suricata
runmode-af-packet.c
Go to the documentation of this file.
1 /* Copyright (C) 2011-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup afppacket
20  *
21  * @{
22  */
23 
24 /**
25  * \file
26  *
27  * \author Eric Leblond <eric@regit.org>
28  *
29  * AF_PACKET socket runmode
30  *
31  */
32 
33 #include "suricata-common.h"
34 #include "config.h"
35 #include "tm-threads.h"
36 #include "conf.h"
37 #include "runmodes.h"
38 #include "runmode-af-packet.h"
39 #include "output.h"
40 #include "log-httplog.h"
41 #include "detect-engine-mpm.h"
42 
43 #include "alert-fastlog.h"
44 #include "alert-prelude.h"
45 #include "alert-debuglog.h"
46 
47 #include "flow-bypass.h"
48 
49 #include "util-debug.h"
50 #include "util-time.h"
51 #include "util-cpu.h"
52 #include "util-affinity.h"
53 #include "util-device.h"
54 #include "util-runmodes.h"
55 #include "util-ioctl.h"
56 #include "util-ebpf.h"
57 
58 #include "source-af-packet.h"
59 
60 extern int max_pending_packets;
61 
62 const char *RunModeAFPGetDefaultMode(void)
63 {
64  return "workers";
65 }
66 
67 void RunModeIdsAFPRegister(void)
68 {
69  RunModeRegisterNewRunMode(RUNMODE_AFP_DEV, "single",
70  "Single threaded af-packet mode",
71  RunModeIdsAFPSingle);
72  RunModeRegisterNewRunMode(RUNMODE_AFP_DEV, "workers",
73  "Workers af-packet mode, each thread does all"
74  " tasks from acquisition to logging",
75  RunModeIdsAFPWorkers);
76  RunModeRegisterNewRunMode(RUNMODE_AFP_DEV, "autofp",
77  "Multi socket AF_PACKET mode. Packets from "
78  "each flow are assigned to a single detect "
79  "thread.",
80  RunModeIdsAFPAutoFp);
81  return;
82 }
83 
84 
85 #ifdef HAVE_AF_PACKET
86 
87 static void AFPDerefConfig(void *conf)
88 {
89  AFPIfaceConfig *pfp = (AFPIfaceConfig *)conf;
90  /* Pcap config is used only once but cost of this low. */
91  if (SC_ATOMIC_SUB(pfp->ref, 1) == 0) {
92  SCFree(pfp);
93  }
94 }
95 
96 /* if cluster id is not set, assign it automagically, uniq value per
97  * interface. */
98 static int cluster_id_auto = 1;
99 
100 /**
101  * \brief extract information from config file
102  *
103  * The returned structure will be freed by the thread init function.
104  * This is thus necessary to or copy the structure before giving it
105  * to thread or to reparse the file for each thread (and thus have
106  * new structure.
107  *
108  * \return a AFPIfaceConfig corresponding to the interface name
109  */
110 static void *ParseAFPConfig(const char *iface)
111 {
112  const char *threadsstr = NULL;
113  ConfNode *if_root;
114  ConfNode *if_default = NULL;
115  ConfNode *af_packet_node;
116  const char *tmpclusterid;
117  const char *tmpctype;
118  const char *copymodestr;
119  intmax_t value;
120  int boolval;
121  const char *bpf_filter = NULL;
122  const char *out_iface = NULL;
123  int cluster_type = PACKET_FANOUT_HASH;
124  const char *ebpf_file = NULL;
125 
126  if (iface == NULL) {
127  return NULL;
128  }
129 
130  AFPIfaceConfig *aconf = SCCalloc(1, sizeof(*aconf));
131  if (unlikely(aconf == NULL)) {
132  return NULL;
133  }
134 
135  strlcpy(aconf->iface, iface, sizeof(aconf->iface));
136  aconf->threads = 0;
137  SC_ATOMIC_INIT(aconf->ref);
138  (void) SC_ATOMIC_ADD(aconf->ref, 1);
139  aconf->buffer_size = 0;
140  aconf->cluster_id = 1;
141  aconf->cluster_type = cluster_type | PACKET_FANOUT_FLAG_DEFRAG;
142  aconf->promisc = 1;
143  aconf->checksum_mode = CHECKSUM_VALIDATION_KERNEL;
144  aconf->DerefFunc = AFPDerefConfig;
145  aconf->flags = AFP_RING_MODE;
146  aconf->bpf_filter = NULL;
147  aconf->ebpf_lb_file = NULL;
148  aconf->ebpf_lb_fd = -1;
149  aconf->ebpf_filter_file = NULL;
150  aconf->ebpf_filter_fd = -1;
151  aconf->out_iface = NULL;
152  aconf->copy_mode = AFP_COPY_MODE_NONE;
153  aconf->block_timeout = 10;
154  aconf->block_size = getpagesize() << AFP_BLOCK_SIZE_DEFAULT_ORDER;
155 #ifdef HAVE_PACKET_EBPF
156  aconf->ebpf_t_config.cpus_count = UtilCpuGetNumProcessorsConfigured();
157 #endif
158 
159  if (ConfGet("bpf-filter", &bpf_filter) == 1) {
160  if (strlen(bpf_filter) > 0) {
161  aconf->bpf_filter = bpf_filter;
162  SCLogConfig("Going to use command-line provided bpf filter '%s'",
163  aconf->bpf_filter);
164  }
165  }
166 
167  /* Find initial node */
168  af_packet_node = ConfGetNode("af-packet");
169  if (af_packet_node == NULL) {
170  SCLogInfo("unable to find af-packet config using default values");
171  goto finalize;
172  }
173 
174  if_root = ConfFindDeviceConfig(af_packet_node, iface);
175  if_default = ConfFindDeviceConfig(af_packet_node, "default");
176 
177  if (if_root == NULL && if_default == NULL) {
178  SCLogInfo("unable to find af-packet config for "
179  "interface \"%s\" or \"default\", using default values",
180  iface);
181  goto finalize;
182  }
183 
184  /* If there is no setting for current interface use default one as main iface */
185  if (if_root == NULL) {
186  if_root = if_default;
187  if_default = NULL;
188  }
189 
190  if (ConfGetChildValueWithDefault(if_root, if_default, "threads", &threadsstr) != 1) {
191  aconf->threads = 0;
192  } else {
193  if (threadsstr != NULL) {
194  if (strcmp(threadsstr, "auto") == 0) {
195  aconf->threads = 0;
196  } else {
197  aconf->threads = atoi(threadsstr);
198  }
199  }
200  }
201 
202  if (ConfGetChildValueWithDefault(if_root, if_default, "copy-iface", &out_iface) == 1) {
203  if (strlen(out_iface) > 0) {
204  aconf->out_iface = out_iface;
205  }
206  }
207 
208  if (ConfGetChildValueBoolWithDefault(if_root, if_default, "use-mmap", (int *)&boolval) == 1) {
209  if (!boolval) {
210  SCLogConfig("Disabling mmaped capture on iface %s",
211  aconf->iface);
212  aconf->flags &= ~(AFP_RING_MODE|AFP_TPACKET_V3);
213  }
214  }
215 
216  if (aconf->flags & AFP_RING_MODE) {
217  (void)ConfGetChildValueBoolWithDefault(if_root, if_default,
218  "mmap-locked", (int *)&boolval);
219  if (boolval) {
220  SCLogConfig("Enabling locked memory for mmap on iface %s",
221  aconf->iface);
222  aconf->flags |= AFP_MMAP_LOCKED;
223  }
224 
225  if (ConfGetChildValueBoolWithDefault(if_root, if_default,
226  "tpacket-v3", (int *)&boolval) == 1)
227  {
228  if (boolval) {
229  if (strcasecmp(RunmodeGetActive(), "workers") == 0) {
230 #ifdef HAVE_TPACKET_V3
231  SCLogConfig("Enabling tpacket v3 capture on iface %s",
232  aconf->iface);
233  aconf->flags |= AFP_TPACKET_V3;
234 #else
235  SCLogNotice("System too old for tpacket v3 switching to v2");
236  aconf->flags &= ~AFP_TPACKET_V3;
237 #endif
238  } else {
239  SCLogWarning(SC_ERR_RUNMODE,
240  "tpacket v3 is only implemented for 'workers' runmode."
