h"
39 #include "log-httplog.h"
40 #include "detect-engine-mpm.h"
41 
42 #include "alert-fastlog.h"
43 #include "alert-debuglog.h"
44 
45 #include "flow-bypass.h"
46 
47 #include "util-debug.h"
48 #include "util-time.h"
49 #include "util-cpu.h"
50 #include "util-affinity.h"
51 #include "util-device.h"
52 #include "util-runmodes.h"
53 #include "util-ioctl.h"
54 #include "util-ebpf.h"
55 #include "util-byte.h"
56 
57 #include "source-af-packet.h"
58 
59 extern int max_pending_packets;
60 
61 const char *RunModeAFPGetDefaultMode(void)
62 {
63  return "workers";
64 }
65 
66 void RunModeIdsAFPRegister(void)
67 {
68  RunModeRegisterNewRunMode(RUNMODE_AFP_DEV, "single",
69  "Single threaded af-packet mode",
70  RunModeIdsAFPSingle);
71  RunModeRegisterNewRunMode(RUNMODE_AFP_DEV, "workers",
72  "Workers af-packet mode, each thread does all"
73  " tasks from acquisition to logging",
74  RunModeIdsAFPWorkers);
75  RunModeRegisterNewRunMode(RUNMODE_AFP_DEV, "autofp",
76  "Multi socket AF_PACKET mode. Packets from "
77  "each flow are assigned to a single detect "
78  "thread.",
79  RunModeIdsAFPAutoFp);
80  return;
81 }
82 
83 
84 #ifdef HAVE_AF_PACKET
85 
86 static void AFPDerefConfig(void *conf)
87 {
88  AFPIfaceConfig *pfp = (AFPIfaceConfig *)conf;
89  /* Pcap config is used only once but cost of this low. */
90  if (SC_ATOMIC_SUB(pfp->ref, 1) == 1) {
91  SCFree(pfp);
92  }
93 }
94 
95 /* if cluster id is not set, assign it automagically, uniq value per
96  * interface. */
97 static int cluster_id_auto = 1;
98 
99 /**
100  * \brief extract information from config file
101  *
102  * The returned structure will be freed by the thread init function.
103  * This is thus necessary to or copy the structure before giving it
104  * to thread or to reparse the file for each thread (and thus have
105  * new structure.
106  *
107  * \return a AFPIfaceConfig corresponding to the interface name
108  */
109 static void *ParseAFPConfig(const char *iface)
110 {
111  const char *threadsstr = NULL;
112  ConfNode *if_root;
113  ConfNode *if_default = NULL;
114  ConfNode *af_packet_node;
115  const char *tmpclusterid;
116  const char *tmpctype;
117  const char *copymodestr;
118  intmax_t value;
119  int boolval;
120  const char *bpf_filter = NULL;
121  const char *out_iface = NULL;
122  int cluster_type = PACKET_FANOUT_HASH;
123  const char *ebpf_file = NULL;
124  const char *active_runmode = RunmodeGetActive();
125 
126  if (iface == NULL) {
127  return NULL;
128  }
129 
130  AFPIfaceConfig *aconf = SCCalloc(1, sizeof(*aconf));
131  if (unlikely(aconf == NULL)) {
132  return NULL;
133  }
134 
135  strlcpy(aconf->iface, iface, sizeof(aconf->iface));
136  aconf->threads = 0;
137  SC_ATOMIC_INIT(aconf->ref);
138  (void) SC_ATOMIC_ADD(aconf->ref, 1);
139  aconf->buffer_size = 0;
140  aconf->cluster_id = 1;
141  aconf->cluster_type = cluster_type | PACKET_FANOUT_FLAG_DEFRAG;
142  aconf->promisc = 1;
143  aconf->checksum_mode = CHECKSUM_VALIDATION_KERNEL;
144  aconf->DerefFunc = AFPDerefConfig;
145  aconf->flags = AFP_RING_MODE;
146  aconf->bpf_filter = NULL;
147  aconf->ebpf_lb_file = NULL;
148  aconf->ebpf_lb_fd = -1;
149  aconf->ebpf_filter_file = NULL;
150  aconf->ebpf_filter_fd = -1;
151  aconf->out_iface = NULL;
152  aconf->copy_mode = AFP_COPY_MODE_NONE;
153  aconf->block_timeout = 10;
154  aconf->block_size = getpagesize() << AFP_BLOCK_SIZE_DEFAULT_ORDER;
155 #ifdef HAVE_PACKET_EBPF
156  aconf->ebpf_t_config.cpus_count = UtilCpuGetNumProcessorsConfigured();
157 #endif
158 
159  if (ConfGet("bpf-filter", &bpf_filter) == 1) {
160  if (strlen(bpf_filter) > 0) {
161  aconf->bpf_filter = bpf_filter;
162  SCLogConfig("Going to use command-line provided bpf filter '%s'",
163  aconf->bpf_filter);
164  }
165  }
166 
167  /* Find initial node */
168  af_packet_node = ConfGetNode("af-packet");
169  if (af_packet_node == NULL) {
170  SCLogInfo("unable to find af-packet config using default values");
171  goto finalize;
172  }
173 
174  if_root = ConfFindDeviceConfig(af_packet_node, iface);
175  if_default = ConfFindDeviceConfig(af_packet_node, "default");
176 
177  if (if_root == NULL && if_default == NULL) {
178  SCLogInfo("unable to find af-packet config for "
179  "interface \"%s\" or \"default\", using default values",
180  iface);
181  goto finalize;
182  }
183 
184  /* If there is no setting for current interface use default one as main iface */
185  if (if_root == NULL) {
186  if_root = if_default;
187  if_default = NULL;
188  }
189 
190  if (active_runmode && !strcmp("single", active_runmode)) {
191  aconf->threads = 1;
192  } else if (ConfGetChildValueWithDefault(if_root, if_default, "threads", &threadsstr) != 1) {
193  aconf->threads = 0;
194  } else {
195  if (threadsstr != NULL) {
196  if (strcmp(threadsstr, "auto") == 0) {
197  aconf->threads = 0;
198  } else {
199  if (StringParseInt32(&aconf->threads, 10, 0, (const char *)threadsstr) < 0) {
200  SCLogWarning(SC_ERR_INVALID_VALUE, "Invalid number of "
201  "threads, resetting to default");
202  aconf->threads = 0;
203  }
204  }
205  }
206  }
207 
208  if (ConfGetChildValueWithDefault(if_root, if_default, "copy-iface", &out_iface) == 1) {
209  if (strlen(out_iface) > 0) {
210  aconf->out_iface = out_iface;
211  }
212  }
213 
214  if (ConfGetChildValueBoolWithDefault(if_root, if_default, "use-mmap", (int *)&boolval) == 1) {
215  if (!boolval) {
216  SCLogConfig("Disabling mmaped capture on iface %s",
217  aconf->iface);
218  aconf->flags &= ~(AFP_RING_MODE|AFP_TPACKET_V3);
219  }
220  }
221 
222  if (aconf->flags & AFP_RING_MODE) {
223  (void)ConfGetChildValueBoolWithDefault(if_root, if_default,
224  "mmap-locked", (int *)&boolval);
225  if (boolval) {
226  SCLogConfig("Enabling locked memory for mmap on iface %s",
227  aconf->iface);
228  aconf->flags |= AFP_MMAP_LOCKED;
229  }
230 
231  if (ConfGetChildValueBoolWithDefault(if_root, if_default,
232  "tpacket-v3", (int *)&boolval) == 1)
233  {
234  if (boolval) {
235  if (strcasecmp(RunmodeGetActive(), "workers") == 0) {
236 #ifdef HAVE_TPACKET_V3
237  SCLogConfig("Enabling tpacket v3 capture on iface %s",
238  aconf->iface);
239  aconf->flags |= AFP_TPACKET_V3;
240 #else
241  SCLogNotice("System too old for tpacket v3 switching to v2");
242  aconf->flags &= ~AFP_TPACKET_V3;
243 #endif
244  } else {
245  SCLogWarning(SC_ERR_RUNMODE,
246  "tpacket v3 is only implemented for 'workers' runmode."
