suricata
source-nfq.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Eric Leblond <eric@regit.org>
23  *
24  * Netfilter's netfilter_queue support for reading packets from the
25  * kernel and setting verdicts back to it (inline mode).
26  * Supported on Linux and Windows.
27  *
28  * \todo test if Receive and Verdict if both are present
29  */
30 
31 #include "suricata-common.h"
32 #include "suricata.h"
33 #include "decode.h"
34 #include "packet-queue.h"
35 
36 #include "threads.h"
37 #include "threadvars.h"
38 #include "tm-threads.h"
39 #include "tm-queuehandlers.h"
40 #include "tmqh-packetpool.h"
41 
42 #include "conf.h"
43 #include "config.h"
44 #include "conf-yaml-loader.h"
45 #include "source-nfq-prototypes.h"
46 #include "action-globals.h"
47 
48 #include "util-debug.h"
49 #include "util-error.h"
50 #include "util-byte.h"
51 #include "util-privs.h"
52 #include "util-device.h"
53 
54 #include "runmodes.h"
55 
56 #include "source-nfq.h"
57 
58 #ifndef NFQ
59 /** Handle the case where no NFQ support is compiled in.
60  *
61  */
62 
63 TmEcode NoNFQSupportExit(ThreadVars *, const void *, void **);
64 
66 {
67  tmm_modules[TMM_RECEIVENFQ].name = "ReceiveNFQ";
68  tmm_modules[TMM_RECEIVENFQ].ThreadInit = NoNFQSupportExit;
75 }
76 
78 {
79  tmm_modules[TMM_VERDICTNFQ].name = "VerdictNFQ";
80  tmm_modules[TMM_VERDICTNFQ].ThreadInit = NoNFQSupportExit;
86 }
87 
88 void TmModuleDecodeNFQRegister (void)
89 {
90  tmm_modules[TMM_DECODENFQ].name = "DecodeNFQ";
91  tmm_modules[TMM_DECODENFQ].ThreadInit = NoNFQSupportExit;
98 }
99 
100 TmEcode NoNFQSupportExit(ThreadVars *tv, const void *initdata, void **data)
101 {
102  SCLogError(SC_ERR_NFQ_NOSUPPORT,"Error creating thread %s: you do not have support for nfqueue "
103  "enabled please recompile with --enable-nfqueue", tv->name);
104  exit(EXIT_FAILURE);
105 }
106 
107 #else /* implied we do have NFQ support */
108 
109 extern int max_pending_packets;
110 
111 #define MAX_ALREADY_TREATED 5
112 #define NFQ_VERDICT_RETRY_TIME 3
113 static int already_seen_warning;
114 static int runmode_workers;
115 
116 #define NFQ_BURST_FACTOR 4
117 
118 #ifndef SOL_NETLINK
119 #define SOL_NETLINK 270
120 #endif
121 
122 //#define NFQ_DFT_QUEUE_LEN NFQ_BURST_FACTOR * MAX_PENDING
123 //#define NFQ_NF_BUFSIZE 1500 * NFQ_DFT_QUEUE_LEN
124 
125 typedef struct NFQThreadVars_
126 {
127  uint16_t nfq_index;
130 
131  char *data; /** Per function and thread data */
132  int datalen; /** Length of per function and thread data */
133 
135 } NFQThreadVars;
136 /* shared vars for all for nfq queues and threads */
137 static NFQGlobalVars nfq_g;
138 
139 static NFQThreadVars g_nfq_t[NFQ_MAX_QUEUE];
140 static NFQQueueVars g_nfq_q[NFQ_MAX_QUEUE];
141 static uint16_t receive_queue_num = 0;
142 static SCMutex nfq_init_lock;
143 
144 TmEcode ReceiveNFQLoop(ThreadVars *tv, void *data, void *slot);
145 TmEcode ReceiveNFQThreadInit(ThreadVars *, const void *, void **);
147 void ReceiveNFQThreadExitStats(ThreadVars *, void *);
148 
150 TmEcode VerdictNFQThreadInit(ThreadVars *, const void *, void **);
152 
154 TmEcode DecodeNFQThreadInit(ThreadVars *, const void *, void **);
156 
158 
159 typedef enum NFQMode_ {
163 } NFQMode;
164 
165 #define NFQ_FLAG_FAIL_OPEN (1 << 0)
166 
167 typedef struct NFQCnf_ {
169  uint32_t mark;
170  uint32_t mask;
171  uint32_t bypass_mark;
172  uint32_t bypass_mask;
173  uint32_t next_queue;
174  uint32_t flags;
175  uint8_t batchcount;
176 } NFQCnf;
177 
179 
181 {
182  /* XXX create a general NFQ setup function */
183  memset(&nfq_g, 0, sizeof(nfq_g));
184  SCMutexInit(&nfq_init_lock, NULL);
185 
186  tmm_modules[TMM_RECEIVENFQ].name = "ReceiveNFQ";
195 }
196 
198 {
199  tmm_modules[TMM_VERDICTNFQ].name = "VerdictNFQ";
205 }
206 
208 {
209  tmm_modules[TMM_DECODENFQ].name = "DecodeNFQ";
216 }
217 
218 /** \brief To initialize the NFQ global configuration data
219  *
220  * \param quiet It tells the mode of operation, if it is TRUE nothing will
221  * be get printed.