241  " Switching to tpacket v2.");
242  aconf->flags &= ~AFP_TPACKET_V3;
243  }
244  } else {
245  aconf->flags &= ~AFP_TPACKET_V3;
246  }
247  }
248 
249  (void)ConfGetChildValueBoolWithDefault(if_root, if_default,
250  "use-emergency-flush", (int *)&boolval);
251  if (boolval) {
252  SCLogConfig("Enabling ring emergency flush on iface %s",
253  aconf->iface);
254  aconf->flags |= AFP_EMERGENCY_MODE;
255  }
256  }
257 
258  aconf->copy_mode = AFP_COPY_MODE_NONE;
259  if (ConfGetChildValueWithDefault(if_root, if_default, "copy-mode", &copymodestr) == 1) {
260  if (aconf->out_iface == NULL) {
261  SCLogInfo("Copy mode activated but no destination"
262  " iface. Disabling feature");
263  } else if (!(aconf->flags & AFP_RING_MODE)) {
264  SCLogInfo("Copy mode activated but use-mmap "
265  "set to no. Disabling feature");
266  } else if (strlen(copymodestr) <= 0) {
267  aconf->out_iface = NULL;
268  } else if (strcmp(copymodestr, "ips") == 0) {
269  SCLogInfo("AF_PACKET IPS mode activated %s->%s",
270  iface,
271  aconf->out_iface);
272  aconf->copy_mode = AFP_COPY_MODE_IPS;
273  if (aconf->flags & AFP_TPACKET_V3) {
274  SCLogWarning(SC_ERR_RUNMODE, "Using tpacket_v3 in IPS mode will result in high latency");
275  }
276  } else if (strcmp(copymodestr, "tap") == 0) {
277  SCLogInfo("AF_PACKET TAP mode activated %s->%s",
278  iface,
279  aconf->out_iface);
280  aconf->copy_mode = AFP_COPY_MODE_TAP;
281  if (aconf->flags & AFP_TPACKET_V3) {
282  SCLogWarning(SC_ERR_RUNMODE, "Using tpacket_v3 in TAP mode will result in high latency");
283  }
284  } else {
285  SCLogInfo("Invalid mode (not in tap, ips)");
286  }
287  }
288 
289  if (ConfGetChildValueWithDefault(if_root, if_default, "cluster-id", &tmpclusterid) != 1) {
290  aconf->cluster_id = (uint16_t)(cluster_id_auto++);
291  } else {
292  aconf->cluster_id = (uint16_t)atoi(tmpclusterid);
293  SCLogDebug("Going to use cluster-id %" PRId32, aconf->cluster_id);
294  }
295 
296  if (ConfGetChildValueWithDefault(if_root, if_default, "cluster-type", &tmpctype) != 1) {
297  /* default to our safest choice: flow hashing + defrag enabled */
298  aconf->cluster_type = PACKET_FANOUT_HASH | PACKET_FANOUT_FLAG_DEFRAG;
299  cluster_type = PACKET_FANOUT_HASH;
300  } else if (strcmp(tmpctype, "cluster_round_robin") == 0) {
301  SCLogConfig("Using round-robin cluster mode for AF_PACKET (iface %s)",
302  aconf->iface);
303  aconf->cluster_type = PACKET_FANOUT_LB;
304  cluster_type = PACKET_FANOUT_LB;
305  } else if (strcmp(tmpctype, "cluster_flow") == 0) {
306  /* In hash mode, we also ask for defragmentation needed to
307  * compute the hash */
308  uint16_t defrag = 0;
309  int conf_val = 0;
310  SCLogConfig("Using flow cluster mode for AF_PACKET (iface %s)",
311  aconf->iface);
312  ConfGetChildValueBoolWithDefault(if_root, if_default, "defrag", &conf_val);
313  if (conf_val) {
314  SCLogConfig("Using defrag kernel functionality for AF_PACKET (iface %s)",
315  aconf->iface);
316  defrag = PACKET_FANOUT_FLAG_DEFRAG;
317  }
318  aconf->cluster_type = PACKET_FANOUT_HASH | defrag;
319  cluster_type = PACKET_FANOUT_HASH;
320  } else if (strcmp(tmpctype, "cluster_cpu") == 0) {
321  SCLogConfig("Using cpu cluster mode for AF_PACKET (iface %s)",
322  aconf->iface);
323  aconf->cluster_type = PACKET_FANOUT_CPU;
324  cluster_type = PACKET_FANOUT_CPU;
325  } else if (strcmp(tmpctype, "cluster_qm") == 0) {
326  SCLogConfig("Using queue based cluster mode for AF_PACKET (iface %s)",
327  aconf->iface);
328  aconf->cluster_type = PACKET_FANOUT_QM;
329  cluster_type = PACKET_FANOUT_QM;
330  } else if (strcmp(tmpctype, "cluster_random") == 0) {
331  SCLogConfig("Using random based cluster mode for AF_PACKET (iface %s)",
332  aconf->iface);
333  aconf->cluster_type = PACKET_FANOUT_RND;
334  cluster_type = PACKET_FANOUT_RND;
335  } else if (strcmp(tmpctype, "cluster_rollover") == 0) {
336  SCLogConfig("Using rollover based cluster mode for AF_PACKET (iface %s)",
337  aconf->iface);
338  SCLogWarning(SC_WARN_UNCOMMON, "Rollover mode is causing severe flow "
339  "tracking issues, use it at your own risk.");
340  aconf->cluster_type = PACKET_FANOUT_ROLLOVER;
341  cluster_type = PACKET_FANOUT_ROLLOVER;
342 #ifdef HAVE_PACKET_EBPF
343  } else if (strcmp(tmpctype, "cluster_ebpf") == 0) {
344  SCLogInfo("Using ebpf based cluster mode for AF_PACKET (iface %s)",
345  aconf->iface);
346  aconf->cluster_type = PACKET_FANOUT_EBPF;
347  cluster_type = PACKET_FANOUT_EBPF;
348 #endif
349  } else {
350  SCLogWarning(SC_ERR_INVALID_CLUSTER_TYPE,"invalid cluster-type %s",tmpctype);
351  }
352 
353  int conf_val = 0;
354  ConfGetChildValueBoolWithDefault(if_root, if_default, "rollover", &conf_val);
355  if (conf_val) {
356  SCLogConfig("Using rollover kernel functionality for AF_PACKET (iface %s)",