247  " Switching to tpacket v2.");
248  aconf->flags &= ~AFP_TPACKET_V3;
249  }
250  } else {
251  aconf->flags &= ~AFP_TPACKET_V3;
252  }
253  }
254 
255  (void)ConfGetChildValueBoolWithDefault(if_root, if_default,
256  "use-emergency-flush", (int *)&boolval);
257  if (boolval) {
258  SCLogConfig("Enabling ring emergency flush on iface %s",
259  aconf->iface);
260  aconf->flags |= AFP_EMERGENCY_MODE;
261  }
262  }
263 
264  aconf->copy_mode = AFP_COPY_MODE_NONE;
265  if (ConfGetChildValueWithDefault(if_root, if_default, "copy-mode", &copymodestr) == 1) {
266  if (aconf->out_iface == NULL) {
267  SCLogInfo("Copy mode activated but no destination"
268  " iface. Disabling feature");
269  } else if (!(aconf->flags & AFP_RING_MODE)) {
270  SCLogInfo("Copy mode activated but use-mmap "
271  "set to no. Disabling feature");
272  } else if (strlen(copymodestr) <= 0) {
273  aconf->out_iface = NULL;
274  } else if (strcmp(copymodestr, "ips") == 0) {
275  SCLogInfo("AF_PACKET IPS mode activated %s->%s",
276  iface,
277  aconf->out_iface);
278  aconf->copy_mode = AFP_COPY_MODE_IPS;
279  if (aconf->flags & AFP_TPACKET_V3) {
280  SCLogWarning(SC_ERR_RUNMODE, "Using tpacket_v3 in IPS mode will result in high latency");
281  }
282  } else if (strcmp(copymodestr, "tap") == 0) {
283  SCLogInfo("AF_PACKET TAP mode activated %s->%s",
284  iface,
285  aconf->out_iface);
286  aconf->copy_mode = AFP_COPY_MODE_TAP;
287  if (aconf->flags & AFP_TPACKET_V3) {
288  SCLogWarning(SC_ERR_RUNMODE, "Using tpacket_v3 in TAP mode will result in high latency");
289  }
290  } else {
291  SCLogInfo("Invalid mode (not in tap, ips)");
292  }
293  }
294 
295  if (ConfGetChildValueWithDefault(if_root, if_default, "cluster-id", &tmpclusterid) != 1) {
296  aconf->cluster_id = (uint16_t)(cluster_id_auto++);
297  } else {
298  if (StringParseUint16(&aconf->cluster_id, 10, 0, (const char *)tmpclusterid) < 0) {
299  SCLogWarning(SC_ERR_INVALID_VALUE, "Invalid cluster_id, resetting to 0");
300  aconf->cluster_id = 0;
301  }
302  SCLogDebug("Going to use cluster-id %" PRIu16, aconf->cluster_id);
303  }
304 
305  if (ConfGetChildValueWithDefault(if_root, if_default, "cluster-type", &tmpctype) != 1) {
306  /* default to our safest choice: flow hashing + defrag enabled */
307  aconf->cluster_type = PACKET_FANOUT_HASH | PACKET_FANOUT_FLAG_DEFRAG;
308  cluster_type = PACKET_FANOUT_HASH;
309  } else if (strcmp(tmpctype, "cluster_round_robin") == 0) {
310  SCLogConfig("Using round-robin cluster mode for AF_PACKET (iface %s)",
311  aconf->iface);
312  aconf->cluster_type = PACKET_FANOUT_LB;
313  cluster_type = PACKET_FANOUT_LB;
314  } else if (strcmp(tmpctype, "cluster_flow") == 0) {
315  /* In hash mode, we also ask for defragmentation needed to
316  * compute the hash */
317  uint16_t defrag = 0;
318  int conf_val = 0;
319  SCLogConfig("Using flow cluster mode for AF_PACKET (iface %s)",
320  aconf->iface);
321  ConfGetChildValueBoolWithDefault(if_root, if_default, "defrag", &conf_val);
322  if (conf_val) {
323  SCLogConfig("Using defrag kernel functionality for AF_PACKET (iface %s)",
324  aconf->iface);
325  defrag = PACKET_FANOUT_FLAG_DEFRAG;
326  }
327  aconf->cluster_type = PACKET_FANOUT_HASH | defrag;
328  cluster_type = PACKET_FANOUT_HASH;
329  } else if (strcmp(tmpctype, "cluster_cpu") == 0) {
330  SCLogConfig("Using cpu cluster mode for AF_PACKET (iface %s)",
331  aconf->iface);
332  aconf->cluster_type = PACKET_FANOUT_CPU;
333  cluster_type = PACKET_FANOUT_CPU;
334  } else if (strcmp(tmpctype, "cluster_qm") == 0) {
335  SCLogConfig("Using queue based cluster mode for AF_PACKET (iface %s)",
336  aconf->iface);
337  aconf->cluster_type = PACKET_FANOUT_QM;
338  cluster_type = PACKET_FANOUT_QM;
339  } else if (strcmp(tmpctype, "cluster_random") == 0) {
340  SCLogConfig("Using random based cluster mode for AF_PACKET (iface %s)",
341  aconf->iface);
342  aconf->cluster_type = PACKET_FANOUT_RND;
343  cluster_type = PACKET_FANOUT_RND;
344  } else if (strcmp(tmpctype, "cluster_rollover") == 0) {
345  SCLogConfig("Using rollover based cluster mode for AF_PACKET (iface %s)",
346  aconf->iface);
347  SCLogWarning(SC_WARN_UNCOMMON, "Rollover mode is causing severe flow "
348  "tracking issues, use it at your own risk.");
349  aconf->cluster_type = PACKET_FANOUT_ROLLOVER;
350  cluster_type = PACKET_FANOUT_ROLLOVER;
351 #ifdef HAVE_PACKET_EBPF
352  } else if (strcmp(tmpctype, "cluster_ebpf") == 0) {
353  SCLogInfo("Using ebpf based cluster mode for AF_PACKET (iface %s)",
354  aconf->iface);
355  aconf->cluster_type = PACKET_FANOUT_EBPF;
356  cluster_type = PACKET_FANOUT_EBPF;
357 #endif
358  } else {
359  SCLogWarning(SC_ERR_INVALID_CLUSTER_TYPE,"invalid cluster-type %s",tmpctype);
360  }
361 
362  int conf_val = 0;