222  */
223 void NFQInitConfig(char quiet)
224 {
225  intmax_t value = 0;
226  const char *nfq_mode = NULL;
227  int boolval;
228 
229  SCLogDebug("Initializing NFQ");
230 
231  memset(&nfq_config, 0, sizeof(nfq_config));
232 
233  if ((ConfGet("nfq.mode", &nfq_mode)) == 0) {
234  nfq_config.mode = NFQ_ACCEPT_MODE;
235  } else {
236  if (!strcmp("accept", nfq_mode)) {
237  nfq_config.mode = NFQ_ACCEPT_MODE;
238  } else if (!strcmp("repeat", nfq_mode)) {
239  nfq_config.mode = NFQ_REPEAT_MODE;
240  } else if (!strcmp("route", nfq_mode)) {
241  nfq_config.mode = NFQ_ROUTE_MODE;
242  } else {
243  SCLogError(SC_ERR_INVALID_ARGUMENT, "Unknown nfq.mode");
244  exit(EXIT_FAILURE);
245  }
246  }
247 
248  (void)ConfGetBool("nfq.fail-open", (int *)&boolval);
249  if (boolval) {
250 #ifdef HAVE_NFQ_SET_QUEUE_FLAGS
251  SCLogInfo("Enabling fail-open on queue");
252  nfq_config.flags |= NFQ_FLAG_FAIL_OPEN;
253 #else
255  "nfq.%s set but NFQ library has no support for it.", "fail-open");
256 #endif
257  }
258 
259  if ((ConfGetInt("nfq.repeat-mark", &value)) == 1) {
260  nfq_config.mark = (uint32_t)value;
261  }
262 
263  if ((ConfGetInt("nfq.repeat-mask", &value)) == 1) {
264  nfq_config.mask = (uint32_t)value;
265  }
266 
267  if ((ConfGetInt("nfq.bypass-mark", &value)) == 1) {
268  nfq_config.bypass_mark = (uint32_t)value;
269  }
270 
271  if ((ConfGetInt("nfq.bypass-mask", &value)) == 1) {
272  nfq_config.bypass_mask = (uint32_t)value;
273  }
274 
275  if ((ConfGetInt("nfq.route-queue", &value)) == 1) {
276  nfq_config.next_queue = ((uint32_t)value) << 16;
277  }
278 
279  if ((ConfGetInt("nfq.batchcount", &value)) == 1) {
280 #ifdef HAVE_NFQ_SET_VERDICT_BATCH
281  if (value > 255) {
282  SCLogWarning(SC_ERR_INVALID_ARGUMENT, "nfq.batchcount cannot exceed 255.");
283  value = 255;
284  }
285  if (value > 1)
286  nfq_config.batchcount = (uint8_t) (value - 1);
287 #else
289  "nfq.%s set but NFQ library has no support for it.", "batchcount");
290 #endif
291  }
292 
293  if (!quiet) {
294  switch (nfq_config.mode) {
295  case NFQ_ACCEPT_MODE:
296  SCLogInfo("NFQ running in standard ACCEPT/DROP mode");
297  break;
298  case NFQ_REPEAT_MODE:
299  SCLogInfo("NFQ running in REPEAT mode with mark %"PRIu32"/%"PRIu32,
300  nfq_config.mark, nfq_config.mask);
301  break;
302  case NFQ_ROUTE_MODE:
303  SCLogInfo("NFQ running in route mode with next queue %"PRIu32,
304  nfq_config.next_queue >> 16);
305  break;
306  }
307  }
308 
309 }
310 
311 static uint8_t NFQVerdictCacheLen(NFQQueueVars *t)
312 {
313 #ifdef HAVE_NFQ_SET_VERDICT_BATCH
314  return t->verdict_cache.len;
315 #else
316  return 0;
317 #endif
318 }
319 
320 static void NFQVerdictCacheFlush(NFQQueueVars *t)
321 {
322 #ifdef HAVE_NFQ_SET_VERDICT_BATCH
323  int ret;
324  int iter = 0;
325 
326  do {
327  if (t->verdict_cache.mark_valid)
328  ret = nfq_set_verdict_batch2(t->qh,
331  t->verdict_cache.mark);
332  else
333  ret = nfq_set_verdict_batch(t->qh,
336  } while ((ret < 0) && (iter++ < NFQ_VERDICT_RETRY_TIME));
337 
338  if (ret < 0) {
339  SCLogWarning(SC_ERR_NFQ_SET_VERDICT, "nfq_set_verdict_batch failed: %s",
340  strerror(errno));
341  } else {
342  t->verdict_cache.len = 0;
343  t->verdict_cache.mark_valid = 0;
344  }
345 #endif
346 }
347 
348 static int NFQVerdictCacheAdd(NFQQueueVars *t, Packet *p, uint32_t verdict)
349 {
350 #ifdef HAVE_NFQ_SET_VERDICT_BATCH
351  if (t->verdict_cache.maxlen == 0)
352  return -1;
353 
354  if (p->flags & PKT_STREAM_MODIFIED || verdict == NF_DROP)
355  goto flush;
356 
357  if (p->flags & PKT_MARK_MODIFIED) {
358  if (!t->verdict_cache.mark_valid) {
359  if (t->verdict_cache.len)
360  goto flush;
361  t->verdict_cache.mark_valid = 1;
362  t->verdict_cache.mark = p->nfq_v.mark;
363  } else if (t->verdict_cache.mark != p->nfq_v.mark) {
364  goto flush;
365  }
366  } else if (t->verdict_cache.mark_valid) {
367  goto flush;
368  }
369 
370  if (t->verdict_cache.len == 0) {
371  t->verdict_cache.verdict = verdict;
372  } else if (t->verdict_cache.verdict != verdict)
373  goto flush;
374 
375  /* same verdict, mark not set or identical -> can cache */
377 
378  if (t->verdict_cache.len >= t->verdict_cache.maxlen)
379  NFQVerdictCacheFlush(t);
380  else
381  t->verdict_cache.len++;
382  return 0;
383  flush:
384  /* can't cache. Flush current cache and signal caller it should send single verdict */
385  if (NFQVerdictCacheLen(t) > 0)
386  NFQVerdictCacheFlush(t);
387 #endif
388  return -1;
389 }
390 
391 static inline void NFQMutexInit(NFQQueueVars *nq)
392 {
393  char *active_runmode = RunmodeGetActive();
394 
395  if (active_runmode && !strcmp("workers", active_runmode)) {
396  nq->use_mutex = 0;
397  runmode_workers = 1;
398  SCLogInfo("NFQ running in 'workers' runmode, will not use mutex.");
399  } else {
400  nq->use_mutex = 1;
401  runmode_workers = 0;
402  SCMutexInit(&nq->mutex_qh, NULL);
403  }
404 }
405 
406 #define NFQMutexLock(nq) do { \
407  if ((nq)->use_mutex) \
408  SCMutexLock(&(nq)->mutex_qh); \
409 } while (0)
410 
411 #define NFQMutexUnlock(nq) do { \
412  if ((nq)->use_mutex) \
413  SCMutexUnlock(&(nq)->mutex_qh); \
414 } while (0)
415 
416 /**
417  * \brief Read data from nfq message and setup Packet
418  *
419  * \note
420  * In case of error, this function verdict the packet
421  * to avoid skb to get stuck in kernel.