357  aconf->iface);
358  aconf->cluster_type |= PACKET_FANOUT_FLAG_ROLLOVER;
359  SCLogWarning(SC_WARN_UNCOMMON, "Rollover option is causing severe flow "
360  "tracking issues, use it at your own risk.");
361  }
362 
363  /*load af_packet bpf filter*/
364  /* command line value has precedence */
365  if (ConfGet("bpf-filter", &bpf_filter) != 1) {
366  if (ConfGetChildValueWithDefault(if_root, if_default, "bpf-filter", &bpf_filter) == 1) {
367  if (strlen(bpf_filter) > 0) {
368  aconf->bpf_filter = bpf_filter;
369  SCLogConfig("Going to use bpf filter %s", aconf->bpf_filter);
370  }
371  }
372  }
373 
374  if (ConfGetChildValueWithDefault(if_root, if_default, "ebpf-lb-file", &ebpf_file) != 1) {
375  aconf->ebpf_lb_file = NULL;
376  } else {
377 #ifdef HAVE_PACKET_EBPF
378  SCLogConfig("af-packet will use '%s' as eBPF load balancing file",
379  ebpf_file);
380  aconf->ebpf_lb_file = ebpf_file;
381  aconf->ebpf_t_config.flags |= EBPF_SOCKET_FILTER;
382 #endif
383  }
384 
385 #ifdef HAVE_PACKET_EBPF
386  boolval = false;
387  if (ConfGetChildValueBoolWithDefault(if_root, if_default, "pinned-maps", (int *)&boolval) == 1) {
388  if (boolval) {
389  SCLogConfig("Using pinned maps on iface %s",
390  aconf->iface);
391  aconf->ebpf_t_config.flags |= EBPF_PINNED_MAPS;
392  }
393  const char *pinned_maps_name = NULL;
394  if (ConfGetChildValueWithDefault(if_root, if_default,
395  "pinned-maps-name",
396  &pinned_maps_name) != 1) {
397  aconf->ebpf_t_config.pinned_maps_name = pinned_maps_name;
398  } else {
399  aconf->ebpf_t_config.pinned_maps_name = NULL;
400  }
401  } else {
402  aconf->ebpf_t_config.pinned_maps_name = NULL;
403  }
404 #endif
405 
406 #ifdef HAVE_PACKET_EBPF
407  /* One shot loading of the eBPF file */
408  if (aconf->ebpf_lb_file && cluster_type == PACKET_FANOUT_EBPF) {
409  int ret = EBPFLoadFile(aconf->iface, aconf->ebpf_lb_file, "loadbalancer",
410  &aconf->ebpf_lb_fd,
411  &aconf->ebpf_t_config);
412  if (ret != 0) {
413  SCLogWarning(SC_ERR_INVALID_VALUE, "Error when loading eBPF lb file");
414  }
415  }
416 #else
417  if (aconf->ebpf_lb_file) {
418  SCLogError(SC_ERR_UNIMPLEMENTED, "eBPF support is not build-in");
419  }
420 #endif
421 
422  if (ConfGetChildValueWithDefault(if_root, if_default, "ebpf-filter-file", &ebpf_file) != 1) {
423  aconf->ebpf_filter_file = NULL;
424  } else {
425 #ifdef HAVE_PACKET_EBPF
426  SCLogConfig("af-packet will use '%s' as eBPF filter file",
427  ebpf_file);
428  aconf->ebpf_filter_file = ebpf_file;
429  aconf->ebpf_t_config.mode = AFP_MODE_EBPF_BYPASS;
430  aconf->ebpf_t_config.flags |= EBPF_SOCKET_FILTER;
431 #endif
432  ConfGetChildValueBoolWithDefault(if_root, if_default, "bypass", &conf_val);
433  if (conf_val) {
434 #ifdef HAVE_PACKET_EBPF
435  SCLogConfig("Using bypass kernel functionality for AF_PACKET (iface %s)",
436  aconf->iface);
437  aconf->flags |= AFP_BYPASS;
438  BypassedFlowManagerRegisterUpdateFunc(EBPFUpdateFlow, NULL);
439 #else
440  SCLogError(SC_ERR_UNIMPLEMENTED, "Bypass set but eBPF support is not built-in");
441 #endif
442  }
443  }
444 
445  /* One shot loading of the eBPF file */
446  if (aconf->ebpf_filter_file) {
447 #ifdef HAVE_PACKET_EBPF
448  int ret = EBPFLoadFile(aconf->iface, aconf->ebpf_filter_file, "filter",
449  &aconf->ebpf_filter_fd,
450  &aconf->ebpf_t_config);
451  if (ret != 0) {
452  SCLogWarning(SC_ERR_INVALID_VALUE,
453  "Error when loading eBPF filter file");
454  }
455 #else
456  SCLogError(SC_ERR_UNIMPLEMENTED, "eBPF support is not build-in");
457 #endif
458  }
459 
460  if (ConfGetChildValueWithDefault(if_root, if_default, "xdp-filter-file", &ebpf_file) != 1) {
461  aconf->xdp_filter_file = NULL;
462  } else {
463 #ifdef HAVE_PACKET_XDP
464  aconf->ebpf_t_config.mode = AFP_MODE_XDP_BYPASS;
465  aconf->ebpf_t_config.flags |= EBPF_XDP_CODE;
466  aconf->xdp_filter_file = ebpf_file;
467  ConfGetChildValueBoolWithDefault(if_root, if_default, "bypass", &conf_val);
468  if (conf_val) {
469  SCLogConfig("Using bypass kernel functionality for AF_PACKET (iface %s)",
470  aconf->iface);
471  aconf->flags |= AFP_XDPBYPASS;
472  /* if maps are pinned we need to read them at start */
473  if (aconf->ebpf_t_config.flags & EBPF_PINNED_MAPS) {
474  RunModeEnablesBypassManager();
475  struct ebpf_timeout_config *ebt = SCCalloc(1, sizeof(struct ebpf_timeout_config));
476  if (ebt == NULL) {
477  SCLogError(SC_ERR_MEM_ALLOC, "Flow bypass alloc error");
478  } else {
479  memcpy(ebt, &(aconf->ebpf_t_config), sizeof(struct ebpf_timeout_config));
480  BypassedFlowManagerRegisterCheckFunc(NULL,
481  EBPFCheckBypassedFlowCreate,
482  (void *)ebt);
483  }
484  }
485  BypassedFlowManagerRegisterUpdateFunc(EBPFUpdateFlow, NULL);
486  }
487 #else