363  ConfGetChildValueBoolWithDefault(if_root, if_default, "rollover", &conf_val);
364  if (conf_val) {
365  SCLogConfig("Using rollover kernel functionality for AF_PACKET (iface %s)",
366  aconf->iface);
367  aconf->cluster_type |= PACKET_FANOUT_FLAG_ROLLOVER;
368  SCLogWarning(SC_WARN_UNCOMMON, "Rollover option is causing severe flow "
369  "tracking issues, use it at your own risk.");
370  }
371 
372  /*load af_packet bpf filter*/
373  /* command line value has precedence */
374  if (ConfGet("bpf-filter", &bpf_filter) != 1) {
375  if (ConfGetChildValueWithDefault(if_root, if_default, "bpf-filter", &bpf_filter) == 1) {
376  if (strlen(bpf_filter) > 0) {
377  aconf->bpf_filter = bpf_filter;
378  SCLogConfig("Going to use bpf filter %s", aconf->bpf_filter);
379  }
380  }
381  }
382 
383  if (ConfGetChildValueWithDefault(if_root, if_default, "ebpf-lb-file", &ebpf_file) != 1) {
384  aconf->ebpf_lb_file = NULL;
385  } else {
386 #ifdef HAVE_PACKET_EBPF
387  SCLogConfig("af-packet will use '%s' as eBPF load balancing file",
388  ebpf_file);
389  aconf->ebpf_lb_file = ebpf_file;
390  aconf->ebpf_t_config.flags |= EBPF_SOCKET_FILTER;
391 #endif
392  }
393 
394 #ifdef HAVE_PACKET_EBPF
395  boolval = false;
396  if (ConfGetChildValueBoolWithDefault(if_root, if_default, "pinned-maps", (int *)&boolval) == 1) {
397  if (boolval) {
398  SCLogConfig("Using pinned maps on iface %s",
399  aconf->iface);
400  aconf->ebpf_t_config.flags |= EBPF_PINNED_MAPS;
401  }
402  const char *pinned_maps_name = NULL;
403  if (ConfGetChildValueWithDefault(if_root, if_default,
404  "pinned-maps-name",
405  &pinned_maps_name) != 1) {
406  aconf->ebpf_t_config.pinned_maps_name = pinned_maps_name;
407  } else {
408  aconf->ebpf_t_config.pinned_maps_name = NULL;
409  }
410  } else {
411  aconf->ebpf_t_config.pinned_maps_name = NULL;
412  }
413 #endif
414 
415 #ifdef HAVE_PACKET_EBPF
416  /* One shot loading of the eBPF file */
417  if (aconf->ebpf_lb_file && cluster_type == PACKET_FANOUT_EBPF) {
418  int ret = EBPFLoadFile(aconf->iface, aconf->ebpf_lb_file, "loadbalancer",
419  &aconf->ebpf_lb_fd,
420  &aconf->ebpf_t_config);
421  if (ret != 0) {
422  SCLogWarning(SC_ERR_INVALID_VALUE, "Error when loading eBPF lb file");
423  }
424  }
425 #else
426  if (aconf->ebpf_lb_file) {
427  SCLogError(SC_ERR_UNIMPLEMENTED, "eBPF support is not build-in");
428  }
429 #endif
430 
431  if (ConfGetChildValueWithDefault(if_root, if_default, "ebpf-filter-file", &ebpf_file) != 1) {
432  aconf->ebpf_filter_file = NULL;
433  } else {
434 #ifdef HAVE_PACKET_EBPF
435  SCLogConfig("af-packet will use '%s' as eBPF filter file",
436  ebpf_file);
437  aconf->ebpf_filter_file = ebpf_file;
438  aconf->ebpf_t_config.mode = AFP_MODE_EBPF_BYPASS;
439  aconf->ebpf_t_config.flags |= EBPF_SOCKET_FILTER;
440 #endif
441  ConfGetChildValueBoolWithDefault(if_root, if_default, "bypass", &conf_val);
442  if (conf_val) {
443 #ifdef HAVE_PACKET_EBPF
444  SCLogConfig("Using bypass kernel functionality for AF_PACKET (iface %s)",
445  aconf->iface);
446  aconf->flags |= AFP_BYPASS;
447  BypassedFlowManagerRegisterUpdateFunc(EBPFUpdateFlow, NULL);
448 #else
449  SCLogError(SC_ERR_UNIMPLEMENTED, "Bypass set but eBPF support is not built-in");
450 #endif
451  }
452  }
453 
454  /* One shot loading of the eBPF file */
455  if (aconf->ebpf_filter_file) {
456 #ifdef HAVE_PACKET_EBPF
457  int ret = EBPFLoadFile(aconf->iface, aconf->ebpf_filter_file, "filter",
458  &aconf->ebpf_filter_fd,
459  &aconf->ebpf_t_config);
460  if (ret != 0) {
461  SCLogWarning(SC_ERR_INVALID_VALUE,
462  "Error when loading eBPF filter file");
463  }
464 #else
465  SCLogError(SC_ERR_UNIMPLEMENTED, "eBPF support is not build-in");
466 #endif
467  }
468 
469  if (ConfGetChildValueWithDefault(if_root, if_default, "xdp-filter-file", &ebpf_file) != 1) {
470  aconf->xdp_filter_file = NULL;
471  } else {
472 #ifdef HAVE_PACKET_XDP
473  aconf->ebpf_t_config.mode = AFP_MODE_XDP_BYPASS;
474  aconf->ebpf_t_config.flags |= EBPF_XDP_CODE;
475  aconf->xdp_filter_file = ebpf_file;
476  ConfGetChildValueBoolWithDefault(if_root, if_default, "bypass", &conf_val);
477  if (conf_val) {
478  SCLogConfig("Using bypass kernel functionality for AF_PACKET (iface %s)",
479  aconf->iface);
480  aconf->flags |= AFP_XDPBYPASS;
481  /* if maps are pinned we need to read them at start */
482  if (aconf->ebpf_t_config.flags & EBPF_PINNED_MAPS) {
483  RunModeEnablesBypassManager();
484  struct ebpf_timeout_config *ebt = SCCalloc(1, sizeof(struct ebpf_timeout_config));
485  if (ebt == NULL) {
486  SCLogError(SC_ERR_MEM_ALLOC, "Flow bypass alloc error");
487  } else {
488  memcpy(ebt, &(aconf->ebpf_t_config), sizeof(struct ebpf_timeout_config));
489  BypassedFlowManagerRegisterCheckFunc(NULL,
