suricata
source-af-packet.c
Go to the documentation of this file.
1 /* Copyright (C) 2011-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \defgroup afppacket AF_PACKET running mode
20  *
21  * @{
22  */
23 
24 /**
25  * \file
26  *
27  * \author Eric Leblond <eric@regit.org>
28  *
29  * AF_PACKET socket acquisition support
30  *
31  */
32 
33 #define PCAP_DONT_INCLUDE_PCAP_BPF_H 1
34 #define SC_PCAP_DONT_INCLUDE_PCAP_H 1
35 #include "suricata-common.h"
36 #include "config.h"
37 #include "suricata.h"
38 #include "decode.h"
39 #include "packet-queue.h"
40 #include "threads.h"
41 #include "threadvars.h"
42 #include "tm-queuehandlers.h"
43 #include "tm-modules.h"
44 #include "tm-threads.h"
45 #include "tm-threads-common.h"
46 #include "conf.h"
47 #include "util-cpu.h"
48 #include "util-debug.h"
49 #include "util-device.h"
50 #include "util-ebpf.h"
51 #include "util-error.h"
52 #include "util-privs.h"
53 #include "util-optimize.h"
54 #include "util-checksum.h"
55 #include "util-ioctl.h"
56 #include "util-host-info.h"
57 #include "tmqh-packetpool.h"
58 #include "source-af-packet.h"
59 #include "runmodes.h"
60 #include "flow-storage.h"
61 
62 #ifdef HAVE_AF_PACKET
63 
64 #if HAVE_SYS_IOCTL_H
65 #include <sys/ioctl.h>
66 #endif
67 
68 #if HAVE_LINUX_SOCKIOS_H
69 #include <linux/sockios.h>
70 #endif
71 
72 #ifdef HAVE_PACKET_EBPF
73 #include "util-ebpf.h"
74 #include <bpf/libbpf.h>
75 #include <bpf/bpf.h>
76 #endif
77 
78 struct bpf_program {
79  unsigned int bf_len;
80  struct bpf_insn *bf_insns;
81 };
82 
83 #ifdef HAVE_PCAP_H
84 #include <pcap.h>
85 #endif
86 
87 #ifdef HAVE_PCAP_PCAP_H
88 #include <pcap/pcap.h>
89 #endif
90 
91 #include "util-bpf.h"
92 
93 #if HAVE_LINUX_IF_ETHER_H
94 #include <linux/if_ether.h>
95 #endif
96 
97 #if HAVE_LINUX_IF_PACKET_H
98 #include <linux/if_packet.h>
99 #endif
100 
101 #if HAVE_LINUX_IF_ARP_H
102 #include <linux/if_arp.h>
103 #endif
104 
105 #if HAVE_LINUX_FILTER_H
106 #include <linux/filter.h>
107 #endif
108 
109 #if HAVE_SYS_MMAN_H
110 #include <sys/mman.h>
111 #endif
112 
113 #ifdef HAVE_HW_TIMESTAMPING
114 #include <linux/net_tstamp.h>
115 #endif
116 
117 #endif /* HAVE_AF_PACKET */
118 
119 extern int max_pending_packets;
120 
121 #ifndef HAVE_AF_PACKET
122 
123 TmEcode NoAFPSupportExit(ThreadVars *, const void *, void **);
124 
125 void TmModuleReceiveAFPRegister (void)
126 {
127  tmm_modules[TMM_RECEIVEAFP].name = "ReceiveAFP";
128  tmm_modules[TMM_RECEIVEAFP].ThreadInit = NoAFPSupportExit;
129  tmm_modules[TMM_RECEIVEAFP].Func = NULL;
130  tmm_modules[TMM_RECEIVEAFP].ThreadExitPrintStats = NULL;
131  tmm_modules[TMM_RECEIVEAFP].ThreadDeinit = NULL;
132  tmm_modules[TMM_RECEIVEAFP].RegisterTests = NULL;
133  tmm_modules[TMM_RECEIVEAFP].cap_flags = 0;
134  tmm_modules[TMM_RECEIVEAFP].flags = TM_FLAG_RECEIVE_TM;
135 }
136 
137 /**
138  * \brief Registration Function for DecodeAFP.
139  */
140 void TmModuleDecodeAFPRegister (void)
141 {
142  tmm_modules[TMM_DECODEAFP].name = "DecodeAFP";
143  tmm_modules[TMM_DECODEAFP].ThreadInit = NoAFPSupportExit;
144  tmm_modules[TMM_DECODEAFP].Func = NULL;
145  tmm_modules[TMM_DECODEAFP].ThreadExitPrintStats = NULL;
146  tmm_modules[TMM_DECODEAFP].ThreadDeinit = NULL;
147  tmm_modules[TMM_DECODEAFP].RegisterTests = NULL;
148  tmm_modules[TMM_DECODEAFP].cap_flags = 0;
149  tmm_modules[TMM_DECODEAFP].flags = TM_FLAG_DECODE_TM;
150 }
151 
152 /**
153  * \brief this function prints an error message and exits.
154  */
155 TmEcode NoAFPSupportExit(ThreadVars *tv, const void *initdata, void **data)
156 {
157  SCLogError(SC_ERR_NO_AF_PACKET,"Error creating thread %s: you do not have "
158  "support for AF_PACKET enabled, on Linux host please recompile "
159  "with --enable-af-packet", tv->name);
160  exit(EXIT_FAILURE);
161 }
162 
163 #else /* We have AF_PACKET support */
164 
165 #define AFP_IFACE_NAME_LENGTH 48
166 
167 #define AFP_STATE_DOWN 0
168 #define AFP_STATE_UP 1
169 
170 #define AFP_RECONNECT_TIMEOUT 500000
171 #define AFP_DOWN_COUNTER_INTERVAL 40
172 
173 #define POLL_TIMEOUT 100
174 
175 #ifndef TP_STATUS_USER_BUSY
176 /* for new use latest bit available in tp_status */
177 #define TP_STATUS_USER_BUSY (1 << 31)
178 #endif
179 
180 #ifndef TP_STATUS_VLAN_VALID
181 #define TP_STATUS_VLAN_VALID (1 << 4)
182 #endif
183 
184 enum {
185  AFP_READ_OK,
186  AFP_READ_FAILURE,
187  /** Error during treatment by other functions of Suricata */
188  AFP_SURI_FAILURE,
189  AFP_KERNEL_DROP,
190 };
191 
192 enum {
193  AFP_FATAL_ERROR = 1,
194  AFP_RECOVERABLE_ERROR,
195 };
196 
197 union thdr {
198  struct tpacket2_hdr *h2;
199 #ifdef HAVE_TPACKET_V3
200  struct tpacket3_hdr *h3;
201 #endif
202  void *raw;
203 };
204 
205 static int AFPBypassCallback(Packet *p);
206 static int AFPXDPBypassCallback(Packet *p);
207 
208 #define MAX_MAPS 32
209 /**
210  * \brief Structure to hold thread specific variables.
211  */
212 typedef struct AFPThreadVars_
213 {
214  union AFPRing {
215  char *v2;
216  struct iovec *v3;
217  } ring;
218 
219  /* counters */
220  uint64_t pkts;
221 
222  ThreadVars *tv;
223  TmSlot *slot;
224  LiveDevice *livedev;
225  /* data link type for the thread */
226  uint32_t datalink;
227 
228 #ifdef HAVE_PACKET_EBPF
229  /* File descriptor of the IPv4 flow bypass table maps */
230  int v4_map_fd;
231  /* File descriptor of the IPv6 flow bypass table maps */
232  int v6_map_fd;
233 #endif
234 
235  unsigned int frame_offset;
236 
237  ChecksumValidationMode checksum_mode;
238 
239  /* references to packet and drop counters */
240  uint16_t capture_kernel_packets;
241  uint16_t capture_kernel_drops;
242  uint16_t capture_errors;
243 
244  /* handle state */
245  uint8_t afp_state;
246  uint8_t copy_mode;
247  unsigned int flags;
248 
249  /* IPS peer */
250  AFPPeer *mpeer;
251 
252  /* no mmap mode */
253  uint8_t *data; /** Per function and thread data */
254  int datalen; /** Length of per function and thread data */
255  int cooked;
256 
257  /*
258  * Init related members
259  */
260 
261  /* thread specific socket */
262  int socket;
263 
264  int ring_size;
265  int block_size;
266  int block_timeout;
267  /* socket buffer size */
268  int buffer_size;
269  /* Filter */
270  const char *bpf_filter;
271  int ebpf_lb_fd;
272  int ebpf_filter_fd;
273 
274  int promisc;
275 
276  int down_count;
277 
278  int cluster_id;
279  int cluster_type;
280 
281  int threads;
282 
283  union AFPTpacketReq {
284  struct tpacket_req v2;
285 #ifdef HAVE_TPACKET_V3
286  struct tpacket_req3 v3;
287 #endif
288  } req;
289 
290  char iface[AFP_IFACE_NAME_LENGTH];
291  /* IPS output iface */
292  char out_iface[AFP_IFACE_NAME_LENGTH];
293 
294  /* mmap'ed ring buffer */
295  unsigned int ring_buflen;
296  uint8_t *ring_buf;
297 
298  uint8_t xdp_mode;
299 
300 #ifdef HAVE_PACKET_EBPF
301  struct ebpf_timeout_config ebpf_t_config;
302 #endif
303 
304 } AFPThreadVars;
305 
306 TmEcode ReceiveAFP(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
307 TmEcode ReceiveAFPThreadInit(ThreadVars *, const void *, void **);
308 void ReceiveAFPThreadExitStats(ThreadVars *, void *);
309 TmEcode ReceiveAFPThreadDeinit(ThreadVars *, void *);
310 TmEcode ReceiveAFPLoop(ThreadVars *tv, void *data, void *slot);
311 
312 TmEcode DecodeAFPThreadInit(ThreadVars *, const void *, void **);
313 TmEcode DecodeAFPThreadDeinit(ThreadVars *tv, void *data);
314 TmEcode DecodeAFP(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
315 
316 TmEcode AFPSetBPFFilter(AFPThreadVars *ptv);
317 static int AFPGetIfnumByDev(int fd, const char *ifname, int verbose);
318 static int AFPGetDevFlags(int fd, const char *ifname);
319 static int AFPDerefSocket(AFPPeer* peer);
320 static int AFPRefSocket(AFPPeer* peer);
321 
322 
323 /**
324  * \brief Registration Function for RecieveAFP.
325  * \todo Unit tests are needed for this module.
326  */
327 void TmModuleReceiveAFPRegister (void)
328 {
329  tmm_modules[TMM_RECEIVEAFP].name = "ReceiveAFP";
330  tmm_modules[TMM_RECEIVEAFP].ThreadInit = ReceiveAFPThreadInit;
331  tmm_modules[TMM_RECEIVEAFP].Func = NULL;
332  tmm_modules[TMM_RECEIVEAFP].PktAcqLoop = ReceiveAFPLoop;
333  tmm_modules[TMM_RECEIVEAFP].PktAcqBreakLoop = NULL;
334  tmm_modules[TMM_RECEIVEAFP].ThreadExitPrintStats = ReceiveAFPThreadExitStats;
335  tmm_modules[TMM_RECEIVEAFP].ThreadDeinit = ReceiveAFPThreadDeinit;
336  tmm_modules[TMM_RECEIVEAFP].RegisterTests = NULL;
337  tmm_modules[TMM_RECEIVEAFP].cap_flags = SC_CAP_NET_RAW;
338  tmm_modules[TMM_RECEIVEAFP].flags = TM_FLAG_RECEIVE_TM;
339 
340 }
341 
342 
343 /**
344  * \defgroup afppeers AFP peers list
345  *
346  * AF_PACKET has an IPS mode were interface are peered: packet from
347  * on interface are sent the peered interface and the other way. The ::AFPPeer
348  * list is maitaining the list of peers. Each ::AFPPeer is storing the needed
349  * information to be able to send packet on the interface.
350  * A element of the list must not be destroyed during the run of Suricata as it
351  * is used by ::Packet and other threads.
352  *
353  * @{
354  */
355 
356 typedef struct AFPPeersList_ {
357  TAILQ_HEAD(, AFPPeer_) peers; /**< Head of list of fragments. */
358  int cnt;
359  int peered;
360  int turn; /**< Next value for initialisation order */
361  SC_ATOMIC_DECLARE(int, reached); /**< Counter used to synchronize start */
362 } AFPPeersList;
363 
364 /**
365  * \brief Update the peer.
366  *
367  * Update the AFPPeer of a thread ie set new state, socket number
368  * or iface index.
369  *
370  */
371 static void AFPPeerUpdate(AFPThreadVars *ptv)
372 {
373  if (ptv->mpeer == NULL) {
374  return;
375  }
376  (void)SC_ATOMIC_SET(ptv->mpeer->if_idx, AFPGetIfnumByDev(ptv->socket, ptv->iface, 0));
377  (void)SC_ATOMIC_SET(ptv->mpeer->socket, ptv->socket);
378  (void)SC_ATOMIC_SET(ptv->mpeer->state, ptv->afp_state);
379 }
380 
381 /**
382  * \brief Clean and free ressource used by an ::AFPPeer
383  */
384 static void AFPPeerClean(AFPPeer *peer)
385 {
386  if (peer->flags & AFP_SOCK_PROTECT)
387  SCMutexDestroy(&peer->sock_protect);
388  SC_ATOMIC_DESTROY(peer->socket);
389  SC_ATOMIC_DESTROY(peer->if_idx);
390  SC_ATOMIC_DESTROY(peer->state);
391  SCFree(peer);
392 }
393 
394 AFPPeersList peerslist;
395 
396 
397 /**
398  * \brief Init the global list of ::AFPPeer
399  */
400 TmEcode AFPPeersListInit()
401 {
402  SCEnter();
403  TAILQ_INIT(&peerslist.peers);
404  peerslist.peered = 0;
405  peerslist.cnt = 0;
406  peerslist.turn = 0;
407  SC_ATOMIC_INIT(peerslist.reached);
408  (void) SC_ATOMIC_SET(peerslist.reached, 0);
409  SCReturnInt(TM_ECODE_OK);
410 }
411 
412 /**
413  * \brief Check that all ::AFPPeer got a peer
414  *
415  * \retval TM_ECODE_FAILED if some threads are not peered or TM_ECODE_OK else.
416  */
417 TmEcode AFPPeersListCheck()
418 {
419 #define AFP_PEERS_MAX_TRY 4
420 #define AFP_PEERS_WAIT 20000
421  int try = 0;
422  SCEnter();
423  while (try < AFP_PEERS_MAX_TRY) {
424  if (peerslist.cnt != peerslist.peered) {
425  usleep(AFP_PEERS_WAIT);
426  } else {
427  SCReturnInt(TM_ECODE_OK);
428  }
429  try++;
430  }
431  SCLogError(SC_ERR_AFP_CREATE, "Threads number not equals");
432  SCReturnInt(TM_ECODE_FAILED);
433 }
434 
435 /**
436  * \brief Declare a new AFP thread to AFP peers list.
437  */
438 static TmEcode AFPPeersListAdd(AFPThreadVars *ptv)
439 {
440  SCEnter();
441  AFPPeer *peer = SCMalloc(sizeof(AFPPeer));
442  AFPPeer *pitem;
443  int mtu, out_mtu;
444 
445  if (unlikely(peer == NULL)) {
446  SCReturnInt(TM_ECODE_FAILED);
447  }
448  memset(peer, 0, sizeof(AFPPeer));
449  SC_ATOMIC_INIT(peer->socket);
450  SC_ATOMIC_INIT(peer->sock_usage);
451  SC_ATOMIC_INIT(peer->if_idx);
452  SC_ATOMIC_INIT(peer->state);
453  peer->flags = ptv->flags;
454  peer->turn = peerslist.turn++;
455 
456  if (peer->flags & AFP_SOCK_PROTECT) {
457  SCMutexInit(&peer->sock_protect, NULL);
458  }
459 
460  (void)SC_ATOMIC_SET(peer->sock_usage, 0);
461  (void)SC_ATOMIC_SET(peer->state, AFP_STATE_DOWN);
462  strlcpy(peer->iface, ptv->iface, AFP_IFACE_NAME_LENGTH);
463  ptv->mpeer = peer;
464  /* add element to iface list */
465  TAILQ_INSERT_TAIL(&peerslist.peers, peer, next);
466 
467  if (ptv->copy_mode != AFP_COPY_MODE_NONE) {
468  peerslist.cnt++;
469 
470  /* Iter to find a peer */
471  TAILQ_FOREACH(pitem, &peerslist.peers, next) {
472  if (pitem->peer)
473  continue;
474  if (strcmp(pitem->iface, ptv->out_iface))
475  continue;
476  peer->peer = pitem;
477  pitem->peer = peer;
478  mtu = GetIfaceMTU(ptv->iface);
479  out_mtu = GetIfaceMTU(ptv->out_iface);
480  if (mtu != out_mtu) {
481  SCLogError(SC_ERR_AFP_CREATE,
482  "MTU on %s (%d) and %s (%d) are not equal, "
483  "transmission of packets bigger than %d will fail.",
484  ptv->iface, mtu,
485  ptv->out_iface, out_mtu,
486  (out_mtu > mtu) ? mtu : out_mtu);
487  }
488  peerslist.peered += 2;
489  break;
490  }
491  }
492 
493  AFPPeerUpdate(ptv);
494 
495  SCReturnInt(TM_ECODE_OK);
496 }
497 
498 static int AFPPeersListWaitTurn(AFPPeer *peer)
499 {
500  /* If turn is zero, we already have started threads once */
501  if (peerslist.turn == 0)
502  return 0;
503 
504  if (peer->turn == SC_ATOMIC_GET(peerslist.reached))
505  return 0;
506  return 1;
507 }
508 
509 static void AFPPeersListReachedInc(void)
510 {
511  if (peerslist.turn == 0)
512  return;
513 
514  if (SC_ATOMIC_ADD(peerslist.reached, 1) == peerslist.turn) {
515  SCLogInfo("All AFP capture threads are running.");
516  (void)SC_ATOMIC_SET(peerslist.reached, 0);
517  /* Set turn to 0 to skip syncrhonization when ReceiveAFPLoop is
518  * restarted.
519  */
520  peerslist.turn = 0;
521  }
522 }
523 
524 static int AFPPeersListStarted(void)
525 {
526  return !peerslist.turn;
527 }
528 
529 /**
530  * \brief Clean the global peers list.
531  */
532 void AFPPeersListClean()
533 {
534  AFPPeer *pitem;
535 
536  while ((pitem = TAILQ_FIRST(&peerslist.peers))) {
537  TAILQ_REMOVE(&peerslist.peers, pitem, next);
538  AFPPeerClean(pitem);
539  }
540 }
541 
542 /**
543  * @}
544  */
545 
546 /**
547  * \brief Registration Function for DecodeAFP.