488  SCLogWarning(SC_ERR_UNIMPLEMENTED, "XDP filter set but XDP support is not built-in");
489 #endif
490 #ifdef HAVE_PACKET_XDP
491  const char *xdp_mode;
492  if (ConfGetChildValueWithDefault(if_root, if_default, "xdp-mode", &xdp_mode) != 1) {
493  aconf->xdp_mode = XDP_FLAGS_SKB_MODE;
494  } else {
495  if (!strcmp(xdp_mode, "soft")) {
496  aconf->xdp_mode = XDP_FLAGS_SKB_MODE;
497  } else if (!strcmp(xdp_mode, "driver")) {
498  aconf->xdp_mode = XDP_FLAGS_DRV_MODE;
499  } else if (!strcmp(xdp_mode, "hw")) {
500  aconf->xdp_mode = XDP_FLAGS_HW_MODE;
501  aconf->ebpf_t_config.flags |= EBPF_XDP_HW_MODE;
502  } else {
503  SCLogWarning(SC_ERR_INVALID_VALUE,
504  "Invalid xdp-mode value: '%s'", xdp_mode);
505  }
506  }
507 
508  boolval = true;
509  if (ConfGetChildValueBoolWithDefault(if_root, if_default, "use-percpu-hash", (int *)&boolval) == 1) {
510  if (boolval == false) {
511  SCLogConfig("Not using percpu hash on iface %s",
512  aconf->iface);
513  aconf->ebpf_t_config.cpus_count = 1;
514  }
515  }
516 #endif
517  }
518 
519  /* One shot loading of the eBPF file */
520  if (aconf->xdp_filter_file) {
521 #ifdef HAVE_PACKET_XDP
522  int ret = EBPFLoadFile(aconf->iface, aconf->xdp_filter_file, "xdp",
523  &aconf->xdp_filter_fd,
524  &aconf->ebpf_t_config);
525  switch (ret) {
526  case 1:
527  SCLogInfo("Loaded pinned maps from sysfs");
528  break;
529  case -1:
530  SCLogWarning(SC_ERR_INVALID_VALUE,
531  "Error when loading XDP filter file");
532  break;
533  case 0:
534  ret = EBPFSetupXDP(aconf->iface, aconf->xdp_filter_fd, aconf->xdp_mode);
535  if (ret != 0) {
536  SCLogWarning(SC_ERR_INVALID_VALUE,
537  "Error when setting up XDP");
538  } else {
539  /* Try to get the xdp-cpu-redirect key */
540  const char *cpuset;
541  if (ConfGetChildValueWithDefault(if_root, if_default,
542  "xdp-cpu-redirect", &cpuset) == 1) {
543  SCLogConfig("Setting up CPU map XDP");
544  ConfNode *node = ConfGetChildWithDefault(if_root, if_default, "xdp-cpu-redirect");
545  if (node == NULL) {
546  SCLogError(SC_ERR_INVALID_VALUE,
547  "Previously found node has disappeared");
548  } else {
549  EBPFBuildCPUSet(node, aconf->iface);
550  }
551  } else {
552  /* It will just set CPU count to 0 */
553  EBPFBuildCPUSet(NULL, aconf->iface);
554  }
555  }
556  /* we have a peer and we use bypass so we can set up XDP iface redirect */
557  if (aconf->out_iface) {
558  EBPFSetPeerIface(aconf->iface, aconf->out_iface);
559  }
560  }
561 #else
562  SCLogError(SC_ERR_UNIMPLEMENTED, "XDP support is not built-in");
563 #endif
564  }
565 
566  if ((ConfGetChildValueIntWithDefault(if_root, if_default, "buffer-size", &value)) == 1) {
567  aconf->buffer_size = value;
568  } else {
569  aconf->buffer_size = 0;
570  }
571  if ((ConfGetChildValueIntWithDefault(if_root, if_default, "ring-size", &value)) == 1) {
572  aconf->ring_size = value;
573  }
574 
575  if ((ConfGetChildValueIntWithDefault(if_root, if_default, "block-size", &value)) == 1) {
576  if (value % getpagesize()) {
577  SCLogError(SC_ERR_INVALID_VALUE, "Block-size must be a multiple of pagesize.");
578  } else {
579  aconf->block_size = value;
580  }
581  }
582 
583  if ((ConfGetChildValueIntWithDefault(if_root, if_default, "block-timeout", &value)) == 1) {
584  aconf->block_timeout = value;
585  } else {
586  aconf->block_timeout = 10;
587  }
588 
589  (void)ConfGetChildValueBoolWithDefault(if_root, if_default, "disable-promisc", (int *)&boolval);
590  if (boolval) {
591  SCLogConfig("Disabling promiscuous mode on iface %s",
592  aconf->iface);
593  aconf->promisc = 0;
594  }
595 
596  if (ConfGetChildValueWithDefault(if_root, if_default, "checksum-checks", &tmpctype) == 1) {
597  if (strcmp(tmpctype, "auto") == 0) {
598  aconf->checksum_mode = CHECKSUM_VALIDATION_AUTO;
599  } else if (ConfValIsTrue(tmpctype)) {
600  aconf->checksum_mode = CHECKSUM_VALIDATION_ENABLE;
601  } else if (ConfValIsFalse(tmpctype)) {
602  aconf->checksum_mode = CHECKSUM_VALIDATION_DISABLE;
603  } else if (strcmp(tmpctype, "kernel") == 0) {
604  aconf->checksum_mode = CHECKSUM_VALIDATION_KERNEL;
605  } else {
606  SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid value for checksum-checks for %s", aconf->iface);
607  }
608  }
609 
610 finalize:
611 
612  /* if the number of threads is not 1, we need to first check if fanout
613  * functions on this system. */
614  if (aconf->threads != 1) {
615  if (AFPIsFanoutSupported(aconf->cluster_id) == 0) {
616  if (aconf->threads != 0) {
617  SCLogNotice("fanout not supported on this system, falling "
618  "back to 1 capture thread");
619  }
620  aconf->threads = 1;
621  }
622  }
623 
624  /* try to automagically set the proper number of threads */
625  if (aconf->threads == 0) {
626  /* for cluster_flow use core count */