490  EBPFCheckBypassedFlowCreate,
491  (void *)ebt);
492  }
493  }
494  BypassedFlowManagerRegisterUpdateFunc(EBPFUpdateFlow, NULL);
495  }
496 #else
497  SCLogWarning(SC_ERR_UNIMPLEMENTED, "XDP filter set but XDP support is not built-in");
498 #endif
499 #ifdef HAVE_PACKET_XDP
500  const char *xdp_mode;
501  if (ConfGetChildValueWithDefault(if_root, if_default, "xdp-mode", &xdp_mode) != 1) {
502  aconf->xdp_mode = XDP_FLAGS_SKB_MODE;
503  } else {
504  if (!strcmp(xdp_mode, "soft")) {
505  aconf->xdp_mode = XDP_FLAGS_SKB_MODE;
506  } else if (!strcmp(xdp_mode, "driver")) {
507  aconf->xdp_mode = XDP_FLAGS_DRV_MODE;
508  } else if (!strcmp(xdp_mode, "hw")) {
509  aconf->xdp_mode = XDP_FLAGS_HW_MODE;
510  aconf->ebpf_t_config.flags |= EBPF_XDP_HW_MODE;
511  } else {
512  SCLogWarning(SC_ERR_INVALID_VALUE,
513  "Invalid xdp-mode value: '%s'", xdp_mode);
514  }
515  }
516 
517  boolval = true;
518  if (ConfGetChildValueBoolWithDefault(if_root, if_default, "use-percpu-hash", (int *)&boolval) == 1) {
519  if (boolval == false) {
520  SCLogConfig("Not using percpu hash on iface %s",
521  aconf->iface);
522  aconf->ebpf_t_config.cpus_count = 1;
523  }
524  }
525 #endif
526  }
527 
528  /* One shot loading of the eBPF file */
529  if (aconf->xdp_filter_file) {
530 #ifdef HAVE_PACKET_XDP
531  int ret = EBPFLoadFile(aconf->iface, aconf->xdp_filter_file, "xdp",
532  &aconf->xdp_filter_fd,
533  &aconf->ebpf_t_config);
534  switch (ret) {
535  case 1:
536  SCLogInfo("Loaded pinned maps from sysfs");
537  break;
538  case -1:
539  SCLogWarning(SC_ERR_INVALID_VALUE,
540  "Error when loading XDP filter file");
541  break;
542  case 0:
543  ret = EBPFSetupXDP(aconf->iface, aconf->xdp_filter_fd, aconf->xdp_mode);
544  if (ret != 0) {
545  SCLogWarning(SC_ERR_INVALID_VALUE,
546  "Error when setting up XDP");
547  } else {
548  /* Try to get the xdp-cpu-redirect key */
549  const char *cpuset;
550  if (ConfGetChildValueWithDefault(if_root, if_default,
551  "xdp-cpu-redirect", &cpuset) == 1) {
552  SCLogConfig("Setting up CPU map XDP");
553  ConfNode *node = ConfGetChildWithDefault(if_root, if_default, "xdp-cpu-redirect");
554  if (node == NULL) {
555  SCLogError(SC_ERR_INVALID_VALUE,
556  "Previously found node has disappeared");
557  } else {
558  EBPFBuildCPUSet(node, aconf->iface);
559  }
560  } else {
561  /* It will just set CPU count to 0 */
562  EBPFBuildCPUSet(NULL, aconf->iface);
563  }
564  }
565  /* we have a peer and we use bypass so we can set up XDP iface redirect */
566  if (aconf->out_iface) {
567  EBPFSetPeerIface(aconf->iface, aconf->out_iface);
568  }
569  }
570 #else
571  SCLogError(SC_ERR_UNIMPLEMENTED, "XDP support is not built-in");
572 #endif
573  }
574 
575  if ((ConfGetChildValueIntWithDefault(if_root, if_default, "buffer-size", &value)) == 1) {
576  aconf->buffer_size = value;
577  } else {
578  aconf->buffer_size = 0;
579  }
580  if ((ConfGetChildValueIntWithDefault(if_root, if_default, "ring-size", &value)) == 1) {
581  aconf->ring_size = value;
582  }
583 
584  if ((ConfGetChildValueIntWithDefault(if_root, if_default, "block-size", &value)) == 1) {
585  if (value % getpagesize()) {
586  SCLogError(SC_ERR_INVALID_VALUE, "Block-size must be a multiple of pagesize.");
587  } else {
588  aconf->block_size = value;
589  }
590  }
591 
592  if ((ConfGetChildValueIntWithDefault(if_root, if_default, "block-timeout", &value)) == 1) {
593  aconf->block_timeout = value;
594  } else {
595  aconf->block_timeout = 10;
596  }
597 
598  (void)ConfGetChildValueBoolWithDefault(if_root, if_default, "disable-promisc", (int *)&boolval);
599  if (boolval) {
600  SCLogConfig("Disabling promiscuous mode on iface %s",
601  aconf->iface);
602  aconf->promisc = 0;
603  }
604 
605  if (ConfGetChildValueWithDefault(if_root, if_default, "checksum-checks", &tmpctype) == 1) {
606  if (strcmp(tmpctype, "auto") == 0) {
607  aconf->checksum_mode = CHECKSUM_VALIDATION_AUTO;
608  } else if (ConfValIsTrue(tmpctype)) {
609  aconf->checksum_mode = CHECKSUM_VALIDATION_ENABLE;
610  } else if (ConfValIsFalse(tmpctype)) {
611  aconf->checksum_mode = CHECKSUM_VALIDATION_DISABLE;
612  } else if (strcmp(tmpctype, "kernel") == 0) {
613  aconf->checksum_mode = CHECKSUM_VALIDATION_KERNEL;
614  } else {
615  SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid value for checksum-checks for %s", aconf->iface);
616  }
617  }
618 
619 finalize:
620 
621  /* if the number of threads is not 1, we need to first check if fanout
622  * functions on this system. */
623  if (aconf->threads != 1) {
624  if (AFPIsFanoutSupported(aconf->cluster_id) == 0) {
625  if (aconf->threads != 0) {
626  SCLogNotice("fanout not supported on this system, falling "
627  "back to 1 capture thread");
628  }
629  aconf->threads = 1;
