suricata
source-af-packet.c
Go to the documentation of this file.
1 /* Copyright (C) 2011-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \defgroup afppacket AF_PACKET running mode
20  *
21  * @{
22  */
23 
24 /**
25  * \file
26  *
27  * \author Eric Leblond <eric@regit.org>
28  *
29  * AF_PACKET socket acquisition support
30  *
31  */
32 
33 #define SC_PCAP_DONT_INCLUDE_PCAP_H 1
35 #include "suricata.h"
36 #include "packet.h"
37 #include "decode.h"
38 #include "packet-queue.h"
39 #include "threads.h"
40 #include "threadvars.h"
41 #include "tm-queuehandlers.h"
42 #include "tm-modules.h"
43 #include "tm-threads.h"
44 #include "tm-threads-common.h"
45 #include "conf.h"
46 #include "util-cpu.h"
47 #include "util-datalink.h"
48 #include "util-debug.h"
49 #include "util-device.h"
50 #include "util-ebpf.h"
51 #include "util-error.h"
52 #include "util-privs.h"
53 #include "util-optimize.h"
54 #include "util-checksum.h"
55 #include "util-ioctl.h"
56 #include "util-host-info.h"
57 #include "tmqh-packetpool.h"
58 #include "source-af-packet.h"
59 #include "runmodes.h"
60 #include "flow-storage.h"
61 #include "util-validate.h"
62 #include "action-globals.h"
63 
64 #ifdef HAVE_AF_PACKET
65 
66 #if HAVE_SYS_IOCTL_H
67 #include <sys/ioctl.h>
68 #endif
69 
70 #if HAVE_LINUX_SOCKIOS_H
71 #include <linux/sockios.h>
72 #endif
73 
74 #ifdef HAVE_PACKET_EBPF
75 #define PCAP_DONT_INCLUDE_PCAP_BPF_H 1
76 #include <bpf/libbpf.h>
77 #include <bpf/bpf.h>
78 
79 struct bpf_program {
80  unsigned int bf_len;
81  struct bpf_insn *bf_insns;
82 };
83 #endif
84 
85 #ifdef HAVE_PCAP_H
86 #include <pcap.h>
87 #endif
88 
89 #ifdef HAVE_PCAP_PCAP_H
90 #include <pcap/pcap.h>
91 #endif
92 
93 #include "util-bpf.h"
94 
95 #if HAVE_LINUX_IF_ETHER_H
96 #include <linux/if_ether.h>
97 #endif
98 
99 #if HAVE_LINUX_IF_PACKET_H
100 #include <linux/if_packet.h>
101 #endif
102 
103 #if HAVE_LINUX_IF_ARP_H
104 #include <linux/if_arp.h>
105 #endif
106 
107 #if HAVE_LINUX_FILTER_H
108 #include <linux/filter.h>
109 #endif
110 
111 #if HAVE_SYS_MMAN_H
112 #include <sys/mman.h>
113 #endif
114 
115 #ifdef HAVE_HW_TIMESTAMPING
116 #include <linux/net_tstamp.h>
117 #endif
118 
119 #endif /* HAVE_AF_PACKET */
120 
121 extern uint32_t max_pending_packets;
122 
123 #ifndef HAVE_AF_PACKET
124 
125 TmEcode NoAFPSupportExit(ThreadVars *, const void *, void **);
126 
127 void TmModuleReceiveAFPRegister (void)
128 {
129  tmm_modules[TMM_RECEIVEAFP].name = "ReceiveAFP";
130  tmm_modules[TMM_RECEIVEAFP].ThreadInit = NoAFPSupportExit;
136 }
137 
138 /**
139  * \brief Registration Function for DecodeAFP.
140  */
141 void TmModuleDecodeAFPRegister (void)
142 {
143  tmm_modules[TMM_DECODEAFP].name = "DecodeAFP";
144  tmm_modules[TMM_DECODEAFP].ThreadInit = NoAFPSupportExit;
150 }
151 
152 /**
153  * \brief this function prints an error message and exits.
154  */
155 TmEcode NoAFPSupportExit(ThreadVars *tv, const void *initdata, void **data)
156 {
157  SCLogError("Error creating thread %s: you do not have "
158  "support for AF_PACKET enabled, on Linux host please recompile "
159  "with --enable-af-packet",
160  tv->name);
161  exit(EXIT_FAILURE);
162 }
163 
164 #else /* We have AF_PACKET support */
165 
166 #define AFP_IFACE_NAME_LENGTH 48
167 
168 #define AFP_STATE_DOWN 0
169 #define AFP_STATE_UP 1
170 
171 #define AFP_RECONNECT_TIMEOUT 500000
172 #define AFP_DOWN_COUNTER_INTERVAL 40
173 
174 #define POLL_TIMEOUT 100
175 
176 /* kernel flags defined for RX ring tp_status */
177 #ifndef TP_STATUS_KERNEL
178 #define TP_STATUS_KERNEL 0
179 #endif
180 #ifndef TP_STATUS_USER
181 #define TP_STATUS_USER BIT_U32(0)
182 #endif
183 #ifndef TP_STATUS_COPY
184 #define TP_STATUS_COPY BIT_U32(1)
185 #endif
186 #ifndef TP_STATUS_LOSING
187 #define TP_STATUS_LOSING BIT_U32(2)
188 #endif
189 #ifndef TP_STATUS_CSUMNOTREADY
190 #define TP_STATUS_CSUMNOTREADY BIT_U32(3)
191 #endif
192 #ifndef TP_STATUS_VLAN_VALID
193 #define TP_STATUS_VLAN_VALID BIT_U32(4)
194 #endif
195 #ifndef TP_STATUS_BLK_TMO
196 #define TP_STATUS_BLK_TMO BIT_U32(5)
197 #endif
198 #ifndef TP_STATUS_VLAN_TPID_VALID
199 #define TP_STATUS_VLAN_TPID_VALID BIT_U32(6)
200 #endif
201 #ifndef TP_STATUS_CSUM_VALID
202 #define TP_STATUS_CSUM_VALID BIT_U32(7)
203 #endif
204 
205 #ifndef TP_STATUS_TS_SOFTWARE
206 #define TP_STATUS_TS_SOFTWARE BIT_U32(29)
207 #endif
208 #ifndef TP_STATUS_TS_SYS_HARDWARE
209 #define TP_STATUS_TS_SYS_HARDWARE BIT_U32(30) /* kernel comment says: "deprecated, never set" */
210 #endif
211 #ifndef TP_STATUS_TS_RAW_HARDWARE
212 #define TP_STATUS_TS_RAW_HARDWARE BIT_U32(31)
213 #endif
214 
215 #ifndef TP_STATUS_USER_BUSY
216 /* HACK special setting in the tp_status field for frames we are
217  * still working on. This can happen in autofp mode where the
218  * capture thread goes around the ring and finds a frame that still
219  * hasn't been released by a worker thread.
220  *
221  * We use bits 29, 30, 31. 29 and 31 are software and hardware
222  * timestamps. 30 should not be set by the kernel at all. Combined
223  * they should never be set on the rx-ring together.
224  *
225  * The excessive casting is for handling the fact that the kernel
226  * defines almost all of these as int flags, not unsigned ints. */
227 #define TP_STATUS_USER_BUSY \
228  (uint32_t)((uint32_t)TP_STATUS_TS_SOFTWARE | (uint32_t)TP_STATUS_TS_SYS_HARDWARE | \
229  (uint32_t)TP_STATUS_TS_RAW_HARDWARE)
230 #endif
231 #define FRAME_BUSY(tp_status) \
232  (((uint32_t)(tp_status) & (uint32_t)TP_STATUS_USER_BUSY) == (uint32_t)TP_STATUS_USER_BUSY)
233 
234 enum {
237  /** Error during treatment by other functions of Suricata */
240 };
241 
242 enum {
245 };
246 
247 union thdr {
248  struct tpacket2_hdr *h2;
249  struct tpacket3_hdr *h3;
250  void *raw;
251 };
252 
253 #ifdef HAVE_PACKET_EBPF
254 static int AFPBypassCallback(Packet *p);
255 static int AFPXDPBypassCallback(Packet *p);
256 #endif
257 
258 /**
259  * \brief Structure to hold thread specific variables.
260  */
261 typedef struct AFPThreadVars_
262 {
263  union AFPRing {
264  union thdr **v2;
265  struct iovec *v3;
266  } ring;
267 
268  /* counters */
269  uint64_t pkts;
270 
274  /* data link type for the thread */
275  uint32_t datalink;
276 
277 #ifdef HAVE_PACKET_EBPF
278  /* File descriptor of the IPv4 flow bypass table maps */
279  int v4_map_fd;
280  /* File descriptor of the IPv6 flow bypass table maps */
281  int v6_map_fd;
282 #endif
283 
284  unsigned int frame_offset;
285 
287 
288  /* references to packet and drop counters */
291  uint16_t capture_errors;
292  uint16_t afpacket_spin;
299 
300  uint64_t send_errors_logged; /**< snapshot of send errors logged. */
301 
302  /* handle state */
303  uint8_t afp_state;
304  uint8_t copy_mode;
305  unsigned int flags;
306 
307  /* IPS peer */
309 
310  /*
311  * Init related members
312  */
313 
314  /* thread specific socket */
315  int socket;
316 
321  /* socket buffer size */
323  /* Filter */
324  const char *bpf_filter;
325 
326  int promisc;
327 
328  /* bitmask of ignored ssl_pkttypes */
330 
332 
333  uint16_t cluster_id;
335 
336  int threads;
337 
339  struct tpacket_req v2;
340  struct tpacket_req3 v3;
341  } req;
342 
344  /* IPS output iface */
346 
347  /* mmap'ed ring buffer */
348  unsigned int ring_buflen;
349  uint8_t *ring_buf;
350 
351  int snaplen; /**< snaplen in use for passing on to bpf */
352 #ifdef HAVE_PACKET_EBPF
353  uint8_t xdp_mode;
354  int ebpf_lb_fd;
355  int ebpf_filter_fd;
356  struct ebpf_timeout_config ebpf_t_config;
357 #endif
358 
360 
361 static TmEcode ReceiveAFPThreadInit(ThreadVars *, const void *, void **);
362 static void ReceiveAFPThreadExitStats(ThreadVars *, void *);
363 static TmEcode ReceiveAFPThreadDeinit(ThreadVars *, void *);
364 static TmEcode ReceiveAFPLoop(ThreadVars *tv, void *data, void *slot);
365 
366 static TmEcode DecodeAFPThreadInit(ThreadVars *, const void *, void **);
367 static TmEcode DecodeAFPThreadDeinit(ThreadVars *tv, void *data);
368 static TmEcode DecodeAFP(ThreadVars *, Packet *, void *);
369 
370 static TmEcode AFPSetBPFFilter(AFPThreadVars *ptv);
371 static int AFPGetIfnumByDev(int fd, const char *ifname, int verbose);
372 static int AFPGetDevFlags(int fd, const char *ifname);
373 static int AFPDerefSocket(AFPPeer* peer);
374 static int AFPRefSocket(AFPPeer* peer);
375 
376 
377 /**
378  * \brief Registration Function for RecieveAFP.
379  * \todo Unit tests are needed for this module.
380  */
382 {
383  tmm_modules[TMM_RECEIVEAFP].name = "ReceiveAFP";
384  tmm_modules[TMM_RECEIVEAFP].ThreadInit = ReceiveAFPThreadInit;
386  tmm_modules[TMM_RECEIVEAFP].PktAcqLoop = ReceiveAFPLoop;
388  tmm_modules[TMM_RECEIVEAFP].ThreadExitPrintStats = ReceiveAFPThreadExitStats;
389  tmm_modules[TMM_RECEIVEAFP].ThreadDeinit = ReceiveAFPThreadDeinit;
392 
393 }
394 
395 /**
396  * \defgroup afppeers AFP peers list
397  *
398  * AF_PACKET has an IPS mode were interface are peered: packet from
399  * on interface are sent the peered interface and the other way. The ::AFPPeer
400  * list is maintaining the list of peers. Each ::AFPPeer is storing the needed
401  * information to be able to send packet on the interface.
402  * A element of the list must not be destroyed during the run of Suricata as it
403  * is used by ::Packet and other threads.
404  *
405  * @{
406  */
407 
408 typedef struct AFPPeersList_ {
409  TAILQ_HEAD(, AFPPeer_) peers; /**< Head of list of fragments. */
410  int cnt;
411  int peered;
412  int turn; /**< Next value for initialisation order */
413  SC_ATOMIC_DECLARE(int, reached); /**< Counter used to synchronize start */
415 
416 /**
417  * \brief Update the peer.
418  *
419  * Update the AFPPeer of a thread ie set new state, socket number
420  * or iface index.
421  *
422  */
423 static void AFPPeerUpdate(AFPThreadVars *ptv)
424 {
425  if (ptv->mpeer == NULL) {
426  return;
427  }
428  (void)SC_ATOMIC_SET(ptv->mpeer->if_idx, AFPGetIfnumByDev(ptv->socket, ptv->iface, 0));
429  (void)SC_ATOMIC_SET(ptv->mpeer->socket, ptv->socket);
430  (void)SC_ATOMIC_SET(ptv->mpeer->state, ptv->afp_state);
431 }
432 
433 /**
434  * \brief Clean and free ressource used by an ::AFPPeer
435  */
436 static void AFPPeerClean(AFPPeer *peer)
437 {
438  if (peer->flags & AFP_SOCK_PROTECT)
440  SCFree(peer);
441 }
442 
444 
445 
446 /**
447  * \brief Init the global list of ::AFPPeer
448  */
450 {
451  SCEnter();
452  TAILQ_INIT(&peerslist.peers);
453  peerslist.peered = 0;
454  peerslist.cnt = 0;
455  peerslist.turn = 0;
456  SC_ATOMIC_INIT(peerslist.reached);
457  (void) SC_ATOMIC_SET(peerslist.reached, 0);
459 }
460 
461 /**
462  * \brief Check that all ::AFPPeer got a peer
463  *
464  * \retval TM_ECODE_FAILED if some threads are not peered or TM_ECODE_OK else.
465  */
467 {
468 #define AFP_PEERS_MAX_TRY 4
469 #define AFP_PEERS_WAIT 20000
470  int try = 0;
471  SCEnter();
472  while (try < AFP_PEERS_MAX_TRY) {
473  if (peerslist.cnt != peerslist.peered) {
474  usleep(AFP_PEERS_WAIT);
475  } else {
477  }
478  try++;
479  }
480  SCLogError("thread number not equal");
482 }
483 
484 /**
485  * \brief Declare a new AFP thread to AFP peers list.
486  */
487 static TmEcode AFPPeersListAdd(AFPThreadVars *ptv)
488 {
489  SCEnter();
490  AFPPeer *peer = SCCalloc(1, sizeof(AFPPeer));
491  AFPPeer *pitem;
492 
493  if (unlikely(peer == NULL)) {
495  }
496  SC_ATOMIC_INIT(peer->socket);
497  SC_ATOMIC_INIT(peer->sock_usage);
498  SC_ATOMIC_INIT(peer->if_idx);
499  SC_ATOMIC_INIT(peer->state);
500  peer->flags = ptv->flags;
501  peer->turn = peerslist.turn++;
502 
503  if (peer->flags & AFP_SOCK_PROTECT) {
504  SCMutexInit(&peer->sock_protect, NULL);
505  }
506 
507  (void)SC_ATOMIC_SET(peer->sock_usage, 0);
508  (void)SC_ATOMIC_SET(peer->state, AFP_STATE_DOWN);
510  ptv->mpeer = peer;
511  /* add element to iface list */
512  TAILQ_INSERT_TAIL(&peerslist.peers, peer, next);
513 
514  if (ptv->copy_mode != AFP_COPY_MODE_NONE) {
515  peerslist.cnt++;
516 
517  /* Iter to find a peer */
518  TAILQ_FOREACH(pitem, &peerslist.peers, next) {
519  if (pitem->peer)
520  continue;
521  if (strcmp(pitem->iface, ptv->out_iface))
522  continue;
523  peer->peer = pitem;
524  pitem->peer = peer;
525 
526  LiveDevice *iface = ptv->livedev;
527  DEBUG_VALIDATE_BUG_ON(iface == NULL);
528  DEBUG_VALIDATE_BUG_ON(strcmp(iface->dev, ptv->iface) != 0);
529  LiveDevice *out_iface = LiveGetDevice(ptv->out_iface);
530  if (out_iface == NULL)
531  FatalError("AF_PACKET device %s not found. Aborting..", ptv->out_iface);
532  if (iface->mtu != out_iface->mtu) {
533  SCLogWarning("MTU on %s (%d) and %s (%d) are not equal, transmission of packets "
534  "bigger than %d will fail.",
535  iface->dev, iface->mtu, out_iface->dev, out_iface->mtu,
536  MIN(out_iface->mtu, iface->mtu));
537  }
538  peerslist.peered += 2;
539  break;
540  }
541  }
542 
543  AFPPeerUpdate(ptv);
544 
546 }
547 
548 static int AFPPeersListWaitTurn(AFPPeer *peer)
549 {
550  /* If turn is zero, we already have started threads once */
551  if (peerslist.turn == 0)
552  return 0;
553 
554  if (peer->turn == SC_ATOMIC_GET(peerslist.reached))
555  return 0;
556  return 1;
557 }
558 
559 static void AFPPeersListReachedInc(void)
560 {
561  if (peerslist.turn == 0)
562  return;
563 
564  if ((SC_ATOMIC_ADD(peerslist.reached, 1) + 1) == peerslist.turn) {
565  (void)SC_ATOMIC_SET(peerslist.reached, 0);
566  /* Set turn to 0 to skip synchronization when ReceiveAFPLoop is
567  * restarted.