548  * \todo Unit tests are needed for this module.
549  */
550 void TmModuleDecodeAFPRegister (void)
551 {
552  tmm_modules[TMM_DECODEAFP].name = "DecodeAFP";
553  tmm_modules[TMM_DECODEAFP].ThreadInit = DecodeAFPThreadInit;
554  tmm_modules[TMM_DECODEAFP].Func = DecodeAFP;
555  tmm_modules[TMM_DECODEAFP].ThreadExitPrintStats = NULL;
556  tmm_modules[TMM_DECODEAFP].ThreadDeinit = DecodeAFPThreadDeinit;
557  tmm_modules[TMM_DECODEAFP].RegisterTests = NULL;
558  tmm_modules[TMM_DECODEAFP].cap_flags = 0;
559  tmm_modules[TMM_DECODEAFP].flags = TM_FLAG_DECODE_TM;
560 }
561 
562 
563 static int AFPCreateSocket(AFPThreadVars *ptv, char *devname, int verbose);
564 
565 static inline void AFPDumpCounters(AFPThreadVars *ptv)
566 {
567 #ifdef PACKET_STATISTICS
568  struct tpacket_stats kstats;
569  socklen_t len = sizeof (struct tpacket_stats);
570  if (getsockopt(ptv->socket, SOL_PACKET, PACKET_STATISTICS,
571  &kstats, &len) > -1) {
572  SCLogDebug("(%s) Kernel: Packets %" PRIu32 ", dropped %" PRIu32 "",
573  ptv->tv->name,
574  kstats.tp_packets, kstats.tp_drops);
575  StatsAddUI64(ptv->tv, ptv->capture_kernel_packets, kstats.tp_packets);
576  StatsAddUI64(ptv->tv, ptv->capture_kernel_drops, kstats.tp_drops);
577  (void) SC_ATOMIC_ADD(ptv->livedev->drop, (uint64_t) kstats.tp_drops);
578  (void) SC_ATOMIC_ADD(ptv->livedev->pkts, (uint64_t) kstats.tp_packets);
579  }
580 #endif
581 }
582 
583 /**
584  * \brief AF packet read function.
585  *
586  * This function fills
587  * From here the packets are picked up by the DecodeAFP thread.
588  *
589  * \param user pointer to AFPThreadVars
590  * \retval TM_ECODE_FAILED on failure and TM_ECODE_OK on success
591  */
592 static int AFPRead(AFPThreadVars *ptv)
593 {
594  Packet *p = NULL;
595  /* XXX should try to use read that get directly to packet */
596  int offset = 0;
597  int caplen;
598  struct sockaddr_ll from;
599  struct iovec iov;
600  struct msghdr msg;
601  struct cmsghdr *cmsg;
602  union {
603  struct cmsghdr cmsg;
604  char buf[CMSG_SPACE(sizeof(struct tpacket_auxdata))];
605  } cmsg_buf;
606  unsigned char aux_checksum = 0;
607 
608  msg.msg_name = &from;
609  msg.msg_namelen = sizeof(from);
610  msg.msg_iov = &iov;
611  msg.msg_iovlen = 1;
612  msg.msg_control = &cmsg_buf;
613  msg.msg_controllen = sizeof(cmsg_buf);
614  msg.msg_flags = 0;
615 
616  if (ptv->cooked)
617  offset = SLL_HEADER_LEN;
618  else
619  offset = 0;
620  iov.iov_len = ptv->datalen - offset;
621  iov.iov_base = ptv->data + offset;
622 
623  caplen = recvmsg(ptv->socket, &msg, MSG_TRUNC);
624 
625  if (caplen < 0) {
626  SCLogWarning(SC_ERR_AFP_READ, "recvmsg failed with error code %" PRId32,
627  errno);
628  SCReturnInt(AFP_READ_FAILURE);
629  }
630 
631  p = PacketGetFromQueueOrAlloc();
632  if (p == NULL) {
633  SCReturnInt(AFP_SURI_FAILURE);
634  }
635  PKT_SET_SRC(p, PKT_SRC_WIRE);
636  if (ptv->flags & AFP_BYPASS) {
637  p->BypassPacketsFlow = AFPBypassCallback;
638 #ifdef HAVE_PACKET_EBPF
639  p->afp_v.v4_map_fd = ptv->v4_map_fd;
640  p->afp_v.v6_map_fd = ptv->v6_map_fd;
641  p->afp_v.nr_cpus = ptv->ebpf_t_config.cpus_count;
642 #endif
643  }
644  if (ptv->flags & AFP_XDPBYPASS) {
645  p->BypassPacketsFlow = AFPXDPBypassCallback;
646 #ifdef HAVE_PACKET_EBPF
647  p->afp_v.v4_map_fd = ptv->v4_map_fd;
648  p->afp_v.v6_map_fd = ptv->v6_map_fd;
649  p->afp_v.nr_cpus = ptv->ebpf_t_config.cpus_count;
650 #endif
651  }
652 
653  /* get timestamp of packet via ioctl */
654  if (ioctl(ptv->socket, SIOCGSTAMP, &p->ts) == -1) {
655  SCLogWarning(SC_ERR_AFP_READ, "recvmsg failed with error code %" PRId32,
656  errno);
657  TmqhOutputPacketpool(ptv->tv, p);
658  SCReturnInt(AFP_READ_FAILURE);
659  }
660 
661  ptv->pkts++;
662  p->livedev = ptv->livedev;
663 
664  /* add forged header */
665  if (ptv->cooked) {
666  SllHdr * hdrp = (SllHdr *)ptv->data;
667  /* XXX this is minimalist, but this seems enough */
668  hdrp->sll_protocol = from.sll_protocol;
669  }
670 
671  p->datalink = ptv->datalink;
672  SET_PKT_LEN(p, caplen + offset);
673  if (PacketCopyData(p, ptv->data, GET_PKT_LEN(p)) == -1) {
674  TmqhOutputPacketpool(ptv->tv, p);
675  SCReturnInt(AFP_SURI_FAILURE);
676  }
677  SCLogDebug("pktlen: %" PRIu32 " (pkt %p, pkt data %p)",
678  GET_PKT_LEN(p), p, GET_PKT_DATA(p));
679 
680  /* We only check for checksum disable */
681  if (ptv->checksum_mode == CHECKSUM_VALIDATION_DISABLE) {
682  p->flags |= PKT_IGNORE_CHECKSUM;
683  } else if (ptv->checksum_mode == CHECKSUM_VALIDATION_AUTO) {
684  if (ptv->livedev->ignore_checksum) {
685  p->flags |= PKT_IGNORE_CHECKSUM;
686  } else if (ChecksumAutoModeCheck(ptv->pkts,
687  SC_ATOMIC_GET(ptv->livedev->pkts),
688  SC_ATOMIC_GET(ptv->livedev->invalid_checksums))) {
689  ptv->livedev->ignore_checksum = 1;
690  p->flags |= PKT_IGNORE_CHECKSUM;
691  }
692  } else {
693  aux_checksum = 1;
694  }
695 
696  /* List is NULL if we don't have activated auxiliary data */
697  for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
698  struct tpacket_auxdata *aux;
699 
700  if (cmsg->cmsg_len < CMSG_LEN(sizeof(struct tpacket_auxdata)) ||
701  cmsg->cmsg_level != SOL_PACKET ||
702  cmsg->cmsg_type != PACKET_AUXDATA)
703  continue;
704 
705  aux = (struct tpacket_auxdata *)CMSG_DATA(cmsg);
706 
707  if (aux_checksum && (aux->tp_status & TP_STATUS_CSUMNOTREADY)) {
708  p->flags |= PKT_IGNORE_CHECKSUM;
709  }
710  break;
711  }
712 
713  if (TmThreadsSlotProcessPkt(ptv->tv, ptv->slot, p) != TM_ECODE_OK) {
714  TmqhOutputPacketpool(ptv->tv, p);
715  SCReturnInt(AFP_SURI_FAILURE);
716  }
717  SCReturnInt(AFP_READ_OK);
718 }
719 
720 /**
721  * \brief AF packet write function.
722  *
723  * This function has to be called before the memory
724  * related to Packet in ring buffer is released.
725  *
726  * \param pointer to Packet
727  * \param version of capture: TPACKET_V2 or TPACKET_V3
728  * \retval TM_ECODE_FAILED on failure and TM_ECODE_OK on success
729  *
730  */
731 static TmEcode AFPWritePacket(Packet *p, int version)
732 {
733  struct sockaddr_ll socket_address;
734  int socket;
735  uint8_t *pstart;
736  size_t plen;
737  union thdr h;
738  uint16_t vlan_tci = 0;
739 
740  if (p->afp_v.copy_mode == AFP_COPY_MODE_IPS) {
741  if (PACKET_TEST_ACTION(p, ACTION_DROP)) {
742  return TM_ECODE_OK;
743  }
744  }
745 
746  if (SC_ATOMIC_GET(p->afp_v.peer->state) == AFP_STATE_DOWN)
747  return TM_ECODE_OK;
748 
749  if (p->ethh == NULL) {
750  SCLogWarning(SC_ERR_INVALID_VALUE, "Should have an Ethernet header");
751  return TM_ECODE_FAILED;
752  }
753  /* Index of the network device */
754  socket_address.sll_ifindex = SC_ATOMIC_GET(p->afp_v.peer->if_idx);
755  /* Address length*/
756  socket_address.sll_halen = ETH_ALEN;
757  /* Destination MAC */
758  memcpy(socket_address.sll_addr, p->ethh, 6);
759 
760  /* Send packet, locking the socket if necessary */
761  if (p->afp_v.peer->flags & AFP_SOCK_PROTECT)
762  SCMutexLock(&p->afp_v.peer->sock_protect);
763  socket = SC_ATOMIC_GET(p->afp_v.peer->socket);
764 
765  h.raw = p->afp_v.relptr;
766 
767  if (version == TPACKET_V2) {
768  /* Copy VLAN header from ring memory. For post june 2011 kernel we test
769  * the flag. It is not defined for older kernel so we go best effort
770  * and test for non zero value of the TCI header. */
771  if (h.h2->tp_status & TP_STATUS_VLAN_VALID || h.h2->tp_vlan_tci) {
772  vlan_tci = h.h2->tp_vlan_tci;
773  }
774  } else {
775 #ifdef HAVE_TPACKET_V3
776  if (h.h3->tp_status & TP_STATUS_VLAN_VALID || h.h3->hv1.tp_vlan_tci) {
777  vlan_tci = h.h3->hv1.tp_vlan_tci;
778  }
779 #else
780  /* Should not get here */
781  BUG_ON(1);
782 #endif
783  }
784 
785  if (vlan_tci != 0) {
786  pstart = GET_PKT_DATA(p) - VLAN_HEADER_LEN;
787  plen = GET_PKT_LEN(p) + VLAN_HEADER_LEN;
788  /* move ethernet addresses */
789  memmove(pstart, GET_PKT_DATA(p), 2 * ETH_ALEN);
790  /* write vlan info */
791  *(uint16_t *)(pstart + 2 * ETH_ALEN) = htons(0x8100);
792  *(uint16_t *)(pstart + 2 * ETH_ALEN + 2) = htons(vlan_tci);
793  } else {
794  pstart = GET_PKT_DATA(p);
795  plen = GET_PKT_LEN(p);
796  }
797 
798  if (sendto(socket, pstart, plen, 0,
799  (struct sockaddr*) &socket_address,
800  sizeof(struct sockaddr_ll)) < 0) {
801  SCLogWarning(SC_ERR_SOCKET, "Sending packet failed on socket %d: %s",
802  socket,
803  strerror(errno));
804  if (p->afp_v.peer->flags & AFP_SOCK_PROTECT)
805  SCMutexUnlock(&p->afp_v.peer->sock_protect);
806  return TM_ECODE_FAILED;
807  }
808  if (p->afp_v.peer->flags & AFP_SOCK_PROTECT)
809  SCMutexUnlock(&p->afp_v.peer->sock_protect);
810 
811  return TM_ECODE_OK;
812 }
813 
814 static void AFPReleaseDataFromRing(Packet *p)
815 {
816  /* Need to be in copy mode and need to detect early release
817  where Ethernet header could not be set (and pseudo packet) */
818  if ((p->afp_v.copy_mode != AFP_COPY_MODE_NONE) && !PKT_IS_PSEUDOPKT(p)) {
819  AFPWritePacket(p, TPACKET_V2);
820  }
821 
822  if (AFPDerefSocket(p->afp_v.mpeer) == 0)
823  goto cleanup;
824 
825  if (p->afp_v.relptr) {
826  union thdr h;
827  h.raw = p->afp_v.relptr;
828  h.h2->tp_status = TP_STATUS_KERNEL;
829  }
830 
831 cleanup:
832  AFPV_CLEANUP(&p->afp_v);
833 }
834 
835 #ifdef HAVE_TPACKET_V3
836 static void AFPReleasePacketV3(Packet *p)
837 {
838  /* Need to be in copy mode and need to detect early release
839  where Ethernet header could not be set (and pseudo packet) */
840  if ((p->afp_v.copy_mode != AFP_COPY_MODE_NONE) && !PKT_IS_PSEUDOPKT(p)) {
841  AFPWritePacket(p, TPACKET_V3);
842  }
843  PacketFreeOrRelease(p);
844 }
845 #endif
846 
847 static void AFPReleasePacket(Packet *p)
848 {
849  AFPReleaseDataFromRing(p);
850  PacketFreeOrRelease(p);
851 }
852 
853 /**
854  * \brief AF packet read function for ring
855  *
856  * This function fills
857  * From here the packets are picked up by the DecodeAFP thread.
858  *
859  * \param user pointer to AFPThreadVars
860  * \retval TM_ECODE_FAILED on failure and TM_ECODE_OK on success
861  */
862 static int AFPReadFromRing(AFPThreadVars *ptv)
863 {
864  Packet *p = NULL;
865  union thdr h;
866  uint8_t emergency_flush = 0;
867  int read_pkts = 0;
868  int loop_start = -1;
869 
870 
871  /* Loop till we have packets available */
872  while (1) {
873  if (unlikely(suricata_ctl_flags != 0)) {
874  break;
875  }
876 
877  /* Read packet from ring */
878  h.raw = (((union thdr **)ptv->ring.v2)[ptv->frame_offset]);
879  if (unlikely(h.raw == NULL)) {
880  /* Impossible we reach this point in normal condition, so trigger
881  * a failure in reading */
882  SCReturnInt(AFP_READ_FAILURE);
883  }
884 
885  if ((! h.h2->tp_status) || (h.h2->tp_status & TP_STATUS_USER_BUSY)) {
886  if (read_pkts == 0) {
887  if (loop_start == -1) {
888  loop_start = ptv->frame_offset;
889  } else if (unlikely(loop_start == (int)ptv->frame_offset)) {
890  SCReturnInt(AFP_READ_OK);
891  }
892  if (++ptv->frame_offset >= ptv->req.v2.tp_frame_nr) {
893  ptv->frame_offset = 0;
894  }
895  continue;
896  }
897  if ((emergency_flush) && (ptv->flags & AFP_EMERGENCY_MODE)) {
898  SCReturnInt(AFP_KERNEL_DROP);
899  } else {
900  SCReturnInt(AFP_READ_OK);
901  }
902  }
903 
904  read_pkts++;
905  loop_start = -1;
906 
907  /* Our packet is still used by suricata, we exit read loop to
908  * gain some time */
909  if (h.h2->tp_status & TP_STATUS_USER_BUSY) {
910  SCReturnInt(AFP_READ_OK);
911  }
912 
913  if ((ptv->flags & AFP_EMERGENCY_MODE) && (emergency_flush == 1)) {
914  h.h2->tp_status = TP_STATUS_KERNEL;
915  goto next_frame;
916  }
917 
918  p = PacketGetFromQueueOrAlloc();
919  if (p == NULL) {
920  SCReturnInt(AFP_SURI_FAILURE);
921  }
922  PKT_SET_SRC(p, PKT_SRC_WIRE);
923  if (ptv->flags & AFP_BYPASS) {
924  p->BypassPacketsFlow = AFPBypassCallback;
925 #ifdef HAVE_PACKET_EBPF
926  p->afp_v.v4_map_fd = ptv->v4_map_fd;
927  p->afp_v.v6_map_fd = ptv->v6_map_fd;
928  p->afp_v.nr_cpus = ptv->ebpf_t_config.cpus_count;
929 #endif
930  }
931  if (ptv->flags & AFP_XDPBYPASS) {
932  p->BypassPacketsFlow = AFPXDPBypassCallback;
933 #ifdef HAVE_PACKET_EBPF
934  p->afp_v.v4_map_fd = ptv->v4_map_fd;
935  p->afp_v.v6_map_fd = ptv->v6_map_fd;
936  p->afp_v.nr_cpus = ptv->ebpf_t_config.cpus_count;
937 #endif
938  }
939 
940  /* Suricata will treat packet so telling it is busy, this
941  * status will be reset to 0 (ie TP_STATUS_KERNEL) in the release
942  * function. */
943  h.h2->tp_status |= TP_STATUS_USER_BUSY;
944 
945  ptv->pkts++;
946  p->livedev = ptv->livedev;
947  p->datalink = ptv->datalink;
948 
949  if (h.h2->tp_len > h.h2->tp_snaplen) {
950  SCLogDebug("Packet length (%d) > snaplen (%d), truncating",
951  h.h2->tp_len, h.h2->tp_snaplen);
952  }
953 
954  /* get vlan id from header */
955  if ((ptv->flags & AFP_VLAN_IN_HEADER) &&
956  (h.h2->tp_status & TP_STATUS_VLAN_VALID || h.h2->tp_vlan_tci)) {
957  p->vlan_id[0] = h.h2->tp_vlan_tci & 0x0fff;
958  p->vlan_idx = 1;
959  }
960 
961  if (ptv->flags & AFP_ZERO_COPY) {
962  if (PacketSetData(p, (unsigned char*)h.raw + h.h2->tp_mac, h.h2->tp_snaplen) == -1) {
963  TmqhOutputPacketpool(ptv->tv, p);
964  SCReturnInt(AFP_SURI_FAILURE);
965  } else {
966  p->afp_v.relptr = h.raw;
967  p->ReleasePacket = AFPReleasePacket;
968  p->afp_v.mpeer = ptv->mpeer;
969  AFPRefSocket(ptv->mpeer);
970 
971  p->afp_v.copy_mode = ptv->copy_mode;
972  if (p->afp_v.copy_mode != AFP_COPY_MODE_NONE) {
973  p->afp_v.peer = ptv->mpeer->peer;
974  } else {
975  p->afp_v.peer = NULL;
976  }
977  }
978  } else {
979  if (PacketCopyData(p, (unsigned char*)h.raw + h.h2->tp_mac, h.h2->tp_snaplen) == -1) {
980  /* As we can possibly fail to copy the data due to invalid data, let's
981  * skip this packet and switch to the next one.