422  */
423 static int NFQSetupPkt (Packet *p, struct nfq_q_handle *qh, void *data)
424 {
425  struct nfq_data *tb = (struct nfq_data *)data;
426  int ret;
427  char *pktdata;
428  struct nfqnl_msg_packet_hdr *ph;
429 
430  ph = nfq_get_msg_packet_hdr(tb);
431  if (ph != NULL) {
432  p->nfq_v.id = ntohl(ph->packet_id);
433  //p->nfq_v.hw_protocol = ntohs(p->nfq_v.ph->hw_protocol);
434  p->nfq_v.hw_protocol = ph->hw_protocol;
435  }
436  /* coverity[missing_lock] */
437  p->nfq_v.mark = nfq_get_nfmark(tb);
438  if (nfq_config.mode == NFQ_REPEAT_MODE) {
439  if ((nfq_config.mark & nfq_config.mask) ==
440  (p->nfq_v.mark & nfq_config.mask)) {
441  int iter = 0;
442  if (already_seen_warning < MAX_ALREADY_TREATED)
443  SCLogInfo("Packet seems already treated by suricata");
444  already_seen_warning++;
445  do {
446  ret = nfq_set_verdict(qh, p->nfq_v.id, NF_ACCEPT, 0, NULL);
447  } while ((ret < 0) && (iter++ < NFQ_VERDICT_RETRY_TIME));
448  if (ret < 0) {
450  "nfq_set_verdict of %p failed %" PRId32 ": %s",
451  p, ret, strerror(errno));
452  }
453  return -1 ;
454  }
455  }
456  p->nfq_v.ifi = nfq_get_indev(tb);
457  p->nfq_v.ifo = nfq_get_outdev(tb);
458  p->nfq_v.verdicted = 0;
459 
460 #ifdef NFQ_GET_PAYLOAD_SIGNED
461  ret = nfq_get_payload(tb, &pktdata);
462 #else
463  ret = nfq_get_payload(tb, (unsigned char **) &pktdata);
464 #endif /* NFQ_GET_PAYLOAD_SIGNED */
465  if (ret > 0) {
466  /* nfq_get_payload returns a pointer to a part of memory
467  * that is not preserved over the lifetime of our packet.
468  * So we need to copy it. */
469  if (ret > 65536) {
470  /* Will not be able to copy data ! Set length to 0
471  * to trigger an error in packet decoding.
472  * This is unlikely to happen */
473  SCLogWarning(SC_ERR_INVALID_ARGUMENTS, "NFQ sent too big packet");
474  SET_PKT_LEN(p, 0);
475  } else if (runmode_workers) {
476  PacketSetData(p, (uint8_t *)pktdata, ret);
477  } else {
478  PacketCopyData(p, (uint8_t *)pktdata, ret);
479  }
480  } else if (ret == -1) {
481  /* unable to get pointer to data, ensure packet length is zero.
482  * This will trigger an error in packet decoding */
483  SET_PKT_LEN(p, 0);
484  }
485 
486  ret = nfq_get_timestamp(tb, &p->ts);
487  if (ret != 0 || p->ts.tv_sec == 0) {
488  memset (&p->ts, 0, sizeof(struct timeval));
489  gettimeofday(&p->ts, NULL);
490  }
491 
492  p->datalink = DLT_RAW;
493  return 0;
494 }
495 
496 static void NFQReleasePacket(Packet *p)
497 {
498  if (unlikely(!p->nfq_v.verdicted)) {
500  NFQSetVerdict(p);
501  }
503 }
504 
505 /**
506  * \brief bypass callback function for NFQ
507  *
508  * \param p a Packet to use information from to trigger bypass
509  * \return 1 if bypass is successful, 0 if not
510  */
511 static int NFQBypassCallback(Packet *p)
512 {
513  if (IS_TUNNEL_PKT(p)) {
514  /* real tunnels may have multiple flows inside them, so bypass can't
515  * work for those. Rebuilt packets from IP fragments are fine. */
516  if (p->flags & PKT_REBUILT_FRAGMENT) {
517  Packet *tp = p->root ? p->root : p;
519  tp->nfq_v.mark = (nfq_config.bypass_mark & nfq_config.bypass_mask)
520  | (tp->nfq_v.mark & ~nfq_config.bypass_mask);
521  tp->flags |= PKT_MARK_MODIFIED;
523  return 1;
524  }
525  return 0;
526  } else {
527  /* coverity[missing_lock] */
528  p->nfq_v.mark = (nfq_config.bypass_mark & nfq_config.bypass_mask)
529  | (p->nfq_v.mark & ~nfq_config.bypass_mask);
530  p->flags |= PKT_MARK_MODIFIED;
531  }
532 
533  return 1;
534 }
535 
536 static int NFQCallBack(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
537  struct nfq_data *nfa, void *data)
538 {
539  NFQThreadVars *ntv = (NFQThreadVars *)data;
540  ThreadVars *tv = ntv->tv;
541  int ret;
542 
543  /* grab a packet */
545  if (p == NULL) {
546  return -1;
547  }
549 
550  p->nfq_v.nfq_index = ntv->nfq_index;
551  /* if bypass mask is set then we may want to bypass so set pointer */
552  if (nfq_config.bypass_mask) {
553  p->BypassPacketsFlow = NFQBypassCallback;
554  }
555  ret = NFQSetupPkt(p, qh, (void *)nfa);
556  if (ret == -1) {
557 #ifdef COUNTERS
559  q->errs++;
560  q->pkts++;
561  q->bytes += GET_PKT_LEN(p);
562 #endif /* COUNTERS */
563  /* NFQSetupPkt is issuing a verdict
564  so we only recycle Packet and leave */
565  TmqhOutputPacketpool(tv, p);
566  return 0;
567  }
568 
569  p->ReleasePacket = NFQReleasePacket;
570 
571 #ifdef COUNTERS
573  q->pkts++;
574  q->bytes += GET_PKT_LEN(p);
575 #endif /* COUNTERS */
576 
577  if (ntv->slot) {
578  if (TmThreadsSlotProcessPkt(tv, ntv->slot, p) != TM_ECODE_OK) {
579  TmqhOutputPacketpool(ntv->tv, p);
580  return -1;
581  }
582  } else {
583  /* pass on... */
584  tv->tmqh_out(tv, p);
585  }
586 
587  return 0;
588 }
589 
590 static TmEcode NFQInitThread(NFQThreadVars *t, uint32_t queue_maxlen)
591 {
592  struct timeval tv;
593  int opt;
595  if (q == NULL) {
596  SCLogError(SC_ERR_NFQ_OPEN, "no queue for given index");
597  return TM_ECODE_FAILED;
598  }
599  SCLogDebug("opening library handle");
600  q->h = nfq_open();
601  if (q->h == NULL) {
602  SCLogError(SC_ERR_NFQ_OPEN, "nfq_open() failed");
603  return TM_ECODE_FAILED;
604  }
605 
606  if (nfq_g.unbind == 0)
607  {
608  /* VJ: on my Ubuntu Hardy system this fails the first time it's
609  * run. Ignoring the error seems to have no bad effects. */
610  SCLogDebug("unbinding existing nf_queue handler for AF_INET (if any)");
611  if (nfq_unbind_pf(q->h, AF_INET) < 0) {
612  SCLogError(SC_ERR_NFQ_UNBIND, "nfq_unbind_pf() for AF_INET failed");
613  exit(EXIT_FAILURE);
614  }
615  if (nfq_unbind_pf(q->h, AF_INET6) < 0) {
616  SCLogError(SC_ERR_NFQ_UNBIND, "nfq_unbind_pf() for AF_INET6 failed");
617  exit(EXIT_FAILURE);
618  }
619  nfq_g.unbind = 1;
620 
621  SCLogDebug("binding nfnetlink_queue as nf_queue handler for AF_INET and AF_INET6");
622 