568  */
569  peerslist.turn = 0;
570  }
571 }
572 
573 static int AFPPeersListStarted(void)
574 {
575  return !peerslist.turn;
576 }
577 
578 /**
579  * \brief Clean the global peers list.
580  */
582 {
583  AFPPeer *pitem;
584 
585  while ((pitem = TAILQ_FIRST(&peerslist.peers))) {
586  TAILQ_REMOVE(&peerslist.peers, pitem, next);
587  AFPPeerClean(pitem);
588  }
589 }
590 
591 /**
592  * @}
593  */
594 
595 /**
596  * \brief Registration Function for DecodeAFP.
597  * \todo Unit tests are needed for this module.
598  */
600 {
601  tmm_modules[TMM_DECODEAFP].name = "DecodeAFP";
602  tmm_modules[TMM_DECODEAFP].ThreadInit = DecodeAFPThreadInit;
603  tmm_modules[TMM_DECODEAFP].Func = DecodeAFP;
605  tmm_modules[TMM_DECODEAFP].ThreadDeinit = DecodeAFPThreadDeinit;
608 }
609 
610 static int AFPCreateSocket(AFPThreadVars *ptv, char *devname, int verbose, const bool peer_update);
611 
612 static inline void AFPDumpCounters(AFPThreadVars *ptv)
613 {
614 #ifdef PACKET_STATISTICS
615  struct tpacket_stats kstats;
616  socklen_t len = sizeof (struct tpacket_stats);
617  if (getsockopt(ptv->socket, SOL_PACKET, PACKET_STATISTICS,
618  &kstats, &len) > -1) {
619  SCLogDebug("(%s) Kernel: Packets %" PRIu32 ", dropped %" PRIu32 "",
620  ptv->tv->name,
621  kstats.tp_packets, kstats.tp_drops);
622  StatsAddUI64(ptv->tv, ptv->capture_kernel_packets, kstats.tp_packets);
623  StatsAddUI64(ptv->tv, ptv->capture_kernel_drops, kstats.tp_drops);
624  (void) SC_ATOMIC_ADD(ptv->livedev->drop, (uint64_t) kstats.tp_drops);
625  (void) SC_ATOMIC_ADD(ptv->livedev->pkts, (uint64_t) kstats.tp_packets);
626 
627  const uint64_t value = SC_ATOMIC_GET(ptv->mpeer->send_errors);
628  if (value > ptv->send_errors_logged) {
629  StatsAddUI64(ptv->tv, ptv->capture_afp_send_err, value - ptv->send_errors_logged);
630  ptv->send_errors_logged = value;
631  }
632  }
633 #endif
634 }
635 
636 /**
637  * \brief AF packet write function.
638  *
639  * This function has to be called before the memory
640  * related to Packet in ring buffer is released.
641  *
642  * \param pointer to Packet
643  * \param version of capture: TPACKET_V2 or TPACKET_V3
644  * \retval TM_ECODE_FAILED on failure and TM_ECODE_OK on success
645  *
646  */
647 static void AFPWritePacket(Packet *p, int version)
648 {
649  struct sockaddr_ll socket_address;
650  int socket;
651 
652  if (p->afp_v.copy_mode == AFP_COPY_MODE_IPS) {
653  if (PacketCheckAction(p, ACTION_DROP)) {
654  return;
655  }
656  }
657 
658  if (!PacketIsEthernet(p)) {
659  SCLogWarning("packet should have an ethernet header");
660  return;
661  }
662 
663  const EthernetHdr *ethh = PacketGetEthernet(p);
664  /* Index of the network device */
665  socket_address.sll_ifindex = SC_ATOMIC_GET(p->afp_v.peer->if_idx);
666  /* Address length*/
667  socket_address.sll_halen = ETH_ALEN;
668  /* Destination MAC */
669  memcpy(socket_address.sll_addr, ethh, 6);
670 
671  /* Send packet, locking the socket if necessary */
672  if (p->afp_v.peer->flags & AFP_SOCK_PROTECT)
673  SCMutexLock(&p->afp_v.peer->sock_protect);
674  socket = SC_ATOMIC_GET(p->afp_v.peer->socket);
675 
676  if (sendto(socket, GET_PKT_DATA(p), GET_PKT_LEN(p), 0, (struct sockaddr *)&socket_address,
677  sizeof(struct sockaddr_ll)) < 0) {
678  if (SC_ATOMIC_ADD(p->afp_v.peer->send_errors, 1) == 0) {
679  SCLogWarning("%s: sending packet failed on socket %d: %s", p->afp_v.peer->iface, socket,
680  strerror(errno));
681  }
682  }
683  if (p->afp_v.peer->flags & AFP_SOCK_PROTECT)
684  SCMutexUnlock(&p->afp_v.peer->sock_protect);
685 }
686 
687 static void AFPReleaseDataFromRing(Packet *p)
688 {
690 
691  /* Need to be in copy mode and need to detect early release
692  where Ethernet header could not be set (and pseudo packet) */
693  if (p->afp_v.copy_mode != AFP_COPY_MODE_NONE) {
694  AFPWritePacket(p, TPACKET_V2);
695  }
696 
697  BUG_ON(p->afp_v.relptr == NULL);
698 
699  union thdr h;
700  h.raw = p->afp_v.relptr;
701  h.h2->tp_status = TP_STATUS_KERNEL;
702 
703  (void)AFPDerefSocket(p->afp_v.mpeer);
704 
705  AFPV_CLEANUP(&p->afp_v);
706 }
707 
708 static void AFPReleasePacketV3(Packet *p)
709 {
711 
712  /* Need to be in copy mode and need to detect early release
713  where Ethernet header could not be set (and pseudo packet) */
714  if (p->afp_v.copy_mode != AFP_COPY_MODE_NONE) {
715  AFPWritePacket(p, TPACKET_V3);
716  }
718 }
719 
720 static void AFPReleasePacket(Packet *p)
721 {
722  AFPReleaseDataFromRing(p);
724 }
725 
726 /** \internal
727  * \brief recoverable error - release packet and
728  * return AFP_SURI_FAILURE
729  */
730 static inline int AFPSuriFailure(AFPThreadVars *ptv, union thdr h)
731 {
732  h.h2->tp_status = TP_STATUS_KERNEL;
733  if (++ptv->frame_offset >= ptv->req.v2.tp_frame_nr) {
734  ptv->frame_offset = 0;
735  }
737 }
738 
739 static inline void AFPReadApplyBypass(const AFPThreadVars *ptv, Packet *p)
740 {
741 #ifdef HAVE_PACKET_EBPF
742  if (ptv->flags & AFP_BYPASS) {
743  p->BypassPacketsFlow = AFPBypassCallback;
744  p->afp_v.v4_map_fd = ptv->v4_map_fd;
745  p->afp_v.v6_map_fd = ptv->v6_map_fd;
746  p->afp_v.nr_cpus = ptv->ebpf_t_config.cpus_count;
747  }
748  if (ptv->flags & AFP_XDPBYPASS) {
749  p->BypassPacketsFlow = AFPXDPBypassCallback;
750  p->afp_v.v4_map_fd = ptv->v4_map_fd;
751  p->afp_v.v6_map_fd = ptv->v6_map_fd;
752  p->afp_v.nr_cpus = ptv->ebpf_t_config.cpus_count;
753  }
754 #endif
755 }
756 
757 /** \internal
758  * \brief setup packet for AFPReadFromRing
759  */
760 static void AFPReadFromRingSetupPacket(
761  AFPThreadVars *ptv, union thdr h, const unsigned int tp_status, Packet *p)
762 {
764 
765  /* flag the packet as TP_STATUS_USER_BUSY, which is ignore by the kernel, but
766  * acts as an indicator that we've reached a frame that is not yet released by
767  * us in autofp mode. It will be cleared when the frame gets released to the kernel. */
768  h.h2->tp_status |= TP_STATUS_USER_BUSY;
769  p->livedev = ptv->livedev;
770  p->datalink = ptv->datalink;
771  ptv->pkts++;
772 
773  AFPReadApplyBypass(ptv, p);
774 
775  if (h.h2->tp_len > h.h2->tp_snaplen) {
776  SCLogDebug("Packet length (%d) > snaplen (%d), truncating", h.h2->tp_len, h.h2->tp_snaplen);
778  }
779 
780  /* get vlan id from header */
781  if ((ptv->flags & AFP_VLAN_IN_HEADER) &&
782  (tp_status & TP_STATUS_VLAN_VALID || h.h2->tp_vlan_tci)) {
783  p->vlan_id[0] = h.h2->tp_vlan_tci & 0x0fff;
784  p->vlan_idx = 1;
785  p->afp_v.vlan_tci = h.h2->tp_vlan_tci;
786  }
787 
788  (void)PacketSetData(p, (unsigned char *)h.raw + h.h2->tp_mac, h.h2->tp_snaplen);
789 
790  p->ReleasePacket = AFPReleasePacket;
791  p->afp_v.relptr = h.raw;
792  if (ptv->flags & AFP_NEED_PEER) {
793  p->afp_v.mpeer = ptv->mpeer;
794  AFPRefSocket(ptv->mpeer);
795  } else {
796  p->afp_v.mpeer = NULL;
797  }
798  p->afp_v.copy_mode = ptv->copy_mode;
799  p->afp_v.peer = (p->afp_v.copy_mode == AFP_COPY_MODE_NONE) ? NULL : ptv->mpeer->peer;
800 
801  /* Timestamp */
802  p->ts = (SCTime_t){ .secs = h.h2->tp_sec, .usecs = h.h2->tp_nsec / 1000 };
803  SCLogDebug("pktlen: %" PRIu32 " (pkt %p, pkt data %p)", GET_PKT_LEN(p), p, GET_PKT_DATA(p));
804 
805  /* We only check for checksum disable */
808  } else if (ptv->checksum_mode == CHECKSUM_VALIDATION_AUTO) {
809  if (ChecksumAutoModeCheck(ptv->pkts, SC_ATOMIC_GET(ptv->livedev->pkts),
810  SC_ATOMIC_GET(ptv->livedev->invalid_checksums))) {
813  }
814  } else {
815  if (tp_status & TP_STATUS_CSUMNOTREADY) {
817  }
818  }
819 }
820 
821 static inline int AFPReadFromRingWaitForPacket(AFPThreadVars *ptv)
822 {
823  union thdr h;
824  struct timeval start_time;
825  gettimeofday(&start_time, NULL);
826  uint64_t busy_loop_iter = 0;
827 
828  /* busy wait loop until we have packets available */
829  while (1) {
830  if (unlikely(suricata_ctl_flags != 0)) {
831  break;
832  }
833  h.raw = (((union thdr **)ptv->ring.v2)[ptv->frame_offset]);
834  if (unlikely(h.raw == NULL)) {
835  return AFP_READ_FAILURE;
836  }
837  const unsigned int tp_status = h.h2->tp_status;
838  if (tp_status == TP_STATUS_KERNEL) {
839  busy_loop_iter++;
840 
841  struct timeval cur_time;
842  memset(&cur_time, 0, sizeof(cur_time));
843  uint64_t milliseconds =
844  ((cur_time.tv_sec - start_time.tv_sec) * 1000) +
845  (((1000000 + cur_time.tv_usec - start_time.tv_usec) / 1000) - 1000);
846  if (milliseconds > 1000) {
847  break;
848  }
849  continue;
850  }
851  break;
852  }
853  if (busy_loop_iter) {
854  StatsAddUI64(ptv->tv, ptv->afpacket_spin, busy_loop_iter);
855  }
856  return AFP_READ_OK;
857 }
858 
859 /**
860  * \brief AF packet frame ignore logic
861  *
862  * Given a sockaddr_ll of a frame, use the pkttype_filter_mask to decide if the
863  * frame should be ignored. Protect from undefined behavior if there's ever
864  * a sll_pkttype that would shift by too much. At this point, only outgoing
865  * packets (4) are ignored. The highest value in if_linux.h is PACKET_KERNEL (7),
866  * this extra check is being overly cautious.
867  *
868  * \retval true if the frame should be ignored
869  */
870 static inline bool AFPShouldIgnoreFrame(AFPThreadVars *ptv, const struct sockaddr_ll *sll)
871 {
872  if (unlikely(sll->sll_pkttype > 31))
873  return false;
874 
875  return (ptv->pkttype_filter_mask & BIT_U32(sll->sll_pkttype)) != 0;
876 }
877 
878 /**
879  * \brief AF packet read function for ring
880  *
881  * This function fills
882  * From here the packets are picked up by the DecodeAFP thread.
883  *
884  * \param user pointer to AFPThreadVars
885  * \retval TM_ECODE_FAILED on failure and TM_ECODE_OK on success
886  */
887 static int AFPReadFromRing(AFPThreadVars *ptv)
888 {
889  union thdr h;
890  bool emergency_flush = false;
891  const unsigned int start_pos = ptv->frame_offset;
892 
893  /* poll() told us there are frames, so lets wait for at least
894  * one frame to become available. */
895  if (AFPReadFromRingWaitForPacket(ptv) != AFP_READ_OK)
896  return AFP_READ_FAILURE;
897 
898  /* process the frames in the ring */
899  while (1) {
900  if (unlikely(suricata_ctl_flags != 0)) {
901  break;
902  }
903  h.raw = (((union thdr **)ptv->ring.v2)[ptv->frame_offset]);
904  if (unlikely(h.raw == NULL)) {
905  return AFP_READ_FAILURE;
906  }
907  const unsigned int tp_status = h.h2->tp_status;
908  /* if we find a kernel frame we are done */
909  if (unlikely(tp_status == TP_STATUS_KERNEL)) {
910  break;
911  }
912  /* if in autofp mode the frame is still busy, return to poll */
913  if (unlikely(FRAME_BUSY(tp_status))) {
914  break;
915  }
916  emergency_flush |= ((tp_status & TP_STATUS_LOSING) != 0);
917 
918  if ((ptv->flags & AFP_EMERGENCY_MODE) && emergency_flush) {
919  h.h2->tp_status = TP_STATUS_KERNEL;
920  goto next_frame;
921  }
922 
923  const struct sockaddr_ll *sll =
924  (const struct sockaddr_ll *)((uint8_t *)h.h2 +
925  TPACKET_ALIGN(sizeof(struct tpacket2_hdr)));
926  if (unlikely(AFPShouldIgnoreFrame(ptv, sll)))
927  goto next_frame;
928 
930  if (p == NULL) {
931  return AFPSuriFailure(ptv, h);
932  }
933  AFPReadFromRingSetupPacket(ptv, h, tp_status, p);
934 
935  if (TmThreadsSlotProcessPkt(ptv->tv, ptv->slot, p) != TM_ECODE_OK) {
936  return AFPSuriFailure(ptv, h);
937  }
938 next_frame:
939  if (++ptv->frame_offset >= ptv->req.v2.tp_frame_nr) {
940  ptv->frame_offset = 0;
941  /* Get out of loop to be sure we will reach maintenance tasks */
942  if (ptv->frame_offset == start_pos)
943  break;
944  }
945  }
946  if (emergency_flush) {
947  AFPDumpCounters(ptv);
948  }
950 }
951 
952 static inline void AFPFlushBlock(struct tpacket_block_desc *pbd)
953 {
954  pbd->hdr.bh1.block_status = TP_STATUS_KERNEL;
955 }
956 
957 static inline int AFPParsePacketV3(AFPThreadVars *ptv, struct tpacket_block_desc *pbd, struct tpacket3_hdr *ppd)
958 {
960  if (p == NULL) {
962  }
964 
965  AFPReadApplyBypass(ptv, p);
966 
967  ptv->pkts++;
968  p->livedev = ptv->livedev;
969  p->datalink = ptv->datalink;
970 
971  if ((ptv->flags & AFP_VLAN_IN_HEADER) &&
972  (ppd->tp_status & TP_STATUS_VLAN_VALID || ppd->hv1.tp_vlan_tci)) {
973  p->vlan_id[0] = ppd->hv1.tp_vlan_tci & 0x0fff;
974  p->vlan_idx = 1;
975  p->afp_v.vlan_tci = (uint16_t)ppd->hv1.tp_vlan_tci;
976  }
977 
978  if (ppd->tp_len > ppd->tp_snaplen) {
979  SCLogDebug("Packet length (%d) > snaplen (%d), truncating", ppd->tp_len, ppd->tp_snaplen);
981  }
982 
983  (void)PacketSetData(p, (unsigned char *)ppd + ppd->tp_mac, ppd->tp_snaplen);
984 
985  p->ReleasePacket = AFPReleasePacketV3;
986  p->afp_v.relptr = NULL;
987  p->afp_v.mpeer = NULL;
988  p->afp_v.copy_mode = ptv->copy_mode;
989  p->afp_v.peer = (p->afp_v.copy_mode == AFP_COPY_MODE_NONE) ? NULL : ptv->mpeer->peer;
990 
991  /* Timestamp */
992  p->ts = (SCTime_t){ .secs = ppd->tp_sec, .usecs = ppd->tp_nsec / 1000 };
993  SCLogDebug("pktlen: %" PRIu32 " (pkt %p, pkt data %p)",
994  GET_PKT_LEN(p), p, GET_PKT_DATA(p));
995 
996  /* We only check for checksum disable */
999  } else if (ptv->checksum_mode == CHECKSUM_VALIDATION_AUTO) {
1000  if (ChecksumAutoModeCheck(ptv->pkts,
1001  SC_ATOMIC_GET(ptv->livedev->pkts),
1002  SC_ATOMIC_GET(ptv->livedev->invalid_checksums))) {
1004  p->flags |= PKT_IGNORE_CHECKSUM;
1005  }
1006  } else {
1007  if (ppd->tp_status & TP_STATUS_CSUMNOTREADY) {
1008  p->flags |= PKT_IGNORE_CHECKSUM;
1009  }
1010  }
1011 
1012  if (TmThreadsSlotProcessPkt(ptv->tv, ptv->slot, p) != TM_ECODE_OK) {
1014  }
1015 
1017 }
1018 
1019 static inline int AFPWalkBlock(AFPThreadVars *ptv, struct tpacket_block_desc *pbd)
1020 {
1021  const int num_pkts = pbd->hdr.bh1.num_pkts;
1022  uint8_t *ppd = (uint8_t *)pbd + pbd->hdr.bh1.offset_to_first_pkt;
1023 
1024  for (int i = 0; i < num_pkts; ++i) {
1025  const struct sockaddr_ll *sll =
1026  (const struct sockaddr_ll *)(ppd + TPACKET_ALIGN(sizeof(struct tpacket3_hdr)));
1027  if (unlikely(AFPShouldIgnoreFrame(ptv, sll))) {
1028  ppd = ppd + ((struct tpacket3_hdr *)ppd)->tp_next_offset;
1029  continue;
1030  }
1031  int ret = AFPParsePacketV3(ptv, pbd, (struct tpacket3_hdr *)ppd);
1032  switch (ret) {
1033  case AFP_READ_OK:
1034  break;
1035  case AFP_SURI_FAILURE:
1036  /* Internal error but let's just continue and
1037  * treat thenext packet */
1038  break;
1039  case AFP_READ_FAILURE:
1041  default:
1042  SCReturnInt(ret);
1043  }
1044  ppd = ppd + ((struct tpacket3_hdr *)ppd)->tp_next_offset;
1045  }
1046 
1048 }
1049 
1050 /**
1051  * \brief AF packet read function for ring
1052  *
1053  * This function fills
1054  * From here the packets are picked up by the DecodeAFP thread.