630  }
631  }
632 
633  /* try to automagically set the proper number of threads */
634  if (aconf->threads == 0) {
635  /* for cluster_flow use core count */
636  if (cluster_type == PACKET_FANOUT_HASH) {
637  aconf->threads = (int)UtilCpuGetNumProcessorsOnline();
638  SCLogPerf("%u cores, so using %u threads", aconf->threads, aconf->threads);
639 
640  /* for cluster_qm use RSS queue count */
641  } else if (cluster_type == PACKET_FANOUT_QM) {
642  int rss_queues = GetIfaceRSSQueuesNum(iface);
643  if (rss_queues > 0) {
644  aconf->threads = rss_queues;
645  SCLogPerf("%d RSS queues, so using %u threads", rss_queues, aconf->threads);
646  }
647  }
648 
649  if (aconf->threads) {
650  SCLogPerf("Using %d AF_PACKET threads for interface %s",
651  aconf->threads, iface);
652  }
653  }
654  if (aconf->threads <= 0) {
655  aconf->threads = 1;
656  }
657  SC_ATOMIC_RESET(aconf->ref);
658  (void) SC_ATOMIC_ADD(aconf->ref, aconf->threads);
659 
660  if (aconf->ring_size != 0) {
661  if (aconf->ring_size * aconf->threads < max_pending_packets) {
662  aconf->ring_size = max_pending_packets / aconf->threads + 1;
663  SCLogWarning(SC_ERR_AFP_CREATE, "Inefficient setup: ring-size < max_pending_packets. "
664  "Resetting to decent value %d.", aconf->ring_size);
665  /* We want at least that max_pending_packets packets can be handled by the
666  * interface. This is generous if we have multiple interfaces listening. */
667  }
668  } else {
669  /* We want that max_pending_packets packets can be handled by suricata
670  * for this interface. To take burst into account we multiply the obtained
671  * size by 2. */
672  aconf->ring_size = max_pending_packets * 2 / aconf->threads;
673  }
674 
675  int ltype = AFPGetLinkType(iface);
676  switch (ltype) {
677  case LINKTYPE_ETHERNET:
678  /* af-packet can handle csum offloading */
679  if (LiveGetOffload() == 0) {
680  if (GetIfaceOffloading(iface, 0, 1) == 1) {
681  SCLogWarning(SC_ERR_AFP_CREATE,
682  "Using AF_PACKET with offloading activated leads to capture problems");
683  }
684  } else {
685  DisableIfaceOffloading(LiveGetDevice(iface), 0, 1);
686  }
687  break;
688  case -1:
689  default:
690  break;
691  }
692 
693  if (active_runmode && !strcmp("workers", active_runmode)) {
694  aconf->flags |= AFP_ZERO_COPY;
695  } else {
696  /* If we are using copy mode we need a lock */
697  aconf->flags |= AFP_SOCK_PROTECT;
698  }
699 
700  /* If we are in RING mode, then we can use ZERO copy
701  * by using the data release mechanism */
702  if (aconf->flags & AFP_RING_MODE) {
703  aconf->flags |= AFP_ZERO_COPY;
704  }
705 
706  if (aconf->flags & AFP_ZERO_COPY) {
707  SCLogConfig("%s: enabling zero copy mode by using data release call", iface);
708  }
709 
710  return aconf;
711 }
712 
713 static int AFPConfigGeThreadsCount(void *conf)
714 {
715  AFPIfaceConfig *afp = (AFPIfaceConfig *)conf;
716  return afp->threads;
717 }
718 
719 int AFPRunModeIsIPS()
720 {
721  int nlive = LiveGetDeviceCount();
722  int ldev;
723  ConfNode *if_root;
724  ConfNode *if_default = NULL;
725  ConfNode *af_packet_node;
726  int has_ips = 0;
727  int has_ids = 0;
728 
729  /* Find initial node */
730  af_packet_node = ConfGetNode("af-packet");
731  if (af_packet_node == NULL) {
732  return 0;
733  }
734 
735  if_default = ConfNodeLookupKeyValue(af_packet_node, "interface", "default");
736 
737  for (ldev = 0; ldev < nlive; ldev++) {
738  const char *live_dev = LiveGetDeviceName(ldev);
739  if (live_dev == NULL) {
740  SCLogError(SC_ERR_INVALID_VALUE, "Problem with config file");
741  return 0;
742  }
743  const char *copymodestr = NULL;
744  if_root = ConfFindDeviceConfig(af_packet_node, live_dev);
745 
746  if (if_root == NULL) {
747  if (if_default == NULL) {
748  SCLogError(SC_ERR_INVALID_VALUE, "Problem with config file");
749  return 0;
750  }
751  if_root = if_default;
752  }
753 
754  if (ConfGetChildValueWithDefault(if_root, if_default, "copy-mode", &copymodestr) == 1) {
755  if (strcmp(copymodestr, "ips") == 0) {
756  has_ips = 1;
757  } else {
758  has_ids = 1;
759  }
760  } else {
761  has_ids = 1;
762  }
763  }
764 
765  if (has_ids && has_ips) {
766  SCLogInfo("AF_PACKET mode using IPS and IDS mode");
767  for (ldev = 0; ldev < nlive; ldev++) {
768  const char *live_dev = LiveGetDeviceName(ldev);
769  if (live_dev == NULL) {
770  SCLogError(SC_ERR_INVALID_VALUE, "Problem with config file");
771  return 0;
772  }
773  if_root = ConfNodeLookupKeyValue(af_packet_node, "interface", live_dev);
774  const char *copymodestr = NULL;
775 
776  if (if_root == NULL) {
777  if (if_default == NULL) {
778  SCLogError(SC_ERR_INVALID_VALUE, "Problem with config file");
779  return 0;
780  }
781  if_root = if_default;
782  }
783 