623  if (nfq_bind_pf(q->h, AF_INET) < 0) {
624  SCLogError(SC_ERR_NFQ_BIND, "nfq_bind_pf() for AF_INET failed");
625  exit(EXIT_FAILURE);
626  }
627  if (nfq_bind_pf(q->h, AF_INET6) < 0) {
628  SCLogError(SC_ERR_NFQ_BIND, "nfq_bind_pf() for AF_INET6 failed");
629  exit(EXIT_FAILURE);
630  }
631  }
632 
633  SCLogInfo("binding this thread %d to queue '%" PRIu32 "'", t->nfq_index, q->queue_num);
634 
635  /* pass the thread memory as a void ptr so the
636  * callback function has access to it. */
637  q->qh = nfq_create_queue(q->h, q->queue_num, &NFQCallBack, (void *)t);
638  if (q->qh == NULL) {
639  SCLogError(SC_ERR_NFQ_CREATE_QUEUE, "nfq_create_queue failed");
640  return TM_ECODE_FAILED;
641  }
642 
643  SCLogDebug("setting copy_packet mode");
644 
645  /* 05DC = 1500 */
646  //if (nfq_set_mode(nfq_t->qh, NFQNL_COPY_PACKET, 0x05DC) < 0) {
647  if (nfq_set_mode(q->qh, NFQNL_COPY_PACKET, 0xFFFF) < 0) {
648  SCLogError(SC_ERR_NFQ_SET_MODE, "can't set packet_copy mode");
649  return TM_ECODE_FAILED;
650  }
651 
652 #ifdef HAVE_NFQ_MAXLEN
653  if (queue_maxlen > 0) {
654  SCLogInfo("setting queue length to %" PRId32 "", queue_maxlen);
655 
656  /* non-fatal if it fails */
657  if (nfq_set_queue_maxlen(q->qh, queue_maxlen) < 0) {
658  SCLogWarning(SC_ERR_NFQ_MAXLEN, "can't set queue maxlen: your kernel probably "
659  "doesn't support setting the queue length");
660  }
661  }
662 #endif /* HAVE_NFQ_MAXLEN */
663 
664  /* set netlink buffer size to a decent value */
665  nfnl_rcvbufsiz(nfq_nfnlh(q->h), queue_maxlen * 1500);
666  SCLogInfo("setting nfnl bufsize to %" PRId32 "", queue_maxlen * 1500);
667 
668  q->nh = nfq_nfnlh(q->h);
669  q->fd = nfnl_fd(q->nh);
670  NFQMutexInit(q);
671 
672  /* Set some netlink specific option on the socket to increase
673  performance */
674  opt = 1;
675 #ifdef NETLINK_BROADCAST_SEND_ERROR
676  if (setsockopt(q->fd, SOL_NETLINK,
677  NETLINK_BROADCAST_SEND_ERROR, &opt, sizeof(int)) == -1) {
679  "can't set netlink broadcast error: %s",
680  strerror(errno));
681  }
682 #endif
683  /* Don't send error about no buffer space available but drop the
684  packets instead */
685 #ifdef NETLINK_NO_ENOBUFS
686  if (setsockopt(q->fd, SOL_NETLINK,
687  NETLINK_NO_ENOBUFS, &opt, sizeof(int)) == -1) {
689  "can't set netlink enobufs: %s",
690  strerror(errno));
691  }
692 #endif
693 
694 #ifdef HAVE_NFQ_SET_QUEUE_FLAGS
695  if (nfq_config.flags & NFQ_FLAG_FAIL_OPEN) {
696  uint32_t flags = NFQA_CFG_F_FAIL_OPEN;
697  uint32_t mask = NFQA_CFG_F_FAIL_OPEN;
698  int r = nfq_set_queue_flags(q->qh, mask, flags);
699 
700  if (r == -1) {
701  SCLogWarning(SC_ERR_NFQ_SET_MODE, "can't set fail-open mode: %s",
702  strerror(errno));
703  } else {
704  SCLogInfo("fail-open mode should be set on queue");
705  }
706  }
707 #endif
708 
709 #ifdef HAVE_NFQ_SET_VERDICT_BATCH
710  if (runmode_workers) {
711  q->verdict_cache.maxlen = nfq_config.batchcount;
712  } else if (nfq_config.batchcount) {
713  SCLogError(SC_ERR_INVALID_ARGUMENT, "nfq.batchcount is only valid in workers runmode.");
714  }
715 #endif
716 
717  /* set a timeout to the socket so we can check for a signal
718  * in case we don't get packets for a longer period. */
719  tv.tv_sec = 1;
720  tv.tv_usec = 0;
721 
722  if(setsockopt(q->fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) == -1) {
723  SCLogWarning(SC_ERR_NFQ_SETSOCKOPT, "can't set socket timeout: %s", strerror(errno));
724  }
725 
726  SCLogDebug("nfq_q->h %p, nfq_q->nh %p, nfq_q->qh %p, nfq_q->fd %" PRId32 "",
727  q->h, q->nh, q->qh, q->fd);
728 
729  return TM_ECODE_OK;
730 }
731 
732 TmEcode ReceiveNFQThreadInit(ThreadVars *tv, const void *initdata, void **data)
733 {
734  SCMutexLock(&nfq_init_lock);
735 
736  sigset_t sigs;
737  sigfillset(&sigs);
738  pthread_sigmask(SIG_BLOCK, &sigs, NULL);
739 
740  NFQThreadVars *ntv = (NFQThreadVars *) initdata;
741  /* store the ThreadVars pointer in our NFQ thread context
742  * as we will need it in our callback function */
743  ntv->tv = tv;
744 
745  int r = NFQInitThread(ntv, (max_pending_packets * NFQ_BURST_FACTOR));
746  if (r != TM_ECODE_OK) {
747  SCLogError(SC_ERR_NFQ_THREAD_INIT, "nfq thread failed to initialize");
748 
749  SCMutexUnlock(&nfq_init_lock);
750  exit(EXIT_FAILURE);
751  }
752 
753 #define T_DATA_SIZE 70000
754  ntv->data = SCMalloc(T_DATA_SIZE);
755  if (ntv->data == NULL) {
756  SCMutexUnlock(&nfq_init_lock);
757  return TM_ECODE_FAILED;
758  }
759  ntv->datalen = T_DATA_SIZE;
760 #undef T_DATA_SIZE
761 
762  *data = (void *)ntv;
763 
764  SCMutexUnlock(&nfq_init_lock);
765  return TM_ECODE_OK;
766 }
767 
768 
770 {
771  NFQThreadVars *ntv = (NFQThreadVars *)data;
772  NFQQueueVars *nq = NFQGetQueue(ntv->nfq_index);
773 
774  if (ntv->data != NULL) {
775  SCFree(ntv->data);
776  ntv->data = NULL;
777  }
778  ntv->datalen = 0;
779 
780  NFQMutexLock(nq);
781  SCLogDebug("starting... will close queuenum %" PRIu32 "", nq->queue_num);
782  if (nq->qh) {
783  nfq_destroy_queue(nq->qh);
784  nq->qh = NULL;
785  }
786  NFQMutexUnlock(nq);
787 
788  return TM_ECODE_OK;
789 }
790 
791 
792 TmEcode VerdictNFQThreadInit(ThreadVars *tv, const void *initdata, void **data)
793 {
794  NFQThreadVars *ntv = (NFQThreadVars *) initdata;
795 
796  CaptureStatsSetup(tv, &ntv->stats);
797 
798  *data = (void *)ntv;
799  return TM_ECODE_OK;
800 }
801 
803 {
804  NFQThreadVars *ntv = (NFQThreadVars *)data;
805  NFQQueueVars *nq = NFQGetQueue(ntv->nfq_index);
806 
807  SCLogDebug("starting... will close queuenum %" PRIu32 "", nq->queue_num);
808  NFQMutexLock(nq);
809  if (nq->qh) {
810  nfq_destroy_queue(nq->qh);
811  nq->qh = NULL;
812  }
813  NFQMutexUnlock(nq);
814 
815  return TM_ECODE_OK;
816 }
817 
818 /**
819  * \brief Add a Netfilter queue
820  *
821  * \param string with the queue name
822  *
823  * \retval 0 on success.