982  */
983  h.h2->tp_status = TP_STATUS_KERNEL;
984  if (++ptv->frame_offset >= ptv->req.v2.tp_frame_nr) {
985  ptv->frame_offset = 0;
986  }
987  TmqhOutputPacketpool(ptv->tv, p);
988  SCReturnInt(AFP_SURI_FAILURE);
989  }
990  }
991 
992  /* Timestamp */
993  p->ts.tv_sec = h.h2->tp_sec;
994  p->ts.tv_usec = h.h2->tp_nsec/1000;
995  SCLogDebug("pktlen: %" PRIu32 " (pkt %p, pkt data %p)",
996  GET_PKT_LEN(p), p, GET_PKT_DATA(p));
997 
998  /* We only check for checksum disable */
999  if (ptv->checksum_mode == CHECKSUM_VALIDATION_DISABLE) {
1000  p->flags |= PKT_IGNORE_CHECKSUM;
1001  } else if (ptv->checksum_mode == CHECKSUM_VALIDATION_AUTO) {
1002  if (ptv->livedev->ignore_checksum) {
1003  p->flags |= PKT_IGNORE_CHECKSUM;
1004  } else if (ChecksumAutoModeCheck(ptv->pkts,
1005  SC_ATOMIC_GET(ptv->livedev->pkts),
1006  SC_ATOMIC_GET(ptv->livedev->invalid_checksums))) {
1007  ptv->livedev->ignore_checksum = 1;
1008  p->flags |= PKT_IGNORE_CHECKSUM;
1009  }
1010  } else {
1011  if (h.h2->tp_status & TP_STATUS_CSUMNOTREADY) {
1012  p->flags |= PKT_IGNORE_CHECKSUM;
1013  }
1014  }
1015  if (h.h2->tp_status & TP_STATUS_LOSING) {
1016  emergency_flush = 1;
1017  AFPDumpCounters(ptv);
1018  }
1019 
1020  /* release frame if not in zero copy mode */
1021  if (!(ptv->flags & AFP_ZERO_COPY)) {
1022  h.h2->tp_status = TP_STATUS_KERNEL;
1023  }
1024 
1025  if (TmThreadsSlotProcessPkt(ptv->tv, ptv->slot, p) != TM_ECODE_OK) {
1026  h.h2->tp_status = TP_STATUS_KERNEL;
1027  if (++ptv->frame_offset >= ptv->req.v2.tp_frame_nr) {
1028  ptv->frame_offset = 0;
1029  }
1030  TmqhOutputPacketpool(ptv->tv, p);
1031  SCReturnInt(AFP_SURI_FAILURE);
1032  }
1033 
1034 next_frame:
1035  if (++ptv->frame_offset >= ptv->req.v2.tp_frame_nr) {
1036  ptv->frame_offset = 0;
1037  /* Get out of loop to be sure we will reach maintenance tasks */
1038  SCReturnInt(AFP_READ_OK);
1039  }
1040  }
1041 
1042  SCReturnInt(AFP_READ_OK);
1043 }
1044 
1045 #ifdef HAVE_TPACKET_V3
1046 static inline void AFPFlushBlock(struct tpacket_block_desc *pbd)
1047 {
1048  pbd->hdr.bh1.block_status = TP_STATUS_KERNEL;
1049 }
1050 
1051 static inline int AFPParsePacketV3(AFPThreadVars *ptv, struct tpacket_block_desc *pbd, struct tpacket3_hdr *ppd)
1052 {
1053  Packet *p = PacketGetFromQueueOrAlloc();
1054  if (p == NULL) {
1055  SCReturnInt(AFP_SURI_FAILURE);
1056  }
1057  PKT_SET_SRC(p, PKT_SRC_WIRE);
1058  if (ptv->flags & AFP_BYPASS) {
1059  p->BypassPacketsFlow = AFPBypassCallback;
1060 #ifdef HAVE_PACKET_EBPF
1061  p->afp_v.v4_map_fd = ptv->v4_map_fd;
1062  p->afp_v.v6_map_fd = ptv->v6_map_fd;
1063  p->afp_v.nr_cpus = ptv->ebpf_t_config.cpus_count;
1064 #endif
1065  } else if (ptv->flags & AFP_XDPBYPASS) {
1066  p->BypassPacketsFlow = AFPXDPBypassCallback;
1067 #ifdef HAVE_PACKET_EBPF
1068  p->afp_v.v4_map_fd = ptv->v4_map_fd;
1069  p->afp_v.v6_map_fd = ptv->v6_map_fd;
1070  p->afp_v.nr_cpus = ptv->ebpf_t_config.cpus_count;
1071 #endif
1072  }
1073 
1074  ptv->pkts++;
1075  p->livedev = ptv->livedev;
1076  p->datalink = ptv->datalink;
1077 
1078  if ((ptv->flags & AFP_VLAN_IN_HEADER) &&
1079  (ppd->tp_status & TP_STATUS_VLAN_VALID || ppd->hv1.tp_vlan_tci)) {
1080  p->vlan_id[0] = ppd->hv1.tp_vlan_tci & 0x0fff;
1081  p->vlan_idx = 1;
1082  }
1083 
1084  if (ptv->flags & AFP_ZERO_COPY) {
1085  if (PacketSetData(p, (unsigned char*)ppd + ppd->tp_mac, ppd->tp_snaplen) == -1) {
1086  TmqhOutputPacketpool(ptv->tv, p);
1087  SCReturnInt(AFP_SURI_FAILURE);
1088  }
1089  p->afp_v.relptr = ppd;
1090  p->ReleasePacket = AFPReleasePacketV3;
1091  p->afp_v.mpeer = ptv->mpeer;
1092  AFPRefSocket(ptv->mpeer);
1093 
1094  p->afp_v.copy_mode = ptv->copy_mode;
1095  if (p->afp_v.copy_mode != AFP_COPY_MODE_NONE) {
1096  p->afp_v.peer = ptv->mpeer->peer;
1097  } else {
1098  p->afp_v.peer = NULL;
1099  }
1100  } else {
1101  if (PacketCopyData(p, (unsigned char*)ppd + ppd->tp_mac, ppd->tp_snaplen) == -1) {
1102  TmqhOutputPacketpool(ptv->tv, p);
1103  SCReturnInt(AFP_SURI_FAILURE);
1104  }
1105  }
1106  /* Timestamp */
1107  p->ts.tv_sec = ppd->tp_sec;
1108  p->ts.tv_usec = ppd->tp_nsec/1000;
1109  SCLogDebug("pktlen: %" PRIu32 " (pkt %p, pkt data %p)",
1110  GET_PKT_LEN(p), p, GET_PKT_DATA(p));
1111 
1112  /* We only check for checksum disable */
1113  if (ptv->checksum_mode == CHECKSUM_VALIDATION_DISABLE) {
1114  p->flags |= PKT_IGNORE_CHECKSUM;
1115  } else if (ptv->checksum_mode == CHECKSUM_VALIDATION_AUTO) {
1116  if (ptv->livedev->ignore_checksum) {
1117  p->flags |= PKT_IGNORE_CHECKSUM;
1118  } else if (ChecksumAutoModeCheck(ptv->pkts,
1119  SC_ATOMIC_GET(ptv->livedev->pkts),
1120  SC_ATOMIC_GET(ptv->livedev->invalid_checksums))) {
1121  ptv->livedev->ignore_checksum = 1;
1122  p->flags |= PKT_IGNORE_CHECKSUM;
1123  }
1124  } else {
1125  if (ppd->tp_status & TP_STATUS_CSUMNOTREADY) {
1126  p->flags |= PKT_IGNORE_CHECKSUM;
1127  }
1128  }
1129 
1130  if (TmThreadsSlotProcessPkt(ptv->tv, ptv->slot, p) != TM_ECODE_OK) {
1131  TmqhOutputPacketpool(ptv->tv, p);
1132  SCReturnInt(AFP_SURI_FAILURE);
1133  }
1134 
1135  SCReturnInt(AFP_READ_OK);
1136 }
1137 
1138 static inline int AFPWalkBlock(AFPThreadVars *ptv, struct tpacket_block_desc *pbd)
1139 {
1140  int num_pkts = pbd->hdr.bh1.num_pkts, i;
1141  uint8_t *ppd;
1142  int ret = 0;
1143 
1144  ppd = (uint8_t *)pbd + pbd->hdr.bh1.offset_to_first_pkt;
1145  for (i = 0; i < num_pkts; ++i) {
1146  ret = AFPParsePacketV3(ptv, pbd,
1147  (struct tpacket3_hdr *)ppd);
1148  switch (ret) {
1149  case AFP_READ_OK:
1150  break;
1151  case AFP_SURI_FAILURE:
1152  /* Internal error but let's just continue and
1153  * treat thenext packet */
1154  break;
1155  case AFP_READ_FAILURE:
1156  SCReturnInt(AFP_READ_FAILURE);
1157  default:
1158  SCReturnInt(ret);
1159  }
1160  ppd = ppd + ((struct tpacket3_hdr *)ppd)->tp_next_offset;
1161  }
1162 
1163  SCReturnInt(AFP_READ_OK);
1164 }
1165 #endif /* HAVE_TPACKET_V3 */
1166 
1167 /**
1168  * \brief AF packet read function for ring
1169  *
1170  * This function fills
1171  * From here the packets are picked up by the DecodeAFP thread.
1172  *
1173  * \param user pointer to AFPThreadVars
1174  * \retval TM_ECODE_FAILED on failure and TM_ECODE_OK on success
1175  */
1176 static int AFPReadFromRingV3(AFPThreadVars *ptv)
1177 {
1178 #ifdef HAVE_TPACKET_V3
1179  struct tpacket_block_desc *pbd;
1180  int ret = 0;
1181 
1182  /* Loop till we have packets available */
1183  while (1) {
1184  if (unlikely(suricata_ctl_flags != 0)) {
1185  SCLogInfo("Exiting AFP V3 read loop");
1186  break;
1187  }
1188 
1189  pbd = (struct tpacket_block_desc *) ptv->ring.v3[ptv->frame_offset].iov_base;
1190 
1191  /* block is not ready to be read */
1192  if ((pbd->hdr.bh1.block_status & TP_STATUS_USER) == 0) {
1193  SCReturnInt(AFP_READ_OK);
1194  }
1195 
1196  ret = AFPWalkBlock(ptv, pbd);
1197  if (unlikely(ret != AFP_READ_OK)) {
1198  AFPFlushBlock(pbd);
1199  SCReturnInt(ret);
1200  }
1201 
1202  AFPFlushBlock(pbd);
1203  ptv->frame_offset = (ptv->frame_offset + 1) % ptv->req.v3.tp_block_nr;
1204  /* return to maintenance task after one loop on the ring */
1205  if (ptv->frame_offset == 0) {
1206  SCReturnInt(AFP_READ_OK);
1207  }
1208  }
1209 #endif
1210  SCReturnInt(AFP_READ_OK);
1211 }
1212 
1213 /**
1214  * \brief Reference socket
1215  *
1216  * \retval O in case of failure, 1 in case of success
1217  */
1218 static int AFPRefSocket(AFPPeer* peer)
1219 {
1220  if (unlikely(peer == NULL))
1221  return 0;
1222 
1223  (void)SC_ATOMIC_ADD(peer->sock_usage, 1);
1224  return 1;
1225 }
1226 
1227 
1228 /**
1229  * \brief Dereference socket
1230  *
1231  * \retval 1 if socket is still alive, 0 if not
1232  */
1233 static int AFPDerefSocket(AFPPeer* peer)
1234 {
1235  if (peer == NULL)
1236  return 1;
1237 
1238  if (SC_ATOMIC_SUB(peer->sock_usage, 1) == 0) {
1239  if (SC_ATOMIC_GET(peer->state) == AFP_STATE_DOWN) {
1240  SCLogInfo("Cleaning socket connected to '%s'", peer->iface);
1241  close(SC_ATOMIC_GET(peer->socket));
1242  return 0;
1243  }
1244  }
1245  return 1;
1246 }
1247 
1248 static void AFPSwitchState(AFPThreadVars *ptv, int state)
1249 {
1250  ptv->afp_state = state;
1251  ptv->down_count = 0;
1252 
1253  AFPPeerUpdate(ptv);
1254 
1255  /* Do cleaning if switching to down state */
1256  if (state == AFP_STATE_DOWN) {
1257 #ifdef HAVE_TPACKET_V3
1258  if (ptv->flags & AFP_TPACKET_V3) {
1259  if (!ptv->ring.v3) {
1260  SCFree(ptv->ring.v3);
1261  ptv->ring.v3 = NULL;
1262  }
1263  } else {
1264 #endif
1265  if (ptv->ring.v2) {
1266  /* only used in reading phase, we can free it */
1267  SCFree(ptv->ring.v2);
1268  ptv->ring.v2 = NULL;
1269  }
1270 #ifdef HAVE_TPACKET_V3
1271  }
1272 #endif
1273  if (ptv->socket != -1) {
1274  /* we need to wait for all packets to return data */
1275  if (SC_ATOMIC_SUB(ptv->mpeer->sock_usage, 1) == 0) {
1276  SCLogDebug("Cleaning socket connected to '%s'", ptv->iface);
1277  munmap(ptv->ring_buf, ptv->ring_buflen);
1278  close(ptv->socket);
1279  ptv->socket = -1;
1280  }
1281  }
1282  }
1283  if (state == AFP_STATE_UP) {
1284  (void)SC_ATOMIC_SET(ptv->mpeer->sock_usage, 1);
1285  }
1286 }
1287 
1288 static int AFPReadAndDiscard(AFPThreadVars *ptv, struct timeval *synctv,
1289  uint64_t *discarded_pkts)
1290 {
1291  struct sockaddr_ll from;
1292  struct iovec iov;
1293  struct msghdr msg;
1294  struct timeval ts;
1295  union {
1296  struct cmsghdr cmsg;
1297  char buf[CMSG_SPACE(sizeof(struct tpacket_auxdata))];
1298  } cmsg_buf;
1299 
1300 
1301  if (unlikely(suricata_ctl_flags != 0)) {
1302  return 1;
1303  }
1304 
1305  msg.msg_name = &from;
1306  msg.msg_namelen = sizeof(from);
1307  msg.msg_iov = &iov;
1308  msg.msg_iovlen = 1;
1309  msg.msg_control = &cmsg_buf;
1310  msg.msg_controllen = sizeof(cmsg_buf);
1311  msg.msg_flags = 0;
1312 
1313  iov.iov_len = ptv->datalen;
1314  iov.iov_base = ptv->data;
1315 
1316  (void)recvmsg(ptv->socket, &msg, MSG_TRUNC);
1317 
1318  if (ioctl(ptv->socket, SIOCGSTAMP, &ts) == -1) {
1319  /* FIXME */
1320  return -1;
1321  }
1322 
1323  if ((ts.tv_sec > synctv->tv_sec) ||
1324  (ts.tv_sec >= synctv->tv_sec &&
1325  ts.tv_usec > synctv->tv_usec)) {
1326  return 1;
1327  }
1328  return 0;
1329 }
1330 
1331 static int AFPReadAndDiscardFromRing(AFPThreadVars *ptv, struct timeval *synctv,
1332  uint64_t *discarded_pkts)
1333 {
1334  union thdr h;
1335 
1336  if (unlikely(suricata_ctl_flags != 0)) {
1337  return 1;
1338  }
1339 
1340 #ifdef HAVE_TPACKET_V3
1341  if (ptv->flags & AFP_TPACKET_V3) {
1342  int ret = 0;
1343  struct tpacket_block_desc *pbd;
1344  pbd = (struct tpacket_block_desc *) ptv->ring.v3[ptv->frame_offset].iov_base;
1345  *discarded_pkts += pbd->hdr.bh1.num_pkts;
1346  struct tpacket3_hdr *ppd =
1347  (struct tpacket3_hdr *)((uint8_t *)pbd + pbd->hdr.bh1.offset_to_first_pkt);
1348  if (((time_t)ppd->tp_sec > synctv->tv_sec) ||
1349  ((time_t)ppd->tp_sec == synctv->tv_sec &&
1350  (suseconds_t) (ppd->tp_nsec / 1000) > (suseconds_t)synctv->tv_usec)) {
1351  ret = 1;
1352  }
1353  AFPFlushBlock(pbd);
1354  ptv->frame_offset = (ptv->frame_offset + 1) % ptv->req.v3.tp_block_nr;
1355  return ret;
1356 
1357  } else
1358 #endif
1359  {
1360  /* Read packet from ring */
1361  h.raw = (((union thdr **)ptv->ring.v2)[ptv->frame_offset]);
1362  if (h.raw == NULL) {
1363  return -1;
1364  }
1365  (*discarded_pkts)++;
1366  if (((time_t)h.h2->tp_sec > synctv->tv_sec) ||
1367  ((time_t)h.h2->tp_sec == synctv->tv_sec &&
1368  (suseconds_t) (h.h2->tp_nsec / 1000) > synctv->tv_usec)) {
1369  return 1;
1370  }
1371 
1372  h.h2->tp_status = TP_STATUS_KERNEL;
1373  if (++ptv->frame_offset >= ptv->req.v2.tp_frame_nr) {
1374  ptv->frame_offset = 0;
1375  }
1376  }
1377 
1378 
1379  return 0;
1380 }
1381 
1382 /** \brief wait for all afpacket threads to fully init
1383  *
1384  * Discard packets before all threads are ready, as the cluster
1385  * setup is not complete yet.