627  if (cluster_type == PACKET_FANOUT_HASH) {
628  aconf->threads = (int)UtilCpuGetNumProcessorsOnline();
629  SCLogPerf("%u cores, so using %u threads", aconf->threads, aconf->threads);
630 
631  /* for cluster_qm use RSS queue count */
632  } else if (cluster_type == PACKET_FANOUT_QM) {
633  int rss_queues = GetIfaceRSSQueuesNum(iface);
634  if (rss_queues > 0) {
635  aconf->threads = rss_queues;
636  SCLogPerf("%d RSS queues, so using %u threads", rss_queues, aconf->threads);
637  }
638  }
639 
640  if (aconf->threads) {
641  SCLogPerf("Using %d AF_PACKET threads for interface %s",
642  aconf->threads, iface);
643  }
644  }
645  if (aconf->threads <= 0) {
646  aconf->threads = 1;
647  }
648  SC_ATOMIC_RESET(aconf->ref);
649  (void) SC_ATOMIC_ADD(aconf->ref, aconf->threads);
650 
651  if (aconf->ring_size != 0) {
652  if (aconf->ring_size * aconf->threads < max_pending_packets) {
653  aconf->ring_size = max_pending_packets / aconf->threads + 1;
654  SCLogWarning(SC_ERR_AFP_CREATE, "Inefficient setup: ring-size < max_pending_packets. "
655  "Resetting to decent value %d.", aconf->ring_size);
656  /* We want at least that max_pending_packets packets can be handled by the
657  * interface. This is generous if we have multiple interfaces listening. */
658  }
659  } else {
660  /* We want that max_pending_packets packets can be handled by suricata
661  * for this interface. To take burst into account we multiply the obtained
662  * size by 2. */
663  aconf->ring_size = max_pending_packets * 2 / aconf->threads;
664  }
665 
666  int ltype = AFPGetLinkType(iface);
667  switch (ltype) {
668  case LINKTYPE_ETHERNET:
669  /* af-packet can handle csum offloading */
670  if (LiveGetOffload() == 0) {
671  if (GetIfaceOffloading(iface, 0, 1) == 1) {
672  SCLogWarning(SC_ERR_AFP_CREATE,
673  "Using AF_PACKET with offloading activated leads to capture problems");
674  }
675  } else {
676  DisableIfaceOffloading(LiveGetDevice(iface), 0, 1);
677  }
678  break;
679  case -1:
680  default:
681  break;
682  }
683 
684  char *active_runmode = RunmodeGetActive();
685  if (active_runmode && !strcmp("workers", active_runmode)) {
686  aconf->flags |= AFP_ZERO_COPY;
687  } else {
688  /* If we are using copy mode we need a lock */
689  aconf->flags |= AFP_SOCK_PROTECT;
690  }
691 
692  /* If we are in RING mode, then we can use ZERO copy
693  * by using the data release mechanism */
694  if (aconf->flags & AFP_RING_MODE) {
695  aconf->flags |= AFP_ZERO_COPY;
696  }
697 
698  if (aconf->flags & AFP_ZERO_COPY) {
699  SCLogConfig("%s: enabling zero copy mode by using data release call", iface);
700  }
701 
702  return aconf;
703 }
704 
705 static int AFPConfigGeThreadsCount(void *conf)
706 {
707  AFPIfaceConfig *afp = (AFPIfaceConfig *)conf;
708  return afp->threads;
709 }
710 
711 int AFPRunModeIsIPS()
712 {
713  int nlive = LiveGetDeviceCount();
714  int ldev;
715  ConfNode *if_root;
716  ConfNode *if_default = NULL;
717  ConfNode *af_packet_node;
718  int has_ips = 0;
719  int has_ids = 0;
720 
721  /* Find initial node */
722  af_packet_node = ConfGetNode("af-packet");
723  if (af_packet_node == NULL) {
724  return 0;
725  }
726 
727  if_default = ConfNodeLookupKeyValue(af_packet_node, "interface", "default");
728 
729  for (ldev = 0; ldev < nlive; ldev++) {
730  const char *live_dev = LiveGetDeviceName(ldev);
731  if (live_dev == NULL) {
732  SCLogError(SC_ERR_INVALID_VALUE, "Problem with config file");
733  return 0;
734  }
735  const char *copymodestr = NULL;
736  if_root = ConfFindDeviceConfig(af_packet_node, live_dev);
737 
738  if (if_root == NULL) {
739  if (if_default == NULL) {
740  SCLogError(SC_ERR_INVALID_VALUE, "Problem with config file");
741  return 0;
742  }
743  if_root = if_default;
744  }
745 
746  if (ConfGetChildValueWithDefault(if_root, if_default, "copy-mode", &copymodestr) == 1) {
747  if (strcmp(copymodestr, "ips") == 0) {
748  has_ips = 1;
749  } else {
750  has_ids = 1;
751  }
752  } else {
753  has_ids = 1;
754  }
755  }
756 
757  if (has_ids && has_ips) {
758  SCLogInfo("AF_PACKET mode using IPS and IDS mode");
759  for (ldev = 0; ldev < nlive; ldev++) {
760  const char *live_dev = LiveGetDeviceName(ldev);
761  if (live_dev == NULL) {
762  SCLogError(SC_ERR_INVALID_VALUE, "Problem with config file");
763  return 0;
764  }
765  if_root = ConfNodeLookupKeyValue(af_packet_node, "interface", live_dev);
766  const char *copymodestr = NULL;
767 
768  if (if_root == NULL) {
769  if (if_default == NULL) {
770  SCLogError(SC_ERR_INVALID_VALUE, "Problem with config file");
771  return 0;
772  }
773  if_root = if_default;
774  }
775 
776  if (! ((ConfGetChildValueWithDefault(if_root, if_default, "copy-mode", &copymodestr) == 1) &&
777  (strcmp(copymodestr, "ips") == 0))) {