824  * \retval -1 on failure.
825  */
826 int NFQRegisterQueue(char *queue)
827 {
828  NFQThreadVars *ntv = NULL;
829  NFQQueueVars *nq = NULL;
830  /* Extract the queue number from the specified command line argument */
831  uint16_t queue_num = 0;
832  if ((ByteExtractStringUint16(&queue_num, 10, strlen(queue), queue)) < 0)
833  {
834  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified queue number %s is not "
835  "valid", queue);
836  return -1;
837  }
838 
839  SCMutexLock(&nfq_init_lock);
840  if (receive_queue_num >= NFQ_MAX_QUEUE) {
842  "too much Netfilter queue registered (%d)",
843  receive_queue_num);
844  SCMutexUnlock(&nfq_init_lock);
845  return -1;
846  }
847  if (receive_queue_num == 0) {
848  memset(&g_nfq_t, 0, sizeof(g_nfq_t));
849  memset(&g_nfq_q, 0, sizeof(g_nfq_q));
850  }
851 
852  ntv = &g_nfq_t[receive_queue_num];
853  ntv->nfq_index = receive_queue_num;
854 
855  nq = &g_nfq_q[receive_queue_num];
856  nq->queue_num = queue_num;
857  receive_queue_num++;
858  SCMutexUnlock(&nfq_init_lock);
859  LiveRegisterDevice(queue);
860 
861  SCLogDebug("Queue \"%s\" registered.", queue);
862  return 0;
863 }
864 
865 
866 
867 /**
868  * \brief Get a pointer to the NFQ queue at index
869  *
870  * \param number idx of the queue in our array
871  *
872  * \retval ptr pointer to the NFQThreadVars at index
873  * \retval NULL on error
874  */
875 void *NFQGetQueue(int number)
876 {
877  if (number >= receive_queue_num)
878  return NULL;
879 
880  return (void *)&g_nfq_q[number];
881 }
882 
883 /**
884  * \brief Get a pointer to the NFQ thread at index
885  *
886  * This function is temporary used as configuration parser.
887  *
888  * \param number idx of the queue in our array
889  *
890  * \retval ptr pointer to the NFQThreadVars at index
891  * \retval NULL on error
892  */
893 void *NFQGetThread(int number)
894 {
895  if (number >= receive_queue_num)
896  return NULL;
897 
898  return (void *)&g_nfq_t[number];
899 }
900 
901 /**
902  * \brief NFQ function to get a packet from the kernel
903  *
904  * \note separate functions for Linux and Win32 for readability.
905  */
906 static void NFQRecvPkt(NFQQueueVars *t, NFQThreadVars *tv)
907 {
908  int rv, ret;
909  int flag = NFQVerdictCacheLen(t) ? MSG_DONTWAIT : 0;
910 
911  /* XXX what happens on rv == 0? */
912  rv = recv(t->fd, tv->data, tv->datalen, flag);
913 
914  if (rv < 0) {
915  if (errno == EINTR || errno == EWOULDBLOCK) {
916  /* no error on timeout */
917  if (flag)
918  NFQVerdictCacheFlush(t);
919  } else {
920 #ifdef COUNTERS
921  NFQMutexLock(t);
922  t->errs++;
923  NFQMutexUnlock(t);
924 #endif /* COUNTERS */
925  }
926  } else if(rv == 0) {
927  SCLogWarning(SC_ERR_NFQ_RECV, "recv got returncode 0");
928  } else {
929 #ifdef DBG_PERF
930  if (rv > t->dbg_maxreadsize)
931  t->dbg_maxreadsize = rv;
932 #endif /* DBG_PERF */
933 
934  //printf("NFQRecvPkt: t %p, rv = %" PRId32 "\n", t, rv);
935 
936  NFQMutexLock(t);
937  if (t->qh != NULL) {
938  ret = nfq_handle_packet(t->h, tv->data, rv);
939  } else {
940  SCLogWarning(SC_ERR_NFQ_HANDLE_PKT, "NFQ handle has been destroyed");
941  ret = -1;
942  }
943  NFQMutexUnlock(t);
944 
945  if (ret != 0) {
946  SCLogWarning(SC_ERR_NFQ_HANDLE_PKT, "nfq_handle_packet error %"PRId32" %s",
947  ret, strerror(errno));
948  }
949  }
950 }
951 
952 /**
953  * \brief Main NFQ reading Loop function
954  */
956 {
957  SCEnter();
958  NFQThreadVars *ntv = (NFQThreadVars *)data;
959  NFQQueueVars *nq = NFQGetQueue(ntv->nfq_index);
960 
961  ntv->slot = ((TmSlot *) slot)->slot_next;
962 
963  while(1) {
964  if (suricata_ctl_flags != 0) {
965  NFQMutexLock(nq);
966  if (nq->qh) {
967  nfq_destroy_queue(nq->qh);
968  nq->qh = NULL;
969  }
970  NFQMutexUnlock(nq);
971  break;
972  }
973  NFQRecvPkt(nq, ntv);
974 
976  }
978 }
979 
980 /**
981  * \brief NFQ receive module stats printing function
982  */
984 {
985  NFQThreadVars *ntv = (NFQThreadVars *)data;
986  NFQQueueVars *nq = NFQGetQueue(ntv->nfq_index);
987 #ifdef COUNTERS
988  SCLogNotice("(%s) Treated: Pkts %" PRIu32 ", Bytes %" PRIu64 ", Errors %" PRIu32 "",
989  tv->name, nq->pkts, nq->bytes, nq->errs);
990  SCLogNotice("(%s) Verdict: Accepted %"PRIu32", Dropped %"PRIu32", Replaced %"PRIu32,
991  tv->name, nq->accepted, nq->dropped, nq->replaced);
992 #endif
993 }
994 
995 /**
996  * \brief NFQ verdict function
997  */
999 {
1000  int iter = 0;
1001  int ret = 0;
1002  uint32_t verdict = NF_ACCEPT;
1003  /* we could also have a direct pointer but we need to have a ref counf in this case */
1004  NFQQueueVars *t = g_nfq_q + p->nfq_v.nfq_index;
1005 
1006  /** \todo add a test on validity of the entry NFQQueueVars could have been