1386  *
1387  * if AFPPeersListStarted() returns true init is complete
1388  *
1389  * \retval r 1 = happy, otherwise unhappy
1390  */
1391 static int AFPSynchronizeStart(AFPThreadVars *ptv, uint64_t *discarded_pkts)
1392 {
1393  struct timeval synctv;
1394  struct pollfd fds;
1395 
1396  fds.fd = ptv->socket;
1397  fds.events = POLLIN;
1398 
1399  /* Set timeval to end of the world */
1400  synctv.tv_sec = 0xffffffff;
1401  synctv.tv_usec = 0xffffffff;
1402 
1403  while (1) {
1404  int r = poll(&fds, 1, POLL_TIMEOUT);
1405  if (r > 0 &&
1406  (fds.revents & (POLLHUP|POLLRDHUP|POLLERR|POLLNVAL))) {
1407  SCLogWarning(SC_ERR_AFP_READ, "poll failed %02x",
1408  fds.revents & (POLLHUP|POLLRDHUP|POLLERR|POLLNVAL));
1409  return 0;
1410  } else if (r > 0) {
1411  if (AFPPeersListStarted() && synctv.tv_sec == (time_t) 0xffffffff) {
1412  gettimeofday(&synctv, NULL);
1413  }
1414  if (ptv->flags & AFP_RING_MODE) {
1415  r = AFPReadAndDiscardFromRing(ptv, &synctv, discarded_pkts);
1416  } else {
1417  r = AFPReadAndDiscard(ptv, &synctv, discarded_pkts);
1418  }
1419  SCLogDebug("Discarding on %s", ptv->tv->name);
1420  switch (r) {
1421  case 1:
1422  SCLogDebug("Starting to read on %s", ptv->tv->name);
1423  return 1;
1424  case -1:
1425  return r;
1426  }
1427  /* no packets */
1428  } else if (r == 0 && AFPPeersListStarted()) {
1429  SCLogDebug("Starting to read on %s", ptv->tv->name);
1430  return 1;
1431  } else if (r < 0) { /* only exit on error */
1432  SCLogWarning(SC_ERR_AFP_READ, "poll failed with retval %d", r);
1433  return 0;
1434  }
1435  }
1436  return 1;
1437 }
1438 
1439 /**
1440  * \brief Try to reopen socket
1441  *
1442  * \retval 0 in case of success, negative if error occurs or a condition
1443  * is not met.
1444  */
1445 static int AFPTryReopen(AFPThreadVars *ptv)
1446 {
1447  ptv->down_count++;
1448 
1449  /* Don't reconnect till we have packet that did not release data */
1450  if (SC_ATOMIC_GET(ptv->mpeer->sock_usage) != 0) {
1451  return -1;
1452  }
1453 
1454  int afp_activate_r = AFPCreateSocket(ptv, ptv->iface, 0);
1455  if (afp_activate_r != 0) {
1456  if (ptv->down_count % AFP_DOWN_COUNTER_INTERVAL == 0) {
1457  SCLogWarning(SC_ERR_AFP_CREATE, "Can not open iface '%s'",
1458  ptv->iface);
1459  }
1460  return afp_activate_r;
1461  }
1462 
1463  SCLogInfo("Interface '%s' is back", ptv->iface);
1464  return 0;
1465 }
1466 
1467 /**
1468  * \brief Main AF_PACKET reading Loop function
1469  */
1470 TmEcode ReceiveAFPLoop(ThreadVars *tv, void *data, void *slot)
1471 {
1472  SCEnter();
1473 
1474  AFPThreadVars *ptv = (AFPThreadVars *)data;
1475  struct pollfd fds;
1476  int r;
1477  TmSlot *s = (TmSlot *)slot;
1478  time_t last_dump = 0;
1479  time_t current_time;
1480  int (*AFPReadFunc) (AFPThreadVars *);
1481  uint64_t discarded_pkts = 0;
1482 
1483  ptv->slot = s->slot_next;
1484 
1485  if (ptv->flags & AFP_RING_MODE) {
1486  if (ptv->flags & AFP_TPACKET_V3) {
1487  AFPReadFunc = AFPReadFromRingV3;
1488  } else {
1489  AFPReadFunc = AFPReadFromRing;
1490  }
1491  } else {
1492  AFPReadFunc = AFPRead;
1493  }
1494 
1495  if (ptv->afp_state == AFP_STATE_DOWN) {
1496  /* Wait for our turn, threads before us must have opened the socket */
1497  while (AFPPeersListWaitTurn(ptv->mpeer)) {
1498  usleep(1000);
1499  if (suricata_ctl_flags != 0) {
1500  break;
1501  }
1502  }
1503  r = AFPCreateSocket(ptv, ptv->iface, 1);
1504  if (r < 0) {
1505  switch (-r) {
1506  case AFP_FATAL_ERROR:
1507  SCLogError(SC_ERR_AFP_CREATE, "Couldn't init AF_PACKET socket, fatal error");
1508  SCReturnInt(TM_ECODE_FAILED);
1509  case AFP_RECOVERABLE_ERROR:
1510  SCLogWarning(SC_ERR_AFP_CREATE, "Couldn't init AF_PACKET socket, retrying soon");
1511  }
1512  }
1513  AFPPeersListReachedInc();
1514  }
1515  if (ptv->afp_state == AFP_STATE_UP) {
1516  SCLogDebug("Thread %s using socket %d", tv->name, ptv->socket);
1517  AFPSynchronizeStart(ptv, &discarded_pkts);
1518  /* let's reset counter as we will start the capture at the
1519  * next function call */
1520 #ifdef PACKET_STATISTICS
1521  struct tpacket_stats kstats;
1522  socklen_t len = sizeof (struct tpacket_stats);
1523  if (getsockopt(ptv->socket, SOL_PACKET, PACKET_STATISTICS,
1524  &kstats, &len) > -1) {
1525  uint64_t pkts = 0;
1526  SCLogDebug("(%s) Kernel socket startup: Packets %" PRIu32
1527  ", dropped %" PRIu32 "",
1528  ptv->tv->name,
1529  kstats.tp_packets, kstats.tp_drops);
1530  pkts = kstats.tp_packets - discarded_pkts - kstats.tp_drops;
1531  StatsAddUI64(ptv->tv, ptv->capture_kernel_packets, pkts);
1532  (void) SC_ATOMIC_ADD(ptv->livedev->pkts, pkts);
1533  }
1534 #endif
1535  }
1536 
1537  fds.fd = ptv->socket;
1538  fds.events = POLLIN;
1539 
1540  while (1) {
1541  /* Start by checking the state of our interface */
1542  if (unlikely(ptv->afp_state == AFP_STATE_DOWN)) {
1543  int dbreak = 0;
1544 
1545  do {
1546  usleep(AFP_RECONNECT_TIMEOUT);
1547  if (suricata_ctl_flags != 0) {
1548  dbreak = 1;
1549  break;
1550  }
1551  r = AFPTryReopen(ptv);
1552  fds.fd = ptv->socket;
1553  } while (r < 0);
1554  if (dbreak == 1)
1555  break;
1556  }
1557 
1558  /* make sure we have at least one packet in the packet pool, to prevent
1559  * us from alloc'ing packets at line rate */
1560  PacketPoolWait();
1561 
1562  r = poll(&fds, 1, POLL_TIMEOUT);
1563 
1564  if (suricata_ctl_flags != 0) {
1565  break;
1566  }
1567 
1568  if (r > 0 &&
1569  (fds.revents & (POLLHUP|POLLRDHUP|POLLERR|POLLNVAL))) {
1570  if (fds.revents & (POLLHUP | POLLRDHUP)) {
1571  AFPSwitchState(ptv, AFP_STATE_DOWN);
1572  continue;
1573  } else if (fds.revents & POLLERR) {
1574  char c;
1575  /* Do a recv to get errno */
1576  if (recv(ptv->socket, &c, sizeof c, MSG_PEEK) != -1)
1577  continue; /* what, no error? */
1578  SCLogError(SC_ERR_AFP_READ,
1579  "Error reading data from iface '%s': (%d) %s",
1580  ptv->iface, errno, strerror(errno));
1581  AFPSwitchState(ptv, AFP_STATE_DOWN);
1582  continue;
1583  } else if (fds.revents & POLLNVAL) {
1584  SCLogError(SC_ERR_AFP_READ, "Invalid polling request");
1585  AFPSwitchState(ptv, AFP_STATE_DOWN);
1586  continue;
1587  }
1588  } else if (r > 0) {
1589  r = AFPReadFunc(ptv);
1590  switch (r) {
1591  case AFP_READ_OK:
1592  /* Trigger one dump of stats every second */
1593  current_time = time(NULL);
1594  if (current_time != last_dump) {
1595  AFPDumpCounters(ptv);
1596  last_dump = current_time;
1597  }
1598  break;
1599  case AFP_READ_FAILURE:
1600  /* AFPRead in error: best to reset the socket */
1601  SCLogError(SC_ERR_AFP_READ,
1602  "AFPRead error reading data from iface '%s': (%d) %s",
1603  ptv->iface, errno, strerror(errno));
1604  AFPSwitchState(ptv, AFP_STATE_DOWN);
1605  continue;
1606  case AFP_SURI_FAILURE:
1607  StatsIncr(ptv->tv, ptv->capture_errors);
1608  break;
1609  case AFP_KERNEL_DROP:
1610  AFPDumpCounters(ptv);
1611  break;
1612  }
1613  } else if (unlikely(r == 0)) {
1614  /* Trigger one dump of stats every second */
1615  current_time = time(NULL);
1616  if (current_time != last_dump) {
1617  AFPDumpCounters(ptv);
1618  last_dump = current_time;
1619  }
1620  /* poll timed out, lets see handle our timeout path */
1621  TmThreadsCaptureHandleTimeout(tv, ptv->slot, NULL);
1622 
1623  } else if ((r < 0) && (errno != EINTR)) {
1624  SCLogError(SC_ERR_AFP_READ, "Error reading data from iface '%s': (%d) %s",
1625  ptv->iface,
1626  errno, strerror(errno));
1627  AFPSwitchState(ptv, AFP_STATE_DOWN);
1628  continue;
1629  }
1630  StatsSyncCountersIfSignalled(tv);
1631  }
1632 
1633  AFPDumpCounters(ptv);
1634  StatsSyncCountersIfSignalled(tv);
1635  SCReturnInt(TM_ECODE_OK);
1636 }
1637 
1638 static int AFPGetDevFlags(int fd, const char *ifname)
1639 {
1640  struct ifreq ifr;
1641 
1642  memset(&ifr, 0, sizeof(ifr));
1643  strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
1644 
1645  if (ioctl(fd, SIOCGIFFLAGS, &ifr) == -1) {
1646  SCLogError(SC_ERR_AFP_CREATE, "Unable to find type for iface \"%s\": %s",
1647  ifname, strerror(errno));
1648  return -1;
1649  }
1650 
1651  return ifr.ifr_flags;
1652 }
1653 
1654 
1655 static int AFPGetIfnumByDev(int fd, const char *ifname, int verbose)
1656 {
1657  struct ifreq ifr;
1658 
1659  memset(&ifr, 0, sizeof(ifr));
1660  strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
1661 
1662  if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) {
1663  if (verbose)
1664  SCLogError(SC_ERR_AFP_CREATE, "Unable to find iface %s: %s",
1665  ifname, strerror(errno));
1666  return -1;
1667  }
1668 
1669  return ifr.ifr_ifindex;
1670 }
1671 
1672 static int AFPGetDevLinktype(int fd, const char *ifname)
1673 {
1674  struct ifreq ifr;
1675 
1676  memset(&ifr, 0, sizeof(ifr));
1677  strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
1678 
1679  if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) {
1680  SCLogError(SC_ERR_AFP_CREATE, "Unable to find type for iface \"%s\": %s",
1681  ifname, strerror(errno));
1682  return -1;
1683  }
1684 
1685  switch (ifr.ifr_hwaddr.sa_family) {
1686  case ARPHRD_LOOPBACK:
1687  return LINKTYPE_ETHERNET;
1688  case ARPHRD_PPP:
1689  case ARPHRD_NONE:
1690  return LINKTYPE_RAW;
1691  default:
1692  return ifr.ifr_hwaddr.sa_family;
1693  }
1694 }
1695 
1696 int AFPGetLinkType(const char *ifname)
1697 {
1698  int ltype;
1699 
1700  int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
1701  if (fd == -1) {
1702  SCLogError(SC_ERR_AFP_CREATE, "Couldn't create a AF_PACKET socket, error %s", strerror(errno));
1703  return LINKTYPE_RAW;
1704  }
1705 
1706  ltype = AFPGetDevLinktype(fd, ifname);
1707  close(fd);
1708 
1709  return ltype;
1710 }
1711 
1712 static int AFPComputeRingParams(AFPThreadVars *ptv, int order)
1713 {
1714  /* Compute structure:
1715  Target is to store all pending packets
1716  with a size equal to MTU + auxdata
1717  And we keep a decent number of block
1718 
1719  To do so:
1720  Compute frame_size (aligned to be able to fit in block
1721  Check which block size we need. Blocksize is a 2^n * pagesize
1722  We then need to get order, big enough to have
1723  frame_size < block size
1724  Find number of frame per block (divide)
1725  Fill in packet_req
1726 
1727  Compute frame size:
1728  described in packet_mmap.txt
1729  dependant on snaplen (need to use a variable ?)
1730 snaplen: MTU ?
1731 tp_hdrlen determine_version in daq_afpacket
1732 in V1: sizeof(struct tpacket_hdr);
1733 in V2: val in getsockopt(instance->fd, SOL_PACKET, PACKET_HDRLEN, &val, &len)
1734 frame size: TPACKET_ALIGN(snaplen + TPACKET_ALIGN(TPACKET_ALIGN(tp_hdrlen) + sizeof(struct sockaddr_ll) + ETH_HLEN) - ETH_HLEN);
1735 
1736  */
1737  int tp_hdrlen = sizeof(struct tpacket_hdr);
1738  int snaplen = default_packet_size;
1739 
1740  if (snaplen == 0) {
1741  snaplen = GetIfaceMaxPacketSize(ptv->iface);
1742  if (snaplen <= 0) {
1743  SCLogWarning(SC_ERR_INVALID_VALUE,
1744  "Unable to get MTU, setting snaplen to sane default of 1514");
1745  snaplen = 1514;
1746  }
1747  }
1748 
1749  ptv->req.v2.tp_frame_size = TPACKET_ALIGN(snaplen +TPACKET_ALIGN(TPACKET_ALIGN(tp_hdrlen) + sizeof(struct sockaddr_ll) + ETH_HLEN) - ETH_HLEN);
1750  ptv->req.v2.tp_block_size = getpagesize() << order;
1751  int frames_per_block = ptv->req.v2.tp_block_size / ptv->req.v2.tp_frame_size;
1752  if (frames_per_block == 0) {
1753  SCLogError(SC_ERR_INVALID_VALUE, "Frame size bigger than block size");
1754  return -1;
1755  }
1756  ptv->req.v2.tp_frame_nr = ptv->ring_size;
1757  ptv->req.v2.tp_block_nr = ptv->req.v2.tp_frame_nr / frames_per_block + 1;
1758  /* exact division */
1759  ptv->req.v2.tp_frame_nr = ptv->req.v2.tp_block_nr * frames_per_block;
1760  SCLogPerf("AF_PACKET RX Ring params: block_size=%d block_nr=%d frame_size=%d frame_nr=%d",
1761  ptv->req.v2.tp_block_size, ptv->req.v2.tp_block_nr,
1762  ptv->req.v2.tp_frame_size, ptv->req.v2.tp_frame_nr);
1763  return 1;
1764 }
1765 
1766 #ifdef HAVE_TPACKET_V3
1767 static int AFPComputeRingParamsV3(AFPThreadVars *ptv)
1768 {
1769  ptv->req.v3.tp_block_size = ptv->block_size;
1770  ptv->req.v3.tp_frame_size = 2048;
1771  int frames_per_block = 0;
1772  int tp_hdrlen = sizeof(struct tpacket3_hdr);
1773  int snaplen = default_packet_size;
1774 
1775  if (snaplen == 0) {
1776  snaplen = GetIfaceMaxPacketSize(ptv->iface);
1777  if (snaplen <= 0) {
1778  SCLogWarning(SC_ERR_INVALID_VALUE,
1779  "Unable to get MTU, setting snaplen to sane default of 1514");
1780  snaplen = 1514;
1781  }
1782  }
1783 
1784  ptv->req.v3.tp_frame_size = TPACKET_ALIGN(snaplen +TPACKET_ALIGN(TPACKET_ALIGN(tp_hdrlen) + sizeof(struct sockaddr_ll) + ETH_HLEN) - ETH_HLEN);
1785  frames_per_block = ptv->req.v3.tp_block_size / ptv->req.v3.tp_frame_size;
1786 
1787  if (frames_per_block == 0) {
1788  SCLogError(SC_ERR_INVALID_VALUE,
1789  "Block size is too small, it should be at least %d",
1790  ptv->req.v3.tp_frame_size);
1791  return -1;
1792  }
1793  ptv->req.v3.tp_block_nr = ptv->ring_size / frames_per_block + 1;
1794  /* exact division */
1795  ptv->req.v3.tp_frame_nr = ptv->req.v3.tp_block_nr * frames_per_block;
1796  ptv->req.v3.tp_retire_blk_tov = ptv->block_timeout;
1797  ptv->req.v3.tp_feature_req_word = TP_FT_REQ_FILL_RXHASH;
1798  SCLogPerf("AF_PACKET V3 RX Ring params: block_size=%d block_nr=%d frame_size=%d frame_nr=%d (mem: %d)",
1799  ptv->req.v3.tp_block_size, ptv->req.v3.tp_block_nr,
1800  ptv->req.v3.tp_frame_size, ptv->req.v3.tp_frame_nr,
1801  ptv->req.v3.tp_block_size * ptv->req.v3.tp_block_nr
1802  );
1803  return 1;
1804 }
1805 #endif
1806 
1807 static int AFPSetupRing(AFPThreadVars *ptv, char *devname)
1808 {
1809  int val;
1810  unsigned int len = sizeof(val), i;
1811  int order;
1812  int r, mmap_flag;
1813 
1814 #ifdef HAVE_TPACKET_V3
1815  if (ptv->flags & AFP_TPACKET_V3) {
1816  val = TPACKET_V3;
1817  } else
1818 #endif
1819  {
1820  val = TPACKET_V2;
1821  }
1822  if (getsockopt(ptv->socket, SOL_PACKET, PACKET_HDRLEN, &val, &len) < 0) {
1823  if (errno == ENOPROTOOPT) {
1824  if (ptv->flags & AFP_TPACKET_V3) {
1825  SCLogError(SC_ERR_AFP_CREATE,
1826  "Too old kernel giving up (need 3.2 for TPACKET_V3)");
1827  } else {
1828  SCLogError(SC_ERR_AFP_CREATE,
1829  "Too old kernel giving up (need 2.6.27 at least)");
1830  }
1831  }
1832  SCLogError(SC_ERR_AFP_CREATE, "Error when retrieving packet header len");
1833  return AFP_FATAL_ERROR;
1834  }
1835 
1836  val = TPACKET_V2;
1837 #ifdef HAVE_TPACKET_V3
1838  if (ptv->flags & AFP_TPACKET_V3) {
1839  val = TPACKET_V3;
1840  }
1841 #endif
1842  if (setsockopt(ptv->socket, SOL_PACKET, PACKET_VERSION, &val,
1843  sizeof(val)) < 0) {
1844  SCLogError(SC_ERR_AFP_CREATE,
1845  "Can't activate TPACKET_V2/TPACKET_V3 on packet socket: %s",
1846  strerror(errno));
1847  return AFP_FATAL_ERROR;
1848  }
1849 
1850 #ifdef HAVE_HW_TIMESTAMPING
1851  int req = SOF_TIMESTAMPING_RAW_HARDWARE;
1852  if (setsockopt(ptv->socket, SOL_PACKET, PACKET_TIMESTAMP, (void *) &req,
1853  sizeof(req)) < 0) {
1854  SCLogWarning(SC_ERR_AFP_CREATE,
1855  "Can't activate hardware timestamping on packet socket: %s",
1856  strerror(errno));
1857  }
1858 #endif
1859 
1860  /* Let's reserve head room so we can add the VLAN header in IPS
1861  * or TAP mode before write the packet */
1862  if (ptv->copy_mode != AFP_COPY_MODE_NONE) {
1863  /* Only one vlan is extracted from AFP header so
