suricata
source-nfq.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Eric Leblond <eric@regit.org>
23  *
24  * Netfilter's netfilter_queue support for reading packets from the
25  * kernel and setting verdicts back to it (inline mode).
26  * Supported on Linux and Windows.
27  *
28  * \todo test if Receive and Verdict if both are present
29  */
30 
31 #include "suricata-common.h"
32 #include "suricata.h"
33 #include "decode.h"
34 #include "packet-queue.h"
35 
36 #include "threads.h"
37 #include "threadvars.h"
38 #include "tm-threads.h"
39 #include "tm-queuehandlers.h"
40 #include "tmqh-packetpool.h"
41 
42 #include "conf.h"
43 #include "config.h"
44 #include "conf-yaml-loader.h"
45 #include "source-nfq-prototypes.h"
46 #include "action-globals.h"
47 
48 #include "util-debug.h"
49 #include "util-error.h"
50 #include "util-byte.h"
51 #include "util-cpu.h"
52 #include "util-privs.h"
53 #include "util-device.h"
54 
55 #include "runmodes.h"
56 
57 #include "source-nfq.h"
58 
59 #ifndef NFQ
60 /** Handle the case where no NFQ support is compiled in.
61  *
62  */
63 
64 TmEcode NoNFQSupportExit(ThreadVars *, const void *, void **);
65 
67 {
68  tmm_modules[TMM_RECEIVENFQ].name = "ReceiveNFQ";
69  tmm_modules[TMM_RECEIVENFQ].ThreadInit = NoNFQSupportExit;
76 }
77 
79 {
80  tmm_modules[TMM_VERDICTNFQ].name = "VerdictNFQ";
81  tmm_modules[TMM_VERDICTNFQ].ThreadInit = NoNFQSupportExit;
87 }
88 
89 void TmModuleDecodeNFQRegister (void)
90 {
91  tmm_modules[TMM_DECODENFQ].name = "DecodeNFQ";
92  tmm_modules[TMM_DECODENFQ].ThreadInit = NoNFQSupportExit;
99 }
100 
101 TmEcode NoNFQSupportExit(ThreadVars *tv, const void *initdata, void **data)
102 {
103  SCLogError(SC_ERR_NFQ_NOSUPPORT,"Error creating thread %s: you do not have support for nfqueue "
104  "enabled please recompile with --enable-nfqueue", tv->name);
105  exit(EXIT_FAILURE);
106 }
107 
108 #else /* implied we do have NFQ support */
109 
110 extern int max_pending_packets;
111 
112 #define MAX_ALREADY_TREATED 5
113 #define NFQ_VERDICT_RETRY_TIME 3
114 static int already_seen_warning;
115 static int runmode_workers;
116 
117 #define NFQ_BURST_FACTOR 4
118 
119 #ifndef SOL_NETLINK
120 #define SOL_NETLINK 270
121 #endif
122 
123 //#define NFQ_DFT_QUEUE_LEN NFQ_BURST_FACTOR * MAX_PENDING
124 //#define NFQ_NF_BUFSIZE 1500 * NFQ_DFT_QUEUE_LEN
125 
126 typedef struct NFQThreadVars_
127 {
128  uint16_t nfq_index;
131 
133 
134  char *data; /** Per function and thread data */
135  int datalen; /** Length of per function and thread data */
136 
138 } NFQThreadVars;
139 /* shared vars for all for nfq queues and threads */
140 static NFQGlobalVars nfq_g;
141 
142 static NFQThreadVars *g_nfq_t;
143 static NFQQueueVars *g_nfq_q;
144 static uint16_t receive_queue_num = 0;
145 static SCMutex nfq_init_lock;
146 
147 TmEcode ReceiveNFQLoop(ThreadVars *tv, void *data, void *slot);
148 TmEcode ReceiveNFQThreadInit(ThreadVars *, const void *, void **);
150 void ReceiveNFQThreadExitStats(ThreadVars *, void *);
151 
153 TmEcode VerdictNFQThreadInit(ThreadVars *, const void *, void **);
155 
157 TmEcode DecodeNFQThreadInit(ThreadVars *, const void *, void **);
159 
161 
162 typedef enum NFQMode_ {
166 } NFQMode;
167 
168 #define NFQ_FLAG_FAIL_OPEN (1 << 0)
169 
170 typedef struct NFQCnf_ {
172  uint32_t mark;
173  uint32_t mask;
174  uint32_t bypass_mark;
175  uint32_t bypass_mask;
176  uint32_t next_queue;
177  uint32_t flags;
178  uint8_t batchcount;
179 } NFQCnf;
180 
182 
184 {
185  /* XXX create a general NFQ setup function */
186  memset(&nfq_g, 0, sizeof(nfq_g));
187  SCMutexInit(&nfq_init_lock, NULL);
188 
189  tmm_modules[TMM_RECEIVENFQ].name = "ReceiveNFQ";
198 }
199 
201 {
202  tmm_modules[TMM_VERDICTNFQ].name = "VerdictNFQ";
208 }
209 
211 {
212  tmm_modules[TMM_DECODENFQ].name = "DecodeNFQ";
219 }
220 
221 /** \brief To initialize the NFQ global configuration data
222  *
223  * \param quiet It tells the mode of operation, if it is TRUE nothing will
224  * be get printed.
