suricata
source-af-packet.c
Go to the documentation of this file.
1 /* Copyright (C) 2011-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \defgroup afppacket AF_PACKET running mode
20  *
21  * @{
22  */
23 
24 /**
25  * \file
26  *
27  * \author Eric Leblond <eric@regit.org>
28  *
29  * AF_PACKET socket acquisition support
30  *
31  */
32 
33 #define SC_PCAP_DONT_INCLUDE_PCAP_H 1
34 #include "suricata-common.h"
35 #include "suricata.h"
36 #include "packet.h"
37 #include "decode.h"
38 #include "packet-queue.h"
39 #include "threads.h"
40 #include "threadvars.h"
41 #include "tm-queuehandlers.h"
42 #include "tm-modules.h"
43 #include "tm-threads.h"
44 #include "tm-threads-common.h"
45 #include "conf.h"
46 #include "util-cpu.h"
47 #include "util-datalink.h"
48 #include "util-debug.h"
49 #include "util-device.h"
50 #include "util-ebpf.h"
51 #include "util-error.h"
52 #include "util-privs.h"
53 #include "util-optimize.h"
54 #include "util-checksum.h"
55 #include "util-ioctl.h"
56 #include "util-host-info.h"
57 #include "tmqh-packetpool.h"
58 #include "source-af-packet.h"
59 #include "runmodes.h"
60 #include "flow-storage.h"
61 #include "util-validate.h"
62 #include "action-globals.h"
63 
64 #ifdef HAVE_AF_PACKET
65 
66 #if HAVE_SYS_IOCTL_H
67 #include <sys/ioctl.h>
68 #endif
69 
70 #if HAVE_LINUX_SOCKIOS_H
71 #include <linux/sockios.h>
72 #endif
73 
74 #ifdef HAVE_PACKET_EBPF
75 #define PCAP_DONT_INCLUDE_PCAP_BPF_H 1
76 #include <bpf/libbpf.h>
77 #include <bpf/bpf.h>
78 
79 struct bpf_program {
80  unsigned int bf_len;
81  struct bpf_insn *bf_insns;
82 };
83 #endif
84 
85 #ifdef HAVE_PCAP_H
86 #include <pcap.h>
87 #endif
88 
89 #ifdef HAVE_PCAP_PCAP_H
90 #include <pcap/pcap.h>
91 #endif
92 
93 #include "util-bpf.h"
94 
95 #if HAVE_LINUX_IF_ETHER_H
96 #include <linux/if_ether.h>
97 #endif
98 
99 #if HAVE_LINUX_IF_PACKET_H
100 #include <linux/if_packet.h>
101 #endif
102 
103 #if HAVE_LINUX_IF_ARP_H
104 #include <linux/if_arp.h>
105 #endif
106 
107 #if HAVE_LINUX_FILTER_H
108 #include <linux/filter.h>
109 #endif
110 
111 #if HAVE_SYS_MMAN_H
112 #include <sys/mman.h>
113 #endif
114 
115 #ifdef HAVE_HW_TIMESTAMPING
116 #include <linux/net_tstamp.h>
117 #endif
118 
119 #endif /* HAVE_AF_PACKET */
120 
121 extern uint32_t max_pending_packets;
122 
123 #ifndef HAVE_AF_PACKET
124 
125 TmEcode NoAFPSupportExit(ThreadVars *, const void *, void **);
126 
127 void TmModuleReceiveAFPRegister (void)
128 {
129  tmm_modules[TMM_RECEIVEAFP].name = "ReceiveAFP";
130  tmm_modules[TMM_RECEIVEAFP].ThreadInit = NoAFPSupportExit;
131  tmm_modules[TMM_RECEIVEAFP].Func = NULL;
132  tmm_modules[TMM_RECEIVEAFP].ThreadExitPrintStats = NULL;
133  tmm_modules[TMM_RECEIVEAFP].ThreadDeinit = NULL;
134  tmm_modules[TMM_RECEIVEAFP].cap_flags = 0;
135  tmm_modules[TMM_RECEIVEAFP].flags = TM_FLAG_RECEIVE_TM;
136 }
137 
138 /**
139  * \brief Registration Function for DecodeAFP.
140  */
141 void TmModuleDecodeAFPRegister (void)
142 {
143  tmm_modules[TMM_DECODEAFP].name = "DecodeAFP";
144  tmm_modules[TMM_DECODEAFP].ThreadInit = NoAFPSupportExit;
145  tmm_modules[TMM_DECODEAFP].Func = NULL;
146  tmm_modules[TMM_DECODEAFP].ThreadExitPrintStats = NULL;
147  tmm_modules[TMM_DECODEAFP].ThreadDeinit = NULL;
148  tmm_modules[TMM_DECODEAFP].cap_flags = 0;
149  tmm_modules[TMM_DECODEAFP].flags = TM_FLAG_DECODE_TM;
150 }
151 
152 /**
153  * \brief this function prints an error message and exits.
154  */
155 TmEcode NoAFPSupportExit(ThreadVars *tv, const void *initdata, void **data)
156 {
157  SCLogError("Error creating thread %s: you do not have "
158  "support for AF_PACKET enabled, on Linux host please recompile "
159  "with --enable-af-packet",
160  tv->name);
161  exit(EXIT_FAILURE);
162 }
163 
164 #else /* We have AF_PACKET support */
165 
166 #define AFP_IFACE_NAME_LENGTH 48
167 
168 #define AFP_STATE_DOWN 0
169 #define AFP_STATE_UP 1
170 
171 #define AFP_RECONNECT_TIMEOUT 500000
172 #define AFP_DOWN_COUNTER_INTERVAL 40
173 
174 #define POLL_TIMEOUT 100
175 
176 /* kernel flags defined for RX ring tp_status */
177 #ifndef TP_STATUS_KERNEL
178 #define TP_STATUS_KERNEL 0
179 #endif
180 #ifndef TP_STATUS_USER
181 #define TP_STATUS_USER BIT_U32(0)
182 #endif
183 #ifndef TP_STATUS_COPY
184 #define TP_STATUS_COPY BIT_U32(1)
185 #endif
186 #ifndef TP_STATUS_LOSING
187 #define TP_STATUS_LOSING BIT_U32(2)
188 #endif
189 #ifndef TP_STATUS_CSUMNOTREADY
190 #define TP_STATUS_CSUMNOTREADY BIT_U32(3)
191 #endif
192 #ifndef TP_STATUS_VLAN_VALID
193 #define TP_STATUS_VLAN_VALID BIT_U32(4)
194 #endif
195 #ifndef TP_STATUS_BLK_TMO
196 #define TP_STATUS_BLK_TMO BIT_U32(5)
197 #endif
198 #ifndef TP_STATUS_VLAN_TPID_VALID
199 #define TP_STATUS_VLAN_TPID_VALID BIT_U32(6)
200 #endif
201 #ifndef TP_STATUS_CSUM_VALID
202 #define TP_STATUS_CSUM_VALID BIT_U32(7)
203 #endif
204 
205 #ifndef TP_STATUS_TS_SOFTWARE
206 #define TP_STATUS_TS_SOFTWARE BIT_U32(29)
207 #endif
208 #ifndef TP_STATUS_TS_SYS_HARDWARE
209 #define TP_STATUS_TS_SYS_HARDWARE BIT_U32(30) /* kernel comment says: "deprecated, never set" */
210 #endif
211 #ifndef TP_STATUS_TS_RAW_HARDWARE
212 #define TP_STATUS_TS_RAW_HARDWARE BIT_U32(31)
213 #endif
214 
215 #ifndef TP_STATUS_USER_BUSY
216 /* HACK special setting in the tp_status field for frames we are
217  * still working on. This can happen in autofp mode where the
218  * capture thread goes around the ring and finds a frame that still
219  * hasn't been released by a worker thread.
220  *
221  * We use bits 29, 30, 31. 29 and 31 are software and hardware
222  * timestamps. 30 should not be set by the kernel at all. Combined
223  * they should never be set on the rx-ring together.
224  *
225  * The excessive casting is for handling the fact that the kernel
226  * defines almost all of these as int flags, not unsigned ints. */
227 #define TP_STATUS_USER_BUSY \
228  (uint32_t)((uint32_t)TP_STATUS_TS_SOFTWARE | (uint32_t)TP_STATUS_TS_SYS_HARDWARE | \
229  (uint32_t)TP_STATUS_TS_RAW_HARDWARE)
230 #endif
231 #define FRAME_BUSY(tp_status) \
232  (((uint32_t)(tp_status) & (uint32_t)TP_STATUS_USER_BUSY) == (uint32_t)TP_STATUS_USER_BUSY)
233 
234 enum {
235  AFP_READ_OK,
236  AFP_READ_FAILURE,
237  /** Error during treatment by other functions of Suricata */
238  AFP_SURI_FAILURE,
239  AFP_KERNEL_DROP,
240 };
241 
242 enum {
243  AFP_FATAL_ERROR = 1,
244  AFP_RECOVERABLE_ERROR,
245 };
246 
247 union thdr {
248  struct tpacket2_hdr *h2;
249 #ifdef HAVE_TPACKET_V3
250  struct tpacket3_hdr *h3;
251 #endif
252  void *raw;
253 };
254 
255 #ifdef HAVE_PACKET_EBPF
256 static int AFPBypassCallback(Packet *p);
257 static int AFPXDPBypassCallback(Packet *p);
258 #endif
259 
260 /**
261  * \brief Structure to hold thread specific variables.
262  */
263 typedef struct AFPThreadVars_
264 {
265  union AFPRing {
266  union thdr **v2;
267  struct iovec *v3;
268  } ring;
269 
270  /* counters */
271  uint64_t pkts;
272 
273  ThreadVars *tv;
274  TmSlot *slot;
275  LiveDevice *livedev;
276  /* data link type for the thread */
277  uint32_t datalink;
278 
279 #ifdef HAVE_PACKET_EBPF
280  /* File descriptor of the IPv4 flow bypass table maps */
281  int v4_map_fd;
282  /* File descriptor of the IPv6 flow bypass table maps */
283  int v6_map_fd;
284 #endif
285 
286  unsigned int frame_offset;
287 
288  ChecksumValidationMode checksum_mode;
289 
290  /* references to packet and drop counters */
291  uint16_t capture_kernel_packets;
292  uint16_t capture_kernel_drops;
293  uint16_t capture_errors;
294  uint16_t afpacket_spin;
295  uint16_t capture_afp_poll;
296  uint16_t capture_afp_poll_signal;
297  uint16_t capture_afp_poll_timeout;
298  uint16_t capture_afp_poll_data;
299  uint16_t capture_afp_poll_err;
300  uint16_t capture_afp_send_err;
301 
302  uint64_t send_errors_logged; /**< snapshot of send errors logged. */
303 
304  /* handle state */
305  uint8_t afp_state;
306  uint8_t copy_mode;
307  unsigned int flags;
308 
309  /* IPS peer */
310  AFPPeer *mpeer;
311 
312  /*
313  * Init related members
314  */
315 
316  /* thread specific socket */
317  int socket;
318 
319  int ring_size;
320  int block_size;
321  int block_timeout;
322  /* socket buffer size */
323  int buffer_size;
324  /* Filter */
325  const char *bpf_filter;
326 
327  int promisc;
328 
329  /* bitmask of ignored ssl_pkttypes */
330  uint32_t pkttype_filter_mask;
331 
332  int down_count;
333 
334  uint16_t cluster_id;
335  int cluster_type;
336 
337  int threads;
338 
339  union AFPTpacketReq {
340  struct tpacket_req v2;
341 #ifdef HAVE_TPACKET_V3
342  struct tpacket_req3 v3;
343 #endif
344  } req;
345 
346  char iface[AFP_IFACE_NAME_LENGTH];
347  /* IPS output iface */
348  char out_iface[AFP_IFACE_NAME_LENGTH];
349 
350  /* mmap'ed ring buffer */
351  unsigned int ring_buflen;
352  uint8_t *ring_buf;
353 
354 #ifdef HAVE_PACKET_EBPF
355  uint8_t xdp_mode;
356  int ebpf_lb_fd;
357  int ebpf_filter_fd;
358  struct ebpf_timeout_config ebpf_t_config;
359 #endif
360 
361 } AFPThreadVars;
362 
363 static TmEcode ReceiveAFPThreadInit(ThreadVars *, const void *, void **);
364 static void ReceiveAFPThreadExitStats(ThreadVars *, void *);
365 static TmEcode ReceiveAFPThreadDeinit(ThreadVars *, void *);
366 static TmEcode ReceiveAFPLoop(ThreadVars *tv, void *data, void *slot);
367 
368 static TmEcode DecodeAFPThreadInit(ThreadVars *, const void *, void **);
369 static TmEcode DecodeAFPThreadDeinit(ThreadVars *tv, void *data);
370 static TmEcode DecodeAFP(ThreadVars *, Packet *, void *);
371 
372 static TmEcode AFPSetBPFFilter(AFPThreadVars *ptv);
373 static int AFPGetIfnumByDev(int fd, const char *ifname, int verbose);
374 static int AFPGetDevFlags(int fd, const char *ifname);
375 static int AFPDerefSocket(AFPPeer* peer);
376 static int AFPRefSocket(AFPPeer* peer);
377 
378 
379 /**
380  * \brief Registration Function for RecieveAFP.
381  * \todo Unit tests are needed for this module.
382  */
383 void TmModuleReceiveAFPRegister (void)
384 {
385  tmm_modules[TMM_RECEIVEAFP].name = "ReceiveAFP";
386  tmm_modules[TMM_RECEIVEAFP].ThreadInit = ReceiveAFPThreadInit;
387  tmm_modules[TMM_RECEIVEAFP].Func = NULL;
388  tmm_modules[TMM_RECEIVEAFP].PktAcqLoop = ReceiveAFPLoop;
389  tmm_modules[TMM_RECEIVEAFP].PktAcqBreakLoop = NULL;
390  tmm_modules[TMM_RECEIVEAFP].ThreadExitPrintStats = ReceiveAFPThreadExitStats;
391  tmm_modules[TMM_RECEIVEAFP].ThreadDeinit = ReceiveAFPThreadDeinit;
392  tmm_modules[TMM_RECEIVEAFP].cap_flags = SC_CAP_NET_RAW;
393  tmm_modules[TMM_RECEIVEAFP].flags = TM_FLAG_RECEIVE_TM;
394 
395 }
396 
397 /**
398  * \defgroup afppeers AFP peers list
399  *
400  * AF_PACKET has an IPS mode were interface are peered: packet from
401  * on interface are sent the peered interface and the other way. The ::AFPPeer
402  * list is maintaining the list of peers. Each ::AFPPeer is storing the needed
403  * information to be able to send packet on the interface.
404  * A element of the list must not be destroyed during the run of Suricata as it
405  * is used by ::Packet and other threads.
406  *
407  * @{
408  */
409 
410 typedef struct AFPPeersList_ {
411  TAILQ_HEAD(, AFPPeer_) peers; /**< Head of list of fragments. */
412  int cnt;
413  int peered;
414  int turn; /**< Next value for initialisation order */
415  SC_ATOMIC_DECLARE(int, reached); /**< Counter used to synchronize start */
416 } AFPPeersList;
417 
418 /**
419  * \brief Update the peer.
420  *
421  * Update the AFPPeer of a thread ie set new state, socket number
422  * or iface index.
423  *
424  */
425 static void AFPPeerUpdate(AFPThreadVars *ptv)
426 {
427  if (ptv->mpeer == NULL) {
428  return;
429  }
430  (void)SC_ATOMIC_SET(ptv->mpeer->if_idx, AFPGetIfnumByDev(ptv->socket, ptv->iface, 0));
431  (void)SC_ATOMIC_SET(ptv->mpeer->socket, ptv->socket);
432  (void)SC_ATOMIC_SET(ptv->mpeer->state, ptv->afp_state);
433 }
434 
435 /**
436  * \brief Clean and free ressource used by an ::AFPPeer
437  */
438 static void AFPPeerClean(AFPPeer *peer)
439 {
440  if (peer->flags & AFP_SOCK_PROTECT)
441  SCMutexDestroy(&peer->sock_protect);
442  SCFree(peer);
443 }
444 
445 AFPPeersList peerslist;
446 
447 
448 /**
449  * \brief Init the global list of ::AFPPeer
450  */
451 TmEcode AFPPeersListInit(void)
452 {
453  SCEnter();
454  TAILQ_INIT(&peerslist.peers);
455  peerslist.peered = 0;
456  peerslist.cnt = 0;
457  peerslist.turn = 0;
458  SC_ATOMIC_INIT(peerslist.reached);
459  (void) SC_ATOMIC_SET(peerslist.reached, 0);
460  SCReturnInt(TM_ECODE_OK);
461 }
462 
463 /**
464  * \brief Check that all ::AFPPeer got a peer
465  *
466  * \retval TM_ECODE_FAILED if some threads are not peered or TM_ECODE_OK else.
467  */
468 TmEcode AFPPeersListCheck(void)
469 {
470 #define AFP_PEERS_MAX_TRY 4
471 #define AFP_PEERS_WAIT 20000
472  int try = 0;
473  SCEnter();
474  while (try < AFP_PEERS_MAX_TRY) {
475  if (peerslist.cnt != peerslist.peered) {
476  usleep(AFP_PEERS_WAIT);
477  } else {
478  SCReturnInt(TM_ECODE_OK);
479  }
480  try++;
481  }
482  SCLogError("thread number not equal");
483  SCReturnInt(TM_ECODE_FAILED);
484 }
485 
486 /**
487  * \brief Declare a new AFP thread to AFP peers list.