778  SCLogError(SC_ERR_INVALID_ARGUMENT,
779  "AF_PACKET IPS mode used and interface '%s' is in IDS or TAP mode. "
780  "Sniffing '%s' but expect bad result as stream-inline is activated.",
781  live_dev, live_dev);
782  }
783  }
784  }
785 
786  return has_ips;
787 }
788 
789 #endif
790 
791 
792 int RunModeIdsAFPAutoFp(void)
793 {
794  SCEnter();
795 
796 /* We include only if AF_PACKET is enabled */
797 #ifdef HAVE_AF_PACKET
798  int ret;
799  const char *live_dev = NULL;
800 
801  RunModeInitialize();
802 
803  TimeModeSetLive();
804 
805  (void)ConfGet("af-packet.live-interface", &live_dev);
806 
807  SCLogDebug("live_dev %s", live_dev);
808 
809  if (AFPPeersListInit() != TM_ECODE_OK) {
810  SCLogError(SC_ERR_RUNMODE, "Unable to init peers list.");
811  exit(EXIT_FAILURE);
812  }
813 
814  ret = RunModeSetLiveCaptureAutoFp(ParseAFPConfig,
815  AFPConfigGeThreadsCount,
816  "ReceiveAFP",
817  "DecodeAFP", thread_name_autofp,
818  live_dev);
819  if (ret != 0) {
820  SCLogError(SC_ERR_RUNMODE, "Unable to start runmode");
821  exit(EXIT_FAILURE);
822  }
823 
824  /* In IPS mode each threads must have a peer */
825  if (AFPPeersListCheck() != TM_ECODE_OK) {
826  SCLogError(SC_ERR_RUNMODE, "Some IPS capture threads did not peer.");
827  exit(EXIT_FAILURE);
828  }
829 
830  SCLogDebug("RunModeIdsAFPAutoFp initialised");
831 #endif /* HAVE_AF_PACKET */
832 
833  SCReturnInt(0);
834 }
835 
836 /**
837  * \brief Single thread version of the AF_PACKET processing.
838  */
839 int RunModeIdsAFPSingle(void)
840 {
841  SCEnter();
842 #ifdef HAVE_AF_PACKET
843  int ret;
844  const char *live_dev = NULL;
845 
846  RunModeInitialize();
847  TimeModeSetLive();
848 
849  (void)ConfGet("af-packet.live-interface", &live_dev);
850 
851  if (AFPPeersListInit() != TM_ECODE_OK) {
852  SCLogError(SC_ERR_RUNMODE, "Unable to init peers list.");
853  exit(EXIT_FAILURE);
854  }
855 
856  ret = RunModeSetLiveCaptureSingle(ParseAFPConfig,
857  AFPConfigGeThreadsCount,
858  "ReceiveAFP",
859  "DecodeAFP", thread_name_single,
860  live_dev);
861  if (ret != 0) {
862  SCLogError(SC_ERR_RUNMODE, "Unable to start runmode");
863  exit(EXIT_FAILURE);
864  }
865 
866  /* In IPS mode each threads must have a peer */
867  if (AFPPeersListCheck() != TM_ECODE_OK) {
868  SCLogError(SC_ERR_RUNMODE, "Some IPS capture threads did not peer.");
869  exit(EXIT_FAILURE);
870  }
871 
872  SCLogDebug("RunModeIdsAFPSingle initialised");
873 
874 #endif /* HAVE_AF_PACKET */
875  SCReturnInt(0);
876 }
877 
878 /**
879  * \brief Workers version of the AF_PACKET processing.
880  *
881  * Start N threads with each thread doing all the work.
882  *
883  */
884 int RunModeIdsAFPWorkers(void)
885 {
886  SCEnter();
887 #ifdef HAVE_AF_PACKET
888  int ret;
889  const char *live_dev = NULL;
890 
891  RunModeInitialize();
892  TimeModeSetLive();
893 
894  (void)ConfGet("af-packet.live-interface", &live_dev);
895 
896  if (AFPPeersListInit() != TM_ECODE_OK) {
897  SCLogError(SC_ERR_RUNMODE, "Unable to init peers list.");
898  exit(EXIT_FAILURE);
899  }
900 
901  ret = RunModeSetLiveCaptureWorkers(ParseAFPConfig,
902  AFPConfigGeThreadsCount,
903  "ReceiveAFP",
904  "DecodeAFP", thread_name_workers,
905  live_dev);
906  if (ret != 0) {
907  SCLogError(SC_ERR_RUNMODE, "Unable to start runmode");
908  exit(EXIT_FAILURE);
909  }
910 
911  /* In IPS mode each threads must have a peer */
912  if (AFPPeersListCheck() != TM_ECODE_OK) {
913  SCLogError(SC_ERR_RUNMODE, "Some IPS capture threads did not peer.");
914  exit(EXIT_FAILURE);
915  }
916 
917  SCLogDebug("RunModeIdsAFPWorkers initialised");
918 
919 #endif /* HAVE_AF_PACKET */
920  SCReturnInt(0);
921 }
922 
923 /**
924  * @}
925  */
thread_name_workers
const char * thread_name_workers
Definition: runmodes.c:63
AFPIfaceConfig_::promisc
int promisc
Definition: source-af-packet.h:98
tm-threads.h
AFPIfaceConfig_::checksum_mode
ChecksumValidationMode checksum_mode
Definition: source-af-packet.h:102
PACKET_FANOUT_FLAG_DEFRAG
#define PACKET_FANOUT_FLAG_DEFRAG
Definition: source-af-packet.h:40
RunModeIdsAFPWorkers
int RunModeIdsAFPWorkers(void)
Workers version of the AF_PACKET processing.
Definition: runmode-af-packet.c:884
flow-bypass.h
AFPIfaceConfig_::xdp_mode
uint8_t xdp_mode
Definition: source-af-packet.h:110
AFP_BYPASS
#define AFP_BYPASS
Definition: source-af-packet.h:65
RunModeSetLiveCaptureWorkers
int RunModeSetLiveCaptureWorkers(ConfigIfaceParserFunc ConfigParser, ConfigIfaceThreadsCountFunc ModThreadsCount, const char *recv_mod_name, const char *decode_mod_name, const char *thread_name, const char *live_dev)
Definition: util-runmodes.c:341
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
AFPPeersListCheck
TmEcode AFPPeersListCheck()
Check that all AFPPeer got a peer.