1864  * one VLAN header length is enough. */
1865  int reserve = VLAN_HEADER_LEN;
1866  if (setsockopt(ptv->socket, SOL_PACKET, PACKET_RESERVE, (void *) &reserve,
1867  sizeof(reserve)) < 0) {
1868  SCLogError(SC_ERR_AFP_CREATE,
1869  "Can't activate reserve on packet socket: %s",
1870  strerror(errno));
1871  return AFP_FATAL_ERROR;
1872  }
1873  }
1874 
1875  /* Allocate RX ring */
1876 #ifdef HAVE_TPACKET_V3
1877  if (ptv->flags & AFP_TPACKET_V3) {
1878  if (AFPComputeRingParamsV3(ptv) != 1) {
1879  return AFP_FATAL_ERROR;
1880  }
1881  r = setsockopt(ptv->socket, SOL_PACKET, PACKET_RX_RING,
1882  (void *) &ptv->req.v3, sizeof(ptv->req.v3));
1883  if (r < 0) {
1884  SCLogError(SC_ERR_MEM_ALLOC,
1885  "Unable to allocate RX Ring for iface %s: (%d) %s",
1886  devname,
1887  errno,
1888  strerror(errno));
1889  return AFP_FATAL_ERROR;
1890  }
1891  } else {
1892 #endif
1893  for (order = AFP_BLOCK_SIZE_DEFAULT_ORDER; order >= 0; order--) {
1894  if (AFPComputeRingParams(ptv, order) != 1) {
1895  SCLogInfo("Ring parameter are incorrect. Please correct the devel");
1896  return AFP_FATAL_ERROR;
1897  }
1898 
1899  r = setsockopt(ptv->socket, SOL_PACKET, PACKET_RX_RING,
1900  (void *) &ptv->req, sizeof(ptv->req));
1901 
1902  if (r < 0) {
1903  if (errno == ENOMEM) {
1904  SCLogInfo("Memory issue with ring parameters. Retrying.");
1905  continue;
1906  }
1907  SCLogError(SC_ERR_MEM_ALLOC,
1908  "Unable to allocate RX Ring for iface %s: (%d) %s",
1909  devname,
1910  errno,
1911  strerror(errno));
1912  return AFP_FATAL_ERROR;
1913  } else {
1914  break;
1915  }
1916  }
1917  if (order < 0) {
1918  SCLogError(SC_ERR_MEM_ALLOC,
1919  "Unable to allocate RX Ring for iface %s (order 0 failed)",
1920  devname);
1921  return AFP_FATAL_ERROR;
1922  }
1923 #ifdef HAVE_TPACKET_V3
1924  }
1925 #endif
1926 
1927  /* Allocate the Ring */
1928 #ifdef HAVE_TPACKET_V3
1929  if (ptv->flags & AFP_TPACKET_V3) {
1930  ptv->ring_buflen = ptv->req.v3.tp_block_nr * ptv->req.v3.tp_block_size;
1931  } else {
1932 #endif
1933  ptv->ring_buflen = ptv->req.v2.tp_block_nr * ptv->req.v2.tp_block_size;
1934 #ifdef HAVE_TPACKET_V3
1935  }
1936 #endif
1937  mmap_flag = MAP_SHARED;
1938  if (ptv->flags & AFP_MMAP_LOCKED)
1939  mmap_flag |= MAP_LOCKED;
1940  ptv->ring_buf = mmap(0, ptv->ring_buflen, PROT_READ|PROT_WRITE,
1941  mmap_flag, ptv->socket, 0);
1942  if (ptv->ring_buf == MAP_FAILED) {
1943  SCLogError(SC_ERR_MEM_ALLOC, "Unable to mmap, error %s",
1944  strerror(errno));
1945  goto mmap_err;
1946  }
1947 #ifdef HAVE_TPACKET_V3
1948  if (ptv->flags & AFP_TPACKET_V3) {
1949  ptv->ring.v3 = SCMalloc(ptv->req.v3.tp_block_nr * sizeof(*ptv->ring.v3));
1950  if (!ptv->ring.v3) {
1951  SCLogError(SC_ERR_MEM_ALLOC, "Unable to malloc ptv ring.v3");
1952  goto postmmap_err;
1953  }
1954  for (i = 0; i < ptv->req.v3.tp_block_nr; ++i) {
1955  ptv->ring.v3[i].iov_base = ptv->ring_buf + (i * ptv->req.v3.tp_block_size);
1956  ptv->ring.v3[i].iov_len = ptv->req.v3.tp_block_size;
1957  }
1958  } else {
1959 #endif
1960  /* allocate a ring for each frame header pointer*/
1961  ptv->ring.v2 = SCMalloc(ptv->req.v2.tp_frame_nr * sizeof (union thdr *));
1962  if (ptv->ring.v2 == NULL) {
1963  SCLogError(SC_ERR_MEM_ALLOC, "Unable to allocate frame buf");
1964  goto postmmap_err;
1965  }
1966  memset(ptv->ring.v2, 0, ptv->req.v2.tp_frame_nr * sizeof (union thdr *));
1967  /* fill the header ring with proper frame ptr*/
1968  ptv->frame_offset = 0;
1969  for (i = 0; i < ptv->req.v2.tp_block_nr; ++i) {
1970  void *base = &(ptv->ring_buf[i * ptv->req.v2.tp_block_size]);
1971  unsigned int j;
1972  for (j = 0; j < ptv->req.v2.tp_block_size / ptv->req.v2.tp_frame_size; ++j, ++ptv->frame_offset) {
1973  (((union thdr **)ptv->ring.v2)[ptv->frame_offset]) = base;
1974  base += ptv->req.v2.tp_frame_size;
1975  }
1976  }
1977  ptv->frame_offset = 0;
1978 #ifdef HAVE_TPACKET_V3
1979  }
1980 #endif
1981 
1982  return 0;
1983 
1984 postmmap_err:
1985  munmap(ptv->ring_buf, ptv->ring_buflen);
1986  if (ptv->ring.v2)
1987  SCFree(ptv->ring.v2);
1988  if (ptv->ring.v3)
1989  SCFree(ptv->ring.v3);
1990 mmap_err:
1991  /* Packet mmap does the cleaning when socket is closed */
1992  return AFP_FATAL_ERROR;
1993 }
1994 
1995 /** \brief test if we can use FANOUT. Older kernels like those in
1996  * CentOS6 have HAVE_PACKET_FANOUT defined but fail to work
1997  */
1998 int AFPIsFanoutSupported(void)
1999 {
2000 #ifdef HAVE_PACKET_FANOUT
2001  int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
2002  if (fd < 0)
2003  return 0;
2004 
2005  uint16_t mode = PACKET_FANOUT_HASH | PACKET_FANOUT_FLAG_DEFRAG;
2006  uint16_t id = 1;
2007  uint32_t option = (mode << 16) | (id & 0xffff);
2008  int r = setsockopt(fd, SOL_PACKET, PACKET_FANOUT,(void *)&option, sizeof(option));
2009  close(fd);
2010 
2011  if (r < 0) {
2012  SCLogPerf("fanout not supported by kernel: %s", strerror(errno));
2013  return 0;
2014  }
2015  return 1;
2016 #else
2017  return 0;
2018 #endif
2019 }
2020 
2021 #ifdef HAVE_PACKET_EBPF
2022 
2023 static int SockFanoutSeteBPF(AFPThreadVars *ptv)
2024 {
2025  int pfd = ptv->ebpf_lb_fd;
2026  if (pfd == -1) {
2027  SCLogError(SC_ERR_INVALID_VALUE,
2028  "Fanout file descriptor is invalid");
2029  return -1;
2030  }
2031 
2032  if (setsockopt(ptv->socket, SOL_PACKET, PACKET_FANOUT_DATA, &pfd, sizeof(pfd))) {
2033  SCLogError(SC_ERR_INVALID_VALUE, "Error setting ebpf");
2034  return -1;
2035  }
2036  SCLogInfo("Activated eBPF on socket");
2037 
2038  return 0;
2039 }
2040 
2041 static int SetEbpfFilter(AFPThreadVars *ptv)
2042 {
2043  int pfd = ptv->ebpf_filter_fd;
2044  if (pfd == -1) {
2045  SCLogError(SC_ERR_INVALID_VALUE,
2046  "Filter file descriptor is invalid");
2047  return -1;
2048  }
2049 
2050  if (setsockopt(ptv->socket, SOL_SOCKET, SO_ATTACH_BPF, &pfd, sizeof(pfd))) {
2051  SCLogError(SC_ERR_INVALID_VALUE, "Error setting ebpf: %s", strerror(errno));
2052  return -1;
2053  }
2054  SCLogInfo("Activated eBPF filter on socket");
2055 
2056  return 0;
2057 }
2058 #endif
2059 
2060 static int AFPCreateSocket(AFPThreadVars *ptv, char *devname, int verbose)
2061 {
2062  int r;
2063  int ret = AFP_FATAL_ERROR;
2064  struct packet_mreq sock_params;
2065  struct sockaddr_ll bind_address;
2066  int if_idx;
2067 
2068  /* open socket */
2069  ptv->socket = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
2070  if (ptv->socket == -1) {
2071  SCLogError(SC_ERR_AFP_CREATE, "Couldn't create a AF_PACKET socket, error %s", strerror(errno));
2072  goto error;
2073  }
2074 
2075  if_idx = AFPGetIfnumByDev(ptv->socket, devname, verbose);
2076 
2077  if (if_idx == -1) {
2078  goto socket_err;
2079  }
2080 
2081  /* bind socket */
2082  memset(&bind_address, 0, sizeof(bind_address));
2083  bind_address.sll_family = AF_PACKET;
2084  bind_address.sll_protocol = htons(ETH_P_ALL);
2085  bind_address.sll_ifindex = if_idx;
2086  if (bind_address.sll_ifindex == -1) {
2087  if (verbose)
2088  SCLogError(SC_ERR_AFP_CREATE, "Couldn't find iface %s", devname);
2089  ret = AFP_RECOVERABLE_ERROR;
2090  goto socket_err;
2091  }
2092 
2093  int if_flags = AFPGetDevFlags(ptv->socket, ptv->iface);
2094  if (if_flags == -1) {
2095  if (verbose) {
2096  SCLogError(SC_ERR_AFP_READ,
2097  "Couldn't get flags for interface '%s'",
2098  ptv->iface);
2099  }
2100  ret = AFP_RECOVERABLE_ERROR;
2101  goto socket_err;
2102  } else if ((if_flags & (IFF_UP | IFF_RUNNING)) == 0) {
2103  if (verbose) {
2104  SCLogError(SC_ERR_AFP_READ,
2105  "Interface '%s' is down",
2106  ptv->iface);
2107  }
2108  ret = AFP_RECOVERABLE_ERROR;
2109  goto socket_err;
2110  }
2111 
2112  if (ptv->promisc != 0) {
2113  /* Force promiscuous mode */
2114  memset(&sock_params, 0, sizeof(sock_params));
2115  sock_params.mr_type = PACKET_MR_PROMISC;
2116  sock_params.mr_ifindex = bind_address.sll_ifindex;
2117  r = setsockopt(ptv->socket, SOL_PACKET, PACKET_ADD_MEMBERSHIP,(void *)&sock_params, sizeof(sock_params));
2118  if (r < 0) {
2119  SCLogError(SC_ERR_AFP_CREATE,
2120  "Couldn't switch iface %s to promiscuous, error %s",
2121  devname, strerror(errno));
2122  goto socket_err;
2123  }
2124  }
2125 
2126  if (ptv->checksum_mode == CHECKSUM_VALIDATION_KERNEL) {
2127  int val = 1;
2128  if (setsockopt(ptv->socket, SOL_PACKET, PACKET_AUXDATA, &val,
2129  sizeof(val)) == -1 && errno != ENOPROTOOPT) {
2130  SCLogWarning(SC_ERR_NO_AF_PACKET,
2131  "'kernel' checksum mode not supported, falling back to full mode.");
2132  ptv->checksum_mode = CHECKSUM_VALIDATION_ENABLE;
2133  }
2134  }
2135 
2136  /* set socket recv buffer size */
2137  if (ptv->buffer_size != 0) {
2138  /*
2139  * Set the socket buffer size to the specified value.
2140  */
2141  SCLogPerf("Setting AF_PACKET socket buffer to %d", ptv->buffer_size);
2142  if (setsockopt(ptv->socket, SOL_SOCKET, SO_RCVBUF,
2143  &ptv->buffer_size,
2144  sizeof(ptv->buffer_size)) == -1) {
2145  SCLogError(SC_ERR_AFP_CREATE,
2146  "Couldn't set buffer size to %d on iface %s, error %s",
2147  ptv->buffer_size, devname, strerror(errno));
2148  goto socket_err;
2149  }
2150  }
2151 
2152  r = bind(ptv->socket, (struct sockaddr *)&bind_address, sizeof(bind_address));
2153  if (r < 0) {
2154  if (verbose) {
2155  if (errno == ENETDOWN) {
2156  SCLogError(SC_ERR_AFP_CREATE,
2157  "Couldn't bind AF_PACKET socket, iface %s is down",
2158  devname);
2159  } else {
2160  SCLogError(SC_ERR_AFP_CREATE,
2161  "Couldn't bind AF_PACKET socket to iface %s, error %s",
2162  devname, strerror(errno));
2163  }
2164  }
2165  ret = AFP_RECOVERABLE_ERROR;
2166  goto socket_err;
2167  }
2168 
2169 
2170 #ifdef HAVE_PACKET_FANOUT
2171  /* add binded socket to fanout group */
2172  if (ptv->threads > 1) {
2173  uint16_t mode = ptv->cluster_type;
2174  uint16_t id = ptv->cluster_id;
2175  uint32_t option = (mode << 16) | (id & 0xffff);
2176  r = setsockopt(ptv->socket, SOL_PACKET, PACKET_FANOUT,(void *)&option, sizeof(option));
2177  if (r < 0) {
2178  SCLogError(SC_ERR_AFP_CREATE,
2179  "Couldn't set fanout mode, error %s",
2180  strerror(errno));
2181  goto socket_err;
2182  }
2183  }
2184 #endif
2185 
2186 #ifdef HAVE_PACKET_EBPF
2187  if (ptv->cluster_type == PACKET_FANOUT_EBPF) {
2188  r = SockFanoutSeteBPF(ptv);
2189  if (r < 0) {
2190  SCLogError(SC_ERR_AFP_CREATE,
2191  "Coudn't set EBPF, error %s",
2192  strerror(errno));
2193  goto socket_err;
2194  }
2195  }
2196 #endif
2197 
2198  if (ptv->flags & AFP_RING_MODE) {
2199  ret = AFPSetupRing(ptv, devname);
2200  if (ret != 0)
2201  goto socket_err;
2202  }
2203 
2204  SCLogDebug("Using interface '%s' via socket %d", (char *)devname, ptv->socket);
2205 
2206  ptv->datalink = AFPGetDevLinktype(ptv->socket, ptv->iface);
2207  switch (ptv->datalink) {
2208  case ARPHRD_PPP:
2209  case ARPHRD_ATM:
2210  ptv->cooked = 1;
2211  break;
2212  }
2213 
2214  TmEcode rc = AFPSetBPFFilter(ptv);
2215  if (rc == TM_ECODE_FAILED) {
2216  ret = AFP_FATAL_ERROR;
2217  goto socket_err;
2218  }
2219 
2220  /* Init is ok */
2221  AFPSwitchState(ptv, AFP_STATE_UP);
2222  return 0;
2223 
2224 socket_err:
2225  close(ptv->socket);
2226  ptv->socket = -1;
2227  if (ptv->flags & AFP_TPACKET_V3) {
2228  if (ptv->ring.v3) {
2229  SCFree(ptv->ring.v3);
2230  ptv->ring.v3 = NULL;
2231  }
2232  } else {
2233  if (ptv->ring.v2) {
2234  SCFree(ptv->ring.v2);
2235  ptv->ring.v2 = NULL;
2236  }
2237  }
2238 
2239 error:
2240  return -ret;
2241 }
2242 
2243 TmEcode AFPSetBPFFilter(AFPThreadVars *ptv)
2244 {
2245  struct bpf_program filter;
2246  struct sock_fprog fcode;
2247  int rc;
2248 
2249 #ifdef HAVE_PACKET_EBPF
2250  if (ptv->ebpf_filter_fd != -1) {
2251  return SetEbpfFilter(ptv);
2252  }
2253 #endif
2254 
2255  if (!ptv->bpf_filter)
2256  return TM_ECODE_OK;
2257 
2258  SCLogInfo("Using BPF '%s' on iface '%s'",
2259  ptv->bpf_filter,
2260  ptv->iface);
2261 
2262  char errbuf[PCAP_ERRBUF_SIZE];
2263  if (SCBPFCompile(default_packet_size, /* snaplen_arg */
2264  ptv->datalink, /* linktype_arg */
2265  &filter, /* program */
2266  ptv->bpf_filter, /* const char *buf */
2267  1, /* optimize */
2268  0, /* mask */
2269  errbuf,
2270  sizeof(errbuf)) == -1) {
2271  SCLogError(SC_ERR_AFP_CREATE, "Failed to compile BPF \"%s\": %s",
2272  ptv->bpf_filter,
2273  errbuf);
2274  return TM_ECODE_FAILED;
2275  }
2276 
2277  fcode.len = filter.bf_len;
2278  fcode.filter = (struct sock_filter*)filter.bf_insns;
2279 
2280  rc = setsockopt(ptv->socket, SOL_SOCKET, SO_ATTACH_FILTER, &fcode, sizeof(fcode));
2281 
2282  SCBPFFree(&filter);
2283  if(rc == -1) {
2284  SCLogError(SC_ERR_AFP_CREATE, "Failed to attach filter: %s", strerror(errno));
2285  return TM_ECODE_FAILED;
2286  }
2287 
2288  return TM_ECODE_OK;
2289 }
2290 
2291 #ifdef HAVE_PACKET_EBPF
2292 /**
2293  * Insert a half flow in the kernel bypass table
2294  *
2295  * \param mapfd file descriptor of the protocol bypass table
2296  * \param key data to use as key in the table
2297  * \return 0 in case of error, 1 if success
2298  */
2299 static int AFPInsertHalfFlow(int mapd, void *key, unsigned int nr_cpus)
2300 {
2301  BPF_DECLARE_PERCPU(struct pair, value, nr_cpus);
2302  unsigned int i;
2303 
2304  if (mapd == -1) {
2305  return 0;
2306  }
2307 
2308  /* We use a per CPU structure so we have to set an array of values as the kernel
2309  * is not duplicating the data on each CPU by itself. */
2310  for (i = 0; i < nr_cpus; i++) {
2311  BPF_PERCPU(value, i).packets = 0;
2312  BPF_PERCPU(value, i).bytes = 0;
2313  }
2314  if (bpf_map_update_elem(mapd, key, value, BPF_NOEXIST) != 0) {
2315  switch (errno) {
2316  /* no more place in the hash */
2317  case E2BIG:
2318  return 0;
2319  /* no more place in the hash for some hardware bypass */
2320  case EAGAIN:
2321  return 0;
2322  /* if we already have the key then bypass is a success */
2323  case EEXIST:
2324  return 1;
2325  /* Not supposed to be there so issue a error */
2326  default:
2327  SCLogError(SC_ERR_BPF, "Can't update eBPF map: %s (%d)",
2328  strerror(errno),
2329  errno);
2330  return 0;
2331  }
2332  }
2333  return 1;
2334 }
2335 
2336 static int AFPSetFlowStorage(Packet *p, int map_fd, void *key0, void* key1,
2337  int family)
2338 {
2339  FlowBypassInfo *fc = FlowGetStorageById(p->flow, GetFlowBypassInfoID());
2340  if (fc) {
2341  EBPFBypassData *eb = SCCalloc(1, sizeof(EBPFBypassData));
2342  if (eb == NULL) {
2343  EBPFDeleteKey(map_fd, key0);
2344  EBPFDeleteKey(map_fd, key1);
2345  LiveDevAddBypassFail(p->livedev, 1, family);
2346  SCFree(key0);
2347  SCFree(key1);
2348  return 0;
2349  }
2350  eb->key[0] = key0;
2351  eb->key[1] = key1;
2352  eb->mapfd = map_fd;
2353  eb->cpus_count = p->afp_v.nr_cpus;
2354  fc->BypassUpdate = EBPFBypassUpdate;
2355  fc->BypassFree = EBPFBypassFree;
2356  fc->bypass_data = eb;
2357  } else {
2358  EBPFDeleteKey(map_fd, key0);
2359  EBPFDeleteKey(map_fd, key1);
2360  LiveDevAddBypassFail(p->livedev, 1, family);
2361  SCFree(key0);
2362  SCFree(key1);
2363  return 0;
2364  }
2365 
2366  LiveDevAddBypassStats(p->livedev, 1, family);
2367  LiveDevAddBypassSuccess(p->livedev, 1, family);
2368  return 1;
2369 }
2370 
2371 #endif
2372 
2373 /**
2374  * Bypass function for AF_PACKET capture in eBPF mode
2375  *
2376  * This function creates two half flows in the map shared with the kernel
2377  * to trigger bypass.