488  */
489 static TmEcode AFPPeersListAdd(AFPThreadVars *ptv)
490 {
491  SCEnter();
492  AFPPeer *peer = SCCalloc(1, sizeof(AFPPeer));
493  AFPPeer *pitem;
494 
495  if (unlikely(peer == NULL)) {
496  SCReturnInt(TM_ECODE_FAILED);
497  }
498  SC_ATOMIC_INIT(peer->socket);
499  SC_ATOMIC_INIT(peer->sock_usage);
500  SC_ATOMIC_INIT(peer->if_idx);
501  SC_ATOMIC_INIT(peer->state);
502  peer->flags = ptv->flags;
503  peer->turn = peerslist.turn++;
504 
505  if (peer->flags & AFP_SOCK_PROTECT) {
506  SCMutexInit(&peer->sock_protect, NULL);
507  }
508 
509  (void)SC_ATOMIC_SET(peer->sock_usage, 0);
510  (void)SC_ATOMIC_SET(peer->state, AFP_STATE_DOWN);
511  strlcpy(peer->iface, ptv->iface, AFP_IFACE_NAME_LENGTH);
512  ptv->mpeer = peer;
513  /* add element to iface list */
514  TAILQ_INSERT_TAIL(&peerslist.peers, peer, next);
515 
516  if (ptv->copy_mode != AFP_COPY_MODE_NONE) {
517  peerslist.cnt++;
518 
519  /* Iter to find a peer */
520  TAILQ_FOREACH(pitem, &peerslist.peers, next) {
521  if (pitem->peer)
522  continue;
523  if (strcmp(pitem->iface, ptv->out_iface))
524  continue;
525  peer->peer = pitem;
526  pitem->peer = peer;
527 
528  LiveDevice *iface = ptv->livedev;
529  DEBUG_VALIDATE_BUG_ON(iface == NULL);
530  DEBUG_VALIDATE_BUG_ON(strcmp(iface->dev, ptv->iface) != 0);
531  LiveDevice *out_iface = LiveGetDevice(ptv->out_iface);
532  if (out_iface == NULL)
533  FatalError("AF_PACKET device %s not found. Aborting..", ptv->out_iface);
534  if (iface->mtu != out_iface->mtu) {
535  SCLogWarning("MTU on %s (%d) and %s (%d) are not equal, transmission of packets "
536  "bigger than %d will fail.",
537  iface->dev, iface->mtu, out_iface->dev, out_iface->mtu,
538  MIN(out_iface->mtu, iface->mtu));
539  }
540  peerslist.peered += 2;
541  break;
542  }
543  }
544 
545  AFPPeerUpdate(ptv);
546 
547  SCReturnInt(TM_ECODE_OK);
548 }
549 
550 static int AFPPeersListWaitTurn(AFPPeer *peer)
551 {
552  /* If turn is zero, we already have started threads once */
553  if (peerslist.turn == 0)
554  return 0;
555 
556  if (peer->turn == SC_ATOMIC_GET(peerslist.reached))
557  return 0;
558  return 1;
559 }
560 
561 static void AFPPeersListReachedInc(void)
562 {
563  if (peerslist.turn == 0)
564  return;
565 
566  if ((SC_ATOMIC_ADD(peerslist.reached, 1) + 1) == peerslist.turn) {
567  (void)SC_ATOMIC_SET(peerslist.reached, 0);
568  /* Set turn to 0 to skip synchronization when ReceiveAFPLoop is
569  * restarted.
570  */
571  peerslist.turn = 0;
572  }
573 }
574 
575 static int AFPPeersListStarted(void)
576 {
577  return !peerslist.turn;
578 }
579 
580 /**
581  * \brief Clean the global peers list.
582  */
583 void AFPPeersListClean(void)
584 {
585  AFPPeer *pitem;
586 
587  while ((pitem = TAILQ_FIRST(&peerslist.peers))) {
588  TAILQ_REMOVE(&peerslist.peers, pitem, next);
589  AFPPeerClean(pitem);
590  }
591 }
592 
593 /**
594  * @}
595  */
596 
597 /**
598  * \brief Registration Function for DecodeAFP.
599  * \todo Unit tests are needed for this module.
600  */
601 void TmModuleDecodeAFPRegister (void)
602 {
603  tmm_modules[TMM_DECODEAFP].name = "DecodeAFP";
604  tmm_modules[TMM_DECODEAFP].ThreadInit = DecodeAFPThreadInit;
605  tmm_modules[TMM_DECODEAFP].Func = DecodeAFP;
606  tmm_modules[TMM_DECODEAFP].ThreadExitPrintStats = NULL;
607  tmm_modules[TMM_DECODEAFP].ThreadDeinit = DecodeAFPThreadDeinit;
608  tmm_modules[TMM_DECODEAFP].cap_flags = 0;
609  tmm_modules[TMM_DECODEAFP].flags = TM_FLAG_DECODE_TM;
610 }
611 
612 static int AFPCreateSocket(AFPThreadVars *ptv, char *devname, int verbose, const bool peer_update);
613 
614 static inline void AFPDumpCounters(AFPThreadVars *ptv)
615 {
616 #ifdef PACKET_STATISTICS
617  struct tpacket_stats kstats;
618  socklen_t len = sizeof (struct tpacket_stats);
619  if (getsockopt(ptv->socket, SOL_PACKET, PACKET_STATISTICS,
620  &kstats, &len) > -1) {
621  SCLogDebug("(%s) Kernel: Packets %" PRIu32 ", dropped %" PRIu32 "",
622  ptv->tv->name,
623  kstats.tp_packets, kstats.tp_drops);
624  StatsAddUI64(ptv->tv, ptv->capture_kernel_packets, kstats.tp_packets);
625  StatsAddUI64(ptv->tv, ptv->capture_kernel_drops, kstats.tp_drops);
626  (void) SC_ATOMIC_ADD(ptv->livedev->drop, (uint64_t) kstats.tp_drops);
627  (void) SC_ATOMIC_ADD(ptv->livedev->pkts, (uint64_t) kstats.tp_packets);
628 
629  const uint64_t value = SC_ATOMIC_GET(ptv->mpeer->send_errors);
630  if (value > ptv->send_errors_logged) {
631  StatsAddUI64(ptv->tv, ptv->capture_afp_send_err, value - ptv->send_errors_logged);
632  ptv->send_errors_logged = value;
633  }
634  }
635 #endif
636 }
637 
638 /**
639  * \brief AF packet write function.
640  *
641  * This function has to be called before the memory
642  * related to Packet in ring buffer is released.
643  *
644  * \param pointer to Packet
645  * \param version of capture: TPACKET_V2 or TPACKET_V3
646  * \retval TM_ECODE_FAILED on failure and TM_ECODE_OK on success
647  *
648  */
649 static void AFPWritePacket(Packet *p, int version)
650 {
651  struct sockaddr_ll socket_address;
652  int socket;
653 
654  if (p->afp_v.copy_mode == AFP_COPY_MODE_IPS) {
655  if (PacketCheckAction(p, ACTION_DROP)) {
656  return;
657  }
658  }
659 
660  if (!PacketIsEthernet(p)) {
661  SCLogWarning("packet should have an ethernet header");
662  return;
663  }
664 
665  const EthernetHdr *ethh = PacketGetEthernet(p);
666  /* Index of the network device */
667  socket_address.sll_ifindex = SC_ATOMIC_GET(p->afp_v.peer->if_idx);
668  /* Address length*/
669  socket_address.sll_halen = ETH_ALEN;
670  /* Destination MAC */
671  memcpy(socket_address.sll_addr, ethh, 6);
672 
673  /* Send packet, locking the socket if necessary */
674  if (p->afp_v.peer->flags & AFP_SOCK_PROTECT)
675  SCMutexLock(&p->afp_v.peer->sock_protect);
676  socket = SC_ATOMIC_GET(p->afp_v.peer->socket);
677 
678  if (sendto(socket, GET_PKT_DATA(p), GET_PKT_LEN(p), 0, (struct sockaddr *)&socket_address,
679  sizeof(struct sockaddr_ll)) < 0) {
680  if (SC_ATOMIC_ADD(p->afp_v.peer->send_errors, 1) == 0) {
681  SCLogWarning("%s: sending packet failed on socket %d: %s", p->afp_v.peer->iface, socket,
682  strerror(errno));
683  }
684  }
685  if (p->afp_v.peer->flags & AFP_SOCK_PROTECT)
686  SCMutexUnlock(&p->afp_v.peer->sock_protect);
687 }
688 
689 static void AFPReleaseDataFromRing(Packet *p)
690 {
691  DEBUG_VALIDATE_BUG_ON(PKT_IS_PSEUDOPKT(p));
692 
693  /* Need to be in copy mode and need to detect early release
694  where Ethernet header could not be set (and pseudo packet) */
695  if (p->afp_v.copy_mode != AFP_COPY_MODE_NONE) {
696  AFPWritePacket(p, TPACKET_V2);
697  }
698 
699  BUG_ON(p->afp_v.relptr == NULL);
700 
701  union thdr h;
702  h.raw = p->afp_v.relptr;
703  h.h2->tp_status = TP_STATUS_KERNEL;
704 
705  (void)AFPDerefSocket(p->afp_v.mpeer);
706 
707  AFPV_CLEANUP(&p->afp_v);
708 }
709 
710 #ifdef HAVE_TPACKET_V3
711 static void AFPReleasePacketV3(Packet *p)
712 {
713  DEBUG_VALIDATE_BUG_ON(PKT_IS_PSEUDOPKT(p));
714 
715  /* Need to be in copy mode and need to detect early release
716  where Ethernet header could not be set (and pseudo packet) */
717  if (p->afp_v.copy_mode != AFP_COPY_MODE_NONE) {
718  AFPWritePacket(p, TPACKET_V3);
719  }
720  PacketFreeOrRelease(p);
721 }
722 #endif
723 
724 static void AFPReleasePacket(Packet *p)
725 {
726  AFPReleaseDataFromRing(p);
727  PacketFreeOrRelease(p);
728 }
729 
730 /** \internal
731  * \brief recoverable error - release packet and
732  * return AFP_SURI_FAILURE
733  */
734 static inline int AFPSuriFailure(AFPThreadVars *ptv, union thdr h)
735 {
736  h.h2->tp_status = TP_STATUS_KERNEL;
737  if (++ptv->frame_offset >= ptv->req.v2.tp_frame_nr) {
738  ptv->frame_offset = 0;
739  }
740  SCReturnInt(AFP_SURI_FAILURE);
741 }
742 
743 static inline void AFPReadApplyBypass(const AFPThreadVars *ptv, Packet *p)
744 {
745 #ifdef HAVE_PACKET_EBPF
746  if (ptv->flags & AFP_BYPASS) {
747  p->BypassPacketsFlow = AFPBypassCallback;
748  p->afp_v.v4_map_fd = ptv->v4_map_fd;
749  p->afp_v.v6_map_fd = ptv->v6_map_fd;
750  p->afp_v.nr_cpus = ptv->ebpf_t_config.cpus_count;
751  }
752  if (ptv->flags & AFP_XDPBYPASS) {
753  p->BypassPacketsFlow = AFPXDPBypassCallback;
754  p->afp_v.v4_map_fd = ptv->v4_map_fd;
755  p->afp_v.v6_map_fd = ptv->v6_map_fd;
756  p->afp_v.nr_cpus = ptv->ebpf_t_config.cpus_count;
757  }
758 #endif
759 }
760 
761 /** \internal
762  * \brief setup packet for AFPReadFromRing
763  */
764 static void AFPReadFromRingSetupPacket(
765  AFPThreadVars *ptv, union thdr h, const unsigned int tp_status, Packet *p)
766 {
767  PKT_SET_SRC(p, PKT_SRC_WIRE);
768 
769  /* flag the packet as TP_STATUS_USER_BUSY, which is ignore by the kernel, but
770  * acts as an indicator that we've reached a frame that is not yet released by
771  * us in autofp mode. It will be cleared when the frame gets released to the kernel. */
772  h.h2->tp_status |= TP_STATUS_USER_BUSY;
773  p->livedev = ptv->livedev;
774  p->datalink = ptv->datalink;
775  ptv->pkts++;
776 
777  AFPReadApplyBypass(ptv, p);
778 
779  if (h.h2->tp_len > h.h2->tp_snaplen) {
780  SCLogDebug("Packet length (%d) > snaplen (%d), truncating", h.h2->tp_len, h.h2->tp_snaplen);
781  }
782 
783  /* get vlan id from header */
784  if ((ptv->flags & AFP_VLAN_IN_HEADER) &&
785  (tp_status & TP_STATUS_VLAN_VALID || h.h2->tp_vlan_tci)) {
786  p->vlan_id[0] = h.h2->tp_vlan_tci & 0x0fff;
787  p->vlan_idx = 1;
788  p->afp_v.vlan_tci = h.h2->tp_vlan_tci;
789  }
790 
791  (void)PacketSetData(p, (unsigned char *)h.raw + h.h2->tp_mac, h.h2->tp_snaplen);
792 
793  p->ReleasePacket = AFPReleasePacket;
794  p->afp_v.relptr = h.raw;
795  if (ptv->flags & AFP_NEED_PEER) {
796  p->afp_v.mpeer = ptv->mpeer;
797  AFPRefSocket(ptv->mpeer);
798  } else {
799  p->afp_v.mpeer = NULL;
800  }
801  p->afp_v.copy_mode = ptv->copy_mode;
802  p->afp_v.peer = (p->afp_v.copy_mode == AFP_COPY_MODE_NONE) ? NULL : ptv->mpeer->peer;
803 
804  /* Timestamp */
805  p->ts = (SCTime_t){ .secs = h.h2->tp_sec, .usecs = h.h2->tp_nsec / 1000 };
806  SCLogDebug("pktlen: %" PRIu32 " (pkt %p, pkt data %p)", GET_PKT_LEN(p), p, GET_PKT_DATA(p));
807 
808  /* We only check for checksum disable */
809  if (ptv->checksum_mode == CHECKSUM_VALIDATION_DISABLE) {
810  p->flags |= PKT_IGNORE_CHECKSUM;
811  } else if (ptv->checksum_mode == CHECKSUM_VALIDATION_AUTO) {
812  if (ChecksumAutoModeCheck(ptv->pkts, SC_ATOMIC_GET(ptv->livedev->pkts),
813  SC_ATOMIC_GET(ptv->livedev->invalid_checksums))) {
814  ptv->checksum_mode = CHECKSUM_VALIDATION_DISABLE;
815  p->flags |= PKT_IGNORE_CHECKSUM;
816  }
817  } else {
818  if (tp_status & TP_STATUS_CSUMNOTREADY) {
819  p->flags |= PKT_IGNORE_CHECKSUM;
820  }
821  }
822 }
823 
824 static inline int AFPReadFromRingWaitForPacket(AFPThreadVars *ptv)
825 {
826  union thdr h;
827  struct timeval start_time;
828  gettimeofday(&start_time, NULL);
829  uint64_t busy_loop_iter = 0;
830 
831  /* busy wait loop until we have packets available */
832  while (1) {
833  if (unlikely(suricata_ctl_flags != 0)) {
834  break;
835  }
836  h.raw = (((union thdr **)ptv->ring.v2)[ptv->frame_offset]);
837  if (unlikely(h.raw == NULL)) {
838  return AFP_READ_FAILURE;
839  }
840  const unsigned int tp_status = h.h2->tp_status;
841  if (tp_status == TP_STATUS_KERNEL) {
842  busy_loop_iter++;
843 
844  struct timeval cur_time;
845  memset(&cur_time, 0, sizeof(cur_time));
846  uint64_t milliseconds =
847  ((cur_time.tv_sec - start_time.tv_sec) * 1000) +
848  (((1000000 + cur_time.tv_usec - start_time.tv_usec) / 1000) - 1000);
849  if (milliseconds > 1000) {
850  break;
851  }
852  continue;
853  }
854  break;
855  }
856  if (busy_loop_iter) {
857  StatsAddUI64(ptv->tv, ptv->afpacket_spin, busy_loop_iter);
858  }
859  return AFP_READ_OK;
860 }
861 
862 /**
863  * \brief AF packet frame ignore logic
864  *
865  * Given a sockaddr_ll of a frame, use the pkttype_filter_mask to decide if the
866  * frame should be ignored. Protect from undefined behavior if there's ever
867  * a sll_pkttype that would shift by too much. At this point, only outgoing
868  * packets (4) are ignored. The highest value in if_linux.h is PACKET_KERNEL (7),
869  * this extra check is being overly cautious.
870  *
871  * \retval true if the frame should be ignored
872  */
873 static inline bool AFPShouldIgnoreFrame(AFPThreadVars *ptv, const struct sockaddr_ll *sll)
874 {
875  if (unlikely(sll->sll_pkttype > 31))
876  return false;
877 
878  return (ptv->pkttype_filter_mask & BIT_U32(sll->sll_pkttype)) != 0;
879 }
880 
881 /**
882  * \brief AF packet read function for ring
883  *
884  * This function fills
885  * From here the packets are picked up by the DecodeAFP thread.