1007  * wipeout
1008  */
1009 
1010  p->nfq_v.verdicted = 1;
1011 
1012  /* can't verdict a "fake" packet */
1013  if (PKT_IS_PSEUDOPKT(p)) {
1014  return TM_ECODE_OK;
1015  }
1016 
1017  //printf("%p verdicting on queue %" PRIu32 "\n", t, t->queue_num);
1018  NFQMutexLock(t);
1019 
1020  if (t->qh == NULL) {
1021  /* Somebody has started a clean-up, we leave */
1022  NFQMutexUnlock(t);
1023  return TM_ECODE_OK;
1024  }
1025 
1026  if (PACKET_TEST_ACTION(p, ACTION_DROP)) {
1027  verdict = NF_DROP;
1028 #ifdef COUNTERS
1029  t->dropped++;
1030 #endif /* COUNTERS */
1031  } else {
1032  switch (nfq_config.mode) {
1033  default:
1034  case NFQ_ACCEPT_MODE:
1035  verdict = NF_ACCEPT;
1036  break;
1037  case NFQ_REPEAT_MODE:
1038  verdict = NF_REPEAT;
1039  break;
1040  case NFQ_ROUTE_MODE:
1041  verdict = ((uint32_t) NF_QUEUE) | nfq_config.next_queue;
1042  break;
1043  }
1044 
1045  if (p->flags & PKT_STREAM_MODIFIED) {
1046 #ifdef COUNTERS
1047  t->replaced++;
1048 #endif /* COUNTERS */
1049  }
1050 
1051 #ifdef COUNTERS
1052  t->accepted++;
1053 #endif /* COUNTERS */
1054  }
1055 
1056  ret = NFQVerdictCacheAdd(t, p, verdict);
1057  if (ret == 0) {
1058  NFQMutexUnlock(t);
1059  return TM_ECODE_OK;
1060  }
1061 
1062  do {
1063  switch (nfq_config.mode) {
1064  default:
1065  case NFQ_ACCEPT_MODE:
1066  case NFQ_ROUTE_MODE:
1067  if (p->flags & PKT_MARK_MODIFIED) {
1068 #ifdef HAVE_NFQ_SET_VERDICT2
1069  if (p->flags & PKT_STREAM_MODIFIED) {
1070  ret = nfq_set_verdict2(t->qh, p->nfq_v.id, verdict,
1071  p->nfq_v.mark,
1072  GET_PKT_LEN(p), GET_PKT_DATA(p));
1073  } else {
1074  ret = nfq_set_verdict2(t->qh, p->nfq_v.id, verdict,
1075  p->nfq_v.mark,
1076  0, NULL);
1077  }
1078 #else /* fall back to old function */
1079  if (p->flags & PKT_STREAM_MODIFIED) {
1080  ret = nfq_set_verdict_mark(t->qh, p->nfq_v.id, verdict,
1081  htonl(p->nfq_v.mark),
1082  GET_PKT_LEN(p), GET_PKT_DATA(p));
1083  } else {
1084  ret = nfq_set_verdict_mark(t->qh, p->nfq_v.id, verdict,
1085  htonl(p->nfq_v.mark),
1086  0, NULL);
1087  }
1088 #endif /* HAVE_NFQ_SET_VERDICT2 */
1089  } else {
1090  if (p->flags & PKT_STREAM_MODIFIED) {
1091  ret = nfq_set_verdict(t->qh, p->nfq_v.id, verdict,
1092  GET_PKT_LEN(p), GET_PKT_DATA(p));
1093  } else {
1094  ret = nfq_set_verdict(t->qh, p->nfq_v.id, verdict, 0, NULL);
1095  }
1096 
1097  }
1098  break;
1099  case NFQ_REPEAT_MODE:
1100 #ifdef HAVE_NFQ_SET_VERDICT2
1101  if (p->flags & PKT_STREAM_MODIFIED) {
1102  ret = nfq_set_verdict2(t->qh, p->nfq_v.id, verdict,
1103  (nfq_config.mark & nfq_config.mask) | (p->nfq_v.mark & ~nfq_config.mask),
1104  GET_PKT_LEN(p), GET_PKT_DATA(p));
1105  } else {
1106  ret = nfq_set_verdict2(t->qh, p->nfq_v.id, verdict,
1107  (nfq_config.mark & nfq_config.mask) | (p->nfq_v.mark & ~nfq_config.mask),
1108  0, NULL);
1109  }
1110 #else /* fall back to old function */
1111  if (p->flags & PKT_STREAM_MODIFIED) {
1112  ret = nfq_set_verdict_mark(t->qh, p->nfq_v.id, verdict,
1113  htonl((nfq_config.mark & nfq_config.mask) | (p->nfq_v.mark & ~nfq_config.mask)),
1114  GET_PKT_LEN(p), GET_PKT_DATA(p));
1115  } else {
1116  ret = nfq_set_verdict_mark(t->qh, p->nfq_v.id, verdict,
1117  htonl((nfq_config.mark & nfq_config.mask) | (p->nfq_v.mark & ~nfq_config.mask)),
1118  0, NULL);
1119  }
1120 #endif /* HAVE_NFQ_SET_VERDICT2 */
1121  break;
1122  }
1123  } while ((ret < 0) && (iter++ < NFQ_VERDICT_RETRY_TIME));
1124 
1125  NFQMutexUnlock(t);
1126 
1127  if (ret < 0) {
1129  "nfq_set_verdict of %p failed %" PRId32 ": %s",
1130  p, ret, strerror(errno));
1131  return TM_ECODE_FAILED;
1132  }
1133  return TM_ECODE_OK;
1134 }
1135 
1136 /**
1137  * \brief NFQ verdict module packet entry function
1138  */
1140 {
1141  NFQThreadVars *ntv = (NFQThreadVars *)data;
1142  /* update counters */
1143  CaptureStatsUpdate(tv, &ntv->stats, p);
1144 
1145  int ret;
1146  /* if this is a tunnel packet we check if we are ready to verdict
1147  * already. */
1148  if (IS_TUNNEL_PKT(p)) {
1149  SCLogDebug("tunnel pkt: %p/%p %s", p, p->root, p->root ? "upper layer" : "root");
1150  bool verdict = VerdictTunnelPacket(p);
1151  /* don't verdict if we are not ready */
1152  if (verdict == true) {
1153  ret = NFQSetVerdict(p->root ? p->root : p);
1154  if (ret != TM_ECODE_OK) {
1155  return ret;
1156  }
1157  }
1158  } else {
1159  /* no tunnel, verdict normally */
1160  ret = NFQSetVerdict(p);
1161  if (ret != TM_ECODE_OK) {
1162  return ret;
1163  }
1164  }
1165  return TM_ECODE_OK;
1166 }
1167 
1168 /**
1169  * \brief Decode a packet coming from NFQ
1170  */
1172 {
1173 
1174  IPV4Hdr *ip4h = (IPV4Hdr *)GET_PKT_DATA(p);
1175  IPV6Hdr *ip6h = (IPV6Hdr *)GET_PKT_DATA(p);