225  */
226 void NFQInitConfig(char quiet)
227 {
228  intmax_t value = 0;
229  const char *nfq_mode = NULL;
230  int boolval;
231 
232  SCLogDebug("Initializing NFQ");
233 
234  memset(&nfq_config, 0, sizeof(nfq_config));
235 
236  if ((ConfGet("nfq.mode", &nfq_mode)) == 0) {
237  nfq_config.mode = NFQ_ACCEPT_MODE;
238  } else {
239  if (!strcmp("accept", nfq_mode)) {
240  nfq_config.mode = NFQ_ACCEPT_MODE;
241  } else if (!strcmp("repeat", nfq_mode)) {
242  nfq_config.mode = NFQ_REPEAT_MODE;
243  } else if (!strcmp("route", nfq_mode)) {
244  nfq_config.mode = NFQ_ROUTE_MODE;
245  } else {
246  SCLogError(SC_ERR_INVALID_ARGUMENT, "Unknown nfq.mode");
247  exit(EXIT_FAILURE);
248  }
249  }
250 
251  (void)ConfGetBool("nfq.fail-open", (int *)&boolval);
252  if (boolval) {
253 #ifdef HAVE_NFQ_SET_QUEUE_FLAGS
254  SCLogInfo("Enabling fail-open on queue");
255  nfq_config.flags |= NFQ_FLAG_FAIL_OPEN;
256 #else
258  "nfq.%s set but NFQ library has no support for it.", "fail-open");
259 #endif
260  }
261 
262  if ((ConfGetInt("nfq.repeat-mark", &value)) == 1) {
263  nfq_config.mark = (uint32_t)value;
264  }
265 
266  if ((ConfGetInt("nfq.repeat-mask", &value)) == 1) {
267  nfq_config.mask = (uint32_t)value;
268  }
269 
270  if ((ConfGetInt("nfq.bypass-mark", &value)) == 1) {
271  nfq_config.bypass_mark = (uint32_t)value;
272  }
273 
274  if ((ConfGetInt("nfq.bypass-mask", &value)) == 1) {
275  nfq_config.bypass_mask = (uint32_t)value;
276  }
277 
278  if ((ConfGetInt("nfq.route-queue", &value)) == 1) {
279  nfq_config.next_queue = ((uint32_t)value) << 16;
280  }
281 
282  if ((ConfGetInt("nfq.batchcount", &value)) == 1) {
283 #ifdef HAVE_NFQ_SET_VERDICT_BATCH
284  if (value > 255) {
285  SCLogWarning(SC_ERR_INVALID_ARGUMENT, "nfq.batchcount cannot exceed 255.");
286  value = 255;
287  }
288  if (value > 1)
289  nfq_config.batchcount = (uint8_t) (value - 1);
290 #else
292  "nfq.%s set but NFQ library has no support for it.", "batchcount");
293 #endif
294  }
295 
296  if (!quiet) {
297  switch (nfq_config.mode) {
298  case NFQ_ACCEPT_MODE:
299  SCLogInfo("NFQ running in standard ACCEPT/DROP mode");
300  break;
301  case NFQ_REPEAT_MODE:
302  SCLogInfo("NFQ running in REPEAT mode with mark %"PRIu32"/%"PRIu32,
303  nfq_config.mark, nfq_config.mask);
304  break;
305  case NFQ_ROUTE_MODE:
306  SCLogInfo("NFQ running in route mode with next queue %"PRIu32,
307  nfq_config.next_queue >> 16);
308  break;
309  }
310  }
311 
312 }
313 
314 static uint8_t NFQVerdictCacheLen(NFQQueueVars *t)
315 {
316 #ifdef HAVE_NFQ_SET_VERDICT_BATCH
317  return t->verdict_cache.len;
318 #else
319  return 0;
320 #endif
321 }
322 
323 static void NFQVerdictCacheFlush(NFQQueueVars *t)
324 {
325 #ifdef HAVE_NFQ_SET_VERDICT_BATCH
326  int ret;
327  int iter = 0;
328 
329  do {
330  if (t->verdict_cache.mark_valid)
331  ret = nfq_set_verdict_batch2(t->qh,
334  t->verdict_cache.mark);
335  else
336  ret = nfq_set_verdict_batch(t->qh,
339  } while ((ret < 0) && (iter++ < NFQ_VERDICT_RETRY_TIME));
340 
341  if (ret < 0) {
342  SCLogWarning(SC_ERR_NFQ_SET_VERDICT, "nfq_set_verdict_batch failed: %s",
343  strerror(errno));
344  } else {
345  t->verdict_cache.len = 0;
346  t->verdict_cache.mark_valid = 0;
347  }
348 #endif
349 }
350 
351 static int NFQVerdictCacheAdd(NFQQueueVars *t, Packet *p, uint32_t verdict)
352 {
353 #ifdef HAVE_NFQ_SET_VERDICT_BATCH
354  if (t->verdict_cache.maxlen == 0)
355  return -1;
356 
357  if (p->flags & PKT_STREAM_MODIFIED || verdict == NF_DROP)
358  goto flush;
359 
360  if (p->flags & PKT_MARK_MODIFIED) {
361  if (!t->verdict_cache.mark_valid) {
362  if (t->verdict_cache.len)
363  goto flush;
364  t->verdict_cache.mark_valid = 1;
365  t->verdict_cache.mark = p->nfq_v.mark;
366  } else if (t->verdict_cache.mark != p->nfq_v.mark) {
367  goto flush;
368  }
369  } else if (t->verdict_cache.mark_valid) {
370  goto flush;
371  }
372 
373  if (t->verdict_cache.len == 0) {
374  t->verdict_cache.verdict = verdict;
375  } else if (t->verdict_cache.verdict != verdict)
376  goto flush;
377 
378  /* same verdict, mark not set or identical -> can cache */
380 
381  if (t->verdict_cache.len >= t->verdict_cache.maxlen)
382  NFQVerdictCacheFlush(t);
383  else
384  t->verdict_cache.len++;
385  return 0;
386  flush:
387  /* can't cache. Flush current cache and signal caller it should send single verdict */
388  if (NFQVerdictCacheLen(t) > 0)
389  NFQVerdictCacheFlush(t);
390 #endif
391  return -1;
392 }
393 
394 static inline void NFQMutexInit(NFQQueueVars *nq)
395 {
396  char *active_runmode = RunmodeGetActive();
397 
398  if (active_runmode && !strcmp("workers", active_runmode)) {
399  nq->use_mutex = 0;
400  runmode_workers = 1;
401  SCLogInfo("NFQ running in 'workers' runmode, will not use mutex.");
402  } else {
403  nq->use_mutex = 1;
404  runmode_workers = 0;
405  SCMutexInit(&nq->mutex_qh, NULL);
406  }
407 }
408 
409 #define NFQMutexLock(nq) do { \
410  if ((nq)->use_mutex) \
411  SCMutexLock(&(nq)->mutex_qh); \
412 } while (0)
413 
414 #define NFQMutexUnlock(nq) do { \
415  if ((nq)->use_mutex) \
416  SCMutexUnlock(&(nq)->mutex_qh); \
417 } while (0)
418 
419 /**
420  * \brief Read data from nfq message and setup Packet
421  *
422  * \note
423  * In case of error, this function verdict the packet
424  * to avoid skb to get stuck in kernel.
425  */
426 static int NFQSetupPkt (Packet *p, struct nfq_q_handle *qh, void *data)
427 {
428  struct nfq_data *tb = (struct nfq_data *)data;
429  int ret;
430  char *pktdata;
431  struct nfqnl_msg_packet_hdr *ph;
432 
433  ph = nfq_get_msg_packet_hdr(tb);
434  if (ph != NULL) {
435  p->nfq_v.id = SCNtohl(ph->packet_id);
436  //p->nfq_v.hw_protocol = SCNtohs(p->nfq_v.ph->hw_protocol);
437  p->nfq_v.hw_protocol = ph->hw_protocol;
438  }
439  /* coverity[missing_lock] */
440  p->nfq_v.mark = nfq_get_nfmark(tb);
441  if (nfq_config.mode == NFQ_REPEAT_MODE) {
442  if ((nfq_config.mark & nfq_config.mask) ==
443  (p->nfq_v.mark & nfq_config.mask)) {
444  int iter = 0;
445  if (already_seen_warning < MAX_ALREADY_TREATED)
446  SCLogInfo("Packet seems already treated by suricata");
447  already_seen_warning++;
448  do {
449  ret = nfq_set_verdict(qh, p->nfq_v.id, NF_ACCEPT, 0, NULL);
450  } while ((ret < 0) && (iter++ < NFQ_VERDICT_RETRY_TIME));
451  if (ret < 0) {
453  "nfq_set_verdict of %p failed %" PRId32 ": %s",
454  p, ret, strerror(errno));
455  }
456  return -1 ;
457  }
458  }
459  p->nfq_v.ifi = nfq_get_indev(tb);
460  p->nfq_v.ifo = nfq_get_outdev(tb);
461  p->nfq_v.verdicted = 0;
462 
463 #ifdef NFQ_GET_PAYLOAD_SIGNED
464  ret = nfq_get_payload(tb, &pktdata);
465 #else
466  ret = nfq_get_payload(tb, (unsigned char **) &pktdata);
467 #endif /* NFQ_GET_PAYLOAD_SIGNED */
468  if (ret > 0) {
469  /* nfq_get_payload returns a pointer to a part of memory
470  * that is not preserved over the lifetime of our packet.