886  *
887  * \param user pointer to AFPThreadVars
888  * \retval TM_ECODE_FAILED on failure and TM_ECODE_OK on success
889  */
890 static int AFPReadFromRing(AFPThreadVars *ptv)
891 {
892  union thdr h;
893  bool emergency_flush = false;
894  const unsigned int start_pos = ptv->frame_offset;
895 
896  /* poll() told us there are frames, so lets wait for at least
897  * one frame to become available. */
898  if (AFPReadFromRingWaitForPacket(ptv) != AFP_READ_OK)
899  return AFP_READ_FAILURE;
900 
901  /* process the frames in the ring */
902  while (1) {
903  if (unlikely(suricata_ctl_flags != 0)) {
904  break;
905  }
906  h.raw = (((union thdr **)ptv->ring.v2)[ptv->frame_offset]);
907  if (unlikely(h.raw == NULL)) {
908  return AFP_READ_FAILURE;
909  }
910  const unsigned int tp_status = h.h2->tp_status;
911  /* if we find a kernel frame we are done */
912  if (unlikely(tp_status == TP_STATUS_KERNEL)) {
913  break;
914  }
915  /* if in autofp mode the frame is still busy, return to poll */
916  if (unlikely(FRAME_BUSY(tp_status))) {
917  break;
918  }
919  emergency_flush |= ((tp_status & TP_STATUS_LOSING) != 0);
920 
921  if ((ptv->flags & AFP_EMERGENCY_MODE) && emergency_flush) {
922  h.h2->tp_status = TP_STATUS_KERNEL;
923  goto next_frame;
924  }
925 
926  const struct sockaddr_ll *sll =
927  (const struct sockaddr_ll *)((uint8_t *)h.h2 +
928  TPACKET_ALIGN(sizeof(struct tpacket2_hdr)));
929  if (unlikely(AFPShouldIgnoreFrame(ptv, sll)))
930  goto next_frame;
931 
932  Packet *p = PacketGetFromQueueOrAlloc();
933  if (p == NULL) {
934  return AFPSuriFailure(ptv, h);
935  }
936  AFPReadFromRingSetupPacket(ptv, h, tp_status, p);
937 
938  if (TmThreadsSlotProcessPkt(ptv->tv, ptv->slot, p) != TM_ECODE_OK) {
939  return AFPSuriFailure(ptv, h);
940  }
941 next_frame:
942  if (++ptv->frame_offset >= ptv->req.v2.tp_frame_nr) {
943  ptv->frame_offset = 0;
944  /* Get out of loop to be sure we will reach maintenance tasks */
945  if (ptv->frame_offset == start_pos)
946  break;
947  }
948  }
949  if (emergency_flush) {
950  AFPDumpCounters(ptv);
951  }
952  SCReturnInt(AFP_READ_OK);
953 }
954 
955 #ifdef HAVE_TPACKET_V3
956 static inline void AFPFlushBlock(struct tpacket_block_desc *pbd)
957 {
958  pbd->hdr.bh1.block_status = TP_STATUS_KERNEL;
959 }
960 
961 static inline int AFPParsePacketV3(AFPThreadVars *ptv, struct tpacket_block_desc *pbd, struct tpacket3_hdr *ppd)
962 {
963  Packet *p = PacketGetFromQueueOrAlloc();
964  if (p == NULL) {
965  SCReturnInt(AFP_SURI_FAILURE);
966  }
967  PKT_SET_SRC(p, PKT_SRC_WIRE);
968 
969  AFPReadApplyBypass(ptv, p);
970 
971  ptv->pkts++;
972  p->livedev = ptv->livedev;
973  p->datalink = ptv->datalink;
974 
975  if ((ptv->flags & AFP_VLAN_IN_HEADER) &&
976  (ppd->tp_status & TP_STATUS_VLAN_VALID || ppd->hv1.tp_vlan_tci)) {
977  p->vlan_id[0] = ppd->hv1.tp_vlan_tci & 0x0fff;
978  p->vlan_idx = 1;
979  p->afp_v.vlan_tci = (uint16_t)ppd->hv1.tp_vlan_tci;
980  }
981 
982  (void)PacketSetData(p, (unsigned char *)ppd + ppd->tp_mac, ppd->tp_snaplen);
983 
984  p->ReleasePacket = AFPReleasePacketV3;
985  p->afp_v.relptr = NULL;
986  p->afp_v.mpeer = NULL;
987  p->afp_v.copy_mode = ptv->copy_mode;
988  p->afp_v.peer = (p->afp_v.copy_mode == AFP_COPY_MODE_NONE) ? NULL : ptv->mpeer->peer;
989 
990  /* Timestamp */
991  p->ts = (SCTime_t){ .secs = ppd->tp_sec, .usecs = ppd->tp_nsec / 1000 };
992  SCLogDebug("pktlen: %" PRIu32 " (pkt %p, pkt data %p)",
993  GET_PKT_LEN(p), p, GET_PKT_DATA(p));
994 
995  /* We only check for checksum disable */
996  if (ptv->checksum_mode == CHECKSUM_VALIDATION_DISABLE) {
997  p->flags |= PKT_IGNORE_CHECKSUM;
998  } else if (ptv->checksum_mode == CHECKSUM_VALIDATION_AUTO) {
999  if (ChecksumAutoModeCheck(ptv->pkts,
1000  SC_ATOMIC_GET(ptv->livedev->pkts),
1001  SC_ATOMIC_GET(ptv->livedev->invalid_checksums))) {
1002  ptv->checksum_mode = CHECKSUM_VALIDATION_DISABLE;
1003  p->flags |= PKT_IGNORE_CHECKSUM;
1004  }
1005  } else {
1006  if (ppd->tp_status & TP_STATUS_CSUMNOTREADY) {
1007  p->flags |= PKT_IGNORE_CHECKSUM;
1008  }
1009  }
1010 
1011  if (TmThreadsSlotProcessPkt(ptv->tv, ptv->slot, p) != TM_ECODE_OK) {
1012  SCReturnInt(AFP_SURI_FAILURE);
1013  }
1014 
1015  SCReturnInt(AFP_READ_OK);
1016 }
1017 
1018 static inline int AFPWalkBlock(AFPThreadVars *ptv, struct tpacket_block_desc *pbd)
1019 {
1020  const int num_pkts = pbd->hdr.bh1.num_pkts;
1021  uint8_t *ppd = (uint8_t *)pbd + pbd->hdr.bh1.offset_to_first_pkt;
1022 
1023  for (int i = 0; i < num_pkts; ++i) {
1024  const struct sockaddr_ll *sll =
1025  (const struct sockaddr_ll *)(ppd + TPACKET_ALIGN(sizeof(struct tpacket3_hdr)));
1026  if (unlikely(AFPShouldIgnoreFrame(ptv, sll))) {
1027  ppd = ppd + ((struct tpacket3_hdr *)ppd)->tp_next_offset;
1028  continue;
1029  }
1030  int ret = AFPParsePacketV3(ptv, pbd, (struct tpacket3_hdr *)ppd);
1031  switch (ret) {
1032  case AFP_READ_OK:
1033  break;
1034  case AFP_SURI_FAILURE:
1035  /* Internal error but let's just continue and
1036  * treat thenext packet */
1037  break;
1038  case AFP_READ_FAILURE:
1039  SCReturnInt(AFP_READ_FAILURE);
1040  default:
1041  SCReturnInt(ret);
1042  }
1043  ppd = ppd + ((struct tpacket3_hdr *)ppd)->tp_next_offset;
1044  }
1045 
1046  SCReturnInt(AFP_READ_OK);
1047 }
1048 #endif /* HAVE_TPACKET_V3 */
1049 
1050 /**
1051  * \brief AF packet read function for ring
1052  *
1053  * This function fills
1054  * From here the packets are picked up by the DecodeAFP thread.
1055  *
1056  * \param user pointer to AFPThreadVars
1057  * \retval TM_ECODE_FAILED on failure and TM_ECODE_OK on success
1058  */
1059 static int AFPReadFromRingV3(AFPThreadVars *ptv)
1060 {
1061 #ifdef HAVE_TPACKET_V3
1062  /* Loop till we have packets available */
1063  while (1) {
1064  if (unlikely(suricata_ctl_flags != 0)) {
1065  SCLogDebug("Exiting AFP V3 read loop");
1066  break;
1067  }
1068 
1069  struct tpacket_block_desc *pbd =
1070  (struct tpacket_block_desc *)ptv->ring.v3[ptv->frame_offset].iov_base;
1071 
1072  /* block is not ready to be read */
1073  if ((pbd->hdr.bh1.block_status & TP_STATUS_USER) == 0) {
1074  SCReturnInt(AFP_READ_OK);
1075  }
1076 
1077  int ret = AFPWalkBlock(ptv, pbd);
1078  if (unlikely(ret != AFP_READ_OK)) {
1079  AFPFlushBlock(pbd);
1080  SCReturnInt(ret);
1081  }
1082 
1083  AFPFlushBlock(pbd);
1084  ptv->frame_offset = (ptv->frame_offset + 1) % ptv->req.v3.tp_block_nr;
1085  /* return to maintenance task after one loop on the ring */
1086  if (ptv->frame_offset == 0) {
1087  SCReturnInt(AFP_READ_OK);
1088  }
1089  }
1090 #endif
1091  SCReturnInt(AFP_READ_OK);
1092 }
1093 
1094 /**
1095  * \brief Reference socket
1096  *
1097  * \retval O in case of failure, 1 in case of success
1098  */
1099 static int AFPRefSocket(AFPPeer* peer)
1100 {
1101  if (unlikely(peer == NULL))
1102  return 0;
1103 
1104  (void)SC_ATOMIC_ADD(peer->sock_usage, 1);
1105  return 1;
1106 }
1107 
1108 
1109 /**
1110  * \brief Dereference socket
1111  *
1112  * \retval 1 if socket is still alive, 0 if not
1113  */
1114 static int AFPDerefSocket(AFPPeer* peer)
1115 {
1116  if (peer == NULL)
1117  return 1;
1118 
1119  if (SC_ATOMIC_SUB(peer->sock_usage, 1) == 1) {
1120  return 0;
1121  }
1122  return 1;
1123 }
1124 
1125 static void AFPCloseSocket(AFPThreadVars *ptv)
1126 {
1127  if (ptv->mpeer != NULL)
1128  BUG_ON(SC_ATOMIC_GET(ptv->mpeer->sock_usage) != 0);
1129 
1130  if (ptv->flags & AFP_TPACKET_V3) {
1131 #ifdef HAVE_TPACKET_V3
1132  if (ptv->ring.v3) {
1133  SCFree(ptv->ring.v3);
1134  ptv->ring.v3 = NULL;
1135  }
1136 #endif
1137  } else {
1138  if (ptv->ring.v2) {
1139  /* only used in reading phase, we can free it */
1140  SCFree(ptv->ring.v2);
1141  ptv->ring.v2 = NULL;
1142  }
1143  }
1144  if (ptv->socket != -1) {
1145  SCLogDebug("Cleaning socket connected to '%s'", ptv->iface);
1146  munmap(ptv->ring_buf, ptv->ring_buflen);
1147  close(ptv->socket);
1148  ptv->socket = -1;
1149  }
1150 }
1151 
1152 static void AFPSwitchState(AFPThreadVars *ptv, uint8_t state)
1153 {
1154  ptv->afp_state = state;
1155  ptv->down_count = 0;
1156 
1157  if (state == AFP_STATE_DOWN) {
1158  /* cleanup is done on thread cleanup or try reopen
1159  * as there may still be packets in autofp that
1160  * are referencing us */
1161  (void)SC_ATOMIC_SUB(ptv->mpeer->sock_usage, 1);
1162  }
1163  if (state == AFP_STATE_UP) {
1164  AFPPeerUpdate(ptv);
1165  (void)SC_ATOMIC_SET(ptv->mpeer->sock_usage, 1);
1166  }
1167 }
1168 
1169 static int AFPReadAndDiscardFromRing(AFPThreadVars *ptv, struct timeval *synctv,
1170  uint64_t *discarded_pkts)
1171 {
1172  if (unlikely(suricata_ctl_flags != 0)) {
1173  return 1;
1174  }
1175 
1176 #ifdef HAVE_TPACKET_V3
1177  if (ptv->flags & AFP_TPACKET_V3) {
1178  int ret = 0;
1179  struct tpacket_block_desc *pbd =
1180  (struct tpacket_block_desc *)ptv->ring.v3[ptv->frame_offset].iov_base;
1181  *discarded_pkts += pbd->hdr.bh1.num_pkts;
1182  struct tpacket3_hdr *ppd =
1183  (struct tpacket3_hdr *)((uint8_t *)pbd + pbd->hdr.bh1.offset_to_first_pkt);
1184  if (((time_t)ppd->tp_sec > synctv->tv_sec) ||
1185  ((time_t)ppd->tp_sec == synctv->tv_sec &&
1186  (suseconds_t) (ppd->tp_nsec / 1000) > (suseconds_t)synctv->tv_usec)) {
1187  ret = 1;
1188  }
1189  AFPFlushBlock(pbd);
1190  ptv->frame_offset = (ptv->frame_offset + 1) % ptv->req.v3.tp_block_nr;
1191  return ret;
1192 
1193  } else
1194 #endif
1195  {
1196  /* Read packet from ring */
1197  union thdr h;
1198  h.raw = (((union thdr **)ptv->ring.v2)[ptv->frame_offset]);
1199  if (h.raw == NULL) {
1200  return -1;
1201  }
1202  if (h.h2->tp_status == TP_STATUS_KERNEL)
1203  return 0;
1204 
1205  if (((time_t)h.h2->tp_sec > synctv->tv_sec) ||
1206  ((time_t)h.h2->tp_sec == synctv->tv_sec &&
1207  (suseconds_t) (h.h2->tp_nsec / 1000) > synctv->tv_usec)) {
1208  return 1;
1209  }
1210 
1211  (*discarded_pkts)++;
1212  h.h2->tp_status = TP_STATUS_KERNEL;
1213  if (++ptv->frame_offset >= ptv->req.v2.tp_frame_nr) {
1214  ptv->frame_offset = 0;
1215  }
1216  }
1217 
1218  return 0;
1219 }
1220 
1221 /** \brief wait for all afpacket threads to fully init
1222  *
1223  * Discard packets before all threads are ready, as the cluster
1224  * setup is not complete yet.
1225  *
1226  * if AFPPeersListStarted() returns true init is complete
1227  *
1228  * \retval r 1 = happy, otherwise unhappy
1229  */
1230 static int AFPSynchronizeStart(AFPThreadVars *ptv, uint64_t *discarded_pkts)
1231 {
1232  struct timeval synctv;
1233  struct pollfd fds;
1234 
1235  fds.fd = ptv->socket;
1236  fds.events = POLLIN;
1237 
1238  /* Set timeval to end of the world */
1239  synctv.tv_sec = 0xffffffff;
1240  synctv.tv_usec = 0xffffffff;
1241 
1242  while (1) {
1243  int r = poll(&fds, 1, POLL_TIMEOUT);
1244  if (r > 0 &&
1245  (fds.revents & (POLLHUP|POLLRDHUP|POLLERR|POLLNVAL))) {
1246  SCLogWarning("%s: poll failed %02x", ptv->iface,
1247  fds.revents & (POLLHUP | POLLRDHUP | POLLERR | POLLNVAL));
1248  return 0;
1249  } else if (r > 0) {
1250  if (AFPPeersListStarted() && synctv.tv_sec == (time_t) 0xffffffff) {
1251  gettimeofday(&synctv, NULL);
1252  }
1253  r = AFPReadAndDiscardFromRing(ptv, &synctv, discarded_pkts);
1254  SCLogDebug("Discarding on %s", ptv->tv->name);
1255  switch (r) {
1256  case 1:
1257  SCLogDebug("Starting to read on %s", ptv->tv->name);
1258  return 1;
1259  case -1:
1260  return r;
1261  }
1262  /* no packets */
1263  } else if (r == 0 && AFPPeersListStarted()) {
1264  SCLogDebug("Starting to read on %s", ptv->tv->name);
1265  return 1;
1266  } else if (r < 0) { /* only exit on error */
1267  SCLogWarning("poll failed with retval %d", r);
1268  return 0;
1269  }
1270  }
1271  return 1;
1272 }
1273 
1274 /**
1275  * \brief Try to reopen socket
1276  *
1277  * \retval 0 in case of success, negative if error occurs or a condition
1278  * is not met.