1055  *
1056  * \param user pointer to AFPThreadVars
1057  * \retval TM_ECODE_FAILED on failure and TM_ECODE_OK on success
1058  */
1059 static int AFPReadFromRingV3(AFPThreadVars *ptv)
1060 {
1061  /* Loop till we have packets available */
1062  while (1) {
1063  if (unlikely(suricata_ctl_flags != 0)) {
1064  SCLogDebug("Exiting AFP V3 read loop");
1065  break;
1066  }
1067 
1068  struct tpacket_block_desc *pbd =
1069  (struct tpacket_block_desc *)ptv->ring.v3[ptv->frame_offset].iov_base;
1070 
1071  /* block is not ready to be read */
1072  if ((pbd->hdr.bh1.block_status & TP_STATUS_USER) == 0) {
1074  }
1075 
1076  int ret = AFPWalkBlock(ptv, pbd);
1077  if (unlikely(ret != AFP_READ_OK)) {
1078  AFPFlushBlock(pbd);
1079  SCReturnInt(ret);
1080  }
1081 
1082  AFPFlushBlock(pbd);
1083  ptv->frame_offset = (ptv->frame_offset + 1) % ptv->req.v3.tp_block_nr;
1084  /* return to maintenance task after one loop on the ring */
1085  if (ptv->frame_offset == 0) {
1087  }
1088  }
1090 }
1091 
1092 /**
1093  * \brief Reference socket
1094  *
1095  * \retval O in case of failure, 1 in case of success
1096  */
1097 static int AFPRefSocket(AFPPeer* peer)
1098 {
1099  if (unlikely(peer == NULL))
1100  return 0;
1101 
1102  (void)SC_ATOMIC_ADD(peer->sock_usage, 1);
1103  return 1;
1104 }
1105 
1106 
1107 /**
1108  * \brief Dereference socket
1109  *
1110  * \retval 1 if socket is still alive, 0 if not
1111  */
1112 static int AFPDerefSocket(AFPPeer* peer)
1113 {
1114  if (peer == NULL)
1115  return 1;
1116 
1117  if (SC_ATOMIC_SUB(peer->sock_usage, 1) == 1) {
1118  return 0;
1119  }
1120  return 1;
1121 }
1122 
1123 static void AFPCloseSocket(AFPThreadVars *ptv)
1124 {
1125  if (ptv->mpeer != NULL)
1126  BUG_ON(SC_ATOMIC_GET(ptv->mpeer->sock_usage) != 0);
1127 
1128  if (ptv->flags & AFP_TPACKET_V3) {
1129  if (ptv->ring.v3) {
1130  SCFree(ptv->ring.v3);
1131  ptv->ring.v3 = NULL;
1132  }
1133  } else {
1134  if (ptv->ring.v2) {
1135  /* only used in reading phase, we can free it */
1136  SCFree(ptv->ring.v2);
1137  ptv->ring.v2 = NULL;
1138  }
1139  }
1140  if (ptv->socket != -1) {
1141  SCLogDebug("Cleaning socket connected to '%s'", ptv->iface);
1142  munmap(ptv->ring_buf, ptv->ring_buflen);
1143  close(ptv->socket);
1144  ptv->socket = -1;
1145  }
1146 }
1147 
1148 static void AFPSwitchState(AFPThreadVars *ptv, uint8_t state)
1149 {
1150  ptv->afp_state = state;
1151  ptv->down_count = 0;
1152 
1153  if (state == AFP_STATE_DOWN) {
1154  /* cleanup is done on thread cleanup or try reopen
1155  * as there may still be packets in autofp that
1156  * are referencing us */
1157  (void)SC_ATOMIC_SUB(ptv->mpeer->sock_usage, 1);
1158  }
1159  if (state == AFP_STATE_UP) {
1160  AFPPeerUpdate(ptv);
1161  (void)SC_ATOMIC_SET(ptv->mpeer->sock_usage, 1);
1162  }
1163 }
1164 
1165 static int AFPReadAndDiscardFromRing(AFPThreadVars *ptv, struct timeval *synctv,
1166  uint64_t *discarded_pkts)
1167 {
1168  if (unlikely(suricata_ctl_flags != 0)) {
1169  return 1;
1170  }
1171 
1172  if (ptv->flags & AFP_TPACKET_V3) {
1173  int ret = 0;
1174  struct tpacket_block_desc *pbd =
1175  (struct tpacket_block_desc *)ptv->ring.v3[ptv->frame_offset].iov_base;
1176  *discarded_pkts += pbd->hdr.bh1.num_pkts;
1177  struct tpacket3_hdr *ppd =
1178  (struct tpacket3_hdr *)((uint8_t *)pbd + pbd->hdr.bh1.offset_to_first_pkt);
1179  if (((time_t)ppd->tp_sec > synctv->tv_sec) ||
1180  ((time_t)ppd->tp_sec == synctv->tv_sec &&
1181  (suseconds_t) (ppd->tp_nsec / 1000) > (suseconds_t)synctv->tv_usec)) {
1182  ret = 1;
1183  }
1184  AFPFlushBlock(pbd);
1185  ptv->frame_offset = (ptv->frame_offset + 1) % ptv->req.v3.tp_block_nr;
1186  return ret;
1187 
1188  } else {
1189  /* Read packet from ring */
1190  union thdr h;
1191  h.raw = (((union thdr **)ptv->ring.v2)[ptv->frame_offset]);
1192  if (h.raw == NULL) {
1193  return -1;
1194  }
1195  if (h.h2->tp_status == TP_STATUS_KERNEL)
1196  return 0;
1197 
1198  if (((time_t)h.h2->tp_sec > synctv->tv_sec) ||
1199  ((time_t)h.h2->tp_sec == synctv->tv_sec &&
1200  (suseconds_t) (h.h2->tp_nsec / 1000) > synctv->tv_usec)) {
1201  return 1;
1202  }
1203 
1204  (*discarded_pkts)++;
1205  h.h2->tp_status = TP_STATUS_KERNEL;
1206  if (++ptv->frame_offset >= ptv->req.v2.tp_frame_nr) {
1207  ptv->frame_offset = 0;
1208  }
1209  }
1210 
1211  return 0;
1212 }
1213 
1214 /** \brief wait for all afpacket threads to fully init
1215  *
1216  * Discard packets before all threads are ready, as the cluster
1217  * setup is not complete yet.
1218  *
1219  * if AFPPeersListStarted() returns true init is complete
1220  *
1221  * \retval r 1 = happy, otherwise unhappy
1222  */
1223 static int AFPSynchronizeStart(AFPThreadVars *ptv, uint64_t *discarded_pkts)
1224 {
1225  struct timeval synctv;
1226  struct pollfd fds;
1227 
1228  fds.fd = ptv->socket;
1229  fds.events = POLLIN;
1230 
1231  /* Set timeval to end of the world */
1232  synctv.tv_sec = 0xffffffff;
1233  synctv.tv_usec = 0xffffffff;
1234 
1235  while (1) {
1236  int r = poll(&fds, 1, POLL_TIMEOUT);
1237  if (r > 0 &&
1238  (fds.revents & (POLLHUP|POLLRDHUP|POLLERR|POLLNVAL))) {
1239  SCLogWarning("%s: poll failed %02x", ptv->iface,
1240  fds.revents & (POLLHUP | POLLRDHUP | POLLERR | POLLNVAL));
1241  return 0;
1242  } else if (r > 0) {
1243  if (AFPPeersListStarted() && synctv.tv_sec == (time_t) 0xffffffff) {
1244  gettimeofday(&synctv, NULL);
1245  }
1246  r = AFPReadAndDiscardFromRing(ptv, &synctv, discarded_pkts);
1247  SCLogDebug("Discarding on %s", ptv->tv->name);
1248  switch (r) {
1249  case 1:
1250  SCLogDebug("Starting to read on %s", ptv->tv->name);
1251  return 1;
1252  case -1:
1253  return r;
1254  }
1255  /* no packets */
1256  } else if (r == 0 && AFPPeersListStarted()) {
1257  SCLogDebug("Starting to read on %s", ptv->tv->name);
1258  return 1;
1259  } else if (r < 0) { /* only exit on error */
1260  SCLogWarning("poll failed with retval %d", r);
1261  return 0;
1262  }
1263  }
1264  return 1;
1265 }
1266 
1267 /**
1268  * \brief Try to reopen socket
1269  *
1270  * \retval 0 in case of success, negative if error occurs or a condition
1271  * is not met.
1272  */
1273 static int AFPTryReopen(AFPThreadVars *ptv)
1274 {
1275  ptv->down_count++;
1276 
1277  /* Don't reconnect till we have packet that did not release data */
1278  if (SC_ATOMIC_GET(ptv->mpeer->sock_usage) != 0) {
1279  return -1;
1280  }
1281 
1282  /* ref cnt 0, we can close the old socket */
1283  AFPCloseSocket(ptv);
1284 
1285  int afp_activate_r = AFPCreateSocket(ptv, ptv->iface, 0, false);
1286  if (afp_activate_r != 0) {
1287  if (ptv->down_count % AFP_DOWN_COUNTER_INTERVAL == 0) {
1288  SCLogWarning("%s: can't reopen interface", ptv->iface);
1289  }
1290  return afp_activate_r;
1291  }
1292 
1293  SCLogInfo("%s: interface is back up", ptv->iface);
1294  return 0;
1295 }
1296 
1297 /**
1298  * \brief Main AF_PACKET reading Loop function
1299  */
1300 TmEcode ReceiveAFPLoop(ThreadVars *tv, void *data, void *slot)
1301 {
1302  SCEnter();
1303 
1304  AFPThreadVars *ptv = (AFPThreadVars *)data;
1305  struct pollfd fds;
1306  int r;
1307  TmSlot *s = (TmSlot *)slot;
1308  time_t last_dump = 0;
1309  time_t current_time;
1310  int (*AFPReadFunc) (AFPThreadVars *);
1311  uint64_t discarded_pkts = 0;
1312 
1313  ptv->slot = s->slot_next;
1314 
1315  if (ptv->flags & AFP_TPACKET_V3) {
1316  AFPReadFunc = AFPReadFromRingV3;
1317  } else {
1318  AFPReadFunc = AFPReadFromRing;
1319  }
1320 
1321  if (ptv->afp_state == AFP_STATE_DOWN) {
1322  /* Wait for our turn, threads before us must have opened the socket */
1323  while (AFPPeersListWaitTurn(ptv->mpeer)) {
1324  usleep(1000);
1325  if (suricata_ctl_flags != 0) {
1326  break;
1327  }
1328  }
1329  r = AFPCreateSocket(ptv, ptv->iface, 1, true);
1330  if (r < 0) {
1331  switch (-r) {
1332  case AFP_FATAL_ERROR:
1333  SCLogError("%s: failed to init socket for interface", ptv->iface);
1335  case AFP_RECOVERABLE_ERROR:
1336  SCLogWarning(
1337  "%s: failed to init socket for interface, retrying soon", ptv->iface);
1338  }
1339  }
1340  }
1341  if (ptv->afp_state == AFP_STATE_UP) {
1342  SCLogDebug("Thread %s using socket %d", tv->name, ptv->socket);
1343  AFPSynchronizeStart(ptv, &discarded_pkts);
1344  /* let's reset counter as we will start the capture at the
1345  * next function call */
1346 #ifdef PACKET_STATISTICS
1347  struct tpacket_stats kstats;
1348  socklen_t len = sizeof (struct tpacket_stats);
1349  if (getsockopt(ptv->socket, SOL_PACKET, PACKET_STATISTICS,
1350  &kstats, &len) > -1) {
1351  uint64_t pkts = 0;
1352  SCLogDebug("(%s) Kernel socket startup: Packets %" PRIu32
1353  ", dropped %" PRIu32 "",
1354  ptv->tv->name,
1355  kstats.tp_packets, kstats.tp_drops);
1356  pkts = kstats.tp_packets - discarded_pkts - kstats.tp_drops;
1357  StatsAddUI64(ptv->tv, ptv->capture_kernel_packets, pkts);
1358  (void) SC_ATOMIC_ADD(ptv->livedev->pkts, pkts);
1359  }
1360 #endif
1361  }
1362 
1363  fds.fd = ptv->socket;
1364  fds.events = POLLIN;
1365 
1366  // Indicate that the thread is actually running its application level code (i.e., it can poll
1367  // packets)
1369 
1370  while (1) {
1371  /* Start by checking the state of our interface */
1372  if (unlikely(ptv->afp_state == AFP_STATE_DOWN)) {
1373  int dbreak = 0;
1374 
1375  do {
1376  usleep(AFP_RECONNECT_TIMEOUT);
1377  if (suricata_ctl_flags != 0) {
1378  dbreak = 1;
1379  break;
1380  }
1381  r = AFPTryReopen(ptv);
1382  fds.fd = ptv->socket;
1383  } while (r < 0);
1384  if (dbreak == 1)
1385  break;
1386  }
1387 
1388  /* make sure we have at least one packet in the packet pool, to prevent
1389  * us from alloc'ing packets at line rate */
1390  PacketPoolWait();
1391 
1392  StatsIncr(ptv->tv, ptv->capture_afp_poll);
1393 
1394  r = poll(&fds, 1, POLL_TIMEOUT);
1395 
1396  if (suricata_ctl_flags != 0) {
1397  break;
1398  }
1399 
1400  if (r > 0 &&
1401  (fds.revents & (POLLHUP|POLLRDHUP|POLLERR|POLLNVAL))) {
1402  StatsIncr(ptv->tv, ptv->capture_afp_poll_signal);
1403  if (fds.revents & (POLLHUP | POLLRDHUP)) {
1404  AFPSwitchState(ptv, AFP_STATE_DOWN);
1405  continue;
1406  } else if (fds.revents & POLLERR) {
1407  char c;
1408  /* Do a recv to get errno */
1409  if (recv(ptv->socket, &c, sizeof c, MSG_PEEK) != -1)
1410  continue; /* what, no error? */
1411  SCLogWarning("%s: failed to poll interface: %s", ptv->iface, strerror(errno));
1412  AFPSwitchState(ptv, AFP_STATE_DOWN);
1413  continue;
1414  } else if (fds.revents & POLLNVAL) {
1415  SCLogWarning("%s: invalid poll request: %s", ptv->iface, strerror(errno));
1416  AFPSwitchState(ptv, AFP_STATE_DOWN);
1417  continue;
1418  }
1419  } else if (r > 0) {
1420  StatsIncr(ptv->tv, ptv->capture_afp_poll_data);
1421  r = AFPReadFunc(ptv);
1422  switch (r) {
1423  case AFP_READ_OK:
1424  /* Trigger one dump of stats every second */
1425  current_time = time(NULL);
1426  if (current_time != last_dump) {
1427  AFPDumpCounters(ptv);
1428  last_dump = current_time;
1429  }
1430  break;
1431  case AFP_READ_FAILURE:
1432  /* AFPRead in error: best to reset the socket */
1433  SCLogWarning("%s: read failure: %s", ptv->iface, strerror(errno));
1434  AFPSwitchState(ptv, AFP_STATE_DOWN);
1435  continue;
1436  case AFP_SURI_FAILURE:
1437  StatsIncr(ptv->tv, ptv->capture_errors);
1438  break;
1439  case AFP_KERNEL_DROP:
1440  AFPDumpCounters(ptv);
1441  break;
1442  }
1443  } else if (unlikely(r == 0)) {
1445  /* Trigger one dump of stats every second */
1446  current_time = time(NULL);
1447  if (current_time != last_dump) {
1448  AFPDumpCounters(ptv);
1449  last_dump = current_time;
1450  }
1451  /* poll timed out, lets see handle our timeout path */
1452  TmThreadsCaptureHandleTimeout(tv, NULL);
1453 
1454  } else if ((r < 0) && (errno != EINTR)) {
1455  StatsIncr(ptv->tv, ptv->capture_afp_poll_err);
1456  SCLogWarning("%s: poll failure: %s", ptv->iface, strerror(errno));
1457  AFPSwitchState(ptv, AFP_STATE_DOWN);
1458  continue;
1459  }
1461  }
1462 
1463  AFPDumpCounters(ptv);
1466 }
1467 
1468 static int AFPGetDevFlags(int fd, const char *ifname)
1469 {
1470  struct ifreq ifr;
1471 
1472  memset(&ifr, 0, sizeof(ifr));
1473  strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
1474 
1475  if (ioctl(fd, SIOCGIFFLAGS, &ifr) == -1) {
1476  SCLogError("%s: failed to get interface flags: %s", ifname, strerror(errno));
1477  return -1;
1478  }
1479 
1480  return ifr.ifr_flags;
1481 }
1482 
1483 
1484 static int AFPGetIfnumByDev(int fd, const char *ifname, int verbose)
1485 {
1486  struct ifreq ifr;
1487 
1488  memset(&ifr, 0, sizeof(ifr));
1489  strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
1490 
1491  if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) {
1492  if (verbose)
1493  SCLogError("%s: failed to find interface: %s", ifname, strerror(errno));
1494  return -1;
1495  }
1496 
1497  return ifr.ifr_ifindex;
1498 }
1499 
1500 static int AFPGetDevLinktype(int fd, const char *ifname)
1501 {
1502  struct ifreq ifr;
1503 
1504  memset(&ifr, 0, sizeof(ifr));
1505  strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
1506 
1507  if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) {
1508  SCLogError("%s: failed to find interface type: %s", ifname, strerror(errno));
1509  return -1;
1510  }
1511 
1512  switch (ifr.ifr_hwaddr.sa_family) {
1513  case ARPHRD_LOOPBACK:
1514  return LINKTYPE_ETHERNET;
1515  case ARPHRD_PPP:
1516  case ARPHRD_NONE:
1517  return LINKTYPE_RAW;
1518  default:
1519  return ifr.ifr_hwaddr.sa_family;
1520  }
1521 }
1522 
1523 int AFPGetLinkType(const char *ifname)
1524 {
1525  int ltype;
1526 
1527  int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
1528  if (fd == -1) {
1529  SCLogError("%s: failed to create AF_PACKET socket: %s", ifname, strerror(errno));
1530  return LINKTYPE_RAW;
1531  }
1532 
1533  ltype = AFPGetDevLinktype(fd, ifname);
1534  close(fd);
1535 
1536  DatalinkSetGlobalType(ltype);
1537 
1538  return ltype;
1539 }
1540 
1541 static int AFPComputeRingParams(AFPThreadVars *ptv, int order)
1542 {
1543  /* Compute structure:
1544  Target is to store all pending packets
1545  with a size equal to MTU + auxdata
1546  And we keep a decent number of block
1547 
1548  To do so:
1549  Compute frame_size (aligned to be able to fit in block
1550  Check which block size we need. Blocksize is a 2^n * pagesize
1551  We then need to get order, big enough to have
1552  frame_size < block size
1553  Find number of frame per block (divide)
1554  Fill in packet_req
1555 
1556  Compute frame size:
1557  described in packet_mmap.txt
1558  dependent on snaplen (need to use a variable ?)