471  * So we need to copy it. */
472  if (ret > 65536) {
473  /* Will not be able to copy data ! Set length to 0
474  * to trigger an error in packet decoding.
475  * This is unlikely to happen */
476  SCLogWarning(SC_ERR_INVALID_ARGUMENTS, "NFQ sent too big packet");
477  SET_PKT_LEN(p, 0);
478  } else if (runmode_workers) {
479  PacketSetData(p, (uint8_t *)pktdata, ret);
480  } else {
481  PacketCopyData(p, (uint8_t *)pktdata, ret);
482  }
483  } else if (ret == -1) {
484  /* unable to get pointer to data, ensure packet length is zero.
485  * This will trigger an error in packet decoding */
486  SET_PKT_LEN(p, 0);
487  }
488 
489  ret = nfq_get_timestamp(tb, &p->ts);
490  if (ret != 0 || p->ts.tv_sec == 0) {
491  memset (&p->ts, 0, sizeof(struct timeval));
492  gettimeofday(&p->ts, NULL);
493  }
494 
495  p->datalink = DLT_RAW;
496  return 0;
497 }
498 
499 static void NFQReleasePacket(Packet *p)
500 {
501  if (unlikely(!p->nfq_v.verdicted)) {
503  NFQSetVerdict(p);
504  }
506 }
507 
508 /**
509  * \brief bypass callback function for NFQ
510  *
511  * \param p a Packet to use information from to trigger bypass
512  * \return 1 if bypass is successful, 0 if not
513  */
514 static int NFQBypassCallback(Packet *p)
515 {
516  if (IS_TUNNEL_PKT(p)) {
517  /* real tunnels may have multiple flows inside them, so bypass can't
518  * work for those. Rebuilt packets from IP fragments are fine. */
519  if (p->flags & PKT_REBUILT_FRAGMENT) {
520  Packet *tp = p->root ? p->root : p;
522  tp->nfq_v.mark = (nfq_config.bypass_mark & nfq_config.bypass_mask)
523  | (tp->nfq_v.mark & ~nfq_config.bypass_mask);
524  tp->flags |= PKT_MARK_MODIFIED;
526  return 1;
527  }
528  return 0;
529  } else {
530  /* coverity[missing_lock] */
531  p->nfq_v.mark = (nfq_config.bypass_mark & nfq_config.bypass_mask)
532  | (p->nfq_v.mark & ~nfq_config.bypass_mask);
533  p->flags |= PKT_MARK_MODIFIED;
534  }
535 
536  return 1;
537 }
538 
539 static int NFQCallBack(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
540  struct nfq_data *nfa, void *data)
541 {
542  NFQThreadVars *ntv = (NFQThreadVars *)data;
543  ThreadVars *tv = ntv->tv;
544  int ret;
545 
546  /* grab a packet */
548  if (p == NULL) {
549  return -1;
550  }
552 
553  p->nfq_v.nfq_index = ntv->nfq_index;
554  /* if bypass mask is set then we may want to bypass so set pointer */
555  if (nfq_config.bypass_mask) {
556  p->BypassPacketsFlow = NFQBypassCallback;
557  }
558  ret = NFQSetupPkt(p, qh, (void *)nfa);
559  if (ret == -1) {
560 #ifdef COUNTERS
562  q->errs++;
563  q->pkts++;
564  q->bytes += GET_PKT_LEN(p);
565 #endif /* COUNTERS */
566  (void) SC_ATOMIC_ADD(ntv->livedev->pkts, 1);
567 
568  /* NFQSetupPkt is issuing a verdict
569  so we only recycle Packet and leave */
570  TmqhOutputPacketpool(tv, p);
571  return 0;
572  }
573 
574  p->ReleasePacket = NFQReleasePacket;
575 
576 #ifdef COUNTERS
578  q->pkts++;
579  q->bytes += GET_PKT_LEN(p);
580 #endif /* COUNTERS */
581  (void) SC_ATOMIC_ADD(ntv->livedev->pkts, 1);
582 
583  if (ntv->slot) {
584  if (TmThreadsSlotProcessPkt(tv, ntv->slot, p) != TM_ECODE_OK) {
585  TmqhOutputPacketpool(ntv->tv, p);
586  return -1;
587  }
588  } else {
589  /* pass on... */
590  tv->tmqh_out(tv, p);
591  }
592 
593  return 0;
594 }
595 
596 static TmEcode NFQInitThread(NFQThreadVars *t, uint32_t queue_maxlen)
597 {
598  struct timeval tv;
599  int opt;
601  if (q == NULL) {
602  SCLogError(SC_ERR_NFQ_OPEN, "no queue for given index");
603  return TM_ECODE_FAILED;
604  }
605  SCLogDebug("opening library handle");
606  q->h = nfq_open();
607  if (q->h == NULL) {
608  SCLogError(SC_ERR_NFQ_OPEN, "nfq_open() failed");
609  return TM_ECODE_FAILED;
610  }
611 
612  if (nfq_g.unbind == 0)
613  {
614  /* VJ: on my Ubuntu Hardy system this fails the first time it's
615  * run. Ignoring the error seems to have no bad effects. */
616  SCLogDebug("unbinding existing nf_queue handler for AF_INET (if any)");
617  if (nfq_unbind_pf(q->h, AF_INET) < 0) {
618  SCLogError(SC_ERR_NFQ_UNBIND, "nfq_unbind_pf() for AF_INET failed");
619  exit(EXIT_FAILURE);
620  }
621  if (nfq_unbind_pf(q->h, AF_INET6) < 0) {
622  SCLogError(SC_ERR_NFQ_UNBIND, "nfq_unbind_pf() for AF_INET6 failed");
623  exit(EXIT_FAILURE);
624  }
625  nfq_g.unbind = 1;
626 
627  SCLogDebug("binding nfnetlink_queue as nf_queue handler for AF_INET and AF_INET6");
628 
629  if (nfq_bind_pf(q->h, AF_INET) < 0) {
630  SCLogError(SC_ERR_NFQ_BIND, "nfq_bind_pf() for AF_INET failed");
631  exit(EXIT_FAILURE);
632  }
633  if (nfq_bind_pf(q->h, AF_INET6) < 0) {
634  SCLogError(SC_ERR_NFQ_BIND, "nfq_bind_pf() for AF_INET6 failed");
635  exit(EXIT_FAILURE);
636  }
637  }
638 
639  SCLogInfo("binding this thread %d to queue '%" PRIu32 "'", t->nfq_index, q->queue_num);
640 
641  /* pass the thread memory as a void ptr so the
642  * callback function has access to it. */
643  q->qh = nfq_create_queue(q->h, q->queue_num, &NFQCallBack, (void *)t);
644  if (q->qh == NULL) {
645  SCLogError(SC_ERR_NFQ_CREATE_QUEUE, "nfq_create_queue failed");
646  return TM_ECODE_FAILED;
647  }
648 
649  SCLogDebug("setting copy_packet mode");
650 
651  /* 05DC = 1500 */
652  //if (nfq_set_mode(nfq_t->qh, NFQNL_COPY_PACKET, 0x05DC) < 0) {