1279  */
1280 static int AFPTryReopen(AFPThreadVars *ptv)
1281 {
1282  ptv->down_count++;
1283 
1284  /* Don't reconnect till we have packet that did not release data */
1285  if (SC_ATOMIC_GET(ptv->mpeer->sock_usage) != 0) {
1286  return -1;
1287  }
1288 
1289  /* ref cnt 0, we can close the old socket */
1290  AFPCloseSocket(ptv);
1291 
1292  int afp_activate_r = AFPCreateSocket(ptv, ptv->iface, 0, false);
1293  if (afp_activate_r != 0) {
1294  if (ptv->down_count % AFP_DOWN_COUNTER_INTERVAL == 0) {
1295  SCLogWarning("%s: can't reopen interface", ptv->iface);
1296  }
1297  return afp_activate_r;
1298  }
1299 
1300  SCLogInfo("%s: interface is back up", ptv->iface);
1301  return 0;
1302 }
1303 
1304 /**
1305  * \brief Main AF_PACKET reading Loop function
1306  */
1307 TmEcode ReceiveAFPLoop(ThreadVars *tv, void *data, void *slot)
1308 {
1309  SCEnter();
1310 
1311  AFPThreadVars *ptv = (AFPThreadVars *)data;
1312  struct pollfd fds;
1313  int r;
1314  TmSlot *s = (TmSlot *)slot;
1315  time_t last_dump = 0;
1316  time_t current_time;
1317  int (*AFPReadFunc) (AFPThreadVars *);
1318  uint64_t discarded_pkts = 0;
1319 
1320  ptv->slot = s->slot_next;
1321 
1322  if (ptv->flags & AFP_TPACKET_V3) {
1323  AFPReadFunc = AFPReadFromRingV3;
1324  } else {
1325  AFPReadFunc = AFPReadFromRing;
1326  }
1327 
1328  if (ptv->afp_state == AFP_STATE_DOWN) {
1329  /* Wait for our turn, threads before us must have opened the socket */
1330  while (AFPPeersListWaitTurn(ptv->mpeer)) {
1331  usleep(1000);
1332  if (suricata_ctl_flags != 0) {
1333  break;
1334  }
1335  }
1336  r = AFPCreateSocket(ptv, ptv->iface, 1, true);
1337  if (r < 0) {
1338  switch (-r) {
1339  case AFP_FATAL_ERROR:
1340  SCLogError("%s: failed to init socket for interface", ptv->iface);
1341  SCReturnInt(TM_ECODE_FAILED);
1342  case AFP_RECOVERABLE_ERROR:
1343  SCLogWarning(
1344  "%s: failed to init socket for interface, retrying soon", ptv->iface);
1345  }
1346  }
1347  }
1348  if (ptv->afp_state == AFP_STATE_UP) {
1349  SCLogDebug("Thread %s using socket %d", tv->name, ptv->socket);
1350  AFPSynchronizeStart(ptv, &discarded_pkts);
1351  /* let's reset counter as we will start the capture at the
1352  * next function call */
1353 #ifdef PACKET_STATISTICS
1354  struct tpacket_stats kstats;
1355  socklen_t len = sizeof (struct tpacket_stats);
1356  if (getsockopt(ptv->socket, SOL_PACKET, PACKET_STATISTICS,
1357  &kstats, &len) > -1) {
1358  uint64_t pkts = 0;
1359  SCLogDebug("(%s) Kernel socket startup: Packets %" PRIu32
1360  ", dropped %" PRIu32 "",
1361  ptv->tv->name,
1362  kstats.tp_packets, kstats.tp_drops);
1363  pkts = kstats.tp_packets - discarded_pkts - kstats.tp_drops;
1364  StatsAddUI64(ptv->tv, ptv->capture_kernel_packets, pkts);
1365  (void) SC_ATOMIC_ADD(ptv->livedev->pkts, pkts);
1366  }
1367 #endif
1368  }
1369 
1370  fds.fd = ptv->socket;
1371  fds.events = POLLIN;
1372 
1373  // Indicate that the thread is actually running its application level code (i.e., it can poll
1374  // packets)
1375  TmThreadsSetFlag(tv, THV_RUNNING);
1376 
1377  while (1) {
1378  /* Start by checking the state of our interface */
1379  if (unlikely(ptv->afp_state == AFP_STATE_DOWN)) {
1380  int dbreak = 0;
1381 
1382  do {
1383  usleep(AFP_RECONNECT_TIMEOUT);
1384  if (suricata_ctl_flags != 0) {
1385  dbreak = 1;
1386  break;
1387  }
1388  r = AFPTryReopen(ptv);
1389  fds.fd = ptv->socket;
1390  } while (r < 0);
1391  if (dbreak == 1)
1392  break;
1393  }
1394 
1395  /* make sure we have at least one packet in the packet pool, to prevent
1396  * us from alloc'ing packets at line rate */
1397  PacketPoolWait();
1398 
1399  StatsIncr(ptv->tv, ptv->capture_afp_poll);
1400 
1401  r = poll(&fds, 1, POLL_TIMEOUT);
1402 
1403  if (suricata_ctl_flags != 0) {
1404  break;
1405  }
1406 
1407  if (r > 0 &&
1408  (fds.revents & (POLLHUP|POLLRDHUP|POLLERR|POLLNVAL))) {
1409  StatsIncr(ptv->tv, ptv->capture_afp_poll_signal);
1410  if (fds.revents & (POLLHUP | POLLRDHUP)) {
1411  AFPSwitchState(ptv, AFP_STATE_DOWN);
1412  continue;
1413  } else if (fds.revents & POLLERR) {
1414  char c;
1415  /* Do a recv to get errno */
1416  if (recv(ptv->socket, &c, sizeof c, MSG_PEEK) != -1)
1417  continue; /* what, no error? */
1418  SCLogWarning("%s: failed to poll interface: %s", ptv->iface, strerror(errno));
1419  AFPSwitchState(ptv, AFP_STATE_DOWN);
1420  continue;
1421  } else if (fds.revents & POLLNVAL) {
1422  SCLogWarning("%s: invalid poll request: %s", ptv->iface, strerror(errno));
1423  AFPSwitchState(ptv, AFP_STATE_DOWN);
1424  continue;
1425  }
1426  } else if (r > 0) {
1427  StatsIncr(ptv->tv, ptv->capture_afp_poll_data);
1428  r = AFPReadFunc(ptv);
1429  switch (r) {
1430  case AFP_READ_OK:
1431  /* Trigger one dump of stats every second */
1432  current_time = time(NULL);
1433  if (current_time != last_dump) {
1434  AFPDumpCounters(ptv);
1435  last_dump = current_time;
1436  }
1437  break;
1438  case AFP_READ_FAILURE:
1439  /* AFPRead in error: best to reset the socket */
1440  SCLogWarning("%s: read failure: %s", ptv->iface, strerror(errno));
1441  AFPSwitchState(ptv, AFP_STATE_DOWN);
1442  continue;
1443  case AFP_SURI_FAILURE:
1444  StatsIncr(ptv->tv, ptv->capture_errors);
1445  break;
1446  case AFP_KERNEL_DROP:
1447  AFPDumpCounters(ptv);
1448  break;
1449  }
1450  } else if (unlikely(r == 0)) {
1451  StatsIncr(ptv->tv, ptv->capture_afp_poll_timeout);
1452  /* Trigger one dump of stats every second */
1453  current_time = time(NULL);
1454  if (current_time != last_dump) {
1455  AFPDumpCounters(ptv);
1456  last_dump = current_time;
1457  }
1458  /* poll timed out, lets see handle our timeout path */
1459  TmThreadsCaptureHandleTimeout(tv, NULL);
1460 
1461  } else if ((r < 0) && (errno != EINTR)) {
1462  StatsIncr(ptv->tv, ptv->capture_afp_poll_err);
1463  SCLogWarning("%s: poll failure: %s", ptv->iface, strerror(errno));
1464  AFPSwitchState(ptv, AFP_STATE_DOWN);
1465  continue;
1466  }
1467  StatsSyncCountersIfSignalled(tv);
1468  }
1469 
1470  AFPDumpCounters(ptv);
1471  StatsSyncCountersIfSignalled(tv);
1472  SCReturnInt(TM_ECODE_OK);
1473 }
1474 
1475 static int AFPGetDevFlags(int fd, const char *ifname)
1476 {
1477  struct ifreq ifr;
1478 
1479  memset(&ifr, 0, sizeof(ifr));
1480  strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
1481 
1482  if (ioctl(fd, SIOCGIFFLAGS, &ifr) == -1) {
1483  SCLogError("%s: failed to get interface flags: %s", ifname, strerror(errno));
1484  return -1;
1485  }
1486 
1487  return ifr.ifr_flags;
1488 }
1489 
1490 
1491 static int AFPGetIfnumByDev(int fd, const char *ifname, int verbose)
1492 {
1493  struct ifreq ifr;
1494 
1495  memset(&ifr, 0, sizeof(ifr));
1496  strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
1497 
1498  if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) {
1499  if (verbose)
1500  SCLogError("%s: failed to find interface: %s", ifname, strerror(errno));
1501  return -1;
1502  }
1503 
1504  return ifr.ifr_ifindex;
1505 }
1506 
1507 static int AFPGetDevLinktype(int fd, const char *ifname)
1508 {
1509  struct ifreq ifr;
1510 
1511  memset(&ifr, 0, sizeof(ifr));
1512  strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
1513 
1514  if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) {
1515  SCLogError("%s: failed to find interface type: %s", ifname, strerror(errno));
1516  return -1;
1517  }
1518 
1519  switch (ifr.ifr_hwaddr.sa_family) {
1520  case ARPHRD_LOOPBACK:
1521  return LINKTYPE_ETHERNET;
1522  case ARPHRD_PPP:
1523  case ARPHRD_NONE:
1524  return LINKTYPE_RAW;
1525  default:
1526  return ifr.ifr_hwaddr.sa_family;
1527  }
1528 }
1529 
1530 int AFPGetLinkType(const char *ifname)
1531 {
1532  int ltype;
1533 
1534  int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
1535  if (fd == -1) {
1536  SCLogError("%s: failed to create AF_PACKET socket: %s", ifname, strerror(errno));
1537  return LINKTYPE_RAW;
1538  }
1539 
1540  ltype = AFPGetDevLinktype(fd, ifname);
1541  close(fd);
1542 
1543  DatalinkSetGlobalType(ltype);
1544 
1545  return ltype;
1546 }
1547 
1548 static int AFPComputeRingParams(AFPThreadVars *ptv, int order)
1549 {
1550  /* Compute structure:
1551  Target is to store all pending packets
1552  with a size equal to MTU + auxdata
1553  And we keep a decent number of block
1554 
1555  To do so:
1556  Compute frame_size (aligned to be able to fit in block
1557  Check which block size we need. Blocksize is a 2^n * pagesize
1558  We then need to get order, big enough to have
1559  frame_size < block size
1560  Find number of frame per block (divide)
1561  Fill in packet_req
1562 
1563  Compute frame size:
1564  described in packet_mmap.txt
1565  dependent on snaplen (need to use a variable ?)
1566 snaplen: MTU ?
1567 tp_hdrlen determine_version in daq_afpacket
1568 in V1: sizeof(struct tpacket_hdr);
1569 in V2: val in getsockopt(instance->fd, SOL_PACKET, PACKET_HDRLEN, &val, &len)
1570 frame size: TPACKET_ALIGN(snaplen + TPACKET_ALIGN(TPACKET_ALIGN(tp_hdrlen) + sizeof(struct
1571 sockaddr_ll) + ETH_HLEN) - ETH_HLEN);
1572 
1573  */
1574  int tp_hdrlen = sizeof(struct tpacket_hdr);
1575  int snaplen = default_packet_size;
1576 
1577  if (snaplen == 0) {
1578  snaplen = GetIfaceMaxPacketSize(ptv->livedev);
1579  if (snaplen <= 0) {
1580  SCLogWarning("%s: unable to get MTU, setting snaplen default of 1514", ptv->iface);
1581  snaplen = 1514;
1582  }
1583  }
1584 
1585  ptv->req.v2.tp_frame_size = TPACKET_ALIGN(snaplen +TPACKET_ALIGN(TPACKET_ALIGN(tp_hdrlen) + sizeof(struct sockaddr_ll) + ETH_HLEN) - ETH_HLEN);
1586  ptv->req.v2.tp_block_size = getpagesize() << order;
1587  int frames_per_block = ptv->req.v2.tp_block_size / ptv->req.v2.tp_frame_size;
1588  if (frames_per_block == 0) {
1589  SCLogError("%s: Frame size bigger than block size", ptv->iface);
1590  return -1;
1591  }
1592  ptv->req.v2.tp_frame_nr = ptv->ring_size;
1593  ptv->req.v2.tp_block_nr = ptv->req.v2.tp_frame_nr / frames_per_block + 1;
1594  /* exact division */
1595  ptv->req.v2.tp_frame_nr = ptv->req.v2.tp_block_nr * frames_per_block;
1596  SCLogPerf("%s: rx ring: block_size=%d block_nr=%d frame_size=%d frame_nr=%d", ptv->iface,
1597  ptv->req.v2.tp_block_size, ptv->req.v2.tp_block_nr, ptv->req.v2.tp_frame_size,
1598  ptv->req.v2.tp_frame_nr);
1599  return 1;
1600 }
1601 
1602 #ifdef HAVE_TPACKET_V3
1603 static int AFPComputeRingParamsV3(AFPThreadVars *ptv)
1604 {
1605  ptv->req.v3.tp_block_size = ptv->block_size;
1606  ptv->req.v3.tp_frame_size = 2048;
1607  int frames_per_block = 0;
1608  int tp_hdrlen = sizeof(struct tpacket3_hdr);
1609  int snaplen = default_packet_size;
1610 
1611  if (snaplen == 0) {
1612  snaplen = GetIfaceMaxPacketSize(ptv->livedev);
1613  if (snaplen <= 0) {
1614  SCLogWarning("%s: unable to get MTU, setting snaplen default of 1514", ptv->iface);
1615  snaplen = 1514;
1616  }
1617  }
1618 
1619  ptv->req.v3.tp_frame_size = TPACKET_ALIGN(snaplen +TPACKET_ALIGN(TPACKET_ALIGN(tp_hdrlen) + sizeof(struct sockaddr_ll) + ETH_HLEN) - ETH_HLEN);
1620  frames_per_block = ptv->req.v3.tp_block_size / ptv->req.v3.tp_frame_size;
1621 
1622  if (frames_per_block == 0) {
1623  SCLogError("%s: block size is too small, it should be at least %d", ptv->iface,
1624  ptv->req.v3.tp_frame_size);
1625  return -1;
1626  }
1627  ptv->req.v3.tp_block_nr = ptv->ring_size / frames_per_block + 1;
1628  /* exact division */
1629  ptv->req.v3.tp_frame_nr = ptv->req.v3.tp_block_nr * frames_per_block;
1630  ptv->req.v3.tp_retire_blk_tov = ptv->block_timeout;
1631  ptv->req.v3.tp_feature_req_word = TP_FT_REQ_FILL_RXHASH;
1632  SCLogPerf("%s: rx ring params: block_size=%d block_nr=%d frame_size=%d frame_nr=%d (mem: %d)",
1633  ptv->iface, ptv->req.v3.tp_block_size, ptv->req.v3.tp_block_nr,
1634  ptv->req.v3.tp_frame_size, ptv->req.v3.tp_frame_nr,
1635  ptv->req.v3.tp_block_size * ptv->req.v3.tp_block_nr);
1636  return 1;
1637 }
1638 #endif
1639 
1640 static int AFPSetupRing(AFPThreadVars *ptv, char *devname)
1641 {
1642  int val;
1643  unsigned int len = sizeof(val), i;
1644  int order;
1645  int r, mmap_flag;
1646 
1647 #ifdef HAVE_TPACKET_V3
1648  if (ptv->flags & AFP_TPACKET_V3) {
1649  val = TPACKET_V3;
1650  } else
1651 #endif
1652  {
1653  val = TPACKET_V2;
1654  }
1655  if (getsockopt(ptv->socket, SOL_PACKET, PACKET_HDRLEN, &val, &len) < 0) {
1656  if (errno == ENOPROTOOPT) {
1657  if (ptv->flags & AFP_TPACKET_V3) {
1658  SCLogError("%s: kernel too old for TPACKET_V3 (need 3.2+)", devname);
1659  } else {
1660  SCLogError("%s: kernel too old (need 2.6.27+)", devname);
1661  }
1662  }
1663  SCLogError("%s: failed to retrieve packet header len", devname);
1664  return AFP_FATAL_ERROR;
1665  }
1666 
1667  val = TPACKET_V2;
1668 #ifdef HAVE_TPACKET_V3
1669  if (ptv->flags & AFP_TPACKET_V3) {
1670  val = TPACKET_V3;
1671  }
1672 #endif
1673  if (setsockopt(ptv->socket, SOL_PACKET, PACKET_VERSION, &val,
1674  sizeof(val)) < 0) {
1675  SCLogError("%s: failed to activate TPACKET_V2/TPACKET_V3 on packet socket: %s", devname,
1676  strerror(errno));
1677  return AFP_FATAL_ERROR;
1678  }
1679 
1680 #ifdef HAVE_HW_TIMESTAMPING
1681  int req = SOF_TIMESTAMPING_RAW_HARDWARE;
1682  if (setsockopt(ptv->socket, SOL_PACKET, PACKET_TIMESTAMP, (void *) &req,
1683  sizeof(req)) < 0) {
1684  SCLogWarning("%s: failed to activate hardware timestamping on packet socket: %s", devname,
1685  strerror(errno));
1686  }
1687 #endif
1688 
1689  /* Reserve head room for a VLAN header. One vlan is extracted from AFP header
1690  * so one VLAN header length is enough. */
1691  int reserve = VLAN_HEADER_LEN;
1692  if (setsockopt(ptv->socket, SOL_PACKET, PACKET_RESERVE, (void *)&reserve, sizeof(reserve)) <
1693  0) {
1694  SCLogError("%s: failed to activate reserve on packet socket: %s", devname, strerror(errno));
1695  return AFP_FATAL_ERROR;
1696  }
1697 
1698  /* Allocate RX ring */
1699 #ifdef HAVE_TPACKET_V3
1700  if (ptv->flags & AFP_TPACKET_V3) {
1701  if (AFPComputeRingParamsV3(ptv) != 1) {
1702  return AFP_FATAL_ERROR;
1703  }
1704  r = setsockopt(ptv->socket, SOL_PACKET, PACKET_RX_RING,
1705  (void *) &ptv->req.v3, sizeof(ptv->req.v3));
1706  if (r < 0) {
1707  SCLogError("%s: failed to allocate RX Ring: %s", devname, strerror(errno));
1708  return AFP_FATAL_ERROR;
1709  }
1710  } else {