784  if (! ((ConfGetChildValueWithDefault(if_root, if_default, "copy-mode", &copymodestr) == 1) &&
785  (strcmp(copymodestr, "ips") == 0))) {
786  SCLogError(SC_ERR_INVALID_ARGUMENT,
787  "AF_PACKET IPS mode used and interface '%s' is in IDS or TAP mode. "
788  "Sniffing '%s' but expect bad result as stream-inline is activated.",
789  live_dev, live_dev);
790  }
791  }
792  }
793 
794  return has_ips;
795 }
796 
797 #endif
798 
799 
800 int RunModeIdsAFPAutoFp(void)
801 {
802  SCEnter();
803 
804 /* We include only if AF_PACKET is enabled */
805 #ifdef HAVE_AF_PACKET
806  int ret;
807  const char *live_dev = NULL;
808 
809  RunModeInitialize();
810 
811  TimeModeSetLive();
812 
813  (void)ConfGet("af-packet.live-interface", &live_dev);
814 
815  SCLogDebug("live_dev %s", live_dev);
816 
817  if (AFPPeersListInit() != TM_ECODE_OK) {
818  FatalError(SC_ERR_FATAL, "Unable to init peers list.");
819  }
820 
821  ret = RunModeSetLiveCaptureAutoFp(ParseAFPConfig,
822  AFPConfigGeThreadsCount,
823  "ReceiveAFP",
824  "DecodeAFP", thread_name_autofp,
825  live_dev);
826  if (ret != 0) {
827  FatalError(SC_ERR_FATAL, "Unable to start runmode");
828  }
829 
830  /* In IPS mode each threads must have a peer */
831  if (AFPPeersListCheck() != TM_ECODE_OK) {
832  FatalError(SC_ERR_FATAL, "Some IPS capture threads did not peer.");
833  }
834 
835  SCLogDebug("RunModeIdsAFPAutoFp initialised");
836 #endif /* HAVE_AF_PACKET */
837 
838  SCReturnInt(0);
839 }
840 
841 /**
842  * \brief Single thread version of the AF_PACKET processing.
843  */
844 int RunModeIdsAFPSingle(void)
845 {
846  SCEnter();
847 #ifdef HAVE_AF_PACKET
848  int ret;
849  const char *live_dev = NULL;
850 
851  RunModeInitialize();
852  TimeModeSetLive();
853 
854  (void)ConfGet("af-packet.live-interface", &live_dev);
855 
856  if (AFPPeersListInit() != TM_ECODE_OK) {
857  FatalError(SC_ERR_FATAL, "Unable to init peers list.");
858  }
859 
860  ret = RunModeSetLiveCaptureSingle(ParseAFPConfig,
861  AFPConfigGeThreadsCount,
862  "ReceiveAFP",
863  "DecodeAFP", thread_name_single,
864  live_dev);
865  if (ret != 0) {
866  FatalError(SC_ERR_FATAL, "Unable to start runmode");
867  }
868 
869  /* In IPS mode each threads must have a peer */
870  if (AFPPeersListCheck() != TM_ECODE_OK) {
871  FatalError(SC_ERR_FATAL, "Some IPS capture threads did not peer.");
872  }
873 
874  SCLogDebug("RunModeIdsAFPSingle initialised");
875 
876 #endif /* HAVE_AF_PACKET */
877  SCReturnInt(0);
878 }
879 
880 /**
881  * \brief Workers version of the AF_PACKET processing.
882  *
883  * Start N threads with each thread doing all the work.
884  *
885  */
886 int RunModeIdsAFPWorkers(void)
887 {
888  SCEnter();
889 #ifdef HAVE_AF_PACKET
890  int ret;
891  const char *live_dev = NULL;
892 
893  RunModeInitialize();
894  TimeModeSetLive();
895 
896  (void)ConfGet("af-packet.live-interface", &live_dev);
897 
898  if (AFPPeersListInit() != TM_ECODE_OK) {
899  FatalError(SC_ERR_FATAL, "Unable to init peers list.");
900  }
901 
902  ret = RunModeSetLiveCaptureWorkers(ParseAFPConfig,
903  AFPConfigGeThreadsCount,
904  "ReceiveAFP",
905  "DecodeAFP", thread_name_workers,
906  live_dev);
907  if (ret != 0) {
908  FatalError(SC_ERR_FATAL, "Unable to start runmode");
909  }
910 
911  /* In IPS mode each threads must have a peer */
912  if (AFPPeersListCheck() != TM_ECODE_OK) {
913  FatalError(SC_ERR_FATAL, "Some IPS capture threads did not peer.");
914  }
915 
916  SCLogDebug("RunModeIdsAFPWorkers initialised");
917 
918 #endif /* HAVE_AF_PACKET */
919  SCReturnInt(0);
920 }
921 
922 /**
923  * @}
924  */
thread_name_workers
const char * thread_name_workers
Definition: runmodes.c:65
AFPIfaceConfig_::promisc
int promisc
Definition: source-af-packet.h:98
util-byte.h
tm-threads.h
AFPIfaceConfig_::checksum_mode
ChecksumValidationMode checksum_mode
Definition: source-af-packet.h:102
PACKET_FANOUT_FLAG_DEFRAG
#define PACKET_FANOUT_FLAG_DEFRAG
Definition: source-af-packet.h:40
RunModeIdsAFPWorkers
int RunModeIdsAFPWorkers(void)
Workers version of the AF_PACKET processing.
Definition: runmode-af-packet.c:886
flow-bypass.h
AFPIfaceConfig_::xdp_mode
uint8_t xdp_mode
Definition: source-af-packet.h:110
StringParseUint16
int StringParseUint16(uint16_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:336
AFP_BYPASS
#define AFP_BYPASS
Definition: source-af-packet.h:65
RunModeSetLiveCaptureWorkers
int RunModeSetLiveCaptureWorkers(ConfigIfaceParserFunc ConfigParser, ConfigIfaceThreadsCountFunc ModThreadsCount, const char *recv_mod_name, const char *decode_mod_name, const char *thread_name, const char *live_dev)
Definition: util-runmodes.c:330
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
AFPPeersListCheck
TmEcode AFPPeersListCheck()
Check that all AFPPeer got a peer.