653  if (nfq_set_mode(q->qh, NFQNL_COPY_PACKET, 0xFFFF) < 0) {
654  SCLogError(SC_ERR_NFQ_SET_MODE, "can't set packet_copy mode");
655  return TM_ECODE_FAILED;
656  }
657 
658 #ifdef HAVE_NFQ_MAXLEN
659  if (queue_maxlen > 0) {
660  SCLogInfo("setting queue length to %" PRId32 "", queue_maxlen);
661 
662  /* non-fatal if it fails */
663  if (nfq_set_queue_maxlen(q->qh, queue_maxlen) < 0) {
664  SCLogWarning(SC_ERR_NFQ_MAXLEN, "can't set queue maxlen: your kernel probably "
665  "doesn't support setting the queue length");
666  }
667  }
668 #endif /* HAVE_NFQ_MAXLEN */
669 
670  /* set netlink buffer size to a decent value */
671  nfnl_rcvbufsiz(nfq_nfnlh(q->h), queue_maxlen * 1500);
672  SCLogInfo("setting nfnl bufsize to %" PRId32 "", queue_maxlen * 1500);
673 
674  q->nh = nfq_nfnlh(q->h);
675  q->fd = nfnl_fd(q->nh);
676  NFQMutexInit(q);
677 
678  /* Set some netlink specific option on the socket to increase
679  performance */
680  opt = 1;
681 #ifdef NETLINK_BROADCAST_SEND_ERROR
682  if (setsockopt(q->fd, SOL_NETLINK,
683  NETLINK_BROADCAST_SEND_ERROR, &opt, sizeof(int)) == -1) {
685  "can't set netlink broadcast error: %s",
686  strerror(errno));
687  }
688 #endif
689  /* Don't send error about no buffer space available but drop the
690  packets instead */
691 #ifdef NETLINK_NO_ENOBUFS
692  if (setsockopt(q->fd, SOL_NETLINK,
693  NETLINK_NO_ENOBUFS, &opt, sizeof(int)) == -1) {
695  "can't set netlink enobufs: %s",
696  strerror(errno));
697  }
698 #endif
699 
700 #ifdef HAVE_NFQ_SET_QUEUE_FLAGS
701  if (nfq_config.flags & NFQ_FLAG_FAIL_OPEN) {
702  uint32_t flags = NFQA_CFG_F_FAIL_OPEN;
703  uint32_t mask = NFQA_CFG_F_FAIL_OPEN;
704  int r = nfq_set_queue_flags(q->qh, mask, flags);
705 
706  if (r == -1) {
707  SCLogWarning(SC_ERR_NFQ_SET_MODE, "can't set fail-open mode: %s",
708  strerror(errno));
709  } else {
710  SCLogInfo("fail-open mode should be set on queue");
711  }
712  }
713 #endif
714 
715 #ifdef HAVE_NFQ_SET_VERDICT_BATCH
716  if (runmode_workers) {
717  q->verdict_cache.maxlen = nfq_config.batchcount;
718  } else if (nfq_config.batchcount) {
719  SCLogError(SC_ERR_INVALID_ARGUMENT, "nfq.batchcount is only valid in workers runmode.");
720  }
721 #endif
722 
723  /* set a timeout to the socket so we can check for a signal
724  * in case we don't get packets for a longer period. */
725  tv.tv_sec = 1;
726  tv.tv_usec = 0;
727 
728  if(setsockopt(q->fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) == -1) {
729  SCLogWarning(SC_ERR_NFQ_SETSOCKOPT, "can't set socket timeout: %s", strerror(errno));
730  }
731 
732  SCLogDebug("nfq_q->h %p, nfq_q->nh %p, nfq_q->qh %p, nfq_q->fd %" PRId32 "",
733  q->h, q->nh, q->qh, q->fd);
734 
735  return TM_ECODE_OK;
736 }
737 
738 TmEcode ReceiveNFQThreadInit(ThreadVars *tv, const void *initdata, void **data)
739 {
740  SCMutexLock(&nfq_init_lock);
741 
742  sigset_t sigs;
743  sigfillset(&sigs);
744  pthread_sigmask(SIG_BLOCK, &sigs, NULL);
745 
746  NFQThreadVars *ntv = (NFQThreadVars *) initdata;
747  /* store the ThreadVars pointer in our NFQ thread context
748  * as we will need it in our callback function */
749  ntv->tv = tv;
750 
751  int r = NFQInitThread(ntv, (max_pending_packets * NFQ_BURST_FACTOR));
752  if (r != TM_ECODE_OK) {
753  SCLogError(SC_ERR_NFQ_THREAD_INIT, "nfq thread failed to initialize");
754 
755  SCMutexUnlock(&nfq_init_lock);
756  exit(EXIT_FAILURE);
757  }
758 
759 #define T_DATA_SIZE 70000
760  ntv->data = SCMalloc(T_DATA_SIZE);
761  if (ntv->data == NULL) {
762  SCMutexUnlock(&nfq_init_lock);
763  return TM_ECODE_FAILED;
764  }
765  ntv->datalen = T_DATA_SIZE;
766 #undef T_DATA_SIZE
767 
768  *data = (void *)ntv;
769 
770  SCMutexUnlock(&nfq_init_lock);
771  return TM_ECODE_OK;
772 }
773 
774 static void NFQDestroyQueue(NFQQueueVars *nq)
775 {
776  if (unlikely(nq == NULL)) {
777  return;
778  }
779 
780  SCLogDebug("starting... will close queuenum %" PRIu32 "", nq->queue_num);
781  NFQMutexLock(nq);
782  if (nq->qh != NULL) {
783  nfq_destroy_queue(nq->qh);
784  nq->qh = NULL;
785  nfq_close(nq->h);
786  nq->h = NULL;
787  }
788  NFQMutexUnlock(nq);
789 }
790 
792 {
793  NFQThreadVars *ntv = (NFQThreadVars *)data;
794  NFQQueueVars *nq = NFQGetQueue(ntv->nfq_index);
795 
796  if (ntv->data != NULL) {
797  SCFree(ntv->data);
798  ntv->data = NULL;
799  }
800  ntv->datalen = 0;
801 
802  NFQDestroyQueue(nq);
803 
804  SCMutexLock(&nfq_init_lock);
805  if (--receive_queue_num == 0) {
806  // No more active queues, we may now free global contexts
807  SCFree(g_nfq_t);
808  SCFree(g_nfq_q);
809  }
810  SCMutexUnlock(&nfq_init_lock);
811 
812  return TM_ECODE_OK;
813 }
814 
815 TmEcode VerdictNFQThreadInit(ThreadVars *tv, const void *initdata, void **data)
816 {
817  NFQThreadVars *ntv = (NFQThreadVars *) initdata;
818 
819  CaptureStatsSetup(tv, &ntv->stats);
820 
821  *data = (void *)ntv;
822  return TM_ECODE_OK;
823 }
824 
826 {
827  NFQThreadVars *ntv = (NFQThreadVars *)data;
828  NFQQueueVars *nq = NFQGetQueue(ntv->nfq_index);
829 
830  NFQDestroyQueue(nq);
831 
832  return TM_ECODE_OK;
833 }
834 
835 /**
836  * \brief Add a single Netfilter queue
837  *
838  * \param string with the queue number
839  *
840  * \retval 0 on success.