2378  *
2379  * The implementation of bypass is done via an IPv4 and an IPv6 flow table.
2380  * This table contains the list of half flows to bypass. The in-kernel filter
2381  * will skip/drop the packet if they belong to a flow in one of the flows
2382  * table.
2383  *
2384  * \param p the packet belonging to the flow to bypass
2385  * \return 0 if unable to bypass, 1 if success
2386  */
2387 static int AFPBypassCallback(Packet *p)
2388 {
2389 #ifdef HAVE_PACKET_EBPF
2390  SCLogDebug("Calling af_packet callback function");
2391  /* Only bypass TCP and UDP */
2392  if (!(PKT_IS_TCP(p) || PKT_IS_UDP(p))) {
2393  return 0;
2394  }
2395 
2396  /* If we don't have a flow attached to packet the eBPF map entries
2397  * will be destroyed at first flow bypass manager pass as we won't
2398  * find any associated entry */
2399  if (p->flow == NULL) {
2400  return 0;
2401  }
2402  /* Bypassing tunneled packets is currently not supported
2403  * because we can't discard the inner packet only due to
2404  * primitive parsing in eBPF */
2405  if (IS_TUNNEL_PKT(p)) {
2406  return 0;
2407  }
2408  if (PKT_IS_IPV4(p)) {
2409  SCLogDebug("add an IPv4");
2410  if (p->afp_v.v4_map_fd == -1) {
2411  return 0;
2412  }
2413  struct flowv4_keys *keys[2];
2414  keys[0] = SCCalloc(1, sizeof(struct flowv4_keys));
2415  if (keys[0] == NULL) {
2416  return 0;
2417  }
2418  keys[0]->src = htonl(GET_IPV4_SRC_ADDR_U32(p));
2419  keys[0]->dst = htonl(GET_IPV4_DST_ADDR_U32(p));
2420  keys[0]->port16[0] = GET_TCP_SRC_PORT(p);
2421  keys[0]->port16[1] = GET_TCP_DST_PORT(p);
2422  keys[0]->vlan0 = p->vlan_id[0];
2423  keys[0]->vlan1 = p->vlan_id[1];
2424 
2425  if (IPV4_GET_IPPROTO(p) == IPPROTO_TCP) {
2426  keys[0]->ip_proto = 1;
2427  } else {
2428  keys[0]->ip_proto = 0;
2429  }
2430  if (AFPInsertHalfFlow(p->afp_v.v4_map_fd, keys[0],
2431  p->afp_v.nr_cpus) == 0) {
2432  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2433  SCFree(keys[0]);
2434  return 0;
2435  }
2436  keys[1]= SCCalloc(1, sizeof(struct flowv4_keys));
2437  if (keys[1] == NULL) {
2438  EBPFDeleteKey(p->afp_v.v4_map_fd, keys[0]);
2439  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2440  SCFree(keys[0]);
2441  return 0;
2442  }
2443  keys[1]->src = htonl(GET_IPV4_DST_ADDR_U32(p));
2444  keys[1]->dst = htonl(GET_IPV4_SRC_ADDR_U32(p));
2445  keys[1]->port16[0] = GET_TCP_DST_PORT(p);
2446  keys[1]->port16[1] = GET_TCP_SRC_PORT(p);
2447  keys[1]->vlan0 = p->vlan_id[0];
2448  keys[1]->vlan1 = p->vlan_id[1];
2449 
2450  keys[1]->ip_proto = keys[0]->ip_proto;
2451  if (AFPInsertHalfFlow(p->afp_v.v4_map_fd, keys[1],
2452  p->afp_v.nr_cpus) == 0) {
2453  EBPFDeleteKey(p->afp_v.v4_map_fd, keys[0]);
2454  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2455  SCFree(keys[0]);
2456  SCFree(keys[1]);
2457  return 0;
2458  }
2459  EBPFUpdateFlow(p->flow, p, NULL);
2460  return AFPSetFlowStorage(p, p->afp_v.v4_map_fd, keys[0], keys[1], AF_INET);
2461  }
2462  /* For IPv6 case we don't handle extended header in eBPF */
2463  if (PKT_IS_IPV6(p) &&
2464  ((IPV6_GET_NH(p) == IPPROTO_TCP) || (IPV6_GET_NH(p) == IPPROTO_UDP))) {
2465  int i;
2466  if (p->afp_v.v6_map_fd == -1) {
2467  return 0;
2468  }
2469  SCLogDebug("add an IPv6");
2470  struct flowv6_keys *keys[2];
2471  keys[0] = SCCalloc(1, sizeof(struct flowv6_keys));
2472  if (keys[0] == NULL) {
2473  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2474  return 0;
2475  }
2476  for (i = 0; i < 4; i++) {
2477  keys[0]->src[i] = ntohl(GET_IPV6_SRC_ADDR(p)[i]);
2478  keys[0]->dst[i] = ntohl(GET_IPV6_DST_ADDR(p)[i]);
2479  }
2480  keys[0]->port16[0] = GET_TCP_SRC_PORT(p);
2481  keys[0]->port16[1] = GET_TCP_DST_PORT(p);
2482  keys[0]->vlan0 = p->vlan_id[0];
2483  keys[0]->vlan1 = p->vlan_id[1];
2484 
2485  if (IPV6_GET_NH(p) == IPPROTO_TCP) {
2486  keys[0]->ip_proto = 1;
2487  } else {
2488  keys[0]->ip_proto = 0;
2489  }
2490  if (AFPInsertHalfFlow(p->afp_v.v6_map_fd, keys[0],
2491  p->afp_v.nr_cpus) == 0) {
2492  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2493  SCFree(keys[0]);
2494  return 0;
2495  }
2496  keys[1]= SCCalloc(1, sizeof(struct flowv6_keys));
2497  if (keys[1] == NULL) {
2498  EBPFDeleteKey(p->afp_v.v6_map_fd, keys[0]);
2499  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2500  SCFree(keys[0]);
2501  return 0;
2502  }
2503  for (i = 0; i < 4; i++) {
2504  keys[1]->src[i] = ntohl(GET_IPV6_DST_ADDR(p)[i]);
2505  keys[1]->dst[i] = ntohl(GET_IPV6_SRC_ADDR(p)[i]);
2506  }
2507  keys[1]->port16[0] = GET_TCP_DST_PORT(p);
2508  keys[1]->port16[1] = GET_TCP_SRC_PORT(p);
2509  keys[1]->vlan0 = p->vlan_id[0];
2510  keys[1]->vlan1 = p->vlan_id[1];
2511 
2512  keys[1]->ip_proto = keys[0]->ip_proto;
2513  if (AFPInsertHalfFlow(p->afp_v.v6_map_fd, keys[1],
2514  p->afp_v.nr_cpus) == 0) {
2515  EBPFDeleteKey(p->afp_v.v6_map_fd, keys[0]);
2516  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2517  SCFree(keys[0]);
2518  SCFree(keys[1]);
2519  return 0;
2520  }
2521  if (p->flow)
2522  EBPFUpdateFlow(p->flow, p, NULL);
2523  return AFPSetFlowStorage(p, p->afp_v.v6_map_fd, keys[0], keys[1], AF_INET6);
2524  }
2525 #endif
2526  return 0;
2527 }
2528 
2529 /**
2530  * Bypass function for AF_PACKET capture in XDP mode
2531  *
2532  * This function creates two half flows in the map shared with the kernel
2533  * to trigger bypass. This function is similar to AFPBypassCallback() but
2534  * the bytes order is changed for some data due to the way we get the data
2535  * in the XDP case.
2536  *
2537  * \param p the packet belonging to the flow to bypass
2538  * \return 0 if unable to bypass, 1 if success
2539  */
2540 static int AFPXDPBypassCallback(Packet *p)
2541 {
2542 #ifdef HAVE_PACKET_XDP
2543  SCLogDebug("Calling af_packet callback function");
2544  /* Only bypass TCP and UDP */
2545  if (!(PKT_IS_TCP(p) || PKT_IS_UDP(p))) {
2546  return 0;
2547  }
2548 
2549  /* If we don't have a flow attached to packet the eBPF map entries
2550  * will be destroyed at first flow bypass manager pass as we won't
2551  * find any associated entry */
2552  if (p->flow == NULL) {
2553  return 0;
2554  }
2555  /* Bypassing tunneled packets is currently not supported
2556  * because we can't discard the inner packet only due to
2557  * primitive parsing in eBPF */
2558  if (IS_TUNNEL_PKT(p)) {
2559  return 0;
2560  }
2561  if (PKT_IS_IPV4(p)) {
2562  struct flowv4_keys *keys[2];
2563  keys[0]= SCCalloc(1, sizeof(struct flowv4_keys));
2564  if (keys[0] == NULL) {
2565  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2566  return 0;
2567  }
2568  if (p->afp_v.v4_map_fd == -1) {
2569  SCFree(keys[0]);
2570  return 0;
2571  }
2572  keys[0]->src = p->src.addr_data32[0];
2573  keys[0]->dst = p->dst.addr_data32[0];
2574  /* In the XDP filter we get port from parsing of packet and not from skb
2575  * (as in eBPF filter) so we need to pass from host to network order */
2576  keys[0]->port16[0] = htons(p->sp);
2577  keys[0]->port16[1] = htons(p->dp);
2578  keys[0]->vlan0 = p->vlan_id[0];
2579  keys[0]->vlan1 = p->vlan_id[1];
2580  if (IPV4_GET_IPPROTO(p) == IPPROTO_TCP) {
2581  keys[0]->ip_proto = 1;
2582  } else {
2583  keys[0]->ip_proto = 0;
2584  }
2585  if (AFPInsertHalfFlow(p->afp_v.v4_map_fd, keys[0],
2586  p->afp_v.nr_cpus) == 0) {
2587  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2588  SCFree(keys[0]);
2589  return 0;
2590  }
2591  keys[1]= SCCalloc(1, sizeof(struct flowv4_keys));
2592  if (keys[1] == NULL) {
2593  EBPFDeleteKey(p->afp_v.v4_map_fd, keys[0]);
2594  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2595  SCFree(keys[0]);
2596  return 0;
2597  }
2598  keys[1]->src = p->dst.addr_data32[0];
2599  keys[1]->dst = p->src.addr_data32[0];
2600  keys[1]->port16[0] = htons(p->dp);
2601  keys[1]->port16[1] = htons(p->sp);
2602  keys[1]->vlan0 = p->vlan_id[0];
2603  keys[1]->vlan1 = p->vlan_id[1];
2604  keys[1]->ip_proto = keys[0]->ip_proto;
2605  if (AFPInsertHalfFlow(p->afp_v.v4_map_fd, keys[1],
2606  p->afp_v.nr_cpus) == 0) {
2607  EBPFDeleteKey(p->afp_v.v4_map_fd, keys[0]);
2608  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2609  SCFree(keys[0]);
2610  SCFree(keys[1]);
2611  return 0;
2612  }
2613  return AFPSetFlowStorage(p, p->afp_v.v4_map_fd, keys[0], keys[1], AF_INET);
2614  }
2615  /* For IPv6 case we don't handle extended header in eBPF */
2616  if (PKT_IS_IPV6(p) &&
2617  ((IPV6_GET_NH(p) == IPPROTO_TCP) || (IPV6_GET_NH(p) == IPPROTO_UDP))) {
2618  SCLogDebug("add an IPv6");
2619  if (p->afp_v.v6_map_fd == -1) {
2620  return 0;
2621  }
2622  int i;
2623  struct flowv6_keys *keys[2];
2624  keys[0] = SCCalloc(1, sizeof(struct flowv6_keys));
2625  if (keys[0] == NULL) {
2626  return 0;
2627  }
2628 
2629  for (i = 0; i < 4; i++) {
2630  keys[0]->src[i] = GET_IPV6_SRC_ADDR(p)[i];
2631  keys[0]->dst[i] = GET_IPV6_DST_ADDR(p)[i];
2632  }
2633  keys[0]->port16[0] = htons(GET_TCP_SRC_PORT(p));
2634  keys[0]->port16[1] = htons(GET_TCP_DST_PORT(p));
2635  keys[0]->vlan0 = p->vlan_id[0];
2636  keys[0]->vlan1 = p->vlan_id[1];
2637  if (IPV6_GET_NH(p) == IPPROTO_TCP) {
2638  keys[0]->ip_proto = 1;
2639  } else {
2640  keys[0]->ip_proto = 0;
2641  }
2642  if (AFPInsertHalfFlow(p->afp_v.v6_map_fd, keys[0],
2643  p->afp_v.nr_cpus) == 0) {
2644  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2645  SCFree(keys[0]);
2646  return 0;
2647  }
2648  keys[1]= SCCalloc(1, sizeof(struct flowv6_keys));
2649  if (keys[1] == NULL) {
2650  EBPFDeleteKey(p->afp_v.v6_map_fd, keys[0]);
2651  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2652  SCFree(keys[0]);
2653  return 0;
2654  }
2655  for (i = 0; i < 4; i++) {
2656  keys[1]->src[i] = GET_IPV6_DST_ADDR(p)[i];
2657  keys[1]->dst[i] = GET_IPV6_SRC_ADDR(p)[i];
2658  }
2659  keys[1]->port16[0] = htons(GET_TCP_DST_PORT(p));
2660  keys[1]->port16[1] = htons(GET_TCP_SRC_PORT(p));
2661  keys[1]->vlan0 = p->vlan_id[0];
2662  keys[1]->vlan1 = p->vlan_id[1];
2663  keys[1]->ip_proto = keys[0]->ip_proto;
2664  if (AFPInsertHalfFlow(p->afp_v.v6_map_fd, keys[1],
2665  p->afp_v.nr_cpus) == 0) {
2666  EBPFDeleteKey(p->afp_v.v6_map_fd, keys[0]);
2667  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2668  SCFree(keys[0]);
2669  SCFree(keys[1]);
2670  return 0;
2671  }
2672  return AFPSetFlowStorage(p, p->afp_v.v6_map_fd, keys[0], keys[1], AF_INET6);
2673  }
2674 #endif
2675  return 0;
2676 }
2677 
2678 
2679 bool g_flowv4_ok = true;
2680 bool g_flowv6_ok = true;
2681 
2682 /**
2683  * \brief Init function for ReceiveAFP.
2684  *
2685  * \param tv pointer to ThreadVars
2686  * \param initdata pointer to the interface passed from the user
2687  * \param data pointer gets populated with AFPThreadVars
2688  *
2689  * \todo Create a general AFP setup function.