Definition: source-af-packet.c:409
alert-debuglog.h
GetIfaceRSSQueuesNum
int GetIfaceRSSQueuesNum(const char *pcap_dev)
Definition: util-ioctl.c:737
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
Definition: util-atomic.h:315
AFP_COPY_MODE_NONE
#define AFP_COPY_MODE_NONE
Definition: source-af-packet.h:68
RunModeIdsAFPSingle
int RunModeIdsAFPSingle(void)
Single thread version of the AF_PACKET processing.
Definition: runmode-af-packet.c:844
runmode-af-packet.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ERR_INVALID_CLUSTER_TYPE
@ SC_ERR_INVALID_CLUSTER_TYPE
Definition: util-error.h:66
RunModeIdsAFPRegister
void RunModeIdsAFPRegister(void)
Definition: runmode-af-packet.c:66
ConfGetChildValueBoolWithDefault
int ConfGetChildValueBoolWithDefault(const ConfNode *base, const ConfNode *dflt, const char *name, int *val)
Definition: conf.c:542
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
LiveGetOffload
int LiveGetOffload(void)
Definition: util-device.c:79
AFPIfaceConfig_::ebpf_filter_fd
int ebpf_filter_fd
Definition: source-af-packet.h:107
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:175
PACKET_FANOUT_RND
#define PACKET_FANOUT_RND
Definition: source-af-packet.h:36
UtilCpuGetNumProcessorsConfigured
uint16_t UtilCpuGetNumProcessorsConfigured(void)
Get the number of cpus configured in the system.
Definition: util-cpu.c:59
AFP_SOCK_PROTECT
#define AFP_SOCK_PROTECT
Definition: source-af-packet.h:60
PACKET_FANOUT_HASH
#define PACKET_FANOUT_HASH
Definition: source-af-packet.h:32
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:333
RunModeAFPGetDefaultMode
const char * RunModeAFPGetDefaultMode(void)
Definition: runmode-af-packet.c:61
RunModeInitialize
void RunModeInitialize(void)
Definition: runmodes.c:918
PACKET_FANOUT_QM
#define PACKET_FANOUT_QM
Definition: source-af-packet.h:37
AFPIfaceConfig_::threads
int threads
Definition: source-af-packet.h:85
util-runmodes.h
StringParseInt32
int StringParseInt32(int32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:613
AFPIfaceConfig_::ring_size
int ring_size
Definition: source-af-packet.h:89
thread_name_autofp
const char * thread_name_autofp
Definition: runmodes.c:63
AFPIfaceConfig_::block_timeout
int block_timeout
Definition: source-af-packet.h:93
PACKET_FANOUT_ROLLOVER
#define PACKET_FANOUT_ROLLOVER
Definition: source-af-packet.h:35
ConfNodeLookupKeyValue
ConfNode * ConfNodeLookupKeyValue(const ConfNode *base, const char *key, const char *value)
Lookup for a key value under a specific node.
Definition: conf.c:859
CHECKSUM_VALIDATION_DISABLE
@ CHECKSUM_VALIDATION_DISABLE
Definition: decode.h:43
AFPIfaceConfig_::out_iface
const char * out_iface
Definition: source-af-packet.h:111
CHECKSUM_VALIDATION_KERNEL
@ CHECKSUM_VALIDATION_KERNEL
Definition: decode.h:47
AFP_XDPBYPASS
#define AFP_XDPBYPASS
Definition: source-af-packet.h:66
RunmodeGetActive
char * RunmodeGetActive(void)
Definition: runmodes.c:191
AFPIfaceConfig_::flags
unsigned int flags
Definition: source-af-packet.h:100
AFPIfaceConfig_::copy_mode
int copy_mode
Definition: source-af-packet.h:101
AFPIfaceConfig_::xdp_filter_fd
int xdp_filter_fd
Definition: source-af-packet.h:109
ConfGetChildValueIntWithDefault
int ConfGetChildValueIntWithDefault(const ConfNode *base, const ConfNode *dflt, const char *name, intmax_t *val)
Definition: conf.c:494
SC_ERR_RUNMODE
@ SC_ERR_RUNMODE
Definition: util-error.h:219
thread_name_single
const char * thread_name_single
Definition: runmodes.c:64
ConfGetChildWithDefault
ConfNode * ConfGetChildWithDefault(const ConfNode *base, const ConfNode *dflt, const char *name)
Definition: conf.c:401
AFPGetLinkType
int AFPGetLinkType(const char *ifname)
Definition: source-af-packet.c:1678
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:565
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
AFP_BLOCK_SIZE_DEFAULT_ORDER
#define AFP_BLOCK_SIZE_DEFAULT_ORDER
Definition: source-af-packet.h:79
AFPIfaceConfig_::cluster_type
int cluster_type
Definition: source-af-packet.h:96
AFPIfaceConfig_::cluster_id
uint16_t cluster_id
Definition: source-af-packet.h:95
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
RunModeSetLiveCaptureAutoFp
int RunModeSetLiveCaptureAutoFp(ConfigIfaceParserFunc ConfigParser, ConfigIfaceThreadsCountFunc ModThreadsCount, const char *recv_mod_name, const char *decode_mod_name, const char *thread_name, const char *live_dev)
Definition: util-runmodes.c:87
AFPIfaceConfig_::block_size
int block_size
Definition: source-af-packet.h:91
CHECKSUM_VALIDATION_ENABLE
@ CHECKSUM_VALIDATION_ENABLE
Definition: decode.h:44
ConfGet
int ConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:330
CHECKSUM_VALIDATION_AUTO
@ CHECKSUM_VALIDATION_AUTO
Definition: decode.h:45
util-device.h
util-debug.h
AFPIfaceConfig_::ebpf_lb_fd
int ebpf_lb_fd
Definition: source-af-packet.h:105
AFP_MMAP_LOCKED
#define AFP_MMAP_LOCKED
Definition: source-af-packet.h:64
util-cpu.h
AFPIfaceConfig_::ebpf_filter_file
const char * ebpf_filter_file
Definition: source-af-packet.h:106
PACKET_FANOUT_LB
#define PACKET_FANOUT_LB
Definition: source-af-packet.h:33
RunModeEnablesBypassManager
void RunModeEnablesBypassManager(void)
Definition: runmodes.c:411
LiveGetDevice
LiveDevice * LiveGetDevice(const char *name)
Get a pointer to the device at idx.