841  * \retval -1 on failure.
842  */
843 int NFQRegisterQueue(const uint16_t number)
844 {
845  NFQThreadVars *ntv = NULL;
846  NFQQueueVars *nq = NULL;
847  char queue[10] = { 0 };
848  static bool many_queues_warned = false;
849  uint16_t num_cpus = UtilCpuGetNumProcessorsOnline();
850 
851  if (g_nfq_t == NULL || g_nfq_q == NULL) {
852  SCLogError(SC_ERR_INVALID_ARGUMENT, "NFQ context is not initialized");
853  return -1;
854  }
855 
856  SCMutexLock(&nfq_init_lock);
857  if (!many_queues_warned && (receive_queue_num >= num_cpus)) {
859  "using more Netfilter queues than %hu available CPU core(s) "
860  "may degrade performance",
861  num_cpus);
862  many_queues_warned = true;
863  }
864  if (receive_queue_num >= NFQ_MAX_QUEUE) {
866  "can not register more than %d Netfilter queues",
867  NFQ_MAX_QUEUE);
868  SCMutexUnlock(&nfq_init_lock);
869  return -1;
870  }
871 
872  ntv = &g_nfq_t[receive_queue_num];
873  ntv->nfq_index = receive_queue_num;
874 
875  nq = &g_nfq_q[receive_queue_num];
876  nq->queue_num = number;
877  receive_queue_num++;
878  SCMutexUnlock(&nfq_init_lock);
879  snprintf(queue, sizeof(queue) - 1, "NFQ#%hu", number);
880  LiveRegisterDevice(queue);
881 
882  ntv->livedev = LiveGetDevice(queue);
883 
884  if (ntv->livedev == NULL) {
885  SCLogError(SC_ERR_INVALID_VALUE, "Unable to find Live device");
886  return -1;
887  }
888 
889  SCLogDebug("Queue %d registered.", number);
890  return 0;
891 }
892 
893 /**
894  * \brief Parses and adds Netfilter queue(s).
895  *
896  * \param string with the queue number or range
897  *
898  * \retval 0 on success.
899  * \retval -1 on failure.
900  */
901 int NFQParseAndRegisterQueues(const char *queues)
902 {
903  uint16_t queue_start = 0;
904  uint16_t queue_end = 0;
905  uint16_t num_queues = 1; // if argument is correct, at least one queue will be created
906 
907  // Either "id" or "start:end" format (e.g., "12" or "0:5")
908  int count = sscanf(queues, "%hu:%hu", &queue_start, &queue_end);
909 
910  if (count < 1) {
911  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified queue(s) argument '%s' is not "
912  "valid (allowed queue numbers are 0-65535)", queues);
913  return -1;
914  }
915 
916  // Do we have a range?
917  if (count == 2) {
918  // Sanity check
919  if (queue_start > queue_end) {
920  SCLogError(SC_ERR_INVALID_ARGUMENT, "start queue's number %d is greater than "
921  "ending number %d", queue_start, queue_end);
922  return -1;
923  }
924 
925  num_queues = queue_end - queue_start + 1; // +1 due to inclusive range
926  }
927 
928  g_nfq_t = (NFQThreadVars *)SCCalloc(num_queues, sizeof(NFQThreadVars));
929 
930  if (g_nfq_t == NULL) {
931  SCLogError(SC_ERR_MEM_ALLOC, "Unable to allocate NFQThreadVars");
932  exit(EXIT_FAILURE);
933  }
934 
935  g_nfq_q = (NFQQueueVars *)SCCalloc(num_queues, sizeof(NFQQueueVars));
936 
937  if (g_nfq_q == NULL) {
938  SCLogError(SC_ERR_MEM_ALLOC, "Unable to allocate NFQQueueVars");
939  SCFree(g_nfq_t);
940  exit(EXIT_FAILURE);
941  }
942 
943  do {
944  if (NFQRegisterQueue(queue_start) != 0) {
945  return -1;
946  }
947  } while (++queue_start <= queue_end);
948 
949  return 0;
950 }
951 
952 /**
953  * \brief Get a pointer to the NFQ queue at index
954  *
955  * \param number idx of the queue in our array
956  *
957  * \retval ptr pointer to the NFQThreadVars at index
958  * \retval NULL on error
959  */
960 void *NFQGetQueue(int number)
961 {
962  if (number >= receive_queue_num)
963  return NULL;
964 
965  return (void *)&g_nfq_q[number];
966 }
967 
968 /**
969  * \brief Get a pointer to the NFQ thread at index
970  *
971  * This function is temporary used as configuration parser.
972  *
973  * \param number idx of the queue in our array
974  *
975  * \retval ptr pointer to the NFQThreadVars at index
976  * \retval NULL on error
977  */
978 void *NFQGetThread(int number)
979 {
980  if (number >= receive_queue_num)
981  return NULL;
982 
983  return (void *)&g_nfq_t[number];
984 }
985 
986 /**
987  * \brief NFQ function to get a packet from the kernel
988  *
989  * \note separate functions for Linux and Win32 for readability.