2690  */
2691 TmEcode ReceiveAFPThreadInit(ThreadVars *tv, const void *initdata, void **data)
2692 {
2693  SCEnter();
2694  AFPIfaceConfig *afpconfig = (AFPIfaceConfig *)initdata;
2695 
2696  if (initdata == NULL) {
2697  SCLogError(SC_ERR_INVALID_ARGUMENT, "initdata == NULL");
2698  SCReturnInt(TM_ECODE_FAILED);
2699  }
2700 
2701  AFPThreadVars *ptv = SCMalloc(sizeof(AFPThreadVars));
2702  if (unlikely(ptv == NULL)) {
2703  afpconfig->DerefFunc(afpconfig);
2704  SCReturnInt(TM_ECODE_FAILED);
2705  }
2706  memset(ptv, 0, sizeof(AFPThreadVars));
2707 
2708  ptv->tv = tv;
2709  ptv->cooked = 0;
2710 
2711  strlcpy(ptv->iface, afpconfig->iface, AFP_IFACE_NAME_LENGTH);
2712  ptv->iface[AFP_IFACE_NAME_LENGTH - 1]= '\0';
2713 
2714  ptv->livedev = LiveGetDevice(ptv->iface);
2715  if (ptv->livedev == NULL) {
2716  SCLogError(SC_ERR_INVALID_VALUE, "Unable to find Live device");
2717  SCFree(ptv);
2718  SCReturnInt(TM_ECODE_FAILED);
2719  }
2720 
2721  ptv->buffer_size = afpconfig->buffer_size;
2722  ptv->ring_size = afpconfig->ring_size;
2723  ptv->block_size = afpconfig->block_size;
2724  ptv->block_timeout = afpconfig->block_timeout;
2725 
2726  ptv->promisc = afpconfig->promisc;
2727  ptv->checksum_mode = afpconfig->checksum_mode;
2728  ptv->bpf_filter = NULL;
2729 
2730  ptv->threads = 1;
2731 #ifdef HAVE_PACKET_FANOUT
2732  ptv->cluster_type = PACKET_FANOUT_LB;
2733  ptv->cluster_id = 1;
2734  /* We only set cluster info if the number of reader threads is greater than 1 */
2735  if (afpconfig->threads > 1) {
2736  ptv->cluster_id = afpconfig->cluster_id;
2737  ptv->cluster_type = afpconfig->cluster_type;
2738  ptv->threads = afpconfig->threads;
2739  }
2740 #endif
2741  ptv->flags = afpconfig->flags;
2742 
2743  if (afpconfig->bpf_filter) {
2744  ptv->bpf_filter = afpconfig->bpf_filter;
2745  }
2746  ptv->ebpf_lb_fd = afpconfig->ebpf_lb_fd;
2747  ptv->ebpf_filter_fd = afpconfig->ebpf_filter_fd;
2748  ptv->xdp_mode = afpconfig->xdp_mode;
2749 #ifdef HAVE_PACKET_EBPF
2750  ptv->ebpf_t_config.cpus_count = UtilCpuGetNumProcessorsConfigured();
2751 
2752  if (ptv->flags & (AFP_BYPASS|AFP_XDPBYPASS)) {
2753  ptv->v4_map_fd = EBPFGetMapFDByName(ptv->iface, "flow_table_v4");
2754  if (ptv->v4_map_fd == -1) {
2755  if (g_flowv4_ok == false) {
2756  SCLogError(SC_ERR_INVALID_VALUE, "Can't find eBPF map fd for '%s'",
2757  "flow_table_v4");
2758  g_flowv4_ok = true;
2759  }
2760  }
2761  ptv->v6_map_fd = EBPFGetMapFDByName(ptv->iface, "flow_table_v6");
2762  if (ptv->v6_map_fd == -1) {
2763  if (g_flowv6_ok) {
2764  SCLogError(SC_ERR_INVALID_VALUE, "Can't find eBPF map fd for '%s'",
2765  "flow_table_v6");
2766  g_flowv6_ok = false;
2767  }
2768  }
2769  }
2770  ptv->ebpf_t_config = afpconfig->ebpf_t_config;
2771 #endif
2772 
2773 #ifdef PACKET_STATISTICS
2774  ptv->capture_kernel_packets = StatsRegisterCounter("capture.kernel_packets",
2775  ptv->tv);
2776  ptv->capture_kernel_drops = StatsRegisterCounter("capture.kernel_drops",
2777  ptv->tv);
2778  ptv->capture_errors = StatsRegisterCounter("capture.errors",
2779  ptv->tv);
2780 #endif
2781 
2782  ptv->copy_mode = afpconfig->copy_mode;
2783  if (ptv->copy_mode != AFP_COPY_MODE_NONE) {
2784  strlcpy(ptv->out_iface, afpconfig->out_iface, AFP_IFACE_NAME_LENGTH);
2785  ptv->out_iface[AFP_IFACE_NAME_LENGTH - 1]= '\0';
2786  /* Warn about BPF filter consequence */
2787  if (ptv->bpf_filter) {
2788  SCLogWarning(SC_WARN_UNCOMMON, "Enabling a BPF filter in IPS mode result"
2789  " in dropping all non matching packets.");
2790  }
2791  }
2792 
2793 
2794  if (AFPPeersListAdd(ptv) == TM_ECODE_FAILED) {
2795  SCFree(ptv);
2796  afpconfig->DerefFunc(afpconfig);
2797  SCReturnInt(TM_ECODE_FAILED);
2798  }
2799 
2800 #define T_DATA_SIZE 70000
2801  ptv->data = SCMalloc(T_DATA_SIZE);
2802  if (ptv->data == NULL) {
2803  afpconfig->DerefFunc(afpconfig);
2804  SCFree(ptv);
2805  SCReturnInt(TM_ECODE_FAILED);
2806  }
2807  ptv->datalen = T_DATA_SIZE;
2808 #undef T_DATA_SIZE
2809 
2810  *data = (void *)ptv;
2811 
2812  afpconfig->DerefFunc(afpconfig);
2813 
2814  /* If kernel is older than 3.0, VLAN is not stripped so we don't
2815  * get the info from packet extended header but we will use a standard
2816  * parsing of packet data (See Linux commit bcc6d47903612c3861201cc3a866fb604f26b8b2) */
2817  if (SCKernelVersionIsAtLeast(3, 0)) {
2818  ptv->flags |= AFP_VLAN_IN_HEADER;
2819  }
2820 
2821  SCReturnInt(TM_ECODE_OK);
2822 }
2823 
2824 /**
2825  * \brief This function prints stats to the screen at exit.
2826  * \param tv pointer to ThreadVars
2827  * \param data pointer that gets cast into AFPThreadVars for ptv
2828  */
2829 void ReceiveAFPThreadExitStats(ThreadVars *tv, void *data)
2830 {
2831  SCEnter();
2832  AFPThreadVars *ptv = (AFPThreadVars *)data;
2833 
2834 #ifdef PACKET_STATISTICS
2835  AFPDumpCounters(ptv);
2836  SCLogPerf("(%s) Kernel: Packets %" PRIu64 ", dropped %" PRIu64 "",
2837  tv->name,
2838  StatsGetLocalCounterValue(tv, ptv->capture_kernel_packets),
2839  StatsGetLocalCounterValue(tv, ptv->capture_kernel_drops));
2840 #endif
2841 }
2842 
2843 /**
2844  * \brief DeInit function closes af packet socket at exit.
2845  * \param tv pointer to ThreadVars
2846  * \param data pointer that gets cast into AFPThreadVars for ptv
2847  */
2848 TmEcode ReceiveAFPThreadDeinit(ThreadVars *tv, void *data)
2849 {
2850  AFPThreadVars *ptv = (AFPThreadVars *)data;
2851 
2852  AFPSwitchState(ptv, AFP_STATE_DOWN);
2853 
2854 #ifdef HAVE_PACKET_XDP
2855  if ((ptv->ebpf_t_config.flags & EBPF_XDP_CODE) &&
2856  (!(ptv->ebpf_t_config.flags & EBPF_PINNED_MAPS))) {
2857  EBPFSetupXDP(ptv->iface, -1, ptv->xdp_mode);
2858  }
2859 #endif
2860  if (ptv->data != NULL) {
2861  SCFree(ptv->data);
2862  ptv->data = NULL;
2863  }
2864  ptv->datalen = 0;
2865 
2866  ptv->bpf_filter = NULL;
2867  if ((ptv->flags & AFP_TPACKET_V3) && ptv->ring.v3) {
2868  SCFree(ptv->ring.v3);
2869  } else {
2870  if (ptv->ring.v2)
2871  SCFree(ptv->ring.v2);
2872  }
2873 
2874  SCFree(ptv);
2875  SCReturnInt(TM_ECODE_OK);
2876 }
2877 
2878 /**
2879  * \brief This function passes off to link type decoders.
2880  *
2881  * DecodeAFP reads packets from the PacketQueue and passes
2882  * them off to the proper link type decoder.
2883  *
2884  * \param t pointer to ThreadVars
2885  * \param p pointer to the current packet
2886  * \param data pointer that gets cast into AFPThreadVars for ptv
2887  * \param pq pointer to the current PacketQueue
2888  */
2889 TmEcode DecodeAFP(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
2890 {
2891  SCEnter();
2892  DecodeThreadVars *dtv = (DecodeThreadVars *)data;
2893 
2894  /* XXX HACK: flow timeout can call us for injected pseudo packets
2895  * see bug: https://redmine.openinfosecfoundation.org/issues/1107 */
2896  if (p->flags & PKT_PSEUDO_STREAM_END)
2897  return TM_ECODE_OK;
2898 
2899  /* update counters */
2900  DecodeUpdatePacketCounters(tv, dtv, p);
2901 
2902  /* If suri has set vlan during reading, we increase vlan counter */
2903  if (p->vlan_idx) {
2904  StatsIncr(tv, dtv->counter_vlan);
2905  }
2906 
2907  /* call the decoder */
2908  switch (p->datalink) {
2909  case LINKTYPE_ETHERNET:
2910  DecodeEthernet(tv, dtv, p,GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
2911  break;
2912  case LINKTYPE_LINUX_SLL:
2913  DecodeSll(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
2914  break;
2915  case LINKTYPE_PPP:
2916  DecodePPP(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
2917  break;
2918  case LINKTYPE_RAW:
2919  case LINKTYPE_GRE_OVER_IP:
2920  DecodeRaw(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
2921  break;
2922  case LINKTYPE_NULL:
2923  DecodeNull(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
2924  break;
2925  default:
2926  SCLogError(SC_ERR_DATALINK_UNIMPLEMENTED, "Error: datalink type %" PRId32 " not yet supported in module DecodeAFP", p->datalink);
2927  break;
2928  }
2929 
2930  PacketDecodeFinalize(tv, dtv, p);
2931 
2932  SCReturnInt(TM_ECODE_OK);
2933 }
2934 
2935 TmEcode DecodeAFPThreadInit(ThreadVars *tv, const void *initdata, void **data)
2936 {
2937  SCEnter();
2938  DecodeThreadVars *dtv = NULL;
2939 
2940  dtv = DecodeThreadVarsAlloc(tv);
2941 
2942  if (dtv == NULL)
2943  SCReturnInt(TM_ECODE_FAILED);
2944 
2945  DecodeRegisterPerfCounters(dtv, tv);
2946 
2947  *data = (void *)dtv;
2948 
2949  SCReturnInt(TM_ECODE_OK);
2950 }
2951 
2952 TmEcode DecodeAFPThreadDeinit(ThreadVars *tv, void *data)
2953 {
2954  if (data != NULL)
2955  DecodeThreadVarsFree(tv, data);
2956  SCReturnInt(TM_ECODE_OK);
2957 }
2958 
2959 #endif /* HAVE_AF_PACKET */
2960 /* eof */
2961 /**
2962  * @}
2963  */
AFPIfaceConfig_::xdp_mode
uint8_t xdp_mode
Definition: source-af-packet.h:110
AFPThreadVars_::checksum_mode
ChecksumValidationMode checksum_mode
Definition: source-af-packet.c:237
AFPThreadVars_::AFPRing::v2
char * v2
Definition: source-af-packet.c:215
AFPIfaceConfig_::iface
char iface[AFP_IFACE_NAME_LENGTH]
Definition: source-af-packet.h:83
Packet_::ethh
EthernetHdr * ethh
Definition: decode.h:493
GET_IPV4_SRC_ADDR_U32
#define GET_IPV4_SRC_ADDR_U32(p)
Definition: decode.h:212
AFPPeersListInit
TmEcode AFPPeersListInit()
Init the global list of AFPPeer.
Definition: source-af-packet.c:400
TM_FLAG_DECODE_TM
#define TM_FLAG_DECODE_TM
Definition: tm-modules.h:32
AFPThreadVars_::copy_mode
uint8_t copy_mode
Definition: source-af-packet.c:246
AFPThreadVars_::ring_size
int ring_size
Definition: source-af-packet.c:264
AFPIfaceConfig_
Definition: source-af-packet.h:81
LiveDevice_
Definition: util-device.h:40
AFPPeer_::sock_protect
SCMutex sock_protect
Definition: source-af-packet.h:129
DecodeThreadVarsAlloc
DecodeThreadVars * DecodeThreadVarsAlloc(ThreadVars *tv)
Alloc and setup DecodeThreadVars.
Definition: decode.c:605
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
TmModuleDecodeAFPRegister
void TmModuleDecodeAFPRegister(void)
Registration Function for DecodeAFP.
Definition: source-af-packet.c:550
Packet_::BypassPacketsFlow
int(* BypassPacketsFlow)(struct Packet_ *)
Definition: decode.h:487
AFP_BLOCK_SIZE_DEFAULT_ORDER
#define AFP_BLOCK_SIZE_DEFAULT_ORDER
Definition: source-af-packet.h:79
TAILQ_FIRST
#define TAILQ_FIRST(head)
Definition: queue.h:339
Packet_::flow
struct Flow_ * flow
Definition: decode.h:445
SC_ATOMIC_DECLARE
#define SC_ATOMIC_DECLARE(type, name)
wrapper to declare an atomic variable including a (spin) lock to protect it.
Definition: util-atomic.h:56
UtilCpuGetNumProcessorsConfigured
uint16_t UtilCpuGetNumProcessorsConfigured(void)
Get the number of cpus configured in the system.
Definition: util-cpu.c:58
TmModule_::cap_flags
uint8_t cap_flags
Definition: tm-modules.h:67
AFPThreadVars_::block_timeout
int block_timeout
Definition: source-af-packet.c:266
SLL_HEADER_LEN
#define SLL_HEADER_LEN
Definition: decode-sll.h:27
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:350
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:515
AFPThreadVars_::capture_kernel_packets
uint16_t capture_kernel_packets
Definition: source-af-packet.c:240
peerslist
AFPPeersList peerslist
Definition: source-af-packet.c:394
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
LINKTYPE_LINUX_SLL
#define LINKTYPE_LINUX_SLL
Definition: decode.h:1071
DecodePPP
int DecodePPP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
Definition: decode-ppp.c:43
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:267
TmModule_::flags
uint8_t flags
Definition: tm-modules.h:70
PACKET_TEST_ACTION
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:857
bpf_program::bf_insns
struct bpf_insn * bf_insns
Definition: source-af-packet.c:80
AFPThreadVars_::ebpf_lb_fd
int ebpf_lb_fd
Definition: source-af-packet.c:271
SET_PKT_LEN
#define SET_PKT_LEN(p, len)
Definition: decode.h:229
AFPPeersListCheck
TmEcode AFPPeersListCheck()
Check that all AFPPeer got a peer.
Definition: source-af-packet.c:417
AFPThreadVars_
Structure to hold thread specific variables.
Definition: source-af-packet.c:212
AFP_RECONNECT_TIMEOUT
#define AFP_RECONNECT_TIMEOUT
Definition: source-af-packet.c:170
PacketDecodeFinalize
void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Finalize decoding of a packet.
Definition: decode.c:115
IPV4_GET_IPPROTO
#define IPV4_GET_IPPROTO(p)
Definition: decode-ipv4.h:148
POLL_TIMEOUT
#define POLL_TIMEOUT
Definition: source-af-packet.c:173
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
AFPGetLinkType
int AFPGetLinkType(const char *ifname)
Definition: source-af-packet.c:1696
AFPPeersListClean
void AFPPeersListClean()
Clean the global peers list.
Definition: source-af-packet.c:532
AFPPeersList
struct AFPPeersList_ AFPPeersList
DecodeRaw
int DecodeRaw(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
Definition: decode-raw.c:46
TmModule_::Func
TmEcode(* Func)(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *)
Definition: tm-modules.h:52
Packet_::sp
Port sp
Definition: decode.h:415
GET_IPV4_DST_ADDR_U32
#define GET_IPV4_DST_ADDR_U32(p)
Definition: decode.h:213
AFPPeer_::iface
char iface[AFP_IFACE_NAME_LENGTH]
Definition: source-af-packet.h:134
AFPIfaceConfig_::ring_size
int ring_size
Definition: source-af-packet.h:89
DecodeRegisterPerfCounters
void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv)
Definition: decode.c:465
AFPThreadVars_::block_size
int block_size
Definition: source-af-packet.c:265
AFPIfaceConfig_::block_timeout
int block_timeout
Definition: source-af-packet.h:93
AFPThreadVars_::req
union AFPThreadVars_::AFPTpacketReq req
ReceiveAFP
TmEcode ReceiveAFP(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *)
Packet_::dp
Port dp
Definition: decode.h:423
AFPThreadVars_::AFPTpacketReq
Definition: source-af-packet.c:283
AFPThreadVars_::AFPRing::v3
struct iovec * v3
Definition: source-af-packet.c:216
GetIfaceMaxPacketSize
int GetIfaceMaxPacketSize(const char *pcap_dev)
output max packet size for a link
Definition: util-ioctl.c:132
AFPPeer_
Definition: source-af-packet.h:124
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:107
AFPThreadVars_::ring_buf
uint8_t * ring_buf
Definition: source-af-packet.c:296
offset
uint64_t offset
Definition: util-streaming-buffer.h:1478
TP_STATUS_VLAN_VALID
#define TP_STATUS_VLAN_VALID
Definition: source-af-packet.c:181
AFPPeersList_
Definition: source-af-packet.c:356
Packet_::dst
Address dst
Definition: decode.h:413
PACKET_FANOUT_LB
#define PACKET_FANOUT_LB
Definition: source-af-packet.h:33
AFPThreadVars_::capture_kernel_drops
uint16_t capture_kernel_drops
Definition: source-af-packet.c:241
IS_TUNNEL_PKT
#define IS_TUNNEL_PKT(p)
Definition: decode.h:881
PKT_IS_IPV6
#define PKT_IS_IPV6(p)
Definition: decode.h:252
PacketQueue_
Definition: decode.h:620
AFP_ZERO_COPY
#define AFP_ZERO_COPY
Definition: source-af-packet.h:59
VLAN_HEADER_LEN
#define VLAN_HEADER_LEN
Definition: decode-vlan.h:50
AFPIfaceConfig_::ebpf_lb_fd
int ebpf_lb_fd
Definition: source-af-packet.h:105
suricata_ctl_flags
volatile uint8_t suricata_ctl_flags
Definition: suricata.c:201
thdr::h2
struct tpacket2_hdr * h2
Definition: source-af-packet.c:198
SC_ATOMIC_SUB
#define SC_ATOMIC_SUB(name, val)
sub a value from our atomic variable
Definition: util-atomic.h:124
TAILQ_HEAD
#define TAILQ_HEAD(name, type)
Definition: queue.h:321
AFPIsFanoutSupported
int AFPIsFanoutSupported(void)
test if we can use FANOUT. Older kernels like those in CentOS6 have HAVE_PACKET_FANOUT defined but fa...