1711 #endif
1712  for (order = AFP_BLOCK_SIZE_DEFAULT_ORDER; order >= 0; order--) {
1713  if (AFPComputeRingParams(ptv, order) != 1) {
1714  SCLogError("%s: ring parameters are incorrect. Please file a bug report", devname);
1715  return AFP_FATAL_ERROR;
1716  }
1717 
1718  r = setsockopt(ptv->socket, SOL_PACKET, PACKET_RX_RING,
1719  (void *) &ptv->req, sizeof(ptv->req));
1720 
1721  if (r < 0) {
1722  if (errno == ENOMEM) {
1723  SCLogWarning("%s: memory issue with ring parameters. Retrying", devname);
1724  continue;
1725  }
1726  SCLogError("%s: failed to setup RX Ring: %s", devname, strerror(errno));
1727  return AFP_FATAL_ERROR;
1728  } else {
1729  break;
1730  }
1731  }
1732  if (order < 0) {
1733  SCLogError("%s: failed to setup RX Ring (order 0 failed)", devname);
1734  return AFP_FATAL_ERROR;
1735  }
1736 #ifdef HAVE_TPACKET_V3
1737  }
1738 #endif
1739 
1740  /* Allocate the Ring */
1741 #ifdef HAVE_TPACKET_V3
1742  if (ptv->flags & AFP_TPACKET_V3) {
1743  ptv->ring_buflen = ptv->req.v3.tp_block_nr * ptv->req.v3.tp_block_size;
1744  } else {
1745 #endif
1746  ptv->ring_buflen = ptv->req.v2.tp_block_nr * ptv->req.v2.tp_block_size;
1747 #ifdef HAVE_TPACKET_V3
1748  }
1749 #endif
1750  mmap_flag = MAP_SHARED;
1751  if (ptv->flags & AFP_MMAP_LOCKED)
1752  mmap_flag |= MAP_LOCKED;
1753  ptv->ring_buf = mmap(0, ptv->ring_buflen, PROT_READ|PROT_WRITE,
1754  mmap_flag, ptv->socket, 0);
1755  if (ptv->ring_buf == MAP_FAILED) {
1756  SCLogError("%s: failed to mmap: %s", devname, strerror(errno));
1757  goto mmap_err;
1758  }
1759 #ifdef HAVE_TPACKET_V3
1760  if (ptv->flags & AFP_TPACKET_V3) {
1761  ptv->ring.v3 = SCMalloc(ptv->req.v3.tp_block_nr * sizeof(*ptv->ring.v3));
1762  if (!ptv->ring.v3) {
1763  SCLogError("%s: failed to alloc ring: %s", devname, strerror(errno));
1764  goto postmmap_err;
1765  }
1766  for (i = 0; i < ptv->req.v3.tp_block_nr; ++i) {
1767  ptv->ring.v3[i].iov_base = ptv->ring_buf + (i * ptv->req.v3.tp_block_size);
1768  ptv->ring.v3[i].iov_len = ptv->req.v3.tp_block_size;
1769  }
1770  } else {
1771 #endif
1772  /* allocate a ring for each frame header pointer*/
1773  ptv->ring.v2 = SCCalloc(ptv->req.v2.tp_frame_nr, sizeof(union thdr *));
1774  if (ptv->ring.v2 == NULL) {
1775  SCLogError("%s: failed to alloc ring: %s", devname, strerror(errno));
1776  goto postmmap_err;
1777  }
1778  /* fill the header ring with proper frame ptr*/
1779  ptv->frame_offset = 0;
1780  for (i = 0; i < ptv->req.v2.tp_block_nr; ++i) {
1781  void *base = &(ptv->ring_buf[i * ptv->req.v2.tp_block_size]);
1782  unsigned int j;
1783  for (j = 0; j < ptv->req.v2.tp_block_size / ptv->req.v2.tp_frame_size; ++j, ++ptv->frame_offset) {
1784  (((union thdr **)ptv->ring.v2)[ptv->frame_offset]) = base;
1785  base += ptv->req.v2.tp_frame_size;
1786  }
1787  }
1788  ptv->frame_offset = 0;
1789 #ifdef HAVE_TPACKET_V3
1790  }
1791 #endif
1792 
1793  return 0;
1794 
1795 postmmap_err:
1796  munmap(ptv->ring_buf, ptv->ring_buflen);
1797  if (ptv->ring.v2)
1798  SCFree(ptv->ring.v2);
1799  if (ptv->ring.v3)
1800  SCFree(ptv->ring.v3);
1801 mmap_err:
1802  /* Packet mmap does the cleaning when socket is closed */
1803  return AFP_FATAL_ERROR;
1804 }
1805 
1806 /** \brief test if we can use FANOUT. Older kernels like those in
1807  * CentOS6 have HAVE_PACKET_FANOUT defined but fail to work
1808  */
1809 int AFPIsFanoutSupported(uint16_t cluster_id)
1810 {
1811 #ifdef HAVE_PACKET_FANOUT
1812  int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
1813  if (fd < 0)
1814  return 0;
1815 
1816  uint32_t mode = PACKET_FANOUT_HASH | PACKET_FANOUT_FLAG_DEFRAG;
1817  uint32_t option = (mode << 16) | cluster_id;
1818  int r = setsockopt(fd, SOL_PACKET, PACKET_FANOUT,(void *)&option, sizeof(option));
1819  close(fd);
1820 
1821  if (r < 0) {
1822  SCLogError("fanout not supported by kernel: "
1823  "Kernel too old or cluster-id %d already in use.",
1824  cluster_id);
1825  return 0;
1826  }
1827  return 1;
1828 #else
1829  return 0;
1830 #endif
1831 }
1832 
1833 #ifdef HAVE_PACKET_EBPF
1834 
1835 static int SockFanoutSeteBPF(AFPThreadVars *ptv)
1836 {
1837  int pfd = ptv->ebpf_lb_fd;
1838  if (pfd == -1) {
1839  SCLogError("Fanout file descriptor is invalid");
1840  return -1;
1841  }
1842 
1843  if (setsockopt(ptv->socket, SOL_PACKET, PACKET_FANOUT_DATA, &pfd, sizeof(pfd))) {
1844  SCLogError("Error setting ebpf");
1845  return -1;
1846  }
1847  SCLogInfo("Activated eBPF on socket");
1848 
1849  return 0;
1850 }
1851 
1852 static TmEcode SetEbpfFilter(AFPThreadVars *ptv)
1853 {
1854  int pfd = ptv->ebpf_filter_fd;
1855  if (pfd == -1) {
1856  SCLogError("Filter file descriptor is invalid");
1857  return TM_ECODE_FAILED;
1858  }
1859 
1860  if (setsockopt(ptv->socket, SOL_SOCKET, SO_ATTACH_BPF, &pfd, sizeof(pfd))) {
1861  SCLogError("Error setting ebpf: %s", strerror(errno));
1862  return TM_ECODE_FAILED;
1863  }
1864  SCLogInfo("Activated eBPF filter on socket");
1865 
1866  return TM_ECODE_OK;
1867 }
1868 #endif
1869 
1870 /** \param peer_update increment peers reached */
1871 static int AFPCreateSocket(AFPThreadVars *ptv, char *devname, int verbose, const bool peer_update)
1872 {
1873  int r;
1874  int ret = AFP_FATAL_ERROR;
1875  struct packet_mreq sock_params;
1876  struct sockaddr_ll bind_address;
1877  int if_idx;
1878 
1879  /* open socket */
1880  ptv->socket = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
1881  if (ptv->socket == -1) {
1882  SCLogError("%s: failed to create socket: %s", devname, strerror(errno));
1883  goto error;
1884  }
1885 
1886  if_idx = AFPGetIfnumByDev(ptv->socket, devname, verbose);
1887  if (if_idx == -1) {
1888  goto socket_err;
1889  }
1890 
1891  /* bind socket */
1892  memset(&bind_address, 0, sizeof(bind_address));
1893  bind_address.sll_family = AF_PACKET;
1894  bind_address.sll_protocol = htons(ETH_P_ALL);
1895  bind_address.sll_ifindex = if_idx;
1896  if (bind_address.sll_ifindex == -1) {
1897  if (verbose)
1898  SCLogWarning("%s: device for found", devname);
1899  ret = AFP_RECOVERABLE_ERROR;
1900  goto socket_err;
1901  }
1902 
1903  int if_flags = AFPGetDevFlags(ptv->socket, ptv->iface);
1904  if (if_flags == -1) {
1905  if (verbose) {
1906  SCLogWarning("%s: failed to get interface flags", ptv->iface);
1907  }
1908  ret = AFP_RECOVERABLE_ERROR;
1909  goto socket_err;
1910  } else if ((if_flags & (IFF_UP | IFF_RUNNING)) == 0) {
1911  if (verbose) {
1912  SCLogWarning("%s: interface is down", ptv->iface);
1913  }
1914  ret = AFP_RECOVERABLE_ERROR;
1915  goto socket_err;
1916  }
1917 
1918  /* ignore outgoing packets on loopback interfaces */
1919  if (if_flags & IFF_LOOPBACK)
1920  ptv->pkttype_filter_mask |= BIT_U32(PACKET_OUTGOING);
1921 
1922  if (ptv->promisc != 0) {
1923  /* Force promiscuous mode */
1924  memset(&sock_params, 0, sizeof(sock_params));
1925  sock_params.mr_type = PACKET_MR_PROMISC;
1926  sock_params.mr_ifindex = bind_address.sll_ifindex;
1927  r = setsockopt(ptv->socket, SOL_PACKET, PACKET_ADD_MEMBERSHIP,(void *)&sock_params, sizeof(sock_params));
1928  if (r < 0) {
1929  SCLogError("%s: failed to set promisc mode: %s", devname, strerror(errno));
1930  goto socket_err;
1931  }
1932  }
1933 
1934  if (ptv->checksum_mode == CHECKSUM_VALIDATION_KERNEL) {
1935  int val = 1;
1936  if (setsockopt(ptv->socket, SOL_PACKET, PACKET_AUXDATA, &val,
1937  sizeof(val)) == -1 && errno != ENOPROTOOPT) {
1938  SCLogWarning(
1939  "%s: 'kernel' checksum mode not supported, falling back to full mode", devname);
1940  ptv->checksum_mode = CHECKSUM_VALIDATION_ENABLE;
1941  }
1942  }
1943 
1944  /* set socket recv buffer size */
1945  if (ptv->buffer_size != 0) {
1946  /*
1947  * Set the socket buffer size to the specified value.
1948  */
1949  SCLogPerf("%s: setting socket buffer to %d", devname, ptv->buffer_size);
1950  if (setsockopt(ptv->socket, SOL_SOCKET, SO_RCVBUF,
1951  &ptv->buffer_size,
1952  sizeof(ptv->buffer_size)) == -1) {
1953  SCLogError("%s: failed to set buffer size to %d: %s", devname, ptv->buffer_size,
1954  strerror(errno));
1955  goto socket_err;
1956  }
1957  }
1958 
1959  r = bind(ptv->socket, (struct sockaddr *)&bind_address, sizeof(bind_address));
1960  if (r < 0) {
1961  if (verbose) {
1962  if (errno == ENETDOWN) {
1963  SCLogWarning("%s: failed to bind socket, iface is down", devname);
1964  } else {
1965  SCLogWarning("%s: failed to bind socket: %s", devname, strerror(errno));
1966  }
1967  }
1968  ret = AFP_RECOVERABLE_ERROR;
1969  goto socket_err;
1970  }
1971 
1972 
1973 #ifdef HAVE_PACKET_FANOUT
1974  /* add bound socket to fanout group */
1975  if (ptv->threads > 1) {
1976  uint32_t mode = ptv->cluster_type;
1977  uint16_t id = ptv->cluster_id;
1978  uint32_t option = (mode << 16) | (id & 0xffff);
1979  r = setsockopt(ptv->socket, SOL_PACKET, PACKET_FANOUT,(void *)&option, sizeof(option));
1980  if (r < 0) {
1981  SCLogError("%s: failed to set fanout mode: %s", devname, strerror(errno));
1982  goto socket_err;
1983  }
1984  }
1985 #endif
1986 
1987 #ifdef HAVE_PACKET_EBPF
1988  if (ptv->cluster_type == PACKET_FANOUT_EBPF) {
1989  r = SockFanoutSeteBPF(ptv);
1990  if (r < 0) {
1991  SCLogError("%s: failed to set eBPF: %s", devname, strerror(errno));
1992  goto socket_err;
1993  }
1994  }
1995 #endif
1996  /* bind() done, allow next thread to continue */
1997  if (peer_update) {
1998  AFPPeersListReachedInc();
1999  }
2000  ret = AFPSetupRing(ptv, devname);
2001  if (ret != 0)
2002  goto socket_err;
2003 
2004  SCLogDebug("Using interface '%s' via socket %d", (char *)devname, ptv->socket);
2005 
2006  ptv->datalink = AFPGetDevLinktype(ptv->socket, ptv->iface);
2007 
2008  TmEcode rc = AFPSetBPFFilter(ptv);
2009  if (rc == TM_ECODE_FAILED) {
2010  ret = AFP_FATAL_ERROR;
2011  goto socket_err;
2012  }
2013 
2014  /* Init is ok */
2015  AFPSwitchState(ptv, AFP_STATE_UP);
2016  return 0;
2017 
2018 socket_err:
2019  close(ptv->socket);
2020  ptv->socket = -1;
2021  if (ptv->flags & AFP_TPACKET_V3) {
2022  if (ptv->ring.v3) {
2023  SCFree(ptv->ring.v3);
2024  ptv->ring.v3 = NULL;
2025  }
2026  } else {
2027  if (ptv->ring.v2) {
2028  SCFree(ptv->ring.v2);
2029  ptv->ring.v2 = NULL;
2030  }
2031  }
2032 
2033 error:
2034  return -ret;
2035 }
2036 
2037 TmEcode AFPSetBPFFilter(AFPThreadVars *ptv)
2038 {
2039  struct bpf_program filter;
2040  struct sock_fprog fcode;
2041  int rc;
2042 
2043 #ifdef HAVE_PACKET_EBPF
2044  if (ptv->ebpf_filter_fd != -1) {
2045  return SetEbpfFilter(ptv);
2046  }
2047 #endif
2048 
2049  if (!ptv->bpf_filter)
2050  return TM_ECODE_OK;
2051 
2052  SCLogInfo("%s: using BPF '%s'", ptv->iface, ptv->bpf_filter);
2053 
2054  char errbuf[PCAP_ERRBUF_SIZE];
2055  if (SCBPFCompile(default_packet_size, /* snaplen_arg */
2056  ptv->datalink, /* linktype_arg */
2057  &filter, /* program */
2058  ptv->bpf_filter, /* const char *buf */
2059  1, /* optimize */
2060  0, /* mask */
2061  errbuf,
2062  sizeof(errbuf)) == -1) {
2063  SCLogError("%s: failed to compile BPF \"%s\": %s", ptv->iface, ptv->bpf_filter, errbuf);
2064  return TM_ECODE_FAILED;
2065  }
2066 
2067  if (filter.bf_len > USHRT_MAX) {
2068  return TM_ECODE_FAILED;
2069  }
2070  fcode.len = (unsigned short)filter.bf_len;
2071  fcode.filter = (struct sock_filter*)filter.bf_insns;
2072 
2073  rc = setsockopt(ptv->socket, SOL_SOCKET, SO_ATTACH_FILTER, &fcode, sizeof(fcode));
2074 
2075  SCBPFFree(&filter);
2076  if(rc == -1) {
2077  SCLogError("%s: failed to attach filter: %s", ptv->iface, strerror(errno));
2078  return TM_ECODE_FAILED;
2079  }
2080 
2081  return TM_ECODE_OK;
2082 }
2083 
2084 #ifdef HAVE_PACKET_EBPF
2085 /**
2086  * Insert a half flow in the kernel bypass table
2087  *
2088  * \param mapfd file descriptor of the protocol bypass table
2089  * \param key data to use as key in the table
2090  * \return 0 in case of error, 1 if success
2091  */
2092 static int AFPInsertHalfFlow(int mapd, void *key, unsigned int nr_cpus)
2093 {
2094  BPF_DECLARE_PERCPU(struct pair, value, nr_cpus);
2095  unsigned int i;
2096 
2097  if (mapd == -1) {
2098  return 0;
2099  }
2100 
2101  /* We use a per CPU structure so we have to set an array of values as the kernel
2102  * is not duplicating the data on each CPU by itself. */
2103  for (i = 0; i < nr_cpus; i++) {
2104  BPF_PERCPU(value, i).packets = 0;
2105  BPF_PERCPU(value, i).bytes = 0;
2106  }
2107  if (bpf_map_update_elem(mapd, key, value, BPF_NOEXIST) != 0) {
2108  switch (errno) {
2109  /* no more place in the hash */
2110  case E2BIG:
2111  return 0;
2112  /* no more place in the hash for some hardware bypass */
2113  case EAGAIN:
2114  return 0;
2115  /* if we already have the key then bypass is a success */
2116  case EEXIST:
2117  return 1;
2118  /* Not supposed to be there so issue a error */
2119  default:
2120  SCLogError("Can't update eBPF map: %s (%d)", strerror(errno), errno);
2121  return 0;
2122  }
2123  }
2124  return 1;
2125 }
2126 
2127 static int AFPSetFlowStorage(Packet *p, int map_fd, void *key0, void* key1,
2128  int family)
2129 {
2130  FlowBypassInfo *fc = FlowGetStorageById(p->flow, GetFlowBypassInfoID());
2131  if (fc) {
2132  if (fc->bypass_data != NULL) {
2133  // bypass already activated
2134  SCFree(key0);
2135  SCFree(key1);
2136  return 1;
2137  }
2138  EBPFBypassData *eb = SCCalloc(1, sizeof(EBPFBypassData));
2139  if (eb == NULL) {
2140  EBPFDeleteKey(map_fd, key0);
2141  EBPFDeleteKey(map_fd, key1);
2142  LiveDevAddBypassFail(p->livedev, 1, family);
2143  SCFree(key0);
2144  SCFree(key1);
2145  return 0;
2146  }
2147  eb->key[0] = key0;
2148  eb->key[1] = key1;
2149  eb->mapfd = map_fd;
2150  eb->cpus_count = p->afp_v.nr_cpus;
2151  fc->BypassUpdate = EBPFBypassUpdate;
2152  fc->BypassFree = EBPFBypassFree;
2153  fc->bypass_data = eb;
2154  } else {
2155  EBPFDeleteKey(map_fd, key0);
2156  EBPFDeleteKey(map_fd, key1);
2157  LiveDevAddBypassFail(p->livedev, 1, family);
2158  SCFree(key0);
2159  SCFree(key1);
2160  return 0;
2161  }
2162 
2163  LiveDevAddBypassStats(p->livedev, 1, family);
2164  LiveDevAddBypassSuccess(p->livedev, 1, family);
2165  return 1;
2166 }
2167 
2168 /**
2169  * Bypass function for AF_PACKET capture in eBPF mode
2170  *
2171  * This function creates two half flows in the map shared with the kernel
2172  * to trigger bypass.