1559 snaplen: MTU ?
1560 tp_hdrlen determine_version in daq_afpacket
1561 in V1: sizeof(struct tpacket_hdr);
1562 in V2: val in getsockopt(instance->fd, SOL_PACKET, PACKET_HDRLEN, &val, &len)
1563 frame size: TPACKET_ALIGN(snaplen + TPACKET_ALIGN(TPACKET_ALIGN(tp_hdrlen) + sizeof(struct
1564 sockaddr_ll) + ETH_HLEN) - ETH_HLEN);
1565 
1566  */
1567  int tp_hdrlen = sizeof(struct tpacket_hdr);
1568  int snaplen = default_packet_size;
1569 
1570  if (snaplen == 0) {
1572  SCLogConfig("%s: defrag enabled, setting snaplen to %d", ptv->iface,
1575  } else {
1576  snaplen = GetIfaceMaxPacketSize(ptv->livedev);
1577  if (snaplen <= 0) {
1578  SCLogWarning("%s: unable to get MTU, setting snaplen default of 1514", ptv->iface);
1579  snaplen = 1514;
1580  }
1581  }
1582  }
1583  ptv->snaplen = snaplen;
1584 
1585  ptv->req.v2.tp_frame_size = TPACKET_ALIGN(snaplen +TPACKET_ALIGN(TPACKET_ALIGN(tp_hdrlen) + sizeof(struct sockaddr_ll) + ETH_HLEN) - ETH_HLEN);
1586  ptv->req.v2.tp_block_size = getpagesize() << order;
1587  int frames_per_block = ptv->req.v2.tp_block_size / ptv->req.v2.tp_frame_size;
1588  if (frames_per_block == 0) {
1589  SCLogError("%s: Frame size bigger than block size", ptv->iface);
1590  return -1;
1591  }
1592  ptv->req.v2.tp_frame_nr = ptv->ring_size;
1593  ptv->req.v2.tp_block_nr = ptv->req.v2.tp_frame_nr / frames_per_block + 1;
1594  /* exact division */
1595  ptv->req.v2.tp_frame_nr = ptv->req.v2.tp_block_nr * frames_per_block;
1596  SCLogPerf("%s: rx ring: block_size=%d block_nr=%d frame_size=%d frame_nr=%d", ptv->iface,
1597  ptv->req.v2.tp_block_size, ptv->req.v2.tp_block_nr, ptv->req.v2.tp_frame_size,
1598  ptv->req.v2.tp_frame_nr);
1599  return 1;
1600 }
1601 
1602 static int AFPComputeRingParamsWithBlockSize(AFPThreadVars *ptv, unsigned int block_size)
1603 {
1604  /* Compute structure:
1605  Target is to store all pending packets
1606  with a size equal to MTU + auxdata
1607  And we keep a decent number of block
1608 
1609  To do so:
1610  Compute frame_size (aligned to be able to fit in block
1611  Check which block size we need. Blocksize is a 2^n * pagesize
1612  We then need to get order, big enough to have
1613  frame_size < block size
1614  Find number of frame per block (divide)
1615  Fill in packet_req
1616 
1617  Compute frame size:
1618  described in packet_mmap.txt
1619  dependent on snaplen (need to use a variable ?)
1620 snaplen: MTU ?
1621 tp_hdrlen determine_version in daq_afpacket
1622 in V1: sizeof(struct tpacket_hdr);
1623 in V2: val in getsockopt(instance->fd, SOL_PACKET, PACKET_HDRLEN, &val, &len)
1624 frame size: TPACKET_ALIGN(snaplen + TPACKET_ALIGN(TPACKET_ALIGN(tp_hdrlen) + sizeof(struct
1625 sockaddr_ll) + ETH_HLEN) - ETH_HLEN);
1626 
1627  */
1628  int tp_hdrlen = sizeof(struct tpacket_hdr);
1629  int snaplen = default_packet_size;
1630 
1631  if (snaplen == 0) {
1633  SCLogConfig("%s: defrag enabled, setting snaplen to %d", ptv->iface,
1636  } else {
1637  snaplen = GetIfaceMaxPacketSize(ptv->livedev);
1638  if (snaplen <= 0) {
1639  SCLogWarning("%s: unable to get MTU, setting snaplen default of 1514", ptv->iface);
1640  snaplen = 1514;
1641  }
1642  }
1643  }
1644  ptv->snaplen = snaplen;
1645 
1646  ptv->req.v2.tp_frame_size = TPACKET_ALIGN(
1647  snaplen +
1648  TPACKET_ALIGN(TPACKET_ALIGN(tp_hdrlen) + sizeof(struct sockaddr_ll) + ETH_HLEN) -
1649  ETH_HLEN);
1650  ptv->req.v2.tp_block_size = block_size;
1651  int frames_per_block = ptv->req.v2.tp_block_size / ptv->req.v2.tp_frame_size;
1652  if (frames_per_block == 0) {
1653  SCLogError("%s: Frame size bigger than block size", ptv->iface);
1654  return -1;
1655  }
1656  ptv->req.v2.tp_frame_nr = ptv->ring_size;
1657  ptv->req.v2.tp_block_nr = ptv->req.v2.tp_frame_nr / frames_per_block + 1;
1658  /* exact division */
1659  ptv->req.v2.tp_frame_nr = ptv->req.v2.tp_block_nr * frames_per_block;
1660  SCLogPerf("%s: rx ring: block_size=%d block_nr=%d frame_size=%d frame_nr=%d", ptv->iface,
1661  ptv->req.v2.tp_block_size, ptv->req.v2.tp_block_nr, ptv->req.v2.tp_frame_size,
1662  ptv->req.v2.tp_frame_nr);
1663  return 1;
1664 }
1665 
1666 static int AFPComputeRingParamsV3(AFPThreadVars *ptv)
1667 {
1668  ptv->req.v3.tp_block_size = ptv->block_size;
1669  ptv->req.v3.tp_frame_size = 2048;
1670  int frames_per_block = 0;
1671  int tp_hdrlen = sizeof(struct tpacket3_hdr);
1672  int snaplen = default_packet_size;
1673 
1674  if (snaplen == 0) {
1675  snaplen = GetIfaceMaxPacketSize(ptv->livedev);
1676  if (snaplen <= 0) {
1677  SCLogWarning("%s: unable to get MTU, setting snaplen default of 1514", ptv->iface);
1678  snaplen = 1514;
1679  }
1680  }
1681  ptv->snaplen = snaplen;
1682 
1683  ptv->req.v3.tp_frame_size = TPACKET_ALIGN(snaplen +TPACKET_ALIGN(TPACKET_ALIGN(tp_hdrlen) + sizeof(struct sockaddr_ll) + ETH_HLEN) - ETH_HLEN);
1684  frames_per_block = ptv->req.v3.tp_block_size / ptv->req.v3.tp_frame_size;
1685 
1686  if (frames_per_block == 0) {
1687  SCLogError("%s: block size is too small, it should be at least %d", ptv->iface,
1688  ptv->req.v3.tp_frame_size);
1689  return -1;
1690  }
1691  ptv->req.v3.tp_block_nr = ptv->ring_size / frames_per_block + 1;
1692  /* exact division */
1693  ptv->req.v3.tp_frame_nr = ptv->req.v3.tp_block_nr * frames_per_block;
1694  ptv->req.v3.tp_retire_blk_tov = ptv->block_timeout;
1695  ptv->req.v3.tp_feature_req_word = TP_FT_REQ_FILL_RXHASH;
1696  SCLogPerf("%s: rx ring params: block_size=%d block_nr=%d frame_size=%d frame_nr=%d (mem: %d)",
1697  ptv->iface, ptv->req.v3.tp_block_size, ptv->req.v3.tp_block_nr,
1698  ptv->req.v3.tp_frame_size, ptv->req.v3.tp_frame_nr,
1699  ptv->req.v3.tp_block_size * ptv->req.v3.tp_block_nr);
1700  return 1;
1701 }
1702 
1703 static int AFPSetupRing(AFPThreadVars *ptv, char *devname)
1704 {
1705  int val;
1706  unsigned int len = sizeof(val), i;
1707  int order;
1708  int r, mmap_flag;
1709 
1710  if (ptv->flags & AFP_TPACKET_V3) {
1711  val = TPACKET_V3;
1712  } else {
1713  val = TPACKET_V2;
1714  }
1715  if (getsockopt(ptv->socket, SOL_PACKET, PACKET_HDRLEN, &val, &len) < 0) {
1716  if (errno == ENOPROTOOPT) {
1717  if (ptv->flags & AFP_TPACKET_V3) {
1718  SCLogError("%s: kernel too old for TPACKET_V3 (need 3.2+)", devname);
1719  } else {
1720  SCLogError("%s: kernel too old (need 2.6.27+)", devname);
1721  }
1722  }
1723  SCLogError("%s: failed to retrieve packet header len", devname);
1724  return AFP_FATAL_ERROR;
1725  }
1726 
1727  val = TPACKET_V2;
1728  if (ptv->flags & AFP_TPACKET_V3) {
1729  val = TPACKET_V3;
1730  }
1731  if (setsockopt(ptv->socket, SOL_PACKET, PACKET_VERSION, &val,
1732  sizeof(val)) < 0) {
1733  SCLogError("%s: failed to activate TPACKET_V2/TPACKET_V3 on packet socket: %s", devname,
1734  strerror(errno));
1735  return AFP_FATAL_ERROR;
1736  }
1737 
1738 #ifdef HAVE_HW_TIMESTAMPING
1739  int req = SOF_TIMESTAMPING_RAW_HARDWARE;
1740  if (setsockopt(ptv->socket, SOL_PACKET, PACKET_TIMESTAMP, (void *) &req,
1741  sizeof(req)) < 0) {
1742  SCLogWarning("%s: failed to activate hardware timestamping on packet socket: %s", devname,
1743  strerror(errno));
1744  }
1745 #endif
1746 
1747  /* Reserve head room for a VLAN header. One vlan is extracted from AFP header
1748  * so one VLAN header length is enough. */
1749  int reserve = VLAN_HEADER_LEN;
1750  if (setsockopt(ptv->socket, SOL_PACKET, PACKET_RESERVE, (void *)&reserve, sizeof(reserve)) <
1751  0) {
1752  SCLogError("%s: failed to activate reserve on packet socket: %s", devname, strerror(errno));
1753  return AFP_FATAL_ERROR;
1754  }
1755 
1756  /* Allocate RX ring */
1757  if (ptv->flags & AFP_TPACKET_V3) {
1758  if (AFPComputeRingParamsV3(ptv) != 1) {
1759  return AFP_FATAL_ERROR;
1760  }
1761  r = setsockopt(ptv->socket, SOL_PACKET, PACKET_RX_RING,
1762  (void *) &ptv->req.v3, sizeof(ptv->req.v3));
1763  if (r < 0) {
1764  SCLogError("%s: failed to allocate RX Ring: %s", devname, strerror(errno));
1765  return AFP_FATAL_ERROR;
1766  }
1767  } else {
1768  if (ptv->v2_block_size) {
1769 
1770  if (AFPComputeRingParamsWithBlockSize(ptv, ptv->v2_block_size) != 1) {
1771  SCLogError("%s: ring parameters are incorrect. Please file a bug report", devname);
1772  return AFP_FATAL_ERROR;
1773  }
1774 
1775  r = setsockopt(
1776  ptv->socket, SOL_PACKET, PACKET_RX_RING, (void *)&ptv->req, sizeof(ptv->req));
1777 
1778  if (r < 0) {
1779  if (errno == ENOMEM) {
1780  SCLogError("%s: memory issue with ring parameters", devname);
1781  return AFP_FATAL_ERROR;
1782  }
1783  SCLogError("%s: failed to setup RX Ring: %s", devname, strerror(errno));
1784  return AFP_FATAL_ERROR;
1785  }
1786 
1787  } else {
1788  for (order = AFP_BLOCK_SIZE_DEFAULT_ORDER; order >= 0; order--) {
1789  if (AFPComputeRingParams(ptv, order) != 1) {
1790  SCLogError(
1791  "%s: ring parameters are incorrect. Please file a bug report", devname);
1792  return AFP_FATAL_ERROR;
1793  }
1794 
1795  r = setsockopt(ptv->socket, SOL_PACKET, PACKET_RX_RING, (void *)&ptv->req,
1796  sizeof(ptv->req));
1797 
1798  if (r < 0) {
1799  if (errno == ENOMEM) {
1800  SCLogWarning("%s: memory issue with ring parameters. Retrying", devname);
1801  continue;
1802  }
1803  SCLogError("%s: failed to setup RX Ring: %s", devname, strerror(errno));
1804  return AFP_FATAL_ERROR;
1805  } else {
1806  break;
1807  }
1808  }
1809  if (order < 0) {
1810  SCLogError("%s: failed to setup RX Ring (order 0 failed)", devname);
1811  return AFP_FATAL_ERROR;
1812  }
1813  }
1814  }
1815 
1816  /* Allocate the Ring */
1817  if (ptv->flags & AFP_TPACKET_V3) {
1818  ptv->ring_buflen = ptv->req.v3.tp_block_nr * ptv->req.v3.tp_block_size;
1819  } else {
1820  ptv->ring_buflen = ptv->req.v2.tp_block_nr * ptv->req.v2.tp_block_size;
1821  }
1822  mmap_flag = MAP_SHARED;
1823  if (ptv->flags & AFP_MMAP_LOCKED)
1824  mmap_flag |= MAP_LOCKED;
1825  ptv->ring_buf = mmap(0, ptv->ring_buflen, PROT_READ|PROT_WRITE,
1826  mmap_flag, ptv->socket, 0);
1827  if (ptv->ring_buf == MAP_FAILED) {
1828  SCLogError("%s: failed to mmap: %s", devname, strerror(errno));
1829  goto mmap_err;
1830  }
1831  if (ptv->flags & AFP_TPACKET_V3) {
1832  ptv->ring.v3 = SCMalloc(ptv->req.v3.tp_block_nr * sizeof(*ptv->ring.v3));
1833  if (!ptv->ring.v3) {
1834  SCLogError("%s: failed to alloc ring: %s", devname, strerror(errno));
1835  goto postmmap_err;
1836  }
1837  for (i = 0; i < ptv->req.v3.tp_block_nr; ++i) {
1838  ptv->ring.v3[i].iov_base = ptv->ring_buf + (i * ptv->req.v3.tp_block_size);
1839  ptv->ring.v3[i].iov_len = ptv->req.v3.tp_block_size;
1840  }
1841  } else {
1842  /* allocate a ring for each frame header pointer*/
1843  ptv->ring.v2 = SCCalloc(ptv->req.v2.tp_frame_nr, sizeof(union thdr *));
1844  if (ptv->ring.v2 == NULL) {
1845  SCLogError("%s: failed to alloc ring: %s", devname, strerror(errno));
1846  goto postmmap_err;
1847  }
1848  /* fill the header ring with proper frame ptr*/
1849  ptv->frame_offset = 0;
1850  for (i = 0; i < ptv->req.v2.tp_block_nr; ++i) {
1851  void *base = &(ptv->ring_buf[i * ptv->req.v2.tp_block_size]);
1852  unsigned int j;
1853  for (j = 0; j < ptv->req.v2.tp_block_size / ptv->req.v2.tp_frame_size; ++j, ++ptv->frame_offset) {
1854  (((union thdr **)ptv->ring.v2)[ptv->frame_offset]) = base;