990  */
991 static void NFQRecvPkt(NFQQueueVars *t, NFQThreadVars *tv)
992 {
993  int rv, ret;
994  int flag = NFQVerdictCacheLen(t) ? MSG_DONTWAIT : 0;
995 
996  /* XXX what happens on rv == 0? */
997  rv = recv(t->fd, tv->data, tv->datalen, flag);
998 
999  if (rv < 0) {
1000  if (errno == EINTR || errno == EWOULDBLOCK) {
1001  /* no error on timeout */
1002  if (flag)
1003  NFQVerdictCacheFlush(t);
1004 
1005  /* inject a fake packet on timeout */
1006  TmThreadsCaptureInjectPacket(tv->tv, tv->slot, NULL);
1007  } else {
1008 #ifdef COUNTERS
1009  NFQMutexLock(t);
1010  t->errs++;
1011  NFQMutexUnlock(t);
1012 #endif /* COUNTERS */
1013  }
1014  } else if(rv == 0) {
1015  SCLogWarning(SC_ERR_NFQ_RECV, "recv got returncode 0");
1016  } else {
1017 #ifdef DBG_PERF
1018  if (rv > t->dbg_maxreadsize)
1019  t->dbg_maxreadsize = rv;
1020 #endif /* DBG_PERF */
1021 
1022  //printf("NFQRecvPkt: t %p, rv = %" PRId32 "\n", t, rv);
1023 
1024  NFQMutexLock(t);
1025  if (t->qh != NULL) {
1026  ret = nfq_handle_packet(t->h, tv->data, rv);
1027  } else {
1028  SCLogWarning(SC_ERR_NFQ_HANDLE_PKT, "NFQ handle has been destroyed");
1029  ret = -1;
1030  }
1031  NFQMutexUnlock(t);
1032 
1033  if (ret != 0) {
1034  SCLogWarning(SC_ERR_NFQ_HANDLE_PKT, "nfq_handle_packet error %"PRId32" %s",
1035  ret, strerror(errno));
1036  }
1037  }
1038 }
1039 
1040 /**
1041  * \brief Main NFQ reading Loop function
1042  */
1044 {
1045  SCEnter();
1046  NFQThreadVars *ntv = (NFQThreadVars *)data;
1047  NFQQueueVars *nq = NFQGetQueue(ntv->nfq_index);
1048 
1049  ntv->slot = ((TmSlot *) slot)->slot_next;
1050 
1051  while(1) {
1052  if (suricata_ctl_flags != 0) {
1053  NFQDestroyQueue(nq);
1054  break;
1055  }
1056  NFQRecvPkt(nq, ntv);
1057 
1059  }
1061 }
1062 
1063 /**
1064  * \brief NFQ receive module stats printing function
1065  */
1067 {
1068  NFQThreadVars *ntv = (NFQThreadVars *)data;
1069  NFQQueueVars *nq = NFQGetQueue(ntv->nfq_index);
1070 #ifdef COUNTERS
1071  SCLogNotice("(%s) Treated: Pkts %" PRIu32 ", Bytes %" PRIu64 ", Errors %" PRIu32 "",
1072  tv->name, nq->pkts, nq->bytes, nq->errs);
1073  SCLogNotice("(%s) Verdict: Accepted %"PRIu32", Dropped %"PRIu32", Replaced %"PRIu32,
1074  tv->name, nq->accepted, nq->dropped, nq->replaced);
1075 #endif
1076 }
1077 
1078 /**
1079  * \brief NFQ verdict function
1080  */
1082 {
1083  int iter = 0;
1084  int ret = 0;
1085  uint32_t verdict = NF_ACCEPT;
1086  /* we could also have a direct pointer but we need to have a ref counf in this case */
1087  NFQQueueVars *t = g_nfq_q + p->nfq_v.nfq_index;
1088 
1089  /** \todo add a test on validity of the entry NFQQueueVars could have been
1090  * wipeout
1091  */
1092 
1093  p->nfq_v.verdicted = 1;
1094 
1095  /* can't verdict a "fake" packet */
1096  if (PKT_IS_PSEUDOPKT(p)) {
1097  return TM_ECODE_OK;
1098  }
1099 
1100  //printf("%p verdicting on queue %" PRIu32 "\n", t, t->queue_num);
1101  NFQMutexLock(t);
1102 
1103  if (t->qh == NULL) {
1104  /* Somebody has started a clean-up, we leave */
1105  NFQMutexUnlock(t);
1106  return TM_ECODE_OK;
1107  }
1108 
1109  if (PACKET_TEST_ACTION(p, ACTION_DROP)) {
1110  verdict = NF_DROP;
1111 #ifdef COUNTERS
1112  t->dropped++;
1113 #endif /* COUNTERS */
1114  } else {
1115  switch (nfq_config.mode) {
1116  default:
1117  case NFQ_ACCEPT_MODE:
1118  verdict = NF_ACCEPT;
1119  break;
1120  case NFQ_REPEAT_MODE:
1121  verdict = NF_REPEAT;
1122  break;
1123  case NFQ_ROUTE_MODE:
1124  verdict = ((uint32_t) NF_QUEUE) | nfq_config.next_queue;
1125  break;
1126  }
1127 
1128  if (p->flags & PKT_STREAM_MODIFIED) {
1129 #ifdef COUNTERS
1130  t->replaced++;
1131 #endif /* COUNTERS */
1132  }
1133 
1134 #ifdef COUNTERS
1135  t->accepted++;
1136 #endif /* COUNTERS */
1137  }
1138 
1139  ret = NFQVerdictCacheAdd(t, p, verdict);
1140  if (ret == 0) {
1141  NFQMutexUnlock(t);
1142  return TM_ECODE_OK;
1143  }
1144 
1145  do {
1146  switch (nfq_config.mode) {
1147  default:
1148  case NFQ_ACCEPT_MODE:
1149  case NFQ_ROUTE_MODE:
1150  if (p->flags & PKT_MARK_MODIFIED) {
1151 #ifdef HAVE_NFQ_SET_VERDICT2
1152  if (p->flags & PKT_STREAM_MODIFIED) {
1153  ret = nfq_set_verdict2(t->qh, p->nfq_v.id, verdict,
1154  p->nfq_v.mark,
1155  GET_PKT_LEN(p), GET_PKT_DATA(p));
1156  } else {
1157  ret = nfq_set_verdict2(t->qh, p->nfq_v.id, verdict,
1158  p->nfq_v.mark,
1159  0, NULL);
1160  }
1161 #else /* fall back to old function */
1162  if (p->flags & PKT_STREAM_MODIFIED) {
1163  ret = nfq_set_verdict_mark(t->qh, p->nfq_v.id, verdict,
1164  htonl(p->nfq_v.mark),
1165  GET_PKT_LEN(p), GET_PKT_DATA(p));
1166  } else {
1167  ret = nfq_set_verdict_mark(t->qh, p->nfq_v.id, verdict,
1168  htonl(p->nfq_v.mark),
1169  0, NULL);
1170  }
1171 #endif /* HAVE_NFQ_SET_VERDICT2 */
1172  } else {
1173  if (p->flags & PKT_STREAM_MODIFIED) {
1174  ret = nfq_set_verdict(t->qh, p->nfq_v.id, verdict,
1175  GET_PKT_LEN(p), GET_PKT_DATA(p));
1176  } else {
1177  ret = nfq_set_verdict(t->qh, p->nfq_v.id, verdict, 0, NULL);
1178  }
1179 
1180  }
1181  break;
1182  case NFQ_REPEAT_MODE:
1183 #ifdef HAVE_NFQ_SET_VERDICT2
1184  if (p->flags & PKT_STREAM_MODIFIED) {
1185  ret = nfq_set_verdict2(t->qh, p->nfq_v.id, verdict,
1186  (nfq_config.mark & nfq_config.mask) | (p->nfq_v.mark & ~nfq_config.mask),
1187  GET_PKT_LEN(p), GET_PKT_DATA(p));
1188  } else {
1189  ret = nfq_set_verdict2(t->qh, p->nfq_v.id, verdict,
1190  (nfq_config.mark & nfq_config.mask) | (p->nfq_v.mark & ~nfq_config.mask),
1191  0, NULL);
1192  }
1193 #else /* fall back to old function */
1194  if (p->flags & PKT_STREAM_MODIFIED) {
1195  ret = nfq_set_verdict_mark(t->qh, p->nfq_v.id, verdict,
1196  htonl((nfq_config.mark & nfq_config.mask) | (p->nfq_v.mark & ~nfq_config.mask)),
1197  GET_PKT_LEN(p), GET_PKT_DATA(p));
1198  } else {
1199  ret = nfq_set_verdict_mark(t->qh, p->nfq_v.id, verdict,