2173  *
2174  * The implementation of bypass is done via an IPv4 and an IPv6 flow table.
2175  * This table contains the list of half flows to bypass. The in-kernel filter
2176  * will skip/drop the packet if they belong to a flow in one of the flows
2177  * table.
2178  *
2179  * \param p the packet belonging to the flow to bypass
2180  * \return 0 if unable to bypass, 1 if success
2181  */
2182 static int AFPBypassCallback(Packet *p)
2183 {
2184  SCLogDebug("Calling af_packet callback function");
2185  /* Only bypass TCP and UDP */
2186  if (!(PacketIsTCP(p) || PacketIsUDP(p))) {
2187  return 0;
2188  }
2189 
2190  /* If we don't have a flow attached to packet the eBPF map entries
2191  * will be destroyed at first flow bypass manager pass as we won't
2192  * find any associated entry */
2193  if (p->flow == NULL) {
2194  return 0;
2195  }
2196  /* Bypassing tunneled packets is currently not supported
2197  * because we can't discard the inner packet only due to
2198  * primitive parsing in eBPF */
2199  if (PacketIsTunnel(p)) {
2200  return 0;
2201  }
2202  if (PacketIsIPv4(p)) {
2203  SCLogDebug("add an IPv4");
2204  if (p->afp_v.v4_map_fd == -1) {
2205  return 0;
2206  }
2207  struct flowv4_keys *keys[2];
2208  keys[0] = SCCalloc(1, sizeof(struct flowv4_keys));
2209  if (keys[0] == NULL) {
2210  return 0;
2211  }
2212  keys[0]->src = htonl(GET_IPV4_SRC_ADDR_U32(p));
2213  keys[0]->dst = htonl(GET_IPV4_DST_ADDR_U32(p));
2214  keys[0]->port16[0] = p->sp;
2215  keys[0]->port16[1] = p->dp;
2216  keys[0]->vlan0 = p->vlan_id[0];
2217  keys[0]->vlan1 = p->vlan_id[1];
2218  keys[0]->vlan2 = p->vlan_id[2];
2219 
2220  if (p->proto == IPPROTO_TCP) {
2221  keys[0]->ip_proto = 1;
2222  } else {
2223  keys[0]->ip_proto = 0;
2224  }
2225  if (AFPInsertHalfFlow(p->afp_v.v4_map_fd, keys[0],
2226  p->afp_v.nr_cpus) == 0) {
2227  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2228  SCFree(keys[0]);
2229  return 0;
2230  }
2231  keys[1]= SCCalloc(1, sizeof(struct flowv4_keys));
2232  if (keys[1] == NULL) {
2233  EBPFDeleteKey(p->afp_v.v4_map_fd, keys[0]);
2234  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2235  SCFree(keys[0]);
2236  return 0;
2237  }
2238  keys[1]->src = htonl(GET_IPV4_DST_ADDR_U32(p));
2239  keys[1]->dst = htonl(GET_IPV4_SRC_ADDR_U32(p));
2240  keys[1]->port16[0] = p->dp;
2241  keys[1]->port16[1] = p->sp;
2242  keys[1]->vlan0 = p->vlan_id[0];
2243  keys[1]->vlan1 = p->vlan_id[1];
2244  keys[1]->vlan2 = p->vlan_id[2];
2245 
2246  keys[1]->ip_proto = keys[0]->ip_proto;
2247  if (AFPInsertHalfFlow(p->afp_v.v4_map_fd, keys[1],
2248  p->afp_v.nr_cpus) == 0) {
2249  EBPFDeleteKey(p->afp_v.v4_map_fd, keys[0]);
2250  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2251  SCFree(keys[0]);
2252  SCFree(keys[1]);
2253  return 0;
2254  }
2255  EBPFUpdateFlow(p->flow, p, NULL);
2256  return AFPSetFlowStorage(p, p->afp_v.v4_map_fd, keys[0], keys[1], AF_INET);
2257  }
2258  /* For IPv6 case we don't handle extended header in eBPF */
2259  if (PacketIsIPv6(p) && ((p->proto == IPPROTO_TCP) || (p->proto == IPPROTO_UDP))) {
2260  int i;
2261  if (p->afp_v.v6_map_fd == -1) {
2262  return 0;
2263  }
2264  SCLogDebug("add an IPv6");
2265  struct flowv6_keys *keys[2];
2266  keys[0] = SCCalloc(1, sizeof(struct flowv6_keys));
2267  if (keys[0] == NULL) {
2268  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2269  return 0;
2270  }
2271  for (i = 0; i < 4; i++) {
2272  keys[0]->src[i] = ntohl(GET_IPV6_SRC_ADDR(p)[i]);
2273  keys[0]->dst[i] = ntohl(GET_IPV6_DST_ADDR(p)[i]);
2274  }
2275  keys[0]->port16[0] = p->sp;
2276  keys[0]->port16[1] = p->dp;
2277  keys[0]->vlan0 = p->vlan_id[0];
2278  keys[0]->vlan1 = p->vlan_id[1];
2279  keys[0]->vlan2 = p->vlan_id[2];
2280 
2281  if (p->proto == IPPROTO_TCP) {
2282  keys[0]->ip_proto = 1;
2283  } else {
2284  keys[0]->ip_proto = 0;
2285  }
2286  if (AFPInsertHalfFlow(p->afp_v.v6_map_fd, keys[0],
2287  p->afp_v.nr_cpus) == 0) {
2288  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2289  SCFree(keys[0]);
2290  return 0;
2291  }
2292  keys[1]= SCCalloc(1, sizeof(struct flowv6_keys));
2293  if (keys[1] == NULL) {
2294  EBPFDeleteKey(p->afp_v.v6_map_fd, keys[0]);
2295  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2296  SCFree(keys[0]);
2297  return 0;
2298  }
2299  for (i = 0; i < 4; i++) {
2300  keys[1]->src[i] = ntohl(GET_IPV6_DST_ADDR(p)[i]);
2301  keys[1]->dst[i] = ntohl(GET_IPV6_SRC_ADDR(p)[i]);
2302  }
2303  keys[1]->port16[0] = p->dp;
2304  keys[1]->port16[1] = p->sp;
2305  keys[1]->vlan0 = p->vlan_id[0];
2306  keys[1]->vlan1 = p->vlan_id[1];
2307  keys[1]->vlan2 = p->vlan_id[2];
2308 
2309  keys[1]->ip_proto = keys[0]->ip_proto;
2310  if (AFPInsertHalfFlow(p->afp_v.v6_map_fd, keys[1],
2311  p->afp_v.nr_cpus) == 0) {
2312  EBPFDeleteKey(p->afp_v.v6_map_fd, keys[0]);
2313  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2314  SCFree(keys[0]);
2315  SCFree(keys[1]);
2316  return 0;
2317  }
2318  if (p->flow)
2319  EBPFUpdateFlow(p->flow, p, NULL);
2320  return AFPSetFlowStorage(p, p->afp_v.v6_map_fd, keys[0], keys[1], AF_INET6);
2321  }
2322  return 0;
2323 }
2324 
2325 /**
2326  * Bypass function for AF_PACKET capture in XDP mode
2327  *
2328  * This function creates two half flows in the map shared with the kernel
2329  * to trigger bypass. This function is similar to AFPBypassCallback() but
2330  * the bytes order is changed for some data due to the way we get the data
2331  * in the XDP case.
2332  *
2333  * \param p the packet belonging to the flow to bypass
2334  * \return 0 if unable to bypass, 1 if success
2335  */
2336 static int AFPXDPBypassCallback(Packet *p)
2337 {
2338  SCLogDebug("Calling af_packet callback function");
2339  /* Only bypass TCP and UDP */
2340  if (!(PacketIsTCP(p) || PacketIsUDP(p))) {
2341  return 0;
2342  }
2343 
2344  /* If we don't have a flow attached to packet the eBPF map entries
2345  * will be destroyed at first flow bypass manager pass as we won't
2346  * find any associated entry */
2347  if (p->flow == NULL) {
2348  return 0;
2349  }
2350  /* Bypassing tunneled packets is currently not supported
2351  * because we can't discard the inner packet only due to
2352  * primitive parsing in eBPF */
2353  if (PacketIsTunnel(p)) {
2354  return 0;
2355  }
2356  if (PacketIsIPv4(p)) {
2357  struct flowv4_keys *keys[2];
2358  keys[0]= SCCalloc(1, sizeof(struct flowv4_keys));
2359  if (keys[0] == NULL) {
2360  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2361  return 0;
2362  }
2363  if (p->afp_v.v4_map_fd == -1) {
2364  SCFree(keys[0]);
2365  return 0;
2366  }
2367  keys[0]->src = p->src.addr_data32[0];
2368  keys[0]->dst = p->dst.addr_data32[0];
2369  /* In the XDP filter we get port from parsing of packet and not from skb
2370  * (as in eBPF filter) so we need to pass from host to network order */
2371  keys[0]->port16[0] = htons(p->sp);
2372  keys[0]->port16[1] = htons(p->dp);
2373  keys[0]->vlan0 = p->vlan_id[0];
2374  keys[0]->vlan1 = p->vlan_id[1];
2375  keys[0]->vlan2 = p->vlan_id[2];
2376  if (p->proto == IPPROTO_TCP) {
2377  keys[0]->ip_proto = 1;
2378  } else {
2379  keys[0]->ip_proto = 0;
2380  }
2381  if (AFPInsertHalfFlow(p->afp_v.v4_map_fd, keys[0],
2382  p->afp_v.nr_cpus) == 0) {
2383  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2384  SCFree(keys[0]);
2385  return 0;
2386  }
2387  keys[1]= SCCalloc(1, sizeof(struct flowv4_keys));
2388  if (keys[1] == NULL) {
2389  EBPFDeleteKey(p->afp_v.v4_map_fd, keys[0]);
2390  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2391  SCFree(keys[0]);
2392  return 0;
2393  }
2394  keys[1]->src = p->dst.addr_data32[0];
2395  keys[1]->dst = p->src.addr_data32[0];
2396  keys[1]->port16[0] = htons(p->dp);
2397  keys[1]->port16[1] = htons(p->sp);
2398  keys[1]->vlan0 = p->vlan_id[0];
2399  keys[1]->vlan1 = p->vlan_id[1];
2400  keys[1]->vlan2 = p->vlan_id[2];
2401  keys[1]->ip_proto = keys[0]->ip_proto;
2402  if (AFPInsertHalfFlow(p->afp_v.v4_map_fd, keys[1],
2403  p->afp_v.nr_cpus) == 0) {
2404  EBPFDeleteKey(p->afp_v.v4_map_fd, keys[0]);
2405  LiveDevAddBypassFail(p->livedev, 1, AF_INET);
2406  SCFree(keys[0]);
2407  SCFree(keys[1]);
2408  return 0;
2409  }
2410  return AFPSetFlowStorage(p, p->afp_v.v4_map_fd, keys[0], keys[1], AF_INET);
2411  }
2412  /* For IPv6 case we don't handle extended header in eBPF */
2413  if (PacketIsIPv6(p) && ((p->proto == IPPROTO_TCP) || (p->proto == IPPROTO_UDP))) {
2414  SCLogDebug("add an IPv6");
2415  if (p->afp_v.v6_map_fd == -1) {
2416  return 0;
2417  }
2418  int i;
2419  struct flowv6_keys *keys[2];
2420  keys[0] = SCCalloc(1, sizeof(struct flowv6_keys));
2421  if (keys[0] == NULL) {
2422  return 0;
2423  }
2424 
2425  for (i = 0; i < 4; i++) {
2426  keys[0]->src[i] = GET_IPV6_SRC_ADDR(p)[i];
2427  keys[0]->dst[i] = GET_IPV6_DST_ADDR(p)[i];
2428  }
2429  keys[0]->port16[0] = htons(p->sp);
2430  keys[0]->port16[1] = htons(p->dp);
2431  keys[0]->vlan0 = p->vlan_id[0];
2432  keys[0]->vlan1 = p->vlan_id[1];
2433  keys[0]->vlan2 = p->vlan_id[2];
2434  if (p->proto == IPPROTO_TCP) {
2435  keys[0]->ip_proto = 1;
2436  } else {
2437  keys[0]->ip_proto = 0;
2438  }
2439  if (AFPInsertHalfFlow(p->afp_v.v6_map_fd, keys[0],
2440  p->afp_v.nr_cpus) == 0) {
2441  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2442  SCFree(keys[0]);
2443  return 0;
2444  }
2445  keys[1]= SCCalloc(1, sizeof(struct flowv6_keys));
2446  if (keys[1] == NULL) {
2447  EBPFDeleteKey(p->afp_v.v6_map_fd, keys[0]);
2448  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2449  SCFree(keys[0]);
2450  return 0;
2451  }
2452  for (i = 0; i < 4; i++) {
2453  keys[1]->src[i] = GET_IPV6_DST_ADDR(p)[i];
2454  keys[1]->dst[i] = GET_IPV6_SRC_ADDR(p)[i];
2455  }
2456  keys[1]->port16[0] = htons(p->dp);
2457  keys[1]->port16[1] = htons(p->sp);
2458  keys[1]->vlan0 = p->vlan_id[0];
2459  keys[1]->vlan1 = p->vlan_id[1];
2460  keys[1]->vlan2 = p->vlan_id[2];
2461  keys[1]->ip_proto = keys[0]->ip_proto;
2462  if (AFPInsertHalfFlow(p->afp_v.v6_map_fd, keys[1],
2463  p->afp_v.nr_cpus) == 0) {
2464  EBPFDeleteKey(p->afp_v.v6_map_fd, keys[0]);
2465  LiveDevAddBypassFail(p->livedev, 1, AF_INET6);
2466  SCFree(keys[0]);
2467  SCFree(keys[1]);
2468  return 0;
2469  }
2470  return AFPSetFlowStorage(p, p->afp_v.v6_map_fd, keys[0], keys[1], AF_INET6);
2471  }
2472  return 0;
2473 }
2474 
2475 bool g_flowv4_ok = true;
2476 bool g_flowv6_ok = true;
2477 
2478 #endif /* HAVE_PACKET_EBPF */
2479 
2480 /**
2481  * \brief Init function for ReceiveAFP.
2482  *
2483  * \param tv pointer to ThreadVars
2484  * \param initdata pointer to the interface passed from the user
2485  * \param data pointer gets populated with AFPThreadVars
2486  *
2487  * \todo Create a general AFP setup function.