1855  base += ptv->req.v2.tp_frame_size;
1856  }
1857  }
1858  ptv->frame_offset = 0;
1859  }
1860 
1861  return 0;
1862 
1863 postmmap_err:
1864  munmap(ptv->ring_buf, ptv->ring_buflen);
1865  if (ptv->ring.v2)
1866  SCFree(ptv->ring.v2);
1867  if (ptv->ring.v3)
1868  SCFree(ptv->ring.v3);
1869 mmap_err:
1870  /* Packet mmap does the cleaning when socket is closed */
1871  return AFP_FATAL_ERROR;
1872 }
1873 
1874 /** \brief test if we can use FANOUT. Older kernels like those in
1875  * CentOS6 have HAVE_PACKET_FANOUT defined but fail to work
1876  */
1877 int AFPIsFanoutSupported(uint16_t cluster_id)
1878 {
1879 #ifdef HAVE_PACKET_FANOUT
1880  int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
1881  if (fd < 0)
1882  return 0;
1883 
1885  uint32_t option = (mode << 16) | cluster_id;
1886  int r = setsockopt(fd, SOL_PACKET, PACKET_FANOUT,(void *)&option, sizeof(option));
1887  close(fd);
1888 
1889  if (r < 0) {
1890  SCLogError("fanout not supported by kernel: "
1891  "Kernel too old or cluster-id %d already in use.",
1892  cluster_id);
1893  return 0;
1894  }
1895  return 1;
1896 #else
1897  return 0;
1898 #endif
1899 }
1900 
1901 #ifdef HAVE_PACKET_EBPF
1902 
1903 static int SockFanoutSeteBPF(AFPThreadVars *ptv)
1904 {
1905  int pfd = ptv->ebpf_lb_fd;
1906  if (pfd == -1) {
1907  SCLogError("Fanout file descriptor is invalid");
1908  return -1;
1909  }
1910 
1911  if (setsockopt(ptv->socket, SOL_PACKET, PACKET_FANOUT_DATA, &pfd, sizeof(pfd))) {
1912  SCLogError("Error setting ebpf");
1913  return -1;
1914  }
1915  SCLogInfo("Activated eBPF on socket");
1916 
1917  return 0;
1918 }
1919 
1920 static TmEcode SetEbpfFilter(AFPThreadVars *ptv)
1921 {
1922  int pfd = ptv->ebpf_filter_fd;
1923  if (pfd == -1) {
1924  SCLogError("Filter file descriptor is invalid");
1925  return TM_ECODE_FAILED;
1926  }
1927 
1928  if (setsockopt(ptv->socket, SOL_SOCKET, SO_ATTACH_BPF, &pfd, sizeof(pfd))) {
1929  SCLogError("Error setting ebpf: %s", strerror(errno));
1930  return TM_ECODE_FAILED;
1931  }
1932  SCLogInfo("Activated eBPF filter on socket");
1933 
1934  return TM_ECODE_OK;
1935 }
1936 #endif
1937 
1938 /** \param peer_update increment peers reached */
1939 static int AFPCreateSocket(AFPThreadVars *ptv, char *devname, int verbose, const bool peer_update)
1940 {
1941  int r;
1942  int ret = AFP_FATAL_ERROR;
1943  struct packet_mreq sock_params;
1944  struct sockaddr_ll bind_address;
1945  int if_idx;
1946 
1947  /* open socket */
1948  ptv->socket = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
1949  if (ptv->socket == -1) {
1950  SCLogError("%s: failed to create socket: %s", devname, strerror(errno));
1951  goto error;
1952  }
1953 
1954  if_idx = AFPGetIfnumByDev(ptv->socket, devname, verbose);
1955  if (if_idx == -1) {
1956  goto socket_err;
1957  }
1958 
1959  /* bind socket */
1960  memset(&bind_address, 0, sizeof(bind_address));
1961  bind_address.sll_family = AF_PACKET;
1962  bind_address.sll_protocol = htons(ETH_P_ALL);
1963  bind_address.sll_ifindex = if_idx;
1964  if (bind_address.sll_ifindex == -1) {
1965  if (verbose)
1966  SCLogWarning("%s: device for found", devname);
1967  ret = AFP_RECOVERABLE_ERROR;
1968  goto socket_err;
1969  }
1970 
1971  int if_flags = AFPGetDevFlags(ptv->socket, ptv->iface);
1972  if (if_flags == -1) {
1973  if (verbose) {
1974  SCLogWarning("%s: failed to get interface flags", ptv->iface);
1975  }
1976  ret = AFP_RECOVERABLE_ERROR;
1977  goto socket_err;
1978  } else if ((if_flags & (IFF_UP | IFF_RUNNING)) == 0) {
1979  if (verbose) {
1980  SCLogWarning("%s: interface is down", ptv->iface);
1981  }
1982  ret = AFP_RECOVERABLE_ERROR;
1983  goto socket_err;
1984  }
1985 
1986  /* ignore outgoing packets on loopback interfaces */
1987  if (if_flags & IFF_LOOPBACK)
1988  ptv->pkttype_filter_mask |= BIT_U32(PACKET_OUTGOING);
1989 
1990  if (ptv->promisc != 0) {
1991  /* Force promiscuous mode */
1992  memset(&sock_params, 0, sizeof(sock_params));
1993  sock_params.mr_type = PACKET_MR_PROMISC;
1994  sock_params.mr_ifindex = bind_address.sll_ifindex;
1995  r = setsockopt(ptv->socket, SOL_PACKET, PACKET_ADD_MEMBERSHIP,(void *)&sock_params, sizeof(sock_params));
1996  if (r < 0) {
1997  SCLogError("%s: failed to set promisc mode: %s", devname, strerror(errno));
1998  goto socket_err;
1999  }
2000  }
2001 
2003  int val = 1;
2004  if (setsockopt(ptv->socket, SOL_PACKET, PACKET_AUXDATA, &val,
2005  sizeof(val)) == -1 && errno != ENOPROTOOPT) {
2006  SCLogWarning(
2007  "%s: 'kernel' checksum mode not supported, falling back to full mode", devname);
2009  }
2010  }
2011 
2012  /* set socket recv buffer size */
2013  if (ptv->buffer_size != 0) {
2014  /*
2015  * Set the socket buffer size to the specified value.
2016  */
2017  SCLogPerf("%s: setting socket buffer to %d", devname, ptv->buffer_size);
2018  if (setsockopt(ptv->socket, SOL_SOCKET, SO_RCVBUF,
2019  &ptv->buffer_size,
2020  sizeof(ptv->buffer_size)) == -1) {
2021  SCLogError("%s: failed to set buffer size to %d: %s", devname, ptv->buffer_size,
2022  strerror(errno));
2023  goto socket_err;
2024  }
2025  }
2026 
2027  r = bind(ptv->socket, (struct sockaddr *)&bind_address, sizeof(bind_address));
2028  if (r < 0) {
2029  if (verbose) {
2030  if (errno == ENETDOWN) {
2031  SCLogWarning("%s: failed to bind socket, iface is down", devname);
2032  } else {
2033  SCLogWarning("%s: failed to bind socket: %s", devname, strerror(errno));
2034  }
2035  }
2036  ret = AFP_RECOVERABLE_ERROR;
2037  goto socket_err;
2038  }
2039 
2040 
2041 #ifdef HAVE_PACKET_FANOUT
2042  /* add bound socket to fanout group */
2043  if (ptv->threads > 1) {
2044  uint32_t mode = ptv->cluster_type;
2045  uint16_t id = ptv->cluster_id;
2046  uint32_t option = (mode << 16) | (id & 0xffff);
2047  r = setsockopt(ptv->socket, SOL_PACKET, PACKET_FANOUT,(void *)&option, sizeof(option));
2048  if (r < 0) {
2049  SCLogError("%s: failed to set fanout mode: %s", devname, strerror(errno));
2050  goto socket_err;
2051  }
2052  }
2053 #endif
2054 
2055 #ifdef HAVE_PACKET_EBPF
2056  if (ptv->cluster_type == PACKET_FANOUT_EBPF) {
2057  r = SockFanoutSeteBPF(ptv);
2058  if (r < 0) {
2059  SCLogError("%s: failed to set eBPF: %s", devname, strerror(errno));
2060  goto socket_err;
2061  }
2062  }
2063 #endif
2064  /* bind() done, allow next thread to continue */
2065  if (peer_update) {
2066  AFPPeersListReachedInc();
2067  }
2068  ret = AFPSetupRing(ptv, devname);
2069  if (ret != 0)
2070  goto socket_err;
2071 
2072  SCLogDebug("Using interface '%s' via socket %d", (char *)devname, ptv->socket);
2073 
2074  ptv->datalink = AFPGetDevLinktype(ptv->socket, ptv->iface);
2075 
2076  TmEcode rc = AFPSetBPFFilter(ptv);
2077  if (rc == TM_ECODE_FAILED) {
2078  ret = AFP_FATAL_ERROR;
2079  goto socket_err;
2080  }
2081 
2082  /* Init is ok */
2083  AFPSwitchState(ptv, AFP_STATE_UP);
2084  return 0;
2085 
2086 socket_err:
2087  close(ptv->socket);
2088  ptv->socket = -1;
2089  if (ptv->flags & AFP_TPACKET_V3) {
2090  if (ptv->ring.v3) {
2091  SCFree(ptv->ring.v3);
2092  ptv->ring.v3 = NULL;
2093  }
2094  } else {
2095  if (ptv->ring.v2) {
2096  SCFree(ptv->ring.v2);
2097  ptv->ring.v2 = NULL;
2098  }
2099  }
2100 
2101 error:
2102  return -ret;
2103 }
2104 
2105 TmEcode AFPSetBPFFilter(AFPThreadVars *ptv)
2106 {
2107  struct bpf_program filter;
2108  struct sock_fprog fcode;
2109  int rc;
2110 
2111 #ifdef HAVE_PACKET_EBPF
2112  if (ptv->ebpf_filter_fd != -1) {
2113  return SetEbpfFilter(ptv);
2114  }
2115 #endif
2116 
2117  if (!ptv->bpf_filter)
2118  return TM_ECODE_OK;
2119 
2120  SCLogInfo("%s: using BPF '%s'", ptv->iface, ptv->bpf_filter);
2121 
2122  char errbuf[PCAP_ERRBUF_SIZE];
2123  if (SCBPFCompile(ptv->snaplen, /* snaplen_arg */
2124  ptv->datalink, /* linktype_arg */
2125  &filter, /* program */
2126  ptv->bpf_filter, /* const char *buf */
2127  1, /* optimize */
2128  0, /* mask */
2129  errbuf, sizeof(errbuf)) == -1) {
2130  SCLogError("%s: failed to compile BPF \"%s\": %s", ptv->iface, ptv->bpf_filter, errbuf);
2131  return TM_ECODE_FAILED;
2132  }
2133 
2134  if (filter.bf_len > USHRT_MAX) {
2135  return TM_ECODE_FAILED;
2136  }
2137  fcode.len = (unsigned short)filter.bf_len;
2138  fcode.filter = (struct sock_filter*)filter.bf_insns;
2139 
2140  rc = setsockopt(ptv->socket, SOL_SOCKET, SO_ATTACH_FILTER, &fcode, sizeof(fcode));
2141 
2142  SCBPFFree(&filter);
2143  if(rc == -1) {
2144  SCLogError("%s: failed to attach filter: %s", ptv->iface, strerror(errno));
2145  return TM_ECODE_FAILED;
2146  }
2147 
2148  return TM_ECODE_OK;
2149 }
2150 
2151 #ifdef HAVE_PACKET_EBPF
2152 /**
2153  * Insert a half flow in the kernel bypass table
2154  *
2155  * \param mapfd file descriptor of the protocol bypass table
2156  * \param key data to use as key in the table
2157  * \return 0 in case of error, 1 if success
2158  */
2159 static int AFPInsertHalfFlow(int mapd, void *key, unsigned int nr_cpus)
2160 {
2161  BPF_DECLARE_PERCPU(struct pair, value, nr_cpus);
2162  unsigned int i;
2163 
2164  if (mapd == -1) {
2165  return 0;
2166  }
2167 
2168  /* We use a per CPU structure so we have to set an array of values as the kernel
2169  * is not duplicating the data on each CPU by itself. */
2170  for (i = 0; i < nr_cpus; i++) {
2171  BPF_PERCPU(value, i).packets = 0;
2172  BPF_PERCPU(value, i).bytes = 0;
2173  }
2174  if (bpf_map_update_elem(mapd, key, value, BPF_NOEXIST) != 0) {
2175  switch (errno) {
2176  /* no more place in the hash */
2177  case E2BIG:
2178  return 0;
2179  /* no more place in the hash for some hardware bypass */
2180  case EAGAIN:
2181  return 0;
2182  /* if we already have the key then bypass is a success */
2183  case EEXIST:
2184  return 1;
2185  /* Not supposed to be there so issue a error */
2186  default:
2187  SCLogError("Can't update eBPF map: %s (%d)", strerror(errno), errno);
2188  return 0;
2189  }
2190  }
2191  return 1;
2192 }
2193 
2194 static int AFPSetFlowStorage(Packet *p, int map_fd, void *key0, void* key1,
2195  int family)
2196 {
2198  if (fc) {
2199  if (fc->bypass_data != NULL) {
2200  // bypass already activated
2201  SCFree(key0);
2202  SCFree(key1);
2203  return 1;
2204  }
2205  EBPFBypassData *eb = SCCalloc(1, sizeof(EBPFBypassData));
2206  if (eb == NULL) {
2207  EBPFDeleteKey(map_fd, key0);
2208  EBPFDeleteKey(map_fd, key1);
2209  LiveDevAddBypassFail(p->livedev, 1, family);
2210  SCFree(key0);
2211  SCFree(key1);
2212  return 0;
2213  }
2214  eb->key[0] = key0;
2215  eb->key[1] = key1;
2216  eb->mapfd = map_fd;
2217  eb->cpus_count = p->afp_v.nr_cpus;
2218  fc->BypassUpdate = EBPFBypassUpdate;
2219  fc->BypassFree = EBPFBypassFree;
2220  fc->bypass_data = eb;
2221  } else {
2222  EBPFDeleteKey(map_fd, key0);
2223  EBPFDeleteKey(map_fd, key1);
2224  LiveDevAddBypassFail(p->livedev, 1, family);
2225  SCFree(key0);
2226  SCFree(key1);
2227  return 0;
2228  }
2229 
2230  LiveDevAddBypassStats(p->livedev, 1, family);
2231  LiveDevAddBypassSuccess(p->livedev, 1, family);
2232  return 1;
2233 }
2234 
2235 /**
2236  * Bypass function for AF_PACKET capture in eBPF mode
2237  *
2238  * This function creates two half flows in the map shared with the kernel
2239  * to trigger bypass.