Definition: util-device.c:278
ConfFindDeviceConfig
ConfNode * ConfFindDeviceConfig(ConfNode *node, const char *iface)
Find the configuration node for a specific device.
Definition: util-conf.c:128
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
util-ebpf.h
util-affinity.h
PACKET_FANOUT_CPU
#define PACKET_FANOUT_CPU
Definition: source-af-packet.h:34
ConfGetChildValueWithDefault
int ConfGetChildValueWithDefault(const ConfNode *base, const ConfNode *dflt, const char *name, const char **vptr)
Definition: conf.c:415
util-time.h
AFPIfaceConfig_::DerefFunc
void(* DerefFunc)(void *)
Definition: source-af-packet.h:116
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
AFP_COPY_MODE_TAP
#define AFP_COPY_MODE_TAP
Definition: source-af-packet.h:69
SC_ATOMIC_SUB
#define SC_ATOMIC_SUB(name, val)
sub a value from our atomic variable
Definition: util-atomic.h:342
AFPRunModeIsIPS
int AFPRunModeIsIPS()
Definition: runmode-af-packet.c:719
conf.h
GetIfaceOffloading
int GetIfaceOffloading(const char *dev, int csum, int other)
output offloading status of the link
Definition: util-ioctl.c:694
DisableIfaceOffloading
int DisableIfaceOffloading(LiveDevice *dev, int csum, int other)
Definition: util-ioctl.c:707
runmodes.h
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:217
TimeModeSetLive
void TimeModeSetLive(void)
Definition: util-time.c:97
alert-fastlog.h
suricata-common.h
RunModeRegisterNewRunMode
void RunModeRegisterNewRunMode(enum RunModes runmode, const char *name, const char *description, int(*RunModeFunc)(void))
Registers a new runmode.
Definition: runmodes.c:432
LiveGetDeviceName
const char * LiveGetDeviceName(int number)
Get a pointer to the device name at idx.
Definition: util-device.c:176
SCLogPerf
#define SCLogPerf(...)
Definition: util-debug.h:224
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
AFP_RING_MODE
#define AFP_RING_MODE
Definition: source-af-packet.h:58
AFPIfaceConfig_::xdp_filter_file
const char * xdp_filter_file
Definition: source-af-packet.h:108
AFP_TPACKET_V3
#define AFP_TPACKET_V3
Definition: source-af-packet.h:62
FatalError
#define FatalError(x,...)
Definition: util-debug.h:532
SC_ERR_AFP_CREATE
@ SC_ERR_AFP_CREATE
Definition: util-error.h:222
log-httplog.h
SC_ERR_UNIMPLEMENTED
@ SC_ERR_UNIMPLEMENTED
Definition: util-error.h:118
RunModeIdsAFPAutoFp
int RunModeIdsAFPAutoFp(void)
Definition: runmode-af-packet.c:800
SC_ATOMIC_RESET
#define SC_ATOMIC_RESET(name)
wrapper for reinitializing an atomic variable.
Definition: util-atomic.h:324
BypassedFlowManagerRegisterUpdateFunc
int BypassedFlowManagerRegisterUpdateFunc(BypassedUpdateFunc UpdateFunc, void *data)
source-af-packet.h
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
SCFree
#define SCFree(p)
Definition: util-mem.h:61
AFP_COPY_MODE_IPS
#define AFP_COPY_MODE_IPS
Definition: source-af-packet.h:70
max_pending_packets
int max_pending_packets
Definition: suricata.c:210
ConfNode_
Definition: conf.h:32
SC_ERR_FATAL
@ SC_ERR_FATAL
Definition: util-error.h:203
AFPIfaceConfig_::buffer_size
int buffer_size
Definition: source-af-packet.h:87
util-ioctl.h
ConfValIsFalse
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:590
RunModeSetLiveCaptureSingle
int RunModeSetLiveCaptureSingle(ConfigIfaceParserFunc ConfigParser, ConfigIfaceThreadsCountFunc ModThreadsCount, const char *recv_mod_name, const char *decode_mod_name, const char *thread_name, const char *live_dev)
Definition: util-runmodes.c:364
AFP_ZERO_COPY
#define AFP_ZERO_COPY
Definition: source-af-packet.h:59
AFPIfaceConfig_::iface
char iface[AFP_IFACE_NAME_LENGTH]
Definition: source-af-packet.h:83
SC_ERR_MEM_ALLOC
@ SC_ERR_MEM_ALLOC
Definition: util-error.h:31
AFPIfaceConfig_
Definition: source-af-packet.h:82
AFPIfaceConfig_::bpf_filter
const char * bpf_filter
Definition: source-af-packet.h:103
LiveGetDeviceCount
int LiveGetDeviceCount(void)
Get the number of registered devices.
Definition: util-device.c:156
UtilCpuGetNumProcessorsOnline
uint16_t UtilCpuGetNumProcessorsOnline(void)
Get the number of cpus online in the system.
Definition: util-cpu.c:106
AFPIfaceConfig_::ebpf_lb_file
const char * ebpf_lb_file
Definition: source-af-packet.h:104
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:232
BypassedFlowManagerRegisterCheckFunc
int BypassedFlowManagerRegisterCheckFunc(BypassedCheckFunc CheckFunc, BypassedCheckFuncInit CheckFuncInit, void *data)
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
RUNMODE_AFP_DEV
@ RUNMODE_AFP_DEV
Definition: runmodes.h:37
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
PACKET_FANOUT_FLAG_ROLLOVER
#define PACKET_FANOUT_FLAG_ROLLOVER
Definition: source-af-packet.h:39
AFPPeersListInit
TmEcode AFPPeersListInit()
Init the global list of AFPPeer.
Definition: source-af-packet.c:392
AFPIsFanoutSupported
int AFPIsFanoutSupported(uint16_t cluster_id)
test if we can use FANOUT. Older kernels like those in CentOS6 have HAVE_PACKET_FANOUT defined but fa...
Definition: source-af-packet.c:1980
output.h
LINKTYPE_ETHERNET
#define LINKTYPE_ETHERNET
Definition: decode.h:1121
AFP_EMERGENCY_MODE
#define AFP_EMERGENCY_MODE
Definition: source-af-packet.h:61
SC_WARN_UNCOMMON
@ SC_WARN_UNCOMMON
Definition: util-error.h:262