Definition: source-af-packet.c:416
alert-debuglog.h
GetIfaceRSSQueuesNum
int GetIfaceRSSQueuesNum(const char *pcap_dev)
Definition: util-ioctl.c:737
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
Initialize the previously declared atomic variable and it's lock.
Definition: util-atomic.h:81
AFP_COPY_MODE_NONE
#define AFP_COPY_MODE_NONE
Definition: source-af-packet.h:68
RunModeIdsAFPSingle
int RunModeIdsAFPSingle(void)
Single thread version of the AF_PACKET processing.
Definition: runmode-af-packet.c:839
runmode-af-packet.h
SCFree
#define SCFree(a)
Definition: util-mem.h:322
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ERR_INVALID_CLUSTER_TYPE
@ SC_ERR_INVALID_CLUSTER_TYPE
Definition: util-error.h:66
RunModeIdsAFPRegister
void RunModeIdsAFPRegister(void)
Definition: runmode-af-packet.c:67
ConfGetChildValueBoolWithDefault
int ConfGetChildValueBoolWithDefault(const ConfNode *base, const ConfNode *dflt, const char *name, int *val)
Definition: conf.c:543
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
LiveGetOffload
int LiveGetOffload(void)
Definition: util-device.c:79
AFPIfaceConfig_::ebpf_filter_fd
int ebpf_filter_fd
Definition: source-af-packet.h:107
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:176
PACKET_FANOUT_RND
#define PACKET_FANOUT_RND
Definition: source-af-packet.h:36
UtilCpuGetNumProcessorsConfigured
uint16_t UtilCpuGetNumProcessorsConfigured(void)
Get the number of cpus configured in the system.
Definition: util-cpu.c:58
AFP_SOCK_PROTECT
#define AFP_SOCK_PROTECT
Definition: source-af-packet.h:60
PACKET_FANOUT_HASH
#define PACKET_FANOUT_HASH
Definition: source-af-packet.h:32
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:107
RunModeAFPGetDefaultMode
const char * RunModeAFPGetDefaultMode(void)
Definition: runmode-af-packet.c:62
RunModeInitialize
void RunModeInitialize(void)
Definition: runmodes.c:907
PACKET_FANOUT_QM
#define PACKET_FANOUT_QM
Definition: source-af-packet.h:37
AFPIfaceConfig_::threads
int threads
Definition: source-af-packet.h:85
util-runmodes.h
AFPIfaceConfig_::ring_size
int ring_size
Definition: source-af-packet.h:89
thread_name_autofp
const char * thread_name_autofp
Definition: runmodes.c:61
AFPIfaceConfig_::block_timeout
int block_timeout
Definition: source-af-packet.h:93
PACKET_FANOUT_ROLLOVER
#define PACKET_FANOUT_ROLLOVER
Definition: source-af-packet.h:35
ConfNodeLookupKeyValue
ConfNode * ConfNodeLookupKeyValue(const ConfNode *base, const char *key, const char *value)
Lookup for a key value under a specific node.
Definition: conf.c:860
CHECKSUM_VALIDATION_DISABLE
@ CHECKSUM_VALIDATION_DISABLE
Definition: decode.h:41
AFPIfaceConfig_::out_iface
const char * out_iface
Definition: source-af-packet.h:111
CHECKSUM_VALIDATION_KERNEL
@ CHECKSUM_VALIDATION_KERNEL
Definition: decode.h:45
AFP_XDPBYPASS
#define AFP_XDPBYPASS
Definition: source-af-packet.h:66
RunmodeGetActive
char * RunmodeGetActive(void)
Definition: runmodes.c:187
AFPIfaceConfig_::flags
unsigned int flags
Definition: source-af-packet.h:100
AFPIfaceConfig_::copy_mode
int copy_mode
Definition: source-af-packet.h:101
AFPIfaceConfig_::xdp_filter_fd
int xdp_filter_fd
Definition: source-af-packet.h:109
ConfGetChildValueIntWithDefault
int ConfGetChildValueIntWithDefault(const ConfNode *base, const ConfNode *dflt, const char *name, intmax_t *val)
Definition: conf.c:495
SC_ERR_RUNMODE
@ SC_ERR_RUNMODE
Definition: util-error.h:219
thread_name_single
const char * thread_name_single
Definition: runmodes.c:62
ConfGetChildWithDefault
ConfNode * ConfGetChildWithDefault(const ConfNode *base, const ConfNode *dflt, const char *name)
Definition: conf.c:402
AFPGetLinkType
int AFPGetLinkType(const char *ifname)
Definition: source-af-packet.c:1692
ConfValIsTrue
int ConfValIsTrue(const char *val)
Check if a value is true.
Definition: conf.c:566
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:78
AFP_BLOCK_SIZE_DEFAULT_ORDER
#define AFP_BLOCK_SIZE_DEFAULT_ORDER
Definition: source-af-packet.h:79
AFPIfaceConfig_::cluster_type
int cluster_type
Definition: source-af-packet.h:96
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
RunModeSetLiveCaptureAutoFp
int RunModeSetLiveCaptureAutoFp(ConfigIfaceParserFunc ConfigParser, ConfigIfaceThreadsCountFunc ModThreadsCount, const char *recv_mod_name, const char *decode_mod_name, const char *thread_name, const char *live_dev)
Definition: util-runmodes.c:89
AFPIfaceConfig_::block_size
int block_size
Definition: source-af-packet.h:91
CHECKSUM_VALIDATION_ENABLE
@ CHECKSUM_VALIDATION_ENABLE
Definition: decode.h:42
ConfGet
int ConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:331
CHECKSUM_VALIDATION_AUTO
@ CHECKSUM_VALIDATION_AUTO
Definition: decode.h:43
util-device.h
util-debug.h
AFPIfaceConfig_::ebpf_lb_fd
int ebpf_lb_fd
Definition: source-af-packet.h:105
AFP_MMAP_LOCKED
#define AFP_MMAP_LOCKED
Definition: source-af-packet.h:64
util-cpu.h
AFPIfaceConfig_::ebpf_filter_file
const char * ebpf_filter_file
Definition: source-af-packet.h:106
PACKET_FANOUT_LB
#define PACKET_FANOUT_LB
Definition: source-af-packet.h:33
RunModeEnablesBypassManager
void RunModeEnablesBypassManager(void)
Definition: runmodes.c:398
LiveGetDevice
LiveDevice * LiveGetDevice(const char *name)
Get a pointer to the device at idx.