2240  *
2241  * The implementation of bypass is done via an IPv4 and an IPv6 flow table.
2242  * This table contains the list of half flows to bypass. The in-kernel filter
2243  * will skip/drop the packet if they belong to a flow in one of the flows
2244  * table.
2245  *
2246  * \param p the packet belonging to the flow to bypass
2247  * \return 0 if unable to bypass, 1 if success
2248  */
2249 static int AFPBypassCallback(Packet *p)
2250 {
2251  SCLogDebug("Calling af_packet callback function");
2252  /* Only bypass TCP and UDP */
2253  if (!(PacketIsTCP(p) || PacketIsUDP(p))) {
2254  return 0;
2255  }
2256 
2257  /* If we don't have a flow attached to packet the eBPF map entries
2258  * will be destroyed at first flow bypass manager pass as we won't
2259  * find any associated entry */
2260  if (p->flow == NULL) {
2261  return 0;
2262  }
2263  /* Bypassing tunneled packets is currently not supported
2264  * because we can't discard the inner packet only due to
2265  * primitive parsing in eBPF */
2266  if (PacketIsTunnel(p)) {
2267  return 0;
2268  }
2269  if (PacketIsIPv4(p)) {
2270  SCLogDebug("add an IPv4");
2271  if (p->afp_v.v4_map_fd == -1) {
2272  return 0;
2273  }
2274  struct flowv4_keys *keys[2];
2275  keys[0] = SCCalloc(1, sizeof(struct flowv4_keys));
2276  if (keys[0] == NULL) {
2277  return 0;
2278  }
2279  keys[0]->src = htonl(GET_IPV4_SRC_ADDR_U32(p));
2280  keys[0]->dst = htonl(GET_IPV4_DST_ADDR_U32(p));
2281  keys[0]->port16[0] = p->sp;
2282  keys[0]->port16[1] = p->dp;
2283  keys[0]->vlan0 = p->vlan_id[0];
2284  keys[0]->vlan1 = p->vlan_id[1];
2285  keys[0]->vlan2 = p->vlan_id[2];
2286 
2287  if (p->proto == IPPROTO_TCP) {
2288  keys[0]->ip_proto = 1;
2289  } else {
2290  keys[0]->ip_proto = 0;
2291  }
2292  if (AFPInsertHalfFlow(p->afp_v.v4_map_fd, keys[0],
2293  p->afp_v.nr_cpus) == 0) {
2294  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2295  SCFree(keys[0]);
2296  return 0;
2297  }
2298  keys[1]= SCCalloc(1, sizeof(struct flowv4_keys));
2299  if (keys[1] == NULL) {
2300  EBPFDeleteKey(p->afp_v.v4_map_fd, keys[0]);
2301  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2302  SCFree(keys[0]);
2303  return 0;
2304  }
2305  keys[1]->src = htonl(GET_IPV4_DST_ADDR_U32(p));
2306  keys[1]->dst = htonl(GET_IPV4_SRC_ADDR_U32(p));
2307  keys[1]->port16[0] = p->dp;
2308  keys[1]->port16[1] = p->sp;
2309  keys[1]->vlan0 = p->vlan_id[0];
2310  keys[1]->vlan1 = p->vlan_id[1];
2311  keys[1]->vlan2 = p->vlan_id[2];
2312 
2313  keys[1]->ip_proto = keys[0]->ip_proto;
2314  if (AFPInsertHalfFlow(p->afp_v.v4_map_fd, keys[1],
2315  p->afp_v.nr_cpus) == 0) {
2316  EBPFDeleteKey(p->afp_v.v4_map_fd, keys[0]);
2317  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2318  SCFree(keys[0]);
2319  SCFree(keys[1]);
2320  return 0;
2321  }
2322  EBPFUpdateFlow(p->flow, p, NULL);
2323  return AFPSetFlowStorage(p, p->afp_v.v4_map_fd, keys[0], keys[1], AF_INET);
2324  }
2325  /* For IPv6 case we don't handle extended header in eBPF */
2326  if (PacketIsIPv6(p) && ((p->proto == IPPROTO_TCP) || (p->proto == IPPROTO_UDP))) {
2327  int i;
2328  if (p->afp_v.v6_map_fd == -1) {
2329  return 0;
2330  }
2331  SCLogDebug("add an IPv6");
2332  struct flowv6_keys *keys[2];
2333  keys[0] = SCCalloc(1, sizeof(struct flowv6_keys));
2334  if (keys[0] == NULL) {
2335  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2336  return 0;
2337  }
2338  for (i = 0; i < 4; i++) {
2339  keys[0]->src[i] = ntohl(GET_IPV6_SRC_ADDR(p)[i]);
2340  keys[0]->dst[i] = ntohl(GET_IPV6_DST_ADDR(p)[i]);
2341  }
2342  keys[0]->port16[0] = p->sp;
2343  keys[0]->port16[1] = p->dp;
2344  keys[0]->vlan0 = p->vlan_id[0];
2345  keys[0]->vlan1 = p->vlan_id[1];
2346  keys[0]->vlan2 = p->vlan_id[2];
2347 
2348  if (p->proto == IPPROTO_TCP) {
2349  keys[0]->ip_proto = 1;
2350  } else {
2351  keys[0]->ip_proto = 0;
2352  }
2353  if (AFPInsertHalfFlow(p->afp_v.v6_map_fd, keys[0],
2354  p->afp_v.nr_cpus) == 0) {
2355  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2356  SCFree(keys[0]);
2357  return 0;
2358  }
2359  keys[1]= SCCalloc(1, sizeof(struct flowv6_keys));
2360  if (keys[1] == NULL) {
2361  EBPFDeleteKey(p->afp_v.v6_map_fd, keys[0]);
2362  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2363  SCFree(keys[0]);
2364  return 0;
2365  }
2366  for (i = 0; i < 4; i++) {
2367  keys[1]->src[i] = ntohl(GET_IPV6_DST_ADDR(p)[i]);
2368  keys[1]->dst[i] = ntohl(GET_IPV6_SRC_ADDR(p)[i]);
2369  }
2370  keys[1]->port16[0] = p->dp;
2371  keys[1]->port16[1] = p->sp;
2372  keys[1]->vlan0 = p->vlan_id[0];
2373  keys[1]->vlan1 = p->vlan_id[1];
2374  keys[1]->vlan2 = p->vlan_id[2];
2375 
2376  keys[1]->ip_proto = keys[0]->ip_proto;
2377  if (AFPInsertHalfFlow(p->afp_v.v6_map_fd, keys[1],
2378  p->afp_v.nr_cpus) == 0) {
2379  EBPFDeleteKey(p->afp_v.v6_map_fd, keys[0]);
2380  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2381  SCFree(keys[0]);
2382  SCFree(keys[1]);
2383  return 0;
2384  }
2385  if (p->flow)
2386  EBPFUpdateFlow(p->flow, p, NULL);
2387  return AFPSetFlowStorage(p, p->afp_v.v6_map_fd, keys[0], keys[1], AF_INET6);
2388  }
2389  return 0;
2390 }
2391 
2392 /**
2393  * Bypass function for AF_PACKET capture in XDP mode
2394  *
2395  * This function creates two half flows in the map shared with the kernel
2396  * to trigger bypass. This function is similar to AFPBypassCallback() but
2397  * the bytes order is changed for some data due to the way we get the data
2398  * in the XDP case.
2399  *
2400  * \param p the packet belonging to the flow to bypass
2401  * \return 0 if unable to bypass, 1 if success
2402  */
2403 static int AFPXDPBypassCallback(Packet *p)
2404 {
2405  SCLogDebug("Calling af_packet callback function");
2406  /* Only bypass TCP and UDP */
2407  if (!(PacketIsTCP(p) || PacketIsUDP(p))) {
2408  return 0;
2409  }
2410 
2411  /* If we don't have a flow attached to packet the eBPF map entries
2412  * will be destroyed at first flow bypass manager pass as we won't
2413  * find any associated entry */
2414  if (p->flow == NULL) {
2415  return 0;
2416  }
2417  /* Bypassing tunneled packets is currently not supported
2418  * because we can't discard the inner packet only due to
2419  * primitive parsing in eBPF */
2420  if (PacketIsTunnel(p)) {
2421  return 0;
2422  }
2423  if (PacketIsIPv4(p)) {
2424  struct flowv4_keys *keys[2];
2425  keys[0]= SCCalloc(1, sizeof(struct flowv4_keys));
2426  if (keys[0] == NULL) {
2427  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2428  return 0;
2429  }
2430  if (p->afp_v.v4_map_fd == -1) {
2431  SCFree(keys[0]);
2432  return 0;
2433  }
2434  keys[0]->src = p->src.addr_data32[0];
2435  keys[0]->dst = p->dst.addr_data32[0];
2436  /* In the XDP filter we get port from parsing of packet and not from skb
2437  * (as in eBPF filter) so we need to pass from host to network order */
2438  keys[0]->port16[0] = htons(p->sp);
2439  keys[0]->port16[1] = htons(p->dp);
2440  keys[0]->vlan0 = p->vlan_id[0];
2441  keys[0]->vlan1 = p->vlan_id[1];
2442  keys[0]->vlan2 = p->vlan_id[2];
2443  if (p->proto == IPPROTO_TCP) {
2444  keys[0]->ip_proto = 1;
2445  } else {
2446  keys[0]->ip_proto = 0;
2447  }
2448  if (AFPInsertHalfFlow(p->afp_v.v4_map_fd, keys[0],
2449  p->afp_v.nr_cpus) == 0) {
2450  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2451  SCFree(keys[0]);
2452  return 0;
2453  }
2454  keys[1]= SCCalloc(1, sizeof(struct flowv4_keys));
2455  if (keys[1] == NULL) {
2456  EBPFDeleteKey(p->afp_v.v4_map_fd, keys[0]);
2457  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2458  SCFree(keys[0]);
2459  return 0;
2460  }
2461  keys[1]->src = p->dst.addr_data32[0];
2462  keys[1]->dst = p->src.addr_data32[0];
2463  keys[1]->port16[0] = htons(p->dp);
2464  keys[1]->port16[1] = htons(p->sp);
2465  keys[1]->vlan0 = p->vlan_id[0];
2466  keys[1]->vlan1 = p->vlan_id[1];
2467  keys[1]->vlan2 = p->vlan_id[2];
2468  keys[1]->ip_proto = keys[0]->ip_proto;
2469  if (AFPInsertHalfFlow(p->afp_v.v4_map_fd, keys[1],
2470  p->afp_v.nr_cpus) == 0) {
2471  EBPFDeleteKey(p->afp_v.v4_map_fd, keys[0]);
2472  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2473  SCFree(keys[0]);
2474  SCFree(keys[1]);
2475  return 0;
2476  }
2477  return AFPSetFlowStorage(p, p->afp_v.v4_map_fd, keys[0], keys[1], AF_INET);
2478  }
2479  /* For IPv6 case we don't handle extended header in eBPF */
2480  if (PacketIsIPv6(p) && ((p->proto == IPPROTO_TCP) || (p->proto == IPPROTO_UDP))) {
2481  SCLogDebug("add an IPv6");
2482  if (p->afp_v.v6_map_fd == -1) {
2483  return 0;
2484  }
2485  int i;
2486  struct flowv6_keys *keys[2];
2487  keys[0] = SCCalloc(1, sizeof(struct flowv6_keys));
2488  if (keys[0] == NULL) {
2489  return 0;
2490  }
2491 
2492  for (i = 0; i < 4; i++) {
2493  keys[0]->src[i] = GET_IPV6_SRC_ADDR(p)[i];
2494  keys[0]->dst[i] = GET_IPV6_DST_ADDR(p)[i];
2495  }
2496  keys[0]->port16[0] = htons(p->sp);
2497  keys[0]->port16[1] = htons(p->dp);
2498  keys[0]->vlan0 = p->vlan_id[0];
2499  keys[0]->vlan1 = p->vlan_id[1];
2500  keys[0]->vlan2 = p->vlan_id[2];
2501  if (p->proto == IPPROTO_TCP) {
2502  keys[0]->ip_proto = 1;
2503  } else {
2504  keys[0]->ip_proto = 0;
2505  }
2506  if (AFPInsertHalfFlow(p->afp_v.v6_map_fd, keys[0],
2507  p->afp_v.nr_cpus) == 0) {
2508  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2509  SCFree(keys[0]);
2510  return 0;
2511  }
2512  keys[1]= SCCalloc(1, sizeof(struct flowv6_keys));
2513  if (keys[1] == NULL) {
2514  EBPFDeleteKey(p->afp_v.v6_map_fd, keys[0]);
2515  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2516  SCFree(keys[0]);
2517  return 0;
2518  }
2519  for (i = 0; i < 4; i++) {
2520  keys[1]->src[i] = GET_IPV6_DST_ADDR(p)[i];
2521  keys[1]->dst[i] = GET_IPV6_SRC_ADDR(p)[i];
2522  }
2523  keys[1]->port16[0] = htons(p->dp);
2524  keys[1]->port16[1] = htons(p->sp);
2525  keys[1]->vlan0 = p->vlan_id[0];
2526  keys[1]->vlan1 = p->vlan_id[1];
2527  keys[1]->vlan2 = p->vlan_id[2];
2528  keys[1]->ip_proto = keys[0]->ip_proto;
2529  if (AFPInsertHalfFlow(p->afp_v.v6_map_fd, keys[1],
2530  p->afp_v.nr_cpus) == 0) {
2531  EBPFDeleteKey(p->afp_v.v6_map_fd, keys[0]);
2532  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2533  SCFree(keys[0]);
2534  SCFree(keys[1]);
2535  return 0;
2536  }
2537  return AFPSetFlowStorage(p, p->afp_v.v6_map_fd, keys[0], keys[1], AF_INET6);
2538  }
2539  return 0;
2540 }
2541 
2542 bool g_flowv4_ok = true;
2543 bool g_flowv6_ok = true;
2544 
2545 #endif /* HAVE_PACKET_EBPF */
2546 
2547 /**
2548  * \brief Init function for ReceiveAFP.
2549  *
2550  * \param tv pointer to ThreadVars
2551  * \param initdata pointer to the interface passed from the user
2552  * \param data pointer gets populated with AFPThreadVars
2553  *
2554  * \todo Create a general AFP setup function.