2488  */
2489 TmEcode ReceiveAFPThreadInit(ThreadVars *tv, const void *initdata, void **data)
2490 {
2491  SCEnter();
2492  AFPIfaceConfig *afpconfig = (AFPIfaceConfig *)initdata;
2493 
2494  if (initdata == NULL) {
2495  SCLogError("initdata == NULL");
2496  SCReturnInt(TM_ECODE_FAILED);
2497  }
2498 
2499  AFPThreadVars *ptv = SCCalloc(1, sizeof(AFPThreadVars));
2500  if (unlikely(ptv == NULL)) {
2501  afpconfig->DerefFunc(afpconfig);
2502  SCReturnInt(TM_ECODE_FAILED);
2503  }
2504 
2505  ptv->tv = tv;
2506 
2507  strlcpy(ptv->iface, afpconfig->iface, AFP_IFACE_NAME_LENGTH);
2508  ptv->iface[AFP_IFACE_NAME_LENGTH - 1]= '\0';
2509 
2510  ptv->livedev = LiveGetDevice(ptv->iface);
2511  if (ptv->livedev == NULL) {
2512  SCLogError("Unable to find Live device");
2513  SCFree(ptv);
2514  SCReturnInt(TM_ECODE_FAILED);
2515  }
2516 
2517  ptv->buffer_size = afpconfig->buffer_size;
2518  ptv->ring_size = afpconfig->ring_size;
2519  ptv->block_size = afpconfig->block_size;
2520  ptv->block_timeout = afpconfig->block_timeout;
2521 
2522  ptv->promisc = afpconfig->promisc;
2523  ptv->checksum_mode = afpconfig->checksum_mode;
2524  ptv->bpf_filter = NULL;
2525 
2526  ptv->threads = 1;
2527 #ifdef HAVE_PACKET_FANOUT
2528  ptv->cluster_type = PACKET_FANOUT_LB;
2529  ptv->cluster_id = 1;
2530  /* We only set cluster info if the number of reader threads is greater than 1 */
2531  if (afpconfig->threads > 1) {
2532  ptv->cluster_id = afpconfig->cluster_id;
2533  ptv->cluster_type = afpconfig->cluster_type;
2534  ptv->threads = afpconfig->threads;
2535  }
2536 #endif
2537  ptv->flags = afpconfig->flags;
2538 
2539  if (afpconfig->bpf_filter) {
2540  ptv->bpf_filter = afpconfig->bpf_filter;
2541  }
2542 #ifdef HAVE_PACKET_EBPF
2543  ptv->ebpf_lb_fd = afpconfig->ebpf_lb_fd;
2544  ptv->ebpf_filter_fd = afpconfig->ebpf_filter_fd;
2545  ptv->xdp_mode = afpconfig->xdp_mode;
2546  ptv->ebpf_t_config.cpus_count = UtilCpuGetNumProcessorsConfigured();
2547 
2548  if (ptv->flags & (AFP_BYPASS|AFP_XDPBYPASS)) {
2549  ptv->v4_map_fd = EBPFGetMapFDByName(ptv->iface, "flow_table_v4");
2550  if (ptv->v4_map_fd == -1) {
2551  if (!g_flowv4_ok) {
2552  SCLogError("Can't find eBPF map fd for '%s'", "flow_table_v4");
2553  g_flowv4_ok = true;
2554  }
2555  }
2556  ptv->v6_map_fd = EBPFGetMapFDByName(ptv->iface, "flow_table_v6");
2557  if (ptv->v6_map_fd == -1) {
2558  if (g_flowv6_ok) {
2559  SCLogError("Can't find eBPF map fd for '%s'", "flow_table_v6");
2560  g_flowv6_ok = false;
2561  }
2562  }
2563  }
2564  ptv->ebpf_t_config = afpconfig->ebpf_t_config;
2565 #endif
2566 
2567 #ifdef PACKET_STATISTICS
2568  ptv->capture_kernel_packets = StatsRegisterCounter("capture.kernel_packets",
2569  ptv->tv);
2570  ptv->capture_kernel_drops = StatsRegisterCounter("capture.kernel_drops",
2571  ptv->tv);
2572  ptv->capture_errors = StatsRegisterCounter("capture.errors",
2573  ptv->tv);
2574 
2575  ptv->afpacket_spin = StatsRegisterAvgCounter("capture.afpacket.busy_loop_avg", ptv->tv);
2576 
2577  ptv->capture_afp_poll = StatsRegisterCounter("capture.afpacket.polls", ptv->tv);
2578  ptv->capture_afp_poll_signal = StatsRegisterCounter("capture.afpacket.poll_signal", ptv->tv);
2579  ptv->capture_afp_poll_timeout = StatsRegisterCounter("capture.afpacket.poll_timeout", ptv->tv);
2580  ptv->capture_afp_poll_data = StatsRegisterCounter("capture.afpacket.poll_data", ptv->tv);
2581  ptv->capture_afp_poll_err = StatsRegisterCounter("capture.afpacket.poll_errors", ptv->tv);
2582  ptv->capture_afp_send_err = StatsRegisterCounter("capture.afpacket.send_errors", ptv->tv);
2583 #endif
2584 
2585  ptv->copy_mode = afpconfig->copy_mode;
2586  if (ptv->copy_mode != AFP_COPY_MODE_NONE) {
2587  strlcpy(ptv->out_iface, afpconfig->out_iface, AFP_IFACE_NAME_LENGTH);
2588  ptv->out_iface[AFP_IFACE_NAME_LENGTH - 1]= '\0';
2589  /* Warn about BPF filter consequence */
2590  if (ptv->bpf_filter) {
2591  SCLogWarning("Enabling a BPF filter in IPS mode result"
2592  " in dropping all non matching packets.");
2593  }
2594  }
2595 
2596 
2597  if (AFPPeersListAdd(ptv) == TM_ECODE_FAILED) {
2598  SCFree(ptv);
2599  afpconfig->DerefFunc(afpconfig);
2600  SCReturnInt(TM_ECODE_FAILED);
2601  }
2602 
2603  *data = (void *)ptv;
2604 
2605  afpconfig->DerefFunc(afpconfig);
2606 
2607  /* If kernel is older than 3.0, VLAN is not stripped so we don't
2608  * get the info from packet extended header but we will use a standard
2609  * parsing of packet data (See Linux commit bcc6d47903612c3861201cc3a866fb604f26b8b2) */
2610  if (SCKernelVersionIsAtLeast(3, 0)) {
2611  ptv->flags |= AFP_VLAN_IN_HEADER;
2612  }
2613 
2614  SCReturnInt(TM_ECODE_OK);
2615 }
2616 
2617 /**
2618  * \brief This function prints stats to the screen at exit.
2619  * \param tv pointer to ThreadVars
2620  * \param data pointer that gets cast into AFPThreadVars for ptv
2621  */
2622 void ReceiveAFPThreadExitStats(ThreadVars *tv, void *data)
2623 {
2624  SCEnter();
2625  AFPThreadVars *ptv = (AFPThreadVars *)data;
2626 
2627 #ifdef PACKET_STATISTICS
2628  AFPDumpCounters(ptv);
2629  SCLogPerf("%s: (%s) kernel: Packets %" PRIu64 ", dropped %" PRIu64 "", ptv->iface, tv->name,
2630  StatsGetLocalCounterValue(tv, ptv->capture_kernel_packets),
2631  StatsGetLocalCounterValue(tv, ptv->capture_kernel_drops));
2632 #endif
2633 }
2634 
2635 /**
2636  * \brief DeInit function closes af packet socket at exit.
2637  * \param tv pointer to ThreadVars
2638  * \param data pointer that gets cast into AFPThreadVars for ptv
2639  */
2640 TmEcode ReceiveAFPThreadDeinit(ThreadVars *tv, void *data)
2641 {
2642  AFPThreadVars *ptv = (AFPThreadVars *)data;
2643 
2644  AFPSwitchState(ptv, AFP_STATE_DOWN);
2645 
2646 #ifdef HAVE_PACKET_XDP
2647  if ((ptv->ebpf_t_config.flags & EBPF_XDP_CODE) &&
2648  (!(ptv->ebpf_t_config.flags & EBPF_PINNED_MAPS))) {
2649  EBPFSetupXDP(ptv->iface, -1, ptv->xdp_mode);
2650  }
2651 #endif
2652 
2653  ptv->bpf_filter = NULL;
2654  if ((ptv->flags & AFP_TPACKET_V3) && ptv->ring.v3) {
2655  SCFree(ptv->ring.v3);
2656  } else {
2657  if (ptv->ring.v2)
2658  SCFree(ptv->ring.v2);
2659  }
2660 
2661  SCFree(ptv);
2662  SCReturnInt(TM_ECODE_OK);
2663 }
2664 
2665 /** \internal
2666  * \brief add a VLAN header into the raw data for inspection, logging
2667  * and sending out in IPS mode
2668  *
2669  * The kernel doesn't provide the first VLAN header the raw packet data,
2670  * but instead feeds it to us through meta data. For logging and IPS
2671  * we need to put it back into the raw data. Luckily there is some head
2672  * room in the original data so its enough to move the ethernet header
2673  * a bit to make space for the VLAN header.
2674  */
2675 static void UpdateRawDataForVLANHdr(Packet *p)
2676 {
2677  if (p->afp_v.vlan_tci != 0) {
2678  uint8_t *pstart = GET_PKT_DATA(p) - VLAN_HEADER_LEN;
2679  size_t plen = GET_PKT_LEN(p) + VLAN_HEADER_LEN;
2680  /* move ethernet addresses */
2681  memmove(pstart, GET_PKT_DATA(p), 2 * ETH_ALEN);
2682  /* write vlan info */
2683  *(uint16_t *)(pstart + 2 * ETH_ALEN) = htons(0x8100);
2684  *(uint16_t *)(pstart + 2 * ETH_ALEN + 2) = htons(p->afp_v.vlan_tci);
2685 
2686  /* update the packet raw data pointer to start at the new offset */
2687  (void)PacketSetData(p, pstart, plen);
2688  /* update ethernet header pointer to point to the new start of the data */
2689  p->l2.hdrs.ethh = (void *)pstart;
2690  }
2691 }
2692 
2693 /**
2694  * \brief This function passes off to link type decoders.
2695  *
2696  * DecodeAFP decodes packets from AF_PACKET and passes
2697  * them off to the proper link type decoder.
2698  *
2699  * \param t pointer to ThreadVars
2700  * \param p pointer to the current packet
2701  * \param data pointer that gets cast into AFPThreadVars for ptv
2702  */
2703 TmEcode DecodeAFP(ThreadVars *tv, Packet *p, void *data)
2704 {
2705  SCEnter();
2706 
2707  const bool afp_vlan_hdr = p->vlan_idx != 0;
2708  DecodeThreadVars *dtv = (DecodeThreadVars *)data;
2709 
2710  DEBUG_VALIDATE_BUG_ON(PKT_IS_PSEUDOPKT(p));
2711 
2712  /* update counters */
2713  DecodeUpdatePacketCounters(tv, dtv, p);
2714 
2715  /* call the decoder */
2716  DecodeLinkLayer(tv, dtv, p->datalink, p, GET_PKT_DATA(p), GET_PKT_LEN(p));
2717  /* post-decoding put vlan hdr back into the raw data) */
2718  if (afp_vlan_hdr) {
2719  StatsIncr(tv, dtv->counter_vlan);
2720  UpdateRawDataForVLANHdr(p);
2721  }
2722 
2723  PacketDecodeFinalize(tv, dtv, p);
2724 
2725  SCReturnInt(TM_ECODE_OK);
2726 }
2727 
2728 TmEcode DecodeAFPThreadInit(ThreadVars *tv, const void *initdata, void **data)
2729 {
2730  SCEnter();
2731  DecodeThreadVars *dtv = DecodeThreadVarsAlloc(tv);
2732  if (dtv == NULL)
2733  SCReturnInt(TM_ECODE_FAILED);
2734 
2735  DecodeRegisterPerfCounters(dtv, tv);
2736 
2737  *data = (void *)dtv;
2738 
2739  SCReturnInt(TM_ECODE_OK);
2740 }
2741 
2742 TmEcode DecodeAFPThreadDeinit(ThreadVars *tv, void *data)
2743 {
2744  if (data != NULL)
2745  DecodeThreadVarsFree(tv, data);
2746  SCReturnInt(TM_ECODE_OK);
2747 }
2748 
2749 #endif /* HAVE_AF_PACKET */
2750 /* eof */
2751 /**
2752  * @}
2753  */
TmModule_::cap_flags
uint8_t cap_flags
Definition: tm-modules.h:73
PacketCheckAction
bool PacketCheckAction(const Packet *p, const uint8_t a)
Definition: packet.c:49
AFPIfaceConfig_::promisc
int promisc
Definition: source-af-packet.h:97
tm-threads.h
Packet_::proto
uint8_t proto
Definition: decode.h:498
AFPThreadVars_::promisc
int promisc
Definition: source-af-packet.c:327
AFPIfaceConfig_::checksum_mode
ChecksumValidationMode checksum_mode
Definition: source-af-packet.h:101
PACKET_FANOUT_FLAG_DEFRAG
#define PACKET_FANOUT_FLAG_DEFRAG
Definition: source-af-packet.h:40
len
uint8_t len
Definition: app-layer-dnp3.h:2
peerslist
AFPPeersList peerslist
Definition: source-af-packet.c:445
AFPIfaceConfig_::xdp_mode
uint8_t xdp_mode
Definition: source-af-packet.h:109
AFPV_CLEANUP
#define AFPV_CLEANUP(afpv)
Definition: source-af-packet.h:172
AFP_BYPASS
#define AFP_BYPASS
Definition: source-af-packet.h:65
AFPThreadVars_::pkts
uint64_t pkts
Definition: source-af-packet.c:271
TP_STATUS_VLAN_VALID
#define TP_STATUS_VLAN_VALID
Definition: source-af-packet.c:193
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:166
AFPThreadVars_::checksum_mode
ChecksumValidationMode checksum_mode
Definition: source-af-packet.c:288
ThreadVars_::name
char name[16]
Definition: threadvars.h:65
PacketFreeOrRelease
void PacketFreeOrRelease(Packet *p)
Return a packet to where it was allocated.
Definition: decode.c:250
TAILQ_INIT
#define TAILQ_INIT(head)
Definition: queue.h:262
AFPPeer_::turn
int turn
Definition: source-af-packet.h:130
AFPThreadVars_::AFPRing::v2
union thdr ** v2
Definition: source-af-packet.c:266
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
Definition: util-atomic.h:314
AFPThreadVars_::send_errors_logged
uint64_t send_errors_logged
Definition: source-af-packet.c:302
AFP_COPY_MODE_NONE
#define AFP_COPY_MODE_NONE
Definition: source-af-packet.h:68
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1321
util-bpf.h
AFPThreadVars_::block_size
int block_size
Definition: source-af-packet.c:320
GetFlowBypassInfoID
FlowStorageId GetFlowBypassInfoID(void)
Definition: flow-util.c:212
FlowBypassInfo_
Definition: flow.h:524
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:386
AFPThreadVars_::afpacket_spin
uint16_t afpacket_spin
Definition: source-af-packet.c:294
AFPThreadVars_
Structure to hold thread specific variables.
Definition: source-af-packet.c:264
AFPPeer_::peer
struct AFPPeer_ * peer
Definition: source-af-packet.h:132
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
TmThreadsSetFlag
void TmThreadsSetFlag(ThreadVars *tv, uint32_t flag)
Set a thread flag.
Definition: tm-threads.c:101
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
AFPIfaceConfig_::ebpf_filter_fd
int ebpf_filter_fd
Definition: source-af-packet.h:106
util-checksum.h
AFPThreadVars_::AFPTpacketReq
Definition: source-af-packet.c:339
AFPThreadVars_::block_timeout
int block_timeout
Definition: source-af-packet.c:321
action-globals.h
Packet_::flags
uint32_t flags
Definition: decode.h:513
threads.h
thdr::raw
void * raw
Definition: source-af-packet.c:252
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:504
AFPThreadVars_::buffer_size
int buffer_size
Definition: source-af-packet.c:323
UtilCpuGetNumProcessorsConfigured
uint16_t UtilCpuGetNumProcessorsConfigured(void)
Get the number of cpus configured in the system.
Definition: util-cpu.c:59
AFP_SOCK_PROTECT
#define AFP_SOCK_PROTECT
Definition: source-af-packet.h:60
PACKET_FANOUT_HASH
#define PACKET_FANOUT_HASH
Definition: source-af-packet.h:32
LiveDevice_
Definition: util-device.h:50
AFPPeersListInit
TmEcode AFPPeersListInit(void)
Init the global list of AFPPeer.
Definition: source-af-packet.c:451
AFPThreadVars
struct AFPThreadVars_ AFPThreadVars
Structure to hold thread specific variables.
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:332
AFP_DOWN_COUNTER_INTERVAL
#define AFP_DOWN_COUNTER_INTERVAL
Definition: source-af-packet.c:172
AFPThreadVars_::ring_size
int ring_size
Definition: source-af-packet.c:319
AFPThreadVars_::capture_afp_send_err
uint16_t capture_afp_send_err
Definition: source-af-packet.c:300
THV_RUNNING
#define THV_RUNNING
Definition: threadvars.h:55
AFP_READ_FAILURE
@ AFP_READ_FAILURE
Definition: source-af-packet.c:236
AFPIfaceConfig_::threads
int threads
Definition: source-af-packet.h:84
packet-queue.h
AFPIfaceConfig_::ring_size
int ring_size
Definition: source-af-packet.h:88
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
TmModuleDecodeAFPRegister
void TmModuleDecodeAFPRegister(void)
Registration Function for DecodeAFP.
Definition: source-af-packet.c:601
AFPIfaceConfig_::block_timeout
int block_timeout
Definition: source-af-packet.h:92
SCKernelVersionIsAtLeast
int SCKernelVersionIsAtLeast(int major, int minor)
Definition: util-host-info.c:37
AFPThreadVars_::ring
union AFPThreadVars_::AFPRing ring
tm-threads-common.h
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
MIN
#define MIN(x, y)
Definition: suricata-common.h:400
tm-modules.h
util-privs.h
AFP_PEERS_MAX_TRY
#define AFP_PEERS_MAX_TRY
CHECKSUM_VALIDATION_DISABLE
@ CHECKSUM_VALIDATION_DISABLE
Definition: decode.h:42
AFP_IFACE_NAME_LENGTH
#define AFP_IFACE_NAME_LENGTH
Definition: source-af-packet.c:166
AFPIfaceConfig_::out_iface
const char * out_iface
Definition: source-af-packet.h:110
CHECKSUM_VALIDATION_KERNEL
@ CHECKSUM_VALIDATION_KERNEL
Definition: decode.h:46
TAILQ_INSERT_TAIL
#define TAILQ_INSERT_TAIL(head, elm, field)
Definition: queue.h:294
AFP_XDPBYPASS
#define AFP_XDPBYPASS
Definition: source-af-packet.h:66
PacketDecodeFinalize
void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Finalize decoding of a packet.
Definition: decode.c:206
AFPIfaceConfig_::flags
unsigned int flags
Definition: source-af-packet.h:99
AFPThreadVars_::capture_kernel_drops
uint16_t capture_kernel_drops
Definition: source-af-packet.c:292
AFPThreadVars_::ring_buf
uint8_t * ring_buf
Definition: source-af-packet.c:352
AFP_STATE_UP
#define AFP_STATE_UP
Definition: source-af-packet.c:169
Packet_::BypassPacketsFlow
int(* BypassPacketsFlow)(struct Packet_ *)
Definition: decode.h:563
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:81
AFPPeersListClean
void AFPPeersListClean(void)
Clean the global peers list.
Definition: source-af-packet.c:583
AFPGetLinkType
int AFPGetLinkType(const char *ifname)
Definition: source-af-packet.c:1530
GET_IPV6_DST_ADDR
#define GET_IPV6_DST_ADDR(p)
Definition: decode.h:200
ChecksumAutoModeCheck
int ChecksumAutoModeCheck(uint64_t thread_count, uint64_t iface_count, uint64_t iface_fail)
Check if the number of invalid checksums indicate checksum offloading in place.