1176  DecodeThreadVars *dtv = (DecodeThreadVars *)data;
1177 
1178  /* XXX HACK: flow timeout can call us for injected pseudo packets
1179  * see bug: https://redmine.openinfosecfoundation.org/issues/1107 */
1180  if (PKT_IS_PSEUDOPKT(p))
1181  return TM_ECODE_OK;
1182 
1183  DecodeUpdatePacketCounters(tv, dtv, p);
1184 
1185  if (IPV4_GET_RAW_VER(ip4h) == 4) {
1186  SCLogDebug("IPv4 packet");
1187  DecodeIPV4(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
1188  } else if(IPV6_GET_RAW_VER(ip6h) == 6) {
1189  SCLogDebug("IPv6 packet");
1190  DecodeIPV6(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
1191  } else {
1192  SCLogDebug("packet unsupported by NFQ, first byte: %02x", *GET_PKT_DATA(p));
1193  }
1194 
1195  PacketDecodeFinalize(tv, dtv, p);
1196 
1197  return TM_ECODE_OK;
1198 }
1199 
1200 /**
1201  * \brief Initialize the NFQ Decode threadvars
1202  */
1203 TmEcode DecodeNFQThreadInit(ThreadVars *tv, const void *initdata, void **data)
1204 {
1205  DecodeThreadVars *dtv = NULL;
1206  dtv = DecodeThreadVarsAlloc(tv);
1207 
1208  if (dtv == NULL)
1210 
1211  DecodeRegisterPerfCounters(dtv, tv);
1212 
1213  *data = (void *)dtv;
1214 
1215  return TM_ECODE_OK;
1216 }
1217 
1219 {
1220  if (data != NULL)
1221  DecodeThreadVarsFree(tv, data);
1223 }
1224 
1225 #endif /* NFQ */
1226 
IPV6Hdr ip6h
#define MAX_ALREADY_TREATED
Definition: source-nfq.c:111
uint32_t mark
Definition: source-nfq.h:78
#define TM_FLAG_DECODE_TM
Definition: tm-modules.h:32
uint16_t flags
void ReceiveNFQThreadExitStats(ThreadVars *, void *)
NFQ receive module stats printing function.
Definition: source-nfq.c:983
DecodeThreadVars * DecodeThreadVarsAlloc(ThreadVars *tv)
Alloc and setup DecodeThreadVars.
Definition: decode.c:497
#define SCLogDebug(...)
Definition: util-debug.h:326
void CaptureStatsUpdate(ThreadVars *tv, CaptureStats *s, const Packet *p)
Definition: decode.c:590
#define NFQ_VERDICT_RETRY_TIME
Definition: source-nfq.c:112
uint32_t verdict
Definition: source-nfq.h:77
int(* BypassPacketsFlow)(struct Packet_ *)
Definition: decode.h:467
uint8_t cap_flags
Definition: tm-modules.h:67
int LiveRegisterDevice(const char *dev)
Add a pcap device for monitoring.
Definition: util-device.c:68
TmEcode ReceiveNFQLoop(ThreadVars *tv, void *data, void *slot)
Main NFQ reading Loop function.
Definition: source-nfq.c:955
uint32_t packet_id
Definition: source-nfq.h:76
uint8_t flags
Definition: tm-modules.h:70
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:862
TmEcode DecodeNFQ(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *)
Decode a packet coming from NFQ.
Definition: source-nfq.c:1171
#define SET_PKT_LEN(p, len)
Definition: decode.h:220
int PacketCopyData(Packet *p, uint8_t *pktdata, int pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:247
void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Finalize decoding of a packet.
Definition: decode.c:109
TmEcode DecodeNFQThreadInit(ThreadVars *, const void *, void **)
Initialize the NFQ Decode threadvars.
Definition: source-nfq.c:1203
#define unlikely(expr)
Definition: util-optimize.h:35
TmEcode(* Func)(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *)
Definition: tm-modules.h:52
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as an boolen.
Definition: conf.c:442
uint8_t maxlen
Definition: source-nfq.h:81
#define SOL_NETLINK
Definition: source-nfq.c:119
uint8_t batchcount
Definition: source-nfq.c:175
void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv)
Definition: decode.c:402
TmSlot * slot
Definition: source-nfq.c:129
#define NFQMutexUnlock(nq)
Definition: source-nfq.c:411
uint32_t accepted
Definition: source-nfq.h:72
#define IS_TUNNEL_PKT(p)
Definition: decode.h:886
uint32_t next_queue
Definition: source-nfq.c:173
TmEcode DecodeNFQThreadDeinit(ThreadVars *tv, void *data)
Definition: source-nfq.c:1218
SCMutex mutex_qh
Definition: source-nfq.h:58
volatile uint8_t suricata_ctl_flags
Definition: suricata.c:201
TmEcode VerdictNFQThreadDeinit(ThreadVars *, void *)
Definition: source-nfq.c:802
uint32_t bypass_mark
Definition: source-nfq.c:171
#define SC_CAP_NET_ADMIN
Definition: util-privs.h:31
void NFQInitConfig(char quiet)
To initialize the NFQ global configuration data.
Definition: source-nfq.c:223
Packet * PacketGetFromQueueOrAlloc(void)
Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packe...
Definition: decode.c:169
uint16_t nfq_index
Definition: source-nfq.h:41
enum NFQMode_ NFQMode
TmEcode(* PktAcqLoop)(ThreadVars *, void *, void *)
Definition: tm-modules.h:54
void(* ReleasePacket)(struct Packet_ *)
Definition: decode.h:464
#define IPV4_GET_RAW_VER(ip4h)
Definition: decode-ipv4.h:94
void PacketFreeOrRelease(Packet *p)
Return a packet to where it was allocated.