2555  */
2556 TmEcode ReceiveAFPThreadInit(ThreadVars *tv, const void *initdata, void **data)
2557 {
2558  SCEnter();
2559  AFPIfaceConfig *afpconfig = (AFPIfaceConfig *)initdata;
2560 
2561  if (initdata == NULL) {
2562  SCLogError("initdata == NULL");
2564  }
2565 
2566  AFPThreadVars *ptv = SCCalloc(1, sizeof(AFPThreadVars));
2567  if (unlikely(ptv == NULL)) {
2568  afpconfig->DerefFunc(afpconfig);
2570  }
2571 
2572  ptv->tv = tv;
2573 
2574  strlcpy(ptv->iface, afpconfig->iface, AFP_IFACE_NAME_LENGTH);
2575  ptv->iface[AFP_IFACE_NAME_LENGTH - 1]= '\0';
2576 
2577  ptv->livedev = LiveGetDevice(ptv->iface);
2578  if (ptv->livedev == NULL) {
2579  SCLogError("Unable to find Live device");
2580  SCFree(ptv);
2582  }
2583 
2584  ptv->buffer_size = afpconfig->buffer_size;
2585  ptv->ring_size = afpconfig->ring_size;
2586  ptv->v2_block_size = afpconfig->v2_block_size;
2587  ptv->block_size = afpconfig->block_size;
2588  ptv->block_timeout = afpconfig->block_timeout;
2589 
2590  ptv->promisc = afpconfig->promisc;
2591  ptv->checksum_mode = afpconfig->checksum_mode;
2592  ptv->bpf_filter = NULL;
2593 
2594  ptv->threads = 1;
2595 #ifdef HAVE_PACKET_FANOUT
2597  ptv->cluster_id = 1;
2598  /* We only set cluster info if the number of reader threads is greater than 1 */
2599  if (afpconfig->threads > 1) {
2600  ptv->cluster_id = afpconfig->cluster_id;
2601  ptv->cluster_type = afpconfig->cluster_type;
2602  ptv->threads = afpconfig->threads;
2603  }
2604 #endif
2605  ptv->flags = afpconfig->flags;
2606 
2607  if (afpconfig->bpf_filter) {
2608  ptv->bpf_filter = afpconfig->bpf_filter;
2609  }
2610 #ifdef HAVE_PACKET_EBPF
2611  ptv->ebpf_lb_fd = afpconfig->ebpf_lb_fd;
2612  ptv->ebpf_filter_fd = afpconfig->ebpf_filter_fd;
2613  ptv->xdp_mode = afpconfig->xdp_mode;
2614  ptv->ebpf_t_config.cpus_count = UtilCpuGetNumProcessorsConfigured();
2615 
2616  if (ptv->flags & (AFP_BYPASS|AFP_XDPBYPASS)) {
2617  ptv->v4_map_fd = EBPFGetMapFDByName(ptv->iface, "flow_table_v4");
2618  if (ptv->v4_map_fd == -1) {
2619  if (!g_flowv4_ok) {
2620  SCLogError("Can't find eBPF map fd for '%s'", "flow_table_v4");
2621  g_flowv4_ok = true;
2622  }
2623  }
2624  ptv->v6_map_fd = EBPFGetMapFDByName(ptv->iface, "flow_table_v6");
2625  if (ptv->v6_map_fd == -1) {
2626  if (g_flowv6_ok) {
2627  SCLogError("Can't find eBPF map fd for '%s'", "flow_table_v6");
2628  g_flowv6_ok = false;
2629  }
2630  }
2631  }
2632  ptv->ebpf_t_config = afpconfig->ebpf_t_config;
2633 #endif
2634 
2635 #ifdef PACKET_STATISTICS
2636  ptv->capture_kernel_packets = StatsRegisterCounter("capture.kernel_packets",
2637  ptv->tv);
2638  ptv->capture_kernel_drops = StatsRegisterCounter("capture.kernel_drops",
2639  ptv->tv);
2640  ptv->capture_errors = StatsRegisterCounter("capture.errors",
2641  ptv->tv);
2642 
2643  ptv->afpacket_spin = StatsRegisterAvgCounter("capture.afpacket.busy_loop_avg", ptv->tv);
2644 
2645  ptv->capture_afp_poll = StatsRegisterCounter("capture.afpacket.polls", ptv->tv);
2646  ptv->capture_afp_poll_signal = StatsRegisterCounter("capture.afpacket.poll_signal", ptv->tv);
2647  ptv->capture_afp_poll_timeout = StatsRegisterCounter("capture.afpacket.poll_timeout", ptv->tv);
2648  ptv->capture_afp_poll_data = StatsRegisterCounter("capture.afpacket.poll_data", ptv->tv);
2649  ptv->capture_afp_poll_err = StatsRegisterCounter("capture.afpacket.poll_errors", ptv->tv);
2650  ptv->capture_afp_send_err = StatsRegisterCounter("capture.afpacket.send_errors", ptv->tv);
2651 #endif
2652 
2653  ptv->copy_mode = afpconfig->copy_mode;
2654  if (ptv->copy_mode != AFP_COPY_MODE_NONE) {
2655  strlcpy(ptv->out_iface, afpconfig->out_iface, AFP_IFACE_NAME_LENGTH);
2656  ptv->out_iface[AFP_IFACE_NAME_LENGTH - 1]= '\0';
2657  /* Warn about BPF filter consequence */
2658  if (ptv->bpf_filter) {
2659  SCLogWarning("Enabling a BPF filter in IPS mode result"
2660  " in dropping all non matching packets.");
2661  }
2662  }
2663 
2664 
2665  if (AFPPeersListAdd(ptv) == TM_ECODE_FAILED) {
2666  SCFree(ptv);
2667  afpconfig->DerefFunc(afpconfig);
2669  }
2670 
2671  *data = (void *)ptv;
2672 
2673  afpconfig->DerefFunc(afpconfig);
2674 
2675  /* If kernel is older than 3.0, VLAN is not stripped so we don't
2676  * get the info from packet extended header but we will use a standard
2677  * parsing of packet data (See Linux commit bcc6d47903612c3861201cc3a866fb604f26b8b2) */
2678  if (SCKernelVersionIsAtLeast(3, 0)) {
2679  ptv->flags |= AFP_VLAN_IN_HEADER;
2680  }
2681 
2683 }
2684 
2685 /**
2686  * \brief This function prints stats to the screen at exit.
2687  * \param tv pointer to ThreadVars
2688  * \param data pointer that gets cast into AFPThreadVars for ptv
2689  */
2690 void ReceiveAFPThreadExitStats(ThreadVars *tv, void *data)
2691 {
2692  SCEnter();
2693  AFPThreadVars *ptv = (AFPThreadVars *)data;
2694 
2695 #ifdef PACKET_STATISTICS
2696  AFPDumpCounters(ptv);
2697  SCLogPerf("%s: (%s) kernel: Packets %" PRIu64 ", dropped %" PRIu64 "", ptv->iface, tv->name,
2700 #endif
2701 }
2702 
2703 /**
2704  * \brief DeInit function closes af packet socket at exit.
2705  * \param tv pointer to ThreadVars
2706  * \param data pointer that gets cast into AFPThreadVars for ptv
2707  */
2708 TmEcode ReceiveAFPThreadDeinit(ThreadVars *tv, void *data)
2709 {
2710  AFPThreadVars *ptv = (AFPThreadVars *)data;
2711 
2712  AFPSwitchState(ptv, AFP_STATE_DOWN);
2713 
2714 #ifdef HAVE_PACKET_XDP
2715  if ((ptv->ebpf_t_config.flags & EBPF_XDP_CODE) &&
2716  (!(ptv->ebpf_t_config.flags & EBPF_PINNED_MAPS))) {
2717  EBPFSetupXDP(ptv->iface, -1, ptv->xdp_mode);
2718  }
2719 #endif
2720 
2721  ptv->bpf_filter = NULL;
2722  if ((ptv->flags & AFP_TPACKET_V3) && ptv->ring.v3) {
2723  SCFree(ptv->ring.v3);
2724  } else {
2725  if (ptv->ring.v2)
2726  SCFree(ptv->ring.v2);
2727  }
2728 
2729  SCFree(ptv);
2731 }
2732 
2733 /** \internal
2734  * \brief add a VLAN header into the raw data for inspection, logging
2735  * and sending out in IPS mode
2736  *
2737  * The kernel doesn't provide the first VLAN header the raw packet data,
2738  * but instead feeds it to us through meta data. For logging and IPS
2739  * we need to put it back into the raw data. Luckily there is some head
2740  * room in the original data so its enough to move the ethernet header
2741  * a bit to make space for the VLAN header.
2742  */
2743 static void UpdateRawDataForVLANHdr(Packet *p)
2744 {
2745  if (p->afp_v.vlan_tci != 0) {
2746  uint8_t *pstart = GET_PKT_DATA(p) - VLAN_HEADER_LEN;
2747  size_t plen = GET_PKT_LEN(p) + VLAN_HEADER_LEN;
2748  /* move ethernet addresses */
2749  memmove(pstart, GET_PKT_DATA(p), 2 * ETH_ALEN);
2750  /* write vlan info */
2751  *(uint16_t *)(pstart + 2 * ETH_ALEN) = htons(0x8100);
2752  *(uint16_t *)(pstart + 2 * ETH_ALEN + 2) = htons(p->afp_v.vlan_tci);
2753 
2754  /* update the packet raw data pointer to start at the new offset */
2755  (void)PacketSetData(p, pstart, plen);
2756  /* update ethernet header pointer to point to the new start of the data */
2757  p->l2.hdrs.ethh = (void *)pstart;
2758  }
2759 }
2760 
2761 /**
2762  * \brief This function passes off to link type decoders.
2763  *
2764  * DecodeAFP decodes packets from AF_PACKET and passes
2765  * them off to the proper link type decoder.
2766  *
2767  * \param t pointer to ThreadVars
2768  * \param p pointer to the current packet
2769  * \param data pointer that gets cast into AFPThreadVars for ptv
2770  */
2771 TmEcode DecodeAFP(ThreadVars *tv, Packet *p, void *data)
2772 {
2773  SCEnter();
2774 
2775  const bool afp_vlan_hdr = p->vlan_idx != 0;
2777 
2779 
2780  /* update counters */
2782 
2783  /* call the decoder */
2784  DecodeLinkLayer(tv, dtv, p->datalink, p, GET_PKT_DATA(p), GET_PKT_LEN(p));
2785  /* post-decoding put vlan hdr back into the raw data) */
2786  if (afp_vlan_hdr) {
2788  UpdateRawDataForVLANHdr(p);
2789  }
2790 
2792 
2794 }
2795 
2796 TmEcode DecodeAFPThreadInit(ThreadVars *tv, const void *initdata, void **data)
2797 {
2798  SCEnter();
2800  if (dtv == NULL)
2802 
2804 
2805  *data = (void *)dtv;
2806 
2808 }
2809 
2810 TmEcode DecodeAFPThreadDeinit(ThreadVars *tv, void *data)
2811 {
2812  if (data != NULL)
2813  DecodeThreadVarsFree(tv, data);
2815 }
2816 
2817 #endif /* HAVE_AF_PACKET */
2818 /* eof */
2819 /**
2820  * @}
2821  */
TmModule_::cap_flags
uint8_t cap_flags
Definition: tm-modules.h:73
PacketCheckAction
bool PacketCheckAction(const Packet *p, const uint8_t a)
Definition: packet.c:49
AFPIfaceConfig_::promisc
int promisc
Definition: source-af-packet.h:107
tm-threads.h
Packet_::proto
uint8_t proto
Definition: decode.h:498
AFPThreadVars_::promisc
int promisc
Definition: source-af-packet.c:326
AFPIfaceConfig_::checksum_mode
ChecksumValidationMode checksum_mode
Definition: source-af-packet.h:111
PACKET_FANOUT_FLAG_DEFRAG
#define PACKET_FANOUT_FLAG_DEFRAG
Definition: source-af-packet.h:40
len
uint8_t len
Definition: app-layer-dnp3.h:2
peerslist
AFPPeersList peerslist
Definition: source-af-packet.c:443
AFPIfaceConfig_::xdp_mode
uint8_t xdp_mode
Definition: source-af-packet.h:119
AFPV_CLEANUP
#define AFPV_CLEANUP(afpv)
Definition: source-af-packet.h:182
AFP_BYPASS
#define AFP_BYPASS
Definition: source-af-packet.h:65
AFPThreadVars_::pkts
uint64_t pkts
Definition: source-af-packet.c:269
TP_STATUS_VLAN_VALID
#define TP_STATUS_VLAN_VALID
Definition: source-af-packet.c:193
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:166
AFPThreadVars_::checksum_mode
ChecksumValidationMode checksum_mode
Definition: source-af-packet.c:286
ThreadVars_::name
char name[16]
Definition: threadvars.h:65
PacketFreeOrRelease
void PacketFreeOrRelease(Packet *p)
Return a packet to where it was allocated.
Definition: decode.c:250
TAILQ_INIT
#define TAILQ_INIT(head)
Definition: queue.h:262
AFPPeer_::turn
int turn
Definition: source-af-packet.h:140
AFPThreadVars_::AFPRing::v2
union thdr ** v2
Definition: source-af-packet.c:264
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
Definition: util-atomic.h:314
AFPThreadVars_::send_errors_logged
uint64_t send_errors_logged
Definition: source-af-packet.c:300
AFP_COPY_MODE_NONE
#define AFP_COPY_MODE_NONE
Definition: source-af-packet.h:68
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1321
util-bpf.h
AFPThreadVars_::block_size
int block_size
Definition: source-af-packet.c:319
GetFlowBypassInfoID
FlowStorageId GetFlowBypassInfoID(void)
Definition: flow-util.c:212
FlowBypassInfo_
Definition: flow.h:527
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:386
AFPThreadVars_::afpacket_spin
uint16_t afpacket_spin
Definition: source-af-packet.c:292
AFPThreadVars_
Structure to hold thread specific variables.
Definition: source-af-packet.c:262
AFPPeer_::peer
struct AFPPeer_ * peer
Definition: source-af-packet.h:142
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
TmThreadsSetFlag
void TmThreadsSetFlag(ThreadVars *tv, uint32_t flag)
Set a thread flag.
Definition: tm-threads.c:101
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
AFPIfaceConfig_::ebpf_filter_fd
int ebpf_filter_fd
Definition: source-af-packet.h:116
util-checksum.h
AFPThreadVars_::AFPTpacketReq
Definition: source-af-packet.c:338
AFPThreadVars_::block_timeout
int block_timeout
Definition: source-af-packet.c:320
action-globals.h
Packet_::flags
uint32_t flags
Definition: decode.h:513
threads.h
thdr::raw
void * raw
Definition: source-af-packet.c:250
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:504
AFPThreadVars_::buffer_size
int buffer_size
Definition: source-af-packet.c:322
UtilCpuGetNumProcessorsConfigured
uint16_t UtilCpuGetNumProcessorsConfigured(void)
Get the number of cpus configured in the system.
Definition: util-cpu.c:59
AFP_SOCK_PROTECT
#define AFP_SOCK_PROTECT
Definition: source-af-packet.h:60
PACKET_FANOUT_HASH
#define PACKET_FANOUT_HASH
Definition: source-af-packet.h:32
LiveDevice_
Definition: util-device.h:50
AFPPeersListInit
TmEcode AFPPeersListInit(void)
Init the global list of AFPPeer.
Definition: source-af-packet.c:449
AFPThreadVars
struct AFPThreadVars_ AFPThreadVars
Structure to hold thread specific variables.
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:332
AFP_DOWN_COUNTER_INTERVAL
#define AFP_DOWN_COUNTER_INTERVAL
Definition: source-af-packet.c:172
AFPThreadVars_::ring_size
int ring_size
Definition: source-af-packet.c:317
AFPThreadVars_::capture_afp_send_err
uint16_t capture_afp_send_err
Definition: source-af-packet.c:298
THV_RUNNING
#define THV_RUNNING
Definition: threadvars.h:55
AFP_READ_FAILURE
@ AFP_READ_FAILURE
Definition: source-af-packet.c:236
AFPIfaceConfig_::threads
int threads
Definition: source-af-packet.h:92
packet-queue.h
AFPIfaceConfig_::ring_size
int ring_size
Definition: source-af-packet.h:96
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
TmModuleDecodeAFPRegister
void TmModuleDecodeAFPRegister(void)
Registration Function for DecodeAFP.
Definition: source-af-packet.c:599
AFPIfaceConfig_::block_timeout
int block_timeout
Definition: source-af-packet.h:100
SCKernelVersionIsAtLeast
int SCKernelVersionIsAtLeast(int major, int minor)
Definition: util-host-info.c:37
AFPThreadVars_::ring
union AFPThreadVars_::AFPRing ring
tm-threads-common.h
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
MIN
#define MIN(x, y)
Definition: suricata-common.h:400
tm-modules.h
util-privs.h
AFP_PEERS_MAX_TRY
#define AFP_PEERS_MAX_TRY
CHECKSUM_VALIDATION_DISABLE
@ CHECKSUM_VALIDATION_DISABLE
Definition: decode.h:42
AFP_IFACE_NAME_LENGTH
#define AFP_IFACE_NAME_LENGTH
Definition: source-af-packet.c:166
AFPIfaceConfig_::out_iface
const char * out_iface
Definition: source-af-packet.h:120
AFPThreadVars_::AFPTpacketReq::v3
struct tpacket_req3 v3
Definition: source-af-packet.c:340
CHECKSUM_VALIDATION_KERNEL
@ CHECKSUM_VALIDATION_KERNEL
Definition: decode.h:46
TAILQ_INSERT_TAIL
#define TAILQ_INSERT_TAIL(head, elm, field)
Definition: queue.h:294
AFP_XDPBYPASS
#define AFP_XDPBYPASS
Definition: source-af-packet.h:66
PacketDecodeFinalize
void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Finalize decoding of a packet.
Definition: decode.c:206
AFPIfaceConfig_::flags
unsigned int flags
Definition: source-af-packet.h:109
AFPThreadVars_::capture_kernel_drops
uint16_t capture_kernel_drops
Definition: source-af-packet.c:290
AFPThreadVars_::ring_buf
uint8_t * ring_buf
Definition: source-af-packet.c:349
AFP_STATE_UP
#define AFP_STATE_UP
Definition: source-af-packet.c:169
Packet_::BypassPacketsFlow
int(* BypassPacketsFlow)(struct Packet_ *)
Definition: decode.h:563
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:81
AFPPeersListClean
void AFPPeersListClean(void)
Clean the global peers list.
Definition: source-af-packet.c:581
AFPGetLinkType
int AFPGetLinkType(const char *ifname)
Definition: source-af-packet.c:1523
GET_IPV6_DST_ADDR
#define GET_IPV6_DST_ADDR(p)
Definition: decode.h:200
ChecksumAutoModeCheck
int ChecksumAutoModeCheck(uint64_t thread_count, uint64_t iface_count, uint64_t iface_fail)
Check if the number of invalid checksums indicate checksum offloading in place.
Definition: util-checksum.c:69
tmqh-packetpool.h
AFPPeer_::sock_protect
SCMutex sock_protect
Definition: source-af-packet.h:139
AFPPeersListCheck
TmEcode AFPPeersListCheck(void)
Check that all AFPPeer got a peer.