Definition: source-af-packet.c:1998
AFP_PEERS_WAIT
#define AFP_PEERS_WAIT
DecodeNull
int DecodeNull(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
Definition: decode-null.c:48
PacketGetFromQueueOrAlloc
Packet * PacketGetFromQueueOrAlloc(void)
Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packe...
Definition: decode.c:177
AFPIfaceConfig_::threads
int threads
Definition: source-af-packet.h:85
AFPThreadVars_::threads
int threads
Definition: source-af-packet.c:281
AFPPeer_::flags
int flags
Definition: source-af-packet.h:128
TmModule_::PktAcqLoop
TmEcode(* PktAcqLoop)(ThreadVars *, void *, void *)
Definition: tm-modules.h:54
Packet_::ReleasePacket
void(* ReleasePacket)(struct Packet_ *)
Definition: decode.h:484
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
AFP_STATE_DOWN
#define AFP_STATE_DOWN
Definition: source-af-packet.c:167
AFPIfaceConfig_::flags
unsigned int flags
Definition: source-af-packet.h:100
PacketFreeOrRelease
void PacketFreeOrRelease(Packet *p)
Return a packet to where it was allocated.
Definition: decode.c:162
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:251
AFPIfaceConfig_::out_iface
const char * out_iface
Definition: source-af-packet.h:111
SC_ATOMIC_DESTROY
#define SC_ATOMIC_DESTROY(name)
Destroy the lock used to protect this variable.
Definition: util-atomic.h:97
Packet_::vlan_id
uint16_t vlan_id[2]
Definition: decode.h:435
DecodeThreadVars_::counter_vlan
uint16_t counter_vlan
Definition: decode.h:659
AFPThreadVars_::afp_state
uint8_t afp_state
Definition: source-af-packet.c:245
AFPPeer_::turn
int turn
Definition: source-af-packet.h:130
AFPThreadVars_::buffer_size
int buffer_size
Definition: source-af-packet.c:268
PKT_SET_SRC
#define PKT_SET_SRC(p, src_val)
Definition: decode.h:1132
SCKernelVersionIsAtLeast
int SCKernelVersionIsAtLeast(int major, int minor)
Definition: util-host-info.c:36
TM_FLAG_RECEIVE_TM
#define TM_FLAG_RECEIVE_TM
Definition: tm-modules.h:31
ChecksumAutoModeCheck
int ChecksumAutoModeCheck(uint64_t thread_count, uint64_t iface_count, uint64_t iface_fail)
Check if the number of invalid checksums indicate checksum offloading in place.
Definition: util-checksum.c:70
TmModule_::PktAcqBreakLoop
TmEcode(* PktAcqBreakLoop)(ThreadVars *, void *)
Definition: tm-modules.h:57
LINKTYPE_PPP
#define LINKTYPE_PPP
Definition: decode.h:1072
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:931
LINKTYPE_NULL
#define LINKTYPE_NULL
Definition: decode.h:1069
bpf_program::bf_len
unsigned int bf_len
Definition: source-af-packet.c:79
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
Initialize the previously declared atomic variable and it&#39;s lock.
Definition: util-atomic.h:81
LiveDevAddBypassFail
void LiveDevAddBypassFail(LiveDevice *dev, uint64_t cnt, int family)
Definition: util-device.c:541
SCCalloc
#define SCCalloc(nm, a)
Definition: util-mem.h:253
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
AFP_COPY_MODE_NONE
#define AFP_COPY_MODE_NONE
Definition: source-af-packet.h:68
AFPIfaceConfig_::cluster_type
int cluster_type
Definition: source-af-packet.h:96
AFPIfaceConfig_::copy_mode
int copy_mode
Definition: source-af-packet.h:101
TmqhOutputPacketpool
void TmqhOutputPacketpool(ThreadVars *t, Packet *p)
Definition: tmqh-packetpool.c:449
ReceiveAFPLoop
TmEcode ReceiveAFPLoop(ThreadVars *tv, void *data, void *slot)
Main AF_PACKET reading Loop function.
Definition: source-af-packet.c:1470
ReceiveAFPThreadDeinit
TmEcode ReceiveAFPThreadDeinit(ThreadVars *, void *)
DeInit function closes af packet socket at exit.
Definition: source-af-packet.c:2848
AFPIfaceConfig_::block_size
int block_size
Definition: source-af-packet.h:91
PACKET_FANOUT_HASH
#define PACKET_FANOUT_HASH
Definition: source-af-packet.h:32
max_pending_packets
int max_pending_packets
Definition: suricata.c:215
AFPThreadVars_::ring_buflen
unsigned int ring_buflen
Definition: source-af-packet.c:295
Packet_::datalink
int datalink
Definition: decode.h:574
AFP_SURI_FAILURE
Definition: source-af-packet.c:188
GET_IPV6_DST_ADDR
#define GET_IPV6_DST_ADDR(p)
Definition: decode.h:220
AFP_KERNEL_DROP
Definition: source-af-packet.c:189
TmModuleReceiveAFPRegister
void TmModuleReceiveAFPRegister(void)
Registration Function for RecieveAFP.
Definition: source-af-packet.c:327
TAILQ_INIT
#define TAILQ_INIT(head)
Definition: queue.h:370
AFPThreadVars_::cooked
int cooked
Definition: source-af-packet.c:255
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
Definition: decode-ethernet.c:41
T_DATA_SIZE
#define T_DATA_SIZE
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
ReceiveAFPThreadInit
TmEcode ReceiveAFPThreadInit(ThreadVars *, const void *, void **)
Init function for ReceiveAFP.
Definition: source-af-packet.c:2691
AFPThreadVars_::datalink
uint32_t datalink
Definition: source-af-packet.c:226
AFP_VLAN_IN_HEADER
#define AFP_VLAN_IN_HEADER
Definition: source-af-packet.h:63
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:632
TAILQ_REMOVE
#define TAILQ_REMOVE(head, elm, field)
Definition: queue.h:412
TmModule_::RegisterTests
void(* RegisterTests)(void)
Definition: tm-modules.h:65
bpf_program
Definition: source-af-packet.c:78
TmModule_::ThreadDeinit
TmEcode(* ThreadDeinit)(ThreadVars *, void *)
Definition: tm-modules.h:49
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
AFP_DOWN_COUNTER_INTERVAL
#define AFP_DOWN_COUNTER_INTERVAL
Definition: source-af-packet.c:171
GetIfaceMTU
int GetIfaceMTU(const char *pcap_dev)
output the link MTU
Definition: util-ioctl.c:91
AFPThreadVars_::socket
int socket
Definition: source-af-packet.c:262
TmSlot_::slot_next
struct TmSlot_ * slot_next
Definition: tm-threads.h:87
AFPThreadVars_::flags
unsigned int flags
Definition: source-af-packet.c:247
SCBPFCompile
int SCBPFCompile(int snaplen_arg, int linktype_arg, struct bpf_program *program, const char *buf, int optimize, uint32_t mask, char *errbuf, size_t errbuf_len)
Definition: util-bpf.c:41
AFPThreadVars_::down_count
int down_count
Definition: source-af-packet.c:276
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:163
PKT_IGNORE_CHECKSUM
#define PKT_IGNORE_CHECKSUM
Definition: decode.h:1099
AFPThreadVars_::frame_offset
unsigned int frame_offset
Definition: source-af-packet.c:235
PKT_PSEUDO_STREAM_END
#define PKT_PSEUDO_STREAM_END
Definition: decode.h:1091
FlowBypassInfo_::bypass_data
void * bypass_data
Definition: flow.h:488
AFPThreadVars_::cluster_type
int cluster_type
Definition: source-af-packet.c:279
IPV6_GET_NH
#define IPV6_GET_NH(p)
Definition: decode-ipv6.h:86
SCMutexInit
#define SCMutexInit(mut, mutattrs)
Definition: threads-debug.h:116
AFPSetBPFFilter
TmEcode AFPSetBPFFilter(AFPThreadVars *ptv)
Definition: source-af-packet.c:2243
g_flowv6_ok
bool g_flowv6_ok
Definition: source-af-packet.c:2680
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
AFPIfaceConfig_::cluster_id
int cluster_id
Definition: source-af-packet.h:95
LiveGetDevice
LiveDevice * LiveGetDevice(const char *name)
Get a pointer to the device at idx.
Definition: util-device.c:236
DecodeAFPThreadInit
TmEcode DecodeAFPThreadInit(ThreadVars *, const void *, void **)
Definition: source-af-packet.c:2935
Packet_
Definition: decode.h:407
AFPThreadVars_::datalen
int datalen
Definition: source-af-packet.c:254
TmModule_::ThreadExitPrintStats
void(* ThreadExitPrintStats)(ThreadVars *, void *)
Definition: tm-modules.h:48
LINKTYPE_RAW
#define LINKTYPE_RAW
Definition: decode.h:1073
LiveDevAddBypassStats
void LiveDevAddBypassStats(LiveDevice *dev, uint64_t cnt, int family)
Definition: util-device.c:503
AFPV_CLEANUP
#define AFPV_CLEANUP(afpv)
Definition: source-af-packet.h:169
LINKTYPE_GRE_OVER_IP
#define LINKTYPE_GRE_OVER_IP
Definition: decode.h:1078
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281
DecodeAFPThreadDeinit
TmEcode DecodeAFPThreadDeinit(ThreadVars *tv, void *data)
Definition: source-af-packet.c:2952
DecodeSll
int DecodeSll(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
Definition: decode-sll.c:39
TAILQ_INSERT_TAIL
#define TAILQ_INSERT_TAIL(head, elm, field)
Definition: queue.h:385
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:436
SC_CAP_NET_RAW
#define SC_CAP_NET_RAW
Definition: util-privs.h:32
thdr::raw
void * raw
Definition: source-af-packet.c:202
PacketPoolWait
void PacketPoolWait(void)
Definition: tmqh-packetpool.c:148
TmModule_::name
const char * name
Definition: tm-modules.h:44
LiveDevice_::ignore_checksum
int ignore_checksum
Definition: util-device.h:45
AFPIfaceConfig_::DerefFunc
void(* DerefFunc)(void *)
Definition: source-af-packet.h:116
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
GET_IPV6_SRC_ADDR
#define GET_IPV6_SRC_ADDR(p)
Definition: decode.h:219
AFPThreadVars_::iface
char iface[AFP_IFACE_NAME_LENGTH]
Definition: source-af-packet.c:290
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:207
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:254
AFPThreadVars_::AFPTpacketReq::v2
struct tpacket_req v2
Definition: source-af-packet.c:284
PACKET_FANOUT
#define PACKET_FANOUT
Definition: source-af-packet.h:30
PacketSetData
int PacketSetData(Packet *p, uint8_t *pktdata, uint32_t pktlen)
Set data for Packet and set length when zeo copy is used.
Definition: decode.c:644
version
uint8_t version
Definition: decode-gre.h:405
SCFree
#define SCFree(a)
Definition: util-mem.h:322
AFPThreadVars_::livedev
LiveDevice * livedev
Definition: source-af-packet.c:224
PKT_IS_TCP
#define PKT_IS_TCP(p)
Definition: decode.h:253
TmSlot_
Definition: tm-threads.h:53
tmm_modules
TmModule tmm_modules[TMM_SIZE]
Definition: tm-modules.h:73
AFP_SOCK_PROTECT
#define AFP_SOCK_PROTECT
Definition: source-af-packet.h:60
FlowBypassInfo_::BypassFree
void(* BypassFree)(void *data)
Definition: flow.h:487
AFPThreadVars_::data
uint8_t * data
Definition: source-af-packet.c:253
AFPThreadVars_::ebpf_filter_fd
int ebpf_filter_fd
Definition: source-af-packet.c:272
default_packet_size
uint32_t default_packet_size
Definition: decode.h:617
AFPIfaceConfig_::buffer_size
int buffer_size
Definition: source-af-packet.h:87
AFP_XDPBYPASS
#define AFP_XDPBYPASS
Definition: source-af-packet.h:66
SCLogPerf
#define SCLogPerf(...)
Definition: util-debug.h:261
AFP_MMAP_LOCKED
#define AFP_MMAP_LOCKED
Definition: source-af-packet.h:64
AFPPeer_::peer
struct AFPPeer_ * peer
Definition: source-af-packet.h:132
AFPThreadVars
struct AFPThreadVars_ AFPThreadVars
Structure to hold thread specific variables.
StatsSyncCountersIfSignalled
#define StatsSyncCountersIfSignalled(tv)
Definition: counters.h:136
g_flowv4_ok
bool g_flowv4_ok
Definition: source-af-packet.c:2679
AFPThreadVars_::bpf_filter
const char * bpf_filter
Definition: source-af-packet.c:270
AFP_RECOVERABLE_ERROR
Definition: source-af-packet.c:194
TmModule_::ThreadInit
TmEcode(* ThreadInit)(ThreadVars *, const void *, void **)
Definition: tm-modules.h:47
AFP_BYPASS
#define AFP_BYPASS
Definition: source-af-packet.h:65
GET_TCP_DST_PORT
#define GET_TCP_DST_PORT(p)
Definition: decode.h:222
AFP_RING_MODE
#define AFP_RING_MODE
Definition: source-af-packet.h:58
ChecksumValidationMode
ChecksumValidationMode
Definition: decode.h:40
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:192
PACKET_FANOUT_FLAG_DEFRAG
#define PACKET_FANOUT_FLAG_DEFRAG
Definition: source-af-packet.h:40
AFP_READ_OK
Definition: source-af-packet.c:185
FlowGetStorageById
void * FlowGetStorageById(Flow *f, int id)
Definition: flow-storage.c:39
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:225
TP_STATUS_USER_BUSY
#define TP_STATUS_USER_BUSY
Definition: source-af-packet.c:177
AFPThreadVars_::slot
TmSlot * slot
Definition: source-af-packet.c:223
DecodeUpdatePacketCounters
void DecodeUpdatePacketCounters(ThreadVars *tv, const DecodeThreadVars *dtv, const Packet *p)
Definition: decode.c:571
FlowBypassInfo_::BypassUpdate
bool(* BypassUpdate)(Flow *f, void *data, time_t tsec)
Definition: flow.h:486
LiveDevAddBypassSuccess
void LiveDevAddBypassSuccess(LiveDevice *dev, uint64_t cnt, int family)
Definition: util-device.c:560
ThreadVars_::name
char name[16]
Definition: threadvars.h:59
AFP_READ_FAILURE
Definition: source-af-packet.c:186
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1129
AFP_FATAL_ERROR
Definition: source-af-packet.c:193
AFPIfaceConfig_::checksum_mode
ChecksumValidationMode checksum_mode
Definition: source-af-packet.h:102
LINKTYPE_ETHERNET
#define LINKTYPE_ETHERNET
Definition: decode.h:1070
GetFlowBypassInfoID
int GetFlowBypassInfoID(void)
Definition: flow-util.c:209
AFPThreadVars_::AFPRing
Definition: source-af-packet.c:214
Packet_::livedev
struct LiveDevice_ * livedev
Definition: decode.h:553
AFP_EMERGENCY_MODE
#define AFP_EMERGENCY_MODE
Definition: source-af-packet.h:61
PKT_IS_UDP
#define PKT_IS_UDP(p)
Definition: decode.h:254
len
uint8_t len
Definition: app-layer-dnp3.h:2649
AFP_PEERS_MAX_TRY
#define AFP_PEERS_MAX_TRY
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
AFPThreadVars_::mpeer
AFPPeer * mpeer
Definition: source-af-packet.c:250
AFPThreadVars_::pkts
uint64_t pkts
Definition: source-af-packet.c:220
Packet_::ts
struct timeval ts
Definition: decode.h:451
ReceiveAFPThreadExitStats
void ReceiveAFPThreadExitStats(ThreadVars *, void *)
This function prints stats to the screen at exit.
Definition: source-af-packet.c:2829
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:224
AFPThreadVars_::cluster_id
int cluster_id
Definition: source-af-packet.c:278
AFP_COPY_MODE_IPS
#define AFP_COPY_MODE_IPS
Definition: source-af-packet.h:70
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
Packet_::flags
uint32_t flags
Definition: decode.h:443
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:142
AFPThreadVars_::ring
union AFPThreadVars_::AFPRing ring
AFPThreadVars_::out_iface
char out_iface[AFP_IFACE_NAME_LENGTH]
Definition: source-af-packet.c:292
SCBPFFree
void SCBPFFree(struct bpf_program *program)
Definition: util-bpf.c:35
DecodeThreadVarsFree
void DecodeThreadVarsFree(ThreadVars *tv, DecodeThreadVars *dtv)
Definition: decode.c:624
GET_TCP_SRC_PORT
#define GET_TCP_SRC_PORT(p)
Definition: decode.h:221
AFP_STATE_UP
#define AFP_STATE_UP
Definition: source-af-packet.c:168
AFPThreadVars_::xdp_mode
uint8_t xdp_mode
Definition: source-af-packet.c:298
AFPIfaceConfig_::bpf_filter
const char * bpf_filter
Definition: source-af-packet.h:103
AFP_IFACE_NAME_LENGTH
#define AFP_IFACE_NAME_LENGTH
Definition: source-af-packet.c:165
AFPThreadVars_::tv
ThreadVars * tv
Definition: source-af-packet.c:222
FlowBypassInfo_
Definition: flow.h:485
PacketCopyData
int PacketCopyData(Packet *p, uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:259
AFPIfaceConfig_::promisc
int promisc
Definition: source-af-packet.h:98
AFPThreadVars_::promisc
int promisc
Definition: source-af-packet.c:274
DecodeAFP
TmEcode DecodeAFP(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *)
This function passes off to link type decoders.
Definition: source-af-packet.c:2889
Packet_::src
Address src
Definition: decode.h:412
AFP_TPACKET_V3
#define AFP_TPACKET_V3
Definition: source-af-packet.h:62
AFPIfaceConfig_::ebpf_filter_fd
int ebpf_filter_fd
Definition: source-af-packet.h:107
AFPThreadVars_::capture_errors
uint16_t capture_errors
Definition: source-af-packet.c:242
StatsGetLocalCounterValue
uint64_t StatsGetLocalCounterValue(ThreadVars *tv, uint16_t id)
Get the value of the local copy of the counter that hold this id.
Definition: counters.c:1232
SCMutexDestroy
#define SCMutexDestroy
Definition: threads-debug.h:120