1200  htonl((nfq_config.mark & nfq_config.mask) | (p->nfq_v.mark & ~nfq_config.mask)),
1201  0, NULL);
1202  }
1203 #endif /* HAVE_NFQ_SET_VERDICT2 */
1204  break;
1205  }
1206  } while ((ret < 0) && (iter++ < NFQ_VERDICT_RETRY_TIME));
1207 
1208  NFQMutexUnlock(t);
1209 
1210  if (ret < 0) {
1212  "nfq_set_verdict of %p failed %" PRId32 ": %s",
1213  p, ret, strerror(errno));
1214  return TM_ECODE_FAILED;
1215  }
1216  return TM_ECODE_OK;
1217 }
1218 
1219 /**
1220  * \brief NFQ verdict module packet entry function
1221  */
1223 {
1224  NFQThreadVars *ntv = (NFQThreadVars *)data;
1225  /* update counters */
1226  CaptureStatsUpdate(tv, &ntv->stats, p);
1227 
1228  int ret;
1229  /* if this is a tunnel packet we check if we are ready to verdict
1230  * already. */
1231  if (IS_TUNNEL_PKT(p)) {
1232  SCLogDebug("tunnel pkt: %p/%p %s", p, p->root, p->root ? "upper layer" : "root");
1233  bool verdict = VerdictTunnelPacket(p);
1234  /* don't verdict if we are not ready */
1235  if (verdict == true) {
1236  ret = NFQSetVerdict(p->root ? p->root : p);
1237  if (ret != TM_ECODE_OK) {
1238  return ret;
1239  }
1240  }
1241  } else {
1242  /* no tunnel, verdict normally */
1243  ret = NFQSetVerdict(p);
1244  if (ret != TM_ECODE_OK) {
1245  return ret;
1246  }
1247  }
1248  return TM_ECODE_OK;
1249 }
1250 
1251 /**
1252  * \brief Decode a packet coming from NFQ
1253  */
1255 {
1256 
1257  IPV4Hdr *ip4h = (IPV4Hdr *)GET_PKT_DATA(p);
1258  IPV6Hdr *ip6h = (IPV6Hdr *)GET_PKT_DATA(p);
1259  DecodeThreadVars *dtv = (DecodeThreadVars *)data;
1260 
1261  /* XXX HACK: flow timeout can call us for injected pseudo packets
1262  * see bug: https://redmine.openinfosecfoundation.org/issues/1107 */
1263  if (PKT_IS_PSEUDOPKT(p))
1264  return TM_ECODE_OK;
1265 
1266  DecodeUpdatePacketCounters(tv, dtv, p);
1267 
1268  if (IPV4_GET_RAW_VER(ip4h) == 4) {
1269  if (unlikely(GET_PKT_LEN(p) > USHRT_MAX)) {
1270  return TM_ECODE_FAILED;
1271  }
1272  SCLogDebug("IPv4 packet");
1273  DecodeIPV4(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
1274  } else if(IPV6_GET_RAW_VER(ip6h) == 6) {
1275  if (unlikely(GET_PKT_LEN(p) > USHRT_MAX)) {
1276  return TM_ECODE_FAILED;
1277  }
1278  SCLogDebug("IPv6 packet");
1279  DecodeIPV6(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
1280  } else {
1281  SCLogDebug("packet unsupported by NFQ, first byte: %02x", *GET_PKT_DATA(p));
1282  }
1283 
1284  PacketDecodeFinalize(tv, dtv, p);
1285 
1286  return TM_ECODE_OK;
1287 }
1288 
1289 /**
1290  * \brief Initialize the NFQ Decode threadvars
1291  */
1292 TmEcode DecodeNFQThreadInit(ThreadVars *tv, const void *initdata, void **data)
1293 {
1294  DecodeThreadVars *dtv = NULL;
1295  dtv = DecodeThreadVarsAlloc(tv);
1296 
1297  if (dtv == NULL)
1299 
1300  DecodeRegisterPerfCounters(dtv, tv);
1301 
1302  *data = (void *)dtv;
1303 
1304  return TM_ECODE_OK;
1305 }
1306 
1308 {
1309  if (data != NULL)
1310  DecodeThreadVarsFree(tv, data);
1312 }
1313 
1314 #endif /* NFQ */
IPV6Hdr ip6h
#define MAX_ALREADY_TREATED
Definition: source-nfq.c:112
uint32_t mark
Definition: source-nfq.h:79
#define SCMutex
#define TM_FLAG_DECODE_TM
Definition: tm-modules.h:32
uint16_t flags
void ReceiveNFQThreadExitStats(ThreadVars *, void *)
NFQ receive module stats printing function.
Definition: source-nfq.c:1066
DecodeThreadVars * DecodeThreadVarsAlloc(ThreadVars *tv)
Alloc and setup DecodeThreadVars.
Definition: decode.c:592
#define SCLogDebug(...)
Definition: util-debug.h:335
void CaptureStatsUpdate(ThreadVars *tv, CaptureStats *s, const Packet *p)
Definition: decode.c:685
#define NFQ_VERDICT_RETRY_TIME
Definition: source-nfq.c:113
uint32_t verdict
Definition: source-nfq.h:78
int(* BypassPacketsFlow)(struct Packet_ *)
Definition: decode.h:485
uint8_t cap_flags
Definition: tm-modules.h:67
int LiveRegisterDevice(const char *dev)
Add a pcap device for monitoring and create structure.
Definition: util-device.c:111
TmEcode ReceiveNFQLoop(ThreadVars *tv, void *data, void *slot)
Main NFQ reading Loop function.
Definition: source-nfq.c:1043
uint32_t packet_id
Definition: source-nfq.h:77
uint8_t flags
Definition: tm-modules.h:70
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:860
TmEcode DecodeNFQ(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *)
Decode a packet coming from NFQ.
Definition: source-nfq.c:1254
#define SET_PKT_LEN(p, len)
Definition: decode.h:227
void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Finalize decoding of a packet.
Definition: decode.c:114
TmEcode DecodeNFQThreadInit(ThreadVars *, const void *, void **)
Initialize the NFQ Decode threadvars.
Definition: source-nfq.c:1292
#define unlikely(expr)
Definition: util-optimize.h:35
TmEcode(* Func)(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *)
Definition: tm-modules.h:52
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as an boolen.
Definition: conf.c:517
uint8_t maxlen
Definition: source-nfq.h:82
#define SOL_NETLINK
Definition: source-nfq.c:120
uint8_t batchcount
Definition: source-nfq.c:178
void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv)
Definition: decode.c:453
TmSlot * slot
Definition: source-nfq.c:130
#define NFQMutexUnlock(nq)
Definition: source-nfq.c:414
uint32_t accepted
Definition: source-nfq.h:73
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:107
#define IS_TUNNEL_PKT(p)
Definition: decode.h:884
uint32_t next_queue
Definition: source-nfq.c:176
TmEcode DecodeNFQThreadDeinit(ThreadVars *tv, void *data)
Definition: source-nfq.c:1307
SCMutex mutex_qh
Definition: source-nfq.h:59
volatile uint8_t suricata_ctl_flags
Definition: suricata.c:200
TmEcode VerdictNFQThreadDeinit(ThreadVars *, void *)
Definition: source-nfq.c:825
uint32_t bypass_mark
Definition: source-nfq.c:174
#define SC_CAP_NET_ADMIN
Definition: util-privs.h:31
void NFQInitConfig(char quiet)
To initialize the NFQ global configuration data.