Definition: source-af-packet.c:466
TmModule_::PktAcqLoop
TmEcode(* PktAcqLoop)(ThreadVars *, void *, void *)
Definition: tm-modules.h:54
AFP_PEERS_WAIT
#define AFP_PEERS_WAIT
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
AFPPeersList
struct AFPPeersList_ AFPPeersList
AFP_BLOCK_SIZE_DEFAULT_ORDER
#define AFP_BLOCK_SIZE_DEFAULT_ORDER
Definition: source-af-packet.h:78
AFPIfaceConfig_::cluster_type
int cluster_type
Definition: source-af-packet.h:105
AFPIfaceConfig_::cluster_id
uint16_t cluster_id
Definition: source-af-packet.h:104
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
TmModule_::ThreadDeinit
TmEcode(* ThreadDeinit)(ThreadVars *, void *)
Definition: tm-modules.h:49
Packet_::datalink
int datalink
Definition: decode.h:608
AFPThreadVars_::socket
int socket
Definition: source-af-packet.c:315
AFP_VLAN_IN_HEADER
#define AFP_VLAN_IN_HEADER
Definition: source-af-packet.h:63
AFPIfaceConfig_::block_size
int block_size
Definition: source-af-packet.h:98
PKT_SET_SRC
#define PKT_SET_SRC(p, src_val)
Definition: decode.h:1325
CHECKSUM_VALIDATION_ENABLE
@ CHECKSUM_VALIDATION_ENABLE
Definition: decode.h:43
AFPPeersList_
Definition: source-af-packet.c:408
DecodeRegisterPerfCounters
void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv)
Definition: decode.c:602
CHECKSUM_VALIDATION_AUTO
@ CHECKSUM_VALIDATION_AUTO
Definition: decode.h:44
AFPThreadVars_::frame_offset
unsigned int frame_offset
Definition: source-af-packet.c:284
GetIfaceMaxPacketSize
int GetIfaceMaxPacketSize(LiveDevice *ld)
output max packet size for a link
Definition: util-ioctl.c:120
TAILQ_REMOVE
#define TAILQ_REMOVE(head, elm, field)
Definition: queue.h:312
decode.h
TMM_DECODEAFP
@ TMM_DECODEAFP
Definition: tm-threads-common.h:54
util-device.h
util-debug.h
PKT_SRC_WIRE
@ PKT_SRC_WIRE
Definition: decode.h:51
TAILQ_FIRST
#define TAILQ_FIRST(head)
Definition: queue.h:250
AFPIfaceConfig_::ebpf_lb_fd
int ebpf_lb_fd
Definition: source-af-packet.h:114
util-error.h
AFPThreadVars_::datalink
uint32_t datalink
Definition: source-af-packet.c:275
VLAN_HEADER_LEN
#define VLAN_HEADER_LEN
Definition: decode-vlan.h:46
TmModule_::PktAcqBreakLoop
TmEcode(* PktAcqBreakLoop)(ThreadVars *, void *)
Definition: tm-modules.h:57
FlowBypassInfo_::BypassUpdate
bool(* BypassUpdate)(Flow *f, void *data, time_t tsec)
Definition: flow.h:528
TP_STATUS_CSUMNOTREADY
#define TP_STATUS_CSUMNOTREADY
Definition: source-af-packet.c:190
AFP_MMAP_LOCKED
#define AFP_MMAP_LOCKED
Definition: source-af-packet.h:64
AFPThreadVars_::capture_afp_poll_data
uint16_t capture_afp_poll_data
Definition: source-af-packet.c:296
util-cpu.h
FlowBypassInfo_::BypassFree
void(* BypassFree)(void *data)
Definition: flow.h:529
Packet_::ts
SCTime_t ts
Definition: decode.h:524
AFP_TRUNC_PKT
@ AFP_TRUNC_PKT
Definition: decode-events.h:31
BIT_U32
#define BIT_U32(n)
Definition: suricata-common.h:409
TmModuleReceiveAFPRegister
void TmModuleReceiveAFPRegister(void)
Registration Function for RecieveAFP.
Definition: source-af-packet.c:381
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
PACKET_FANOUT_LB
#define PACKET_FANOUT_LB
Definition: source-af-packet.h:33
SCTime_t::secs
uint64_t secs
Definition: util-time.h:41
LiveGetDevice
LiveDevice * LiveGetDevice(const char *name)
Get a pointer to the device at idx.
Definition: util-device.c:248
TP_STATUS_USER
#define TP_STATUS_USER
Definition: source-af-packet.c:181
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:205
AFPThreadVars_::threads
int threads
Definition: source-af-packet.c:336
util-ebpf.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
TmModule_::Func
TmEcode(* Func)(ThreadVars *, Packet *, void *)
Definition: tm-modules.h:52
Packet_::sp
Port sp
Definition: decode.h:483
AFP_RECOVERABLE_ERROR
@ AFP_RECOVERABLE_ERROR
Definition: source-af-packet.c:244
AFPThreadVars_::ring_buflen
unsigned int ring_buflen
Definition: source-af-packet.c:348
LiveDevice_::dev
char * dev
Definition: util-device.h:51
FlowBypassInfo_::bypass_data
void * bypass_data
Definition: flow.h:530
AFPIfaceConfig_::DerefFunc
void(* DerefFunc)(void *)
Definition: source-af-packet.h:125
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
AFPThreadVars_::afp_state
uint8_t afp_state
Definition: source-af-packet.c:303
TP_STATUS_USER_BUSY
#define TP_STATUS_USER_BUSY
Definition: source-af-packet.c:227
AFPThreadVars_::iface
char iface[AFP_IFACE_NAME_LENGTH]
Definition: source-af-packet.c:343
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:309
AFP_STATE_DOWN
#define AFP_STATE_DOWN
Definition: source-af-packet.c:168
SC_ATOMIC_SUB
#define SC_ATOMIC_SUB(name, val)
sub a value from our atomic variable
Definition: util-atomic.h:341
StatsGetLocalCounterValue
uint64_t StatsGetLocalCounterValue(ThreadVars *tv, uint16_t id)
Get the value of the local copy of the counter that hold this id.
Definition: counters.c:1250
SC_ATOMIC_DECLARE
#define SC_ATOMIC_DECLARE(type, name)
wrapper for declaring atomic variables.
Definition: util-atomic.h:280
PacketPoolWait
void PacketPoolWait(void)
Definition: tmqh-packetpool.c:80
AFPThreadVars_::AFPRing::v3
struct iovec * v3
Definition: source-af-packet.c:265
Packet_
Definition: decode.h:476
TM_FLAG_DECODE_TM
#define TM_FLAG_DECODE_TM
Definition: tm-modules.h:33
tmm_modules
TmModule tmm_modules[TMM_SIZE]
Definition: tm-modules.c:29
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:204
AFPPeer_::flags
int flags
Definition: source-af-packet.h:138
conf.h
TmSlot_
Definition: tm-threads.h:53
PKT_IGNORE_CHECKSUM
#define PKT_IGNORE_CHECKSUM
Definition: decode.h:1282
SCTime_t
Definition: util-time.h:40
Packet_::livedev
struct LiveDevice_ * livedev
Definition: decode.h:587
TmEcode
TmEcode
Definition: tm-threads-common.h:79
max_pending_packets
uint32_t max_pending_packets
Definition: suricata.c:180
util-host-info.h
LiveDevice_::mtu
int mtu
Definition: util-device.h:53
TmModule_::name
const char * name
Definition: tm-modules.h:44
AFPThreadVars_::pkttype_filter_mask
uint32_t pkttype_filter_mask
Definition: source-af-packet.c:329
AFPThreadVars_::capture_afp_poll_timeout
uint16_t capture_afp_poll_timeout
Definition: source-af-packet.c:295
LiveDevAddBypassStats
void LiveDevAddBypassStats(LiveDevice *dev, uint64_t cnt, int family)
Definition: util-device.c:496
PacketL2::L2Hdrs::ethh
EthernetHdr * ethh
Definition: decode.h:397
DecodeThreadVars_::counter_vlan
uint16_t counter_vlan
Definition: decode.h:969
runmodes.h
LiveDevAddBypassSuccess
void LiveDevAddBypassSuccess(LiveDevice *dev, uint64_t cnt, int family)
Definition: util-device.c:553
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:224
FlowGetStorageById
void * FlowGetStorageById(const Flow *f, FlowStorageId id)
Definition: flow-storage.c:40
SCMutexInit
#define SCMutexInit(mut, mutattrs)
Definition: threads-debug.h:116
TM_FLAG_RECEIVE_TM
#define TM_FLAG_RECEIVE_TM
Definition: tm-modules.h:32
AFP_NEED_PEER
#define AFP_NEED_PEER
Definition: source-af-packet.h:58
AFPThreadVars_::down_count
int down_count
Definition: source-af-packet.c:331
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
AFPThreadVars_::cluster_type
int cluster_type
Definition: source-af-packet.c:334
AFPThreadVars_::livedev
LiveDevice * livedev
Definition: source-af-packet.c:273
default_packet_size
uint32_t default_packet_size
Definition: decode.c:77
LINKTYPE_RAW
#define LINKTYPE_RAW
Definition: decode.h:1236
tm-queuehandlers.h
Packet_::l2
struct PacketL2 l2
Definition: decode.h:568
AFPThreadVars_::cluster_id
uint16_t cluster_id
Definition: source-af-packet.c:333
AFPThreadVars_::slot
TmSlot * slot
Definition: source-af-packet.c:272
Packet_::ReleasePacket
void(* ReleasePacket)(struct Packet_ *)
Definition: decode.h:560
flow-storage.h
cnt
uint32_t cnt
Definition: tmqh-packetpool.h:7
TMM_RECEIVEAFP
@ TMM_RECEIVEAFP
Definition: tm-threads-common.h:52
Packet_::flow
struct Flow_ * flow
Definition: decode.h:515
AFPThreadVars_::capture_afp_poll_signal
uint16_t capture_afp_poll_signal
Definition: source-af-packet.c:294
AFPPeer_
Definition: source-af-packet.h:133
DecodeThreadVarsFree
void DecodeThreadVarsFree(ThreadVars *tv, DecodeThreadVars *dtv)
Definition: decode.c:792
AFPThreadVars_::capture_afp_poll_err
uint16_t capture_afp_poll_err
Definition: source-af-packet.c:297
ChecksumValidationMode
ChecksumValidationMode
Definition: decode.h:41
suricata-common.h
packet.h
AFPThreadVars_::flags
unsigned int flags
Definition: source-af-packet.c:305
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
SCLogPerf
#define SCLogPerf(...)
Definition: util-debug.h:230
version
uint8_t version
Definition: decode-gre.h:1
SCBPFFree
void SCBPFFree(struct bpf_program *program)
Definition: util-bpf.c:56
TmModule_::ThreadInit
TmEcode(* ThreadInit)(ThreadVars *, const void *, void **)
Definition: tm-modules.h:47
thdr::h2
struct tpacket2_hdr * h2
Definition: source-af-packet.c:248
AFP_TPACKET_V3
#define AFP_TPACKET_V3
Definition: source-af-packet.h:62
LiveDevAddBypassFail
void LiveDevAddBypassFail(LiveDevice *dev, uint64_t cnt, int family)
Definition: util-device.c:534
FatalError
#define FatalError(...)
Definition: util-debug.h:502
AFPIfaceConfig_::v2_block_size
int v2_block_size
Definition: source-af-packet.h:102
thdr
Definition: source-af-packet.c:247
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
util-optimize.h
TmModule_::ThreadExitPrintStats
void(* ThreadExitPrintStats)(ThreadVars *, void *)
Definition: tm-modules.h:48
threadvars.h
util-validate.h
source-af-packet.h
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:146
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
FRAME_BUSY
#define FRAME_BUSY(tp_status)
Definition: source-af-packet.c:231
AFPThreadVars_::snaplen
int snaplen
Definition: source-af-packet.c:351
POLL_TIMEOUT
#define POLL_TIMEOUT
Definition: source-af-packet.c:174
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
GET_IPV6_SRC_ADDR
#define GET_IPV6_SRC_ADDR(p)
Definition: decode.h:199
SCFree
#define SCFree(p)
Definition: util-mem.h:61
AFP_COPY_MODE_IPS
#define AFP_COPY_MODE_IPS
Definition: source-af-packet.h:70
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:932
AFPThreadVars_::v2_block_size
int v2_block_size
Definition: source-af-packet.c:318
AFPThreadVars_::tv
ThreadVars * tv
Definition: source-af-packet.c:271
AFPIfaceConfig_::buffer_size
int buffer_size
Definition: source-af-packet.h:94
AFPThreadVars_::req
union AFPThreadVars_::AFPTpacketReq req
util-ioctl.h
AFP_RECONNECT_TIMEOUT
#define AFP_RECONNECT_TIMEOUT
Definition: source-af-packet.c:171
DecodeThreadVarsAlloc
DecodeThreadVars * DecodeThreadVarsAlloc(ThreadVars *tv)
Alloc and setup DecodeThreadVars.
Definition: decode.c:774
AFP_SURI_FAILURE
@ AFP_SURI_FAILURE
Definition: source-af-packet.c:238
TAILQ_HEAD
#define TAILQ_HEAD(name, type)
Definition: queue.h:230
PacketSetData
int PacketSetData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Set data for Packet and set length when zero copy is used.
Definition: decode.c:812
PacketL2::hdrs
union PacketL2::L2Hdrs hdrs
AFPThreadVars_::out_iface
char out_iface[AFP_IFACE_NAME_LENGTH]
Definition: source-af-packet.c:345
TP_STATUS_KERNEL
#define TP_STATUS_KERNEL
Definition: source-af-packet.c:178
AFPIfaceConfig_::iface
char iface[AFP_IFACE_NAME_LENGTH]
Definition: source-af-packet.h:90
SCBPFCompile
int SCBPFCompile(int snaplen_arg, int linktype_arg, struct bpf_program *program, const char *buf, int optimize, uint32_t mask, char *errbuf, size_t errbuf_len)
Definition: util-bpf.c:62
suricata.h
Packet_::dst
Address dst
Definition: decode.h:481
AFPThreadVars_::copy_mode
uint8_t copy_mode
Definition: source-af-packet.c:304
ENGINE_SET_INVALID_EVENT
#define ENGINE_SET_INVALID_EVENT(p, e)
Definition: decode.h:1158
DEFAULT_TPACKET_DEFRAG_SNAPLEN
#define DEFAULT_TPACKET_DEFRAG_SNAPLEN
Definition: source-af-packet.h:86
AFPIfaceConfig_::copy_mode
uint8_t copy_mode
Definition: source-af-packet.h:110
Packet_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: decode.h:503
AFP_READ_OK
@ AFP_READ_OK
Definition: source-af-packet.c:235
TmSlot_::slot_next
struct TmSlot_ * slot_next
Definition: tm-threads.h:62
thdr::h3
struct tpacket3_hdr * h3
Definition: source-af-packet.c:249
AFPIfaceConfig_
Definition: source-af-packet.h:89
AFPIfaceConfig_::bpf_filter
const char * bpf_filter
Definition: source-af-packet.h:112
StatsRegisterAvgCounter
uint16_t StatsRegisterAvgCounter(const char *name, struct ThreadVars_ *tv)
Registers a counter, whose value holds the average of all the values assigned to it.
Definition: counters.c:971
GET_IPV4_SRC_ADDR_U32
#define GET_IPV4_SRC_ADDR_U32(p)
Definition: decode.h:192
PACKET_FANOUT
#define PACKET_FANOUT
Definition: source-af-packet.h:30
AFPThreadVars_::AFPRing
Definition: source-af-packet.c:263
StatsSyncCountersIfSignalled
void StatsSyncCountersIfSignalled(ThreadVars *tv)
Definition: counters.c:449
GET_IPV4_DST_ADDR_U32
#define GET_IPV4_DST_ADDR_U32(p)
Definition: decode.h:193
AFPPeer_::iface
char iface[AFP_IFACE_NAME_LENGTH]
Definition: source-af-packet.h:144
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:375
AFPThreadVars_::capture_kernel_packets
uint16_t capture_kernel_packets
Definition: source-af-packet.c:289
Packet_::dp
Port dp
Definition: decode.h:491
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:951
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
SCMutexDestroy
#define SCMutexDestroy
Definition: threads-debug.h:120
AFPThreadVars_::capture_errors
uint16_t capture_errors
Definition: source-af-packet.c:291
AFPThreadVars_::AFPTpacketReq::v2
struct tpacket_req v2
Definition: source-af-packet.c:339
AFPThreadVars_::bpf_filter
const char * bpf_filter
Definition: source-af-packet.c:324
AFPThreadVars_::mpeer
AFPPeer * mpeer
Definition: source-af-packet.c:308
AFP_FATAL_ERROR
@ AFP_FATAL_ERROR
Definition: source-af-packet.c:243
PacketGetFromQueueOrAlloc
Packet * PacketGetFromQueueOrAlloc(void)
Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packe...
Definition: decode.c:267
SC_CAP_NET_RAW
#define SC_CAP_NET_RAW
Definition: util-privs.h:32
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
Packet_::src
Address src
Definition: decode.h:480
TP_STATUS_LOSING
#define TP_STATUS_LOSING
Definition: source-af-packet.c:187
TmModule_::flags
uint8_t flags
Definition: tm-modules.h:76
AFPIsFanoutSupported
int AFPIsFanoutSupported(uint16_t cluster_id)
test if we can use FANOUT. Older kernels like those in CentOS6 have HAVE_PACKET_FANOUT defined but fa...
Definition: source-af-packet.c:1877
DecodeUpdatePacketCounters
void DecodeUpdatePacketCounters(ThreadVars *tv, const DecodeThreadVars *dtv, const Packet *p)
Definition: decode.c:740
AFP_KERNEL_DROP
@ AFP_KERNEL_DROP
Definition: source-af-packet.c:239
AFPThreadVars_::capture_afp_poll
uint16_t capture_afp_poll
Definition: source-af-packet.c:293
LINKTYPE_ETHERNET
#define LINKTYPE_ETHERNET
Definition: decode.h:1233
suricata_ctl_flags
volatile uint8_t suricata_ctl_flags
Definition: suricata.c:169
AFP_EMERGENCY_MODE
#define AFP_EMERGENCY_MODE
Definition: source-af-packet.h:61