Definition: decode.c:154
int ConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:331
char * RunmodeGetActive(void)
Definition: runmodes.c:187
uint32_t mark
Definition: source-nfq.c:169
uint64_t bytes
Definition: source-nfq.h:70
TmEcode NFQSetVerdict(Packet *p)
NFQ verdict function.
Definition: source-nfq.c:998
uint32_t dropped
Definition: source-nfq.h:73
#define PKT_SET_SRC(p, src_val)
Definition: decode.h:1122
int ByteExtractStringUint16(uint16_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:217
#define TM_FLAG_RECEIVE_TM
Definition: tm-modules.h:31
void * NFQGetThread(int number)
Get a pointer to the NFQ thread at index.
Definition: source-nfq.c:893
TmEcode(* PktAcqBreakLoop)(ThreadVars *, void *)
Definition: tm-modules.h:57
int DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
Definition: decode-ipv4.c:533
TmEcode ReceiveNFQThreadInit(ThreadVars *, const void *, void **)
Definition: source-nfq.c:732
uint32_t replaced
Definition: source-nfq.h:74
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
Definition: decode-ipv6.c:584
NFQMode_
Definition: source-nfq.c:159
#define SCMutexUnlock(mut)
void TmqhOutputPacketpool(ThreadVars *t, Packet *p)
uint32_t errs
Definition: source-nfq.h:71
int max_pending_packets
Definition: suricata.c:218
int datalink
Definition: decode.h:556
#define SCMutexInit(mut, mutattr)
#define IPV6_GET_RAW_VER(ip6h)
Definition: decode-ipv6.h:62
uint16_t queue_num
Definition: source-nfq.h:60
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:285
struct nfq_q_handle * qh
Definition: source-nfq.h:57
uint16_t hw_protocol
Definition: source-nfq.h:47
uint8_t mark_valid
Definition: source-nfq.h:79
#define PKT_STREAM_MODIFIED
Definition: decode.h:1085
void(* tmqh_out)(struct ThreadVars_ *, struct Packet_ *)
Definition: threadvars.h:79
void TmModuleVerdictNFQRegister(void)
Definition: source-nfq.c:197
Structure to hold thread specific data for all decode modules.
Definition: decode.h:619
void(* RegisterTests)(void)
Definition: tm-modules.h:65
TmEcode(* ThreadDeinit)(ThreadVars *, void *)
Definition: tm-modules.h:49
#define SCEnter(...)
Definition: util-debug.h:328
struct TmSlot_ * slot_next
Definition: tm-threads.h:72
#define PKT_REBUILT_FRAGMENT
Definition: decode.h:1110
uint8_t len
Definition: source-nfq.h:80
TmEcode VerdictNFQ(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *)
NFQ verdict module packet entry function.
Definition: source-nfq.c:1139
uint32_t ifi
Definition: source-nfq.h:45
NFQMode mode
Definition: source-nfq.c:168
struct nfnl_handle * nh
Definition: source-nfq.h:53
#define SCReturnInt(x)
Definition: util-debug.h:332
void(* ThreadExitPrintStats)(ThreadVars *, void *)
Definition: tm-modules.h:48
#define PACKET_UPDATE_ACTION(p, a)
Definition: decode.h:867
TmEcode VerdictNFQThreadInit(ThreadVars *, const void *, void **)
Definition: source-nfq.c:792
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:272
#define T_DATA_SIZE
const char * name
Definition: tm-modules.h:44
#define NFQ_BURST_FACTOR
Definition: source-nfq.c:116
#define SCMalloc(a)
Definition: util-mem.h:174
int NFQRegisterQueue(char *queue)
Add a Netfilter queue.
Definition: source-nfq.c:826
SCMutex tunnel_mutex
Definition: decode.h:569
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:245
struct NFQThreadVars_ NFQThreadVars
uint32_t flags
Definition: source-nfq.c:174
#define SCFree(a)
Definition: util-mem.h:236
#define NFQMutexLock(nq)
Definition: source-nfq.c:406
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:260
TmModule tmm_modules[TMM_SIZE]
Definition: tm-modules.h:73
TmEcode ReceiveNFQThreadDeinit(ThreadVars *, void *)
Definition: source-nfq.c:769
int ConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
Definition: conf.c:380
#define NFQ_MAX_QUEUE
Definition: source-nfq.h:33
uint8_t use_mutex
Definition: source-nfq.h:55
#define SCMutex
#define StatsSyncCountersIfSignalled(tv)
Definition: counters.h:135
#define SCMutexLock(mut)
uint16_t nfq_index
Definition: source-nfq.c:127
TmEcode(* ThreadInit)(ThreadVars *, const void *, void **)
Definition: tm-modules.h:47
uint8_t verdicted
Definition: source-nfq.h:42
uint32_t bypass_mask
Definition: source-nfq.c:172
#define NFQ_FLAG_FAIL_OPEN
Definition: source-nfq.c:165
uint32_t mask
Definition: source-nfq.c:170
void TmModuleReceiveNFQRegister(void)
Definition: source-nfq.c:180
struct nfq_handle * h
Definition: source-nfq.h:52
uint32_t ifo
Definition: source-nfq.h:46
#define GET_PKT_DATA(p)
Definition: decode.h:216
void DecodeUpdatePacketCounters(ThreadVars *tv, const DecodeThreadVars *dtv, const Packet *p)
Definition: decode.c:463
uint32_t mark
Definition: source-nfq.h:44
char name[16]
Definition: threadvars.h:59
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1119
struct NFQCnf_ NFQCnf
void * NFQGetQueue(int number)
Get a pointer to the NFQ queue at index.
Definition: source-nfq.c:875
void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s)
Definition: decode.c:603
NFQPacketVars nfq_v
Definition: decode.h:443
NFQCnf nfq_config
Definition: source-nfq.c:178
Per thread variable structure.
Definition: threadvars.h:57
struct timeval ts
Definition: decode.h:435
#define GET_PKT_LEN(p)
Definition: decode.h:215
#define PKT_MARK_MODIFIED
Definition: decode.h:1086
#define ACTION_DROP
uint32_t flags
Definition: decode.h:427
void DecodeThreadVarsFree(ThreadVars *tv, DecodeThreadVars *dtv)
Definition: decode.c:523
uint32_t pkts
Definition: source-nfq.h:69
struct NFQQueueVars_::@124 verdict_cache
void TmModuleDecodeNFQRegister(void)
Definition: source-nfq.c:207
ThreadVars * tv
Definition: source-nfq.c:128
CaptureStats stats
Definition: source-nfq.c:134
IPV4Hdr ip4h
int PacketSetData(Packet *p, uint8_t *pktdata, int pktlen)
Set data for Packet and set length when zeo copy is used.
Definition: decode.c:543
struct Packet_ * root
Definition: decode.h:559