Definition: util-checksum.c:69
tmqh-packetpool.h
AFPPeer_::sock_protect
SCMutex sock_protect
Definition: source-af-packet.h:129
AFPPeersListCheck
TmEcode AFPPeersListCheck(void)
Check that all AFPPeer got a peer.
Definition: source-af-packet.c:468
TmModule_::PktAcqLoop
TmEcode(* PktAcqLoop)(ThreadVars *, void *, void *)
Definition: tm-modules.h:54
AFP_PEERS_WAIT
#define AFP_PEERS_WAIT
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
AFPPeersList
struct AFPPeersList_ AFPPeersList
AFP_BLOCK_SIZE_DEFAULT_ORDER
#define AFP_BLOCK_SIZE_DEFAULT_ORDER
Definition: source-af-packet.h:78
AFPIfaceConfig_::cluster_type
int cluster_type
Definition: source-af-packet.h:95
AFPIfaceConfig_::cluster_id
uint16_t cluster_id
Definition: source-af-packet.h:94
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
TmModule_::ThreadDeinit
TmEcode(* ThreadDeinit)(ThreadVars *, void *)
Definition: tm-modules.h:49
Packet_::datalink
int datalink
Definition: decode.h:608
AFPThreadVars_::socket
int socket
Definition: source-af-packet.c:317
AFP_VLAN_IN_HEADER
#define AFP_VLAN_IN_HEADER
Definition: source-af-packet.h:63
AFPIfaceConfig_::block_size
int block_size
Definition: source-af-packet.h:90
PKT_SET_SRC
#define PKT_SET_SRC(p, src_val)
Definition: decode.h:1325
CHECKSUM_VALIDATION_ENABLE
@ CHECKSUM_VALIDATION_ENABLE
Definition: decode.h:43
AFPPeersList_
Definition: source-af-packet.c:410
DecodeRegisterPerfCounters
void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv)
Definition: decode.c:602
CHECKSUM_VALIDATION_AUTO
@ CHECKSUM_VALIDATION_AUTO
Definition: decode.h:44
AFPThreadVars_::frame_offset
unsigned int frame_offset
Definition: source-af-packet.c:286
GetIfaceMaxPacketSize
int GetIfaceMaxPacketSize(LiveDevice *ld)
output max packet size for a link
Definition: util-ioctl.c:120
TAILQ_REMOVE
#define TAILQ_REMOVE(head, elm, field)
Definition: queue.h:312
decode.h
TMM_DECODEAFP
@ TMM_DECODEAFP
Definition: tm-threads-common.h:54
util-device.h
util-debug.h
PKT_SRC_WIRE
@ PKT_SRC_WIRE
Definition: decode.h:51
TAILQ_FIRST
#define TAILQ_FIRST(head)
Definition: queue.h:250
AFPIfaceConfig_::ebpf_lb_fd
int ebpf_lb_fd
Definition: source-af-packet.h:104
util-error.h
AFPThreadVars_::datalink
uint32_t datalink
Definition: source-af-packet.c:277
VLAN_HEADER_LEN
#define VLAN_HEADER_LEN
Definition: decode-vlan.h:46
TmModule_::PktAcqBreakLoop
TmEcode(* PktAcqBreakLoop)(ThreadVars *, void *)
Definition: tm-modules.h:57
FlowBypassInfo_::BypassUpdate
bool(* BypassUpdate)(Flow *f, void *data, time_t tsec)
Definition: flow.h:525
TP_STATUS_CSUMNOTREADY
#define TP_STATUS_CSUMNOTREADY
Definition: source-af-packet.c:190
AFP_MMAP_LOCKED
#define AFP_MMAP_LOCKED
Definition: source-af-packet.h:64
AFPThreadVars_::capture_afp_poll_data
uint16_t capture_afp_poll_data
Definition: source-af-packet.c:298
util-cpu.h
FlowBypassInfo_::BypassFree
void(* BypassFree)(void *data)
Definition: flow.h:526
Packet_::ts
SCTime_t ts
Definition: decode.h:524
BIT_U32
#define BIT_U32(n)
Definition: suricata-common.h:409
TmModuleReceiveAFPRegister
void TmModuleReceiveAFPRegister(void)
Registration Function for RecieveAFP.
Definition: source-af-packet.c:383
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
PACKET_FANOUT_LB
#define PACKET_FANOUT_LB
Definition: source-af-packet.h:33
SCTime_t::secs
uint64_t secs
Definition: util-time.h:41
LiveGetDevice
LiveDevice * LiveGetDevice(const char *name)
Get a pointer to the device at idx.
Definition: util-device.c:248
TP_STATUS_USER
#define TP_STATUS_USER
Definition: source-af-packet.c:181
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:205
AFPThreadVars_::threads
int threads
Definition: source-af-packet.c:337
util-ebpf.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
TmModule_::Func
TmEcode(* Func)(ThreadVars *, Packet *, void *)
Definition: tm-modules.h:52
Packet_::sp
Port sp
Definition: decode.h:483
AFP_RECOVERABLE_ERROR
@ AFP_RECOVERABLE_ERROR
Definition: source-af-packet.c:244
AFPThreadVars_::ring_buflen
unsigned int ring_buflen
Definition: source-af-packet.c:351
LiveDevice_::dev
char * dev
Definition: util-device.h:51
FlowBypassInfo_::bypass_data
void * bypass_data
Definition: flow.h:527
AFPIfaceConfig_::DerefFunc
void(* DerefFunc)(void *)
Definition: source-af-packet.h:115
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
AFPThreadVars_::afp_state
uint8_t afp_state
Definition: source-af-packet.c:305
TP_STATUS_USER_BUSY
#define TP_STATUS_USER_BUSY
Definition: source-af-packet.c:227
AFPThreadVars_::iface
char iface[AFP_IFACE_NAME_LENGTH]
Definition: source-af-packet.c:346
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:309
AFP_STATE_DOWN
#define AFP_STATE_DOWN
Definition: source-af-packet.c:168
SC_ATOMIC_SUB
#define SC_ATOMIC_SUB(name, val)
sub a value from our atomic variable
Definition: util-atomic.h:341
StatsGetLocalCounterValue
uint64_t StatsGetLocalCounterValue(ThreadVars *tv, uint16_t id)
Get the value of the local copy of the counter that hold this id.
Definition: counters.c:1250
SC_ATOMIC_DECLARE
#define SC_ATOMIC_DECLARE(type, name)
wrapper for declaring atomic variables.
Definition: util-atomic.h:280
PacketPoolWait
void PacketPoolWait(void)
Definition: tmqh-packetpool.c:80
AFPThreadVars_::AFPRing::v3
struct iovec * v3
Definition: source-af-packet.c:267
Packet_
Definition: decode.h:476
TM_FLAG_DECODE_TM
#define TM_FLAG_DECODE_TM
Definition: tm-modules.h:33
tmm_modules
TmModule tmm_modules[TMM_SIZE]
Definition: tm-modules.c:29
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:204
AFPPeer_::flags
int flags
Definition: source-af-packet.h:128
conf.h
TmSlot_
Definition: tm-threads.h:53
PKT_IGNORE_CHECKSUM
#define PKT_IGNORE_CHECKSUM
Definition: decode.h:1282
SCTime_t
Definition: util-time.h:40
Packet_::livedev
struct LiveDevice_ * livedev
Definition: decode.h:587
TmEcode
TmEcode
Definition: tm-threads-common.h:79
max_pending_packets
uint32_t max_pending_packets
Definition: suricata.c:180
util-host-info.h
LiveDevice_::mtu
int mtu
Definition: util-device.h:53
TmModule_::name
const char * name
Definition: tm-modules.h:44
AFPThreadVars_::pkttype_filter_mask
uint32_t pkttype_filter_mask
Definition: source-af-packet.c:330
AFPThreadVars_::capture_afp_poll_timeout
uint16_t capture_afp_poll_timeout
Definition: source-af-packet.c:297
LiveDevAddBypassStats
void LiveDevAddBypassStats(LiveDevice *dev, uint64_t cnt, int family)
Definition: util-device.c:496
PacketL2::L2Hdrs::ethh
EthernetHdr * ethh
Definition: decode.h:397
DecodeThreadVars_::counter_vlan
uint16_t counter_vlan
Definition: decode.h:969
runmodes.h
LiveDevAddBypassSuccess
void LiveDevAddBypassSuccess(LiveDevice *dev, uint64_t cnt, int family)
Definition: util-device.c:553
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:224
FlowGetStorageById
void * FlowGetStorageById(const Flow *f, FlowStorageId id)
Definition: flow-storage.c:40
SCMutexInit
#define SCMutexInit(mut, mutattrs)
Definition: threads-debug.h:116
TM_FLAG_RECEIVE_TM
#define TM_FLAG_RECEIVE_TM
Definition: tm-modules.h:32
AFP_NEED_PEER
#define AFP_NEED_PEER
Definition: source-af-packet.h:58
AFPThreadVars_::down_count
int down_count
Definition: source-af-packet.c:332
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
AFPThreadVars_::cluster_type
int cluster_type
Definition: source-af-packet.c:335
AFPThreadVars_::livedev
LiveDevice * livedev
Definition: source-af-packet.c:275
default_packet_size
uint32_t default_packet_size
Definition: decode.c:77
LINKTYPE_RAW
#define LINKTYPE_RAW
Definition: decode.h:1236
tm-queuehandlers.h
Packet_::l2
struct PacketL2 l2
Definition: decode.h:568
AFPThreadVars_::cluster_id
uint16_t cluster_id
Definition: source-af-packet.c:334
AFPThreadVars_::slot
TmSlot * slot
Definition: source-af-packet.c:274
Packet_::ReleasePacket
void(* ReleasePacket)(struct Packet_ *)
Definition: decode.h:560
flow-storage.h
cnt
uint32_t cnt
Definition: tmqh-packetpool.h:7
TMM_RECEIVEAFP
@ TMM_RECEIVEAFP
Definition: tm-threads-common.h:52
Packet_::flow
struct Flow_ * flow
Definition: decode.h:515
AFPThreadVars_::capture_afp_poll_signal
uint16_t capture_afp_poll_signal
Definition: source-af-packet.c:296
AFPPeer_
Definition: source-af-packet.h:123
DecodeThreadVarsFree
void DecodeThreadVarsFree(ThreadVars *tv, DecodeThreadVars *dtv)
Definition: decode.c:792
AFPThreadVars_::capture_afp_poll_err
uint16_t capture_afp_poll_err
Definition: source-af-packet.c:299
ChecksumValidationMode
ChecksumValidationMode
Definition: decode.h:41
suricata-common.h
packet.h
AFPThreadVars_::flags
unsigned int flags
Definition: source-af-packet.c:307
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
SCLogPerf
#define SCLogPerf(...)
Definition: util-debug.h:230
version
uint8_t version
Definition: decode-gre.h:1
SCBPFFree
void SCBPFFree(struct bpf_program *program)
Definition: util-bpf.c:56
TmModule_::ThreadInit
TmEcode(* ThreadInit)(ThreadVars *, const void *, void **)
Definition: tm-modules.h:47
thdr::h2
struct tpacket2_hdr * h2
Definition: source-af-packet.c:248
AFP_TPACKET_V3
#define AFP_TPACKET_V3
Definition: source-af-packet.h:62
LiveDevAddBypassFail
void LiveDevAddBypassFail(LiveDevice *dev, uint64_t cnt, int family)
Definition: util-device.c:534
FatalError
#define FatalError(...)
Definition: util-debug.h:502
thdr
Definition: source-af-packet.c:247
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
util-optimize.h
TmModule_::ThreadExitPrintStats
void(* ThreadExitPrintStats)(ThreadVars *, void *)
Definition: tm-modules.h:48
threadvars.h
util-validate.h
source-af-packet.h
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:146
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
FRAME_BUSY
#define FRAME_BUSY(tp_status)
Definition: source-af-packet.c:231
POLL_TIMEOUT
#define POLL_TIMEOUT
Definition: source-af-packet.c:174
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
GET_IPV6_SRC_ADDR
#define GET_IPV6_SRC_ADDR(p)
Definition: decode.h:199
SCFree
#define SCFree(p)
Definition: util-mem.h:61
AFP_COPY_MODE_IPS
#define AFP_COPY_MODE_IPS
Definition: source-af-packet.h:70
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:932
AFPThreadVars_::tv
ThreadVars * tv
Definition: source-af-packet.c:273
AFPIfaceConfig_::buffer_size
int buffer_size
Definition: source-af-packet.h:86
AFPThreadVars_::req
union AFPThreadVars_::AFPTpacketReq req
util-ioctl.h
AFP_RECONNECT_TIMEOUT
#define AFP_RECONNECT_TIMEOUT
Definition: source-af-packet.c:171
DecodeThreadVarsAlloc
DecodeThreadVars * DecodeThreadVarsAlloc(ThreadVars *tv)
Alloc and setup DecodeThreadVars.
Definition: decode.c:774
AFP_SURI_FAILURE
@ AFP_SURI_FAILURE
Definition: source-af-packet.c:238
TAILQ_HEAD
#define TAILQ_HEAD(name, type)
Definition: queue.h:230
PacketSetData
int PacketSetData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Set data for Packet and set length when zero copy is used.
Definition: decode.c:812
PacketL2::hdrs
union PacketL2::L2Hdrs hdrs
AFPThreadVars_::out_iface
char out_iface[AFP_IFACE_NAME_LENGTH]
Definition: source-af-packet.c:348
TP_STATUS_KERNEL
#define TP_STATUS_KERNEL
Definition: source-af-packet.c:178
AFPIfaceConfig_::iface
char iface[AFP_IFACE_NAME_LENGTH]
Definition: source-af-packet.h:82
SCBPFCompile
int SCBPFCompile(int snaplen_arg, int linktype_arg, struct bpf_program *program, const char *buf, int optimize, uint32_t mask, char *errbuf, size_t errbuf_len)
Definition: util-bpf.c:62
suricata.h
Packet_::dst
Address dst
Definition: decode.h:481
AFPThreadVars_::copy_mode
uint8_t copy_mode
Definition: source-af-packet.c:306
AFPIfaceConfig_::copy_mode
uint8_t copy_mode
Definition: source-af-packet.h:100
Packet_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: decode.h:503
AFP_READ_OK
@ AFP_READ_OK
Definition: source-af-packet.c:235
TmSlot_::slot_next
struct TmSlot_ * slot_next
Definition: tm-threads.h:62
AFPIfaceConfig_
Definition: source-af-packet.h:81
AFPIfaceConfig_::bpf_filter
const char * bpf_filter
Definition: source-af-packet.h:102
StatsRegisterAvgCounter
uint16_t StatsRegisterAvgCounter(const char *name, struct ThreadVars_ *tv)
Registers a counter, whose value holds the average of all the values assigned to it.
Definition: counters.c:971
GET_IPV4_SRC_ADDR_U32
#define GET_IPV4_SRC_ADDR_U32(p)
Definition: decode.h:192
PACKET_FANOUT
#define PACKET_FANOUT
Definition: source-af-packet.h:30
AFPThreadVars_::AFPRing
Definition: source-af-packet.c:265
StatsSyncCountersIfSignalled
void StatsSyncCountersIfSignalled(ThreadVars *tv)
Definition: counters.c:449
GET_IPV4_DST_ADDR_U32
#define GET_IPV4_DST_ADDR_U32(p)
Definition: decode.h:193
AFPPeer_::iface
char iface[AFP_IFACE_NAME_LENGTH]
Definition: source-af-packet.h:134
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:375
AFPThreadVars_::capture_kernel_packets
uint16_t capture_kernel_packets
Definition: source-af-packet.c:291
Packet_::dp
Port dp
Definition: decode.h:491
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:951
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
SCMutexDestroy
#define SCMutexDestroy
Definition: threads-debug.h:120
AFPThreadVars_::capture_errors
uint16_t capture_errors
Definition: source-af-packet.c:293
AFPThreadVars_::AFPTpacketReq::v2
struct tpacket_req v2
Definition: source-af-packet.c:340
AFPThreadVars_::bpf_filter
const char * bpf_filter
Definition: source-af-packet.c:325
AFPThreadVars_::mpeer
AFPPeer * mpeer
Definition: source-af-packet.c:310
AFP_FATAL_ERROR
@ AFP_FATAL_ERROR
Definition: source-af-packet.c:243
PacketGetFromQueueOrAlloc
Packet * PacketGetFromQueueOrAlloc(void)
Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packe...
Definition: decode.c:267
SC_CAP_NET_RAW
#define SC_CAP_NET_RAW
Definition: util-privs.h:32
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
Packet_::src
Address src
Definition: decode.h:480
TP_STATUS_LOSING
#define TP_STATUS_LOSING
Definition: source-af-packet.c:187
TmModule_::flags
uint8_t flags
Definition: tm-modules.h:76
AFPIsFanoutSupported
int AFPIsFanoutSupported(uint16_t cluster_id)
test if we can use FANOUT. Older kernels like those in CentOS6 have HAVE_PACKET_FANOUT defined but fa...
Definition: source-af-packet.c:1809
DecodeUpdatePacketCounters
void DecodeUpdatePacketCounters(ThreadVars *tv, const DecodeThreadVars *dtv, const Packet *p)
Definition: decode.c:740
AFP_KERNEL_DROP
@ AFP_KERNEL_DROP
Definition: source-af-packet.c:239
AFPThreadVars_::capture_afp_poll
uint16_t capture_afp_poll
Definition: source-af-packet.c:295
LINKTYPE_ETHERNET
#define LINKTYPE_ETHERNET
Definition: decode.h:1233
suricata_ctl_flags
volatile uint8_t suricata_ctl_flags
Definition: suricata.c:169
AFP_EMERGENCY_MODE
#define AFP_EMERGENCY_MODE
Definition: source-af-packet.h:61