Definition: source-nfq.c:226
Packet * PacketGetFromQueueOrAlloc(void)
Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packe...
Definition: decode.c:176
uint16_t nfq_index
Definition: source-nfq.h:42
enum NFQMode_ NFQMode
TmEcode(* PktAcqLoop)(ThreadVars *, void *, void *)
Definition: tm-modules.h:54
void(* ReleasePacket)(struct Packet_ *)
Definition: decode.h:482
#define SCMutexLock(mut)
#define IPV4_GET_RAW_VER(ip4h)
Definition: decode-ipv4.h:94
void PacketFreeOrRelease(Packet *p)
Return a packet to where it was allocated.
Definition: decode.c:161
int ConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:331
int NFQParseAndRegisterQueues(const char *queues)
Parses and adds Netfilter queue(s).
Definition: source-nfq.c:901
char * RunmodeGetActive(void)
Definition: runmodes.c:189
uint32_t mark
Definition: source-nfq.c:172
uint64_t bytes
Definition: source-nfq.h:71
TmEcode NFQSetVerdict(Packet *p)
NFQ verdict function.
Definition: source-nfq.c:1081
uint32_t dropped
Definition: source-nfq.h:74
#define PKT_SET_SRC(p, src_val)
Definition: decode.h:1134
#define TM_FLAG_RECEIVE_TM
Definition: tm-modules.h:31
void * NFQGetThread(int number)
Get a pointer to the NFQ thread at index.
Definition: source-nfq.c:978
TmEcode(* PktAcqBreakLoop)(ThreadVars *, void *)
Definition: tm-modules.h:57
int DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
Definition: decode-ipv4.c:533
TmEcode ReceiveNFQThreadInit(ThreadVars *, const void *, void **)
Definition: source-nfq.c:738
uint32_t replaced
Definition: source-nfq.h:75
#define SCCalloc(nm, a)
Definition: util-mem.h:197
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
Definition: decode-ipv6.c:584
NFQMode_
Definition: source-nfq.c:162
#define SCMutexUnlock(mut)
void TmqhOutputPacketpool(ThreadVars *t, Packet *p)
uint32_t errs
Definition: source-nfq.h:72
int max_pending_packets
Definition: suricata.c:214
int NFQRegisterQueue(const uint16_t number)
Add a single Netfilter queue.
Definition: source-nfq.c:843
int datalink
Definition: decode.h:574
#define IPV6_GET_RAW_VER(ip6h)
Definition: decode-ipv6.h:62
uint16_t queue_num
Definition: source-nfq.h:61
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
struct nfq_q_handle * qh
Definition: source-nfq.h:58
uint16_t hw_protocol
Definition: source-nfq.h:48
uint8_t mark_valid
Definition: source-nfq.h:80
#define PKT_STREAM_MODIFIED
Definition: decode.h:1094
void(* tmqh_out)(struct ThreadVars_ *, struct Packet_ *)
Definition: threadvars.h:80
void TmModuleVerdictNFQRegister(void)
Definition: source-nfq.c:200
Structure to hold thread specific data for all decode modules.
Definition: decode.h:632
void(* RegisterTests)(void)
Definition: tm-modules.h:65
TmEcode(* ThreadDeinit)(ThreadVars *, void *)
Definition: tm-modules.h:49
#define SCEnter(...)
Definition: util-debug.h:337
struct TmSlot_ * slot_next
Definition: tm-threads.h:87
#define PKT_REBUILT_FRAGMENT
Definition: decode.h:1119
struct NFQQueueVars_::@134 verdict_cache
uint8_t len
Definition: source-nfq.h:81
TmEcode VerdictNFQ(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *)
NFQ verdict module packet entry function.
Definition: source-nfq.c:1222
uint32_t ifi
Definition: source-nfq.h:46
#define SCMutexInit(mut, mutattrs)
NFQMode mode
Definition: source-nfq.c:171
struct nfnl_handle * nh
Definition: source-nfq.h:54
#define SCReturnInt(x)
Definition: util-debug.h:341
LiveDevice * LiveGetDevice(const char *name)
Get a pointer to the device at idx.
Definition: util-device.c:248
#define SCNtohl(x)
void(* ThreadExitPrintStats)(ThreadVars *, void *)
Definition: tm-modules.h:48
#define PACKET_UPDATE_ACTION(p, a)
Definition: decode.h:865
TmEcode VerdictNFQThreadInit(ThreadVars *, const void *, void **)
Definition: source-nfq.c:815
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281
#define T_DATA_SIZE
const char * name
Definition: tm-modules.h:44
#define NFQ_BURST_FACTOR
Definition: source-nfq.c:117
#define SCMalloc(a)
Definition: util-mem.h:166
SCMutex tunnel_mutex
Definition: decode.h:587
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:254
int PacketSetData(Packet *p, uint8_t *pktdata, uint32_t pktlen)
Set data for Packet and set length when zeo copy is used.
Definition: decode.c:638
struct NFQThreadVars_ NFQThreadVars
uint32_t flags
Definition: source-nfq.c:177
#define SCFree(a)
Definition: util-mem.h:228
#define NFQMutexLock(nq)
Definition: source-nfq.c:409
#define SCLogNotice(...)
Macro used to log NOTICE messages.
Definition: util-debug.h:269
TmModule tmm_modules[TMM_SIZE]
Definition: tm-modules.h:73
LiveDevice * livedev
Definition: source-nfq.c:132
TmEcode ReceiveNFQThreadDeinit(ThreadVars *, void *)
Definition: source-nfq.c:791
int ConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
Definition: conf.c:437
#define NFQ_MAX_QUEUE
Definition: source-nfq.h:34
uint8_t use_mutex
Definition: source-nfq.h:56
#define StatsSyncCountersIfSignalled(tv)
Definition: counters.h:136
uint16_t nfq_index
Definition: source-nfq.c:128
TmEcode(* ThreadInit)(ThreadVars *, const void *, void **)
Definition: tm-modules.h:47
uint8_t verdicted
Definition: source-nfq.h:43
uint32_t bypass_mask
Definition: source-nfq.c:175
#define NFQ_FLAG_FAIL_OPEN
Definition: source-nfq.c:168
uint32_t mask
Definition: source-nfq.c:173
void TmModuleReceiveNFQRegister(void)
Definition: source-nfq.c:183
struct nfq_handle * h
Definition: source-nfq.h:53
uint32_t ifo
Definition: source-nfq.h:47
#define GET_PKT_DATA(p)
Definition: decode.h:223
void DecodeUpdatePacketCounters(ThreadVars *tv, const DecodeThreadVars *dtv, const Packet *p)
Definition: decode.c:558
uint32_t mark
Definition: source-nfq.h:45
char name[16]
Definition: threadvars.h:59
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1131
struct NFQCnf_ NFQCnf
void * NFQGetQueue(int number)
Get a pointer to the NFQ queue at index.
Definition: source-nfq.c:960
void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s)
Definition: decode.c:698
NFQPacketVars nfq_v
Definition: decode.h:457
NFQCnf nfq_config
Definition: source-nfq.c:181
Per thread