Definition: util-device.c:279
ConfFindDeviceConfig
ConfNode * ConfFindDeviceConfig(ConfNode *node, const char *iface)
Find the configuration node for a specific device.
Definition: util-conf.c:129
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
detect-engine-mpm.h
util-ebpf.h
util-affinity.h
PACKET_FANOUT_CPU
#define PACKET_FANOUT_CPU
Definition: source-af-packet.h:34
ConfGetChildValueWithDefault
int ConfGetChildValueWithDefault(const ConfNode *base, const ConfNode *dflt, const char *name, const char **vptr)
Definition: conf.c:416
util-time.h
AFPIfaceConfig_::DerefFunc
void(* DerefFunc)(void *)
Definition: source-af-packet.h:116
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
AFP_COPY_MODE_TAP
#define AFP_COPY_MODE_TAP
Definition: source-af-packet.h:69
SC_ATOMIC_SUB
#define SC_ATOMIC_SUB(name, val)
sub a value from our atomic variable
Definition: util-atomic.h:124
AFPRunModeIsIPS
int AFPRunModeIsIPS()
Definition: runmode-af-packet.c:711
SCCalloc
#define SCCalloc(nm, a)
Definition: util-mem.h:253
conf.h
GetIfaceOffloading
int GetIfaceOffloading(const char *dev, int csum, int other)
output offloading status of the link
Definition: util-ioctl.c:694
DisableIfaceOffloading
int DisableIfaceOffloading(LiveDevice *dev, int csum, int other)
Definition: util-ioctl.c:707
runmodes.h
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:254
alert-prelude.h
AFPIfaceConfig_::cluster_id
int cluster_id
Definition: source-af-packet.h:95
TimeModeSetLive
void TimeModeSetLive(void)
Definition: util-time.c:97
alert-fastlog.h
AFPIsFanoutSupported
int AFPIsFanoutSupported(int cluster_id)
test if we can use FANOUT. Older kernels like those in CentOS6 have HAVE_PACKET_FANOUT defined but fa...
Definition: source-af-packet.c:1994
suricata-common.h
RunModeRegisterNewRunMode
void RunModeRegisterNewRunMode(enum RunModes runmode, const char *name, const char *description, int(*RunModeFunc)(void))
Registers a new runmode.
Definition: runmodes.c:419
LiveGetDeviceName
const char * LiveGetDeviceName(int number)
Get a pointer to the device name at idx.
Definition: util-device.c:177
SCLogPerf
#define SCLogPerf(...)
Definition: util-debug.h:261
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
AFP_RING_MODE
#define AFP_RING_MODE
Definition: source-af-packet.h:58
AFPIfaceConfig_::xdp_filter_file
const char * xdp_filter_file
Definition: source-af-packet.h:108
AFP_TPACKET_V3
#define AFP_TPACKET_V3
Definition: source-af-packet.h:62
SC_ERR_AFP_CREATE
@ SC_ERR_AFP_CREATE
Definition: util-error.h:222
log-httplog.h
SC_ERR_UNIMPLEMENTED
@ SC_ERR_UNIMPLEMENTED
Definition: util-error.h:118
RunModeIdsAFPAutoFp
int RunModeIdsAFPAutoFp(void)
Definition: runmode-af-packet.c:792
SC_ATOMIC_RESET
#define SC_ATOMIC_RESET(name)
Initialize the previously declared atomic variable and it's lock.
Definition: util-atomic.h:90
BypassedFlowManagerRegisterUpdateFunc
int BypassedFlowManagerRegisterUpdateFunc(BypassedUpdateFunc UpdateFunc, void *data)
source-af-packet.h
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281
AFP_COPY_MODE_IPS
#define AFP_COPY_MODE_IPS
Definition: source-af-packet.h:70
max_pending_packets
int max_pending_packets
Definition: suricata.c:212
ConfNode_
Definition: conf.h:32
AFPIfaceConfig_::buffer_size
int buffer_size
Definition: source-af-packet.h:87
util-ioctl.h
ConfValIsFalse
int ConfValIsFalse(const char *val)
Check if a value is false.
Definition: conf.c:591
RunModeSetLiveCaptureSingle
int RunModeSetLiveCaptureSingle(ConfigIfaceParserFunc ConfigParser, ConfigIfaceThreadsCountFunc ModThreadsCount, const char *recv_mod_name, const char *decode_mod_name, const char *thread_name, const char *live_dev)
Definition: util-runmodes.c:375
AFP_ZERO_COPY
#define AFP_ZERO_COPY
Definition: source-af-packet.h:59
AFPIfaceConfig_::iface
char iface[AFP_IFACE_NAME_LENGTH]
Definition: source-af-packet.h:83
SC_ERR_MEM_ALLOC
@ SC_ERR_MEM_ALLOC
Definition: util-error.h:31
AFPIfaceConfig_
Definition: source-af-packet.h:81
AFPIfaceConfig_::bpf_filter
const char * bpf_filter
Definition: source-af-packet.h:103
LiveGetDeviceCount
int LiveGetDeviceCount(void)
Get the number of registered devices.
Definition: util-device.c:157
UtilCpuGetNumProcessorsOnline
uint16_t UtilCpuGetNumProcessorsOnline(void)
Get the number of cpus online in the system.
Definition: util-cpu.c:99
AFPIfaceConfig_::ebpf_lb_file
const char * ebpf_lb_file
Definition: source-af-packet.h:104
SCLogNotice
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:269
BypassedFlowManagerRegisterCheckFunc
int BypassedFlowManagerRegisterCheckFunc(BypassedCheckFunc CheckFunc, BypassedCheckFuncInit CheckFuncInit, void *data)
RUNMODE_AFP_DEV
@ RUNMODE_AFP_DEV
Definition: runmodes.h:37
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
PACKET_FANOUT_FLAG_ROLLOVER
#define PACKET_FANOUT_FLAG_ROLLOVER
Definition: source-af-packet.h:39
AFPPeersListInit
TmEcode AFPPeersListInit()
Init the global list of AFPPeer.
Definition: source-af-packet.c:399
output.h
LINKTYPE_ETHERNET
#define LINKTYPE_ETHERNET
Definition: decode.h:1057
AFP_EMERGENCY_MODE
#define AFP_EMERGENCY_MODE
Definition: source-af-packet.h:61
SC_WARN_UNCOMMON
@ SC_WARN_UNCOMMON
Definition: util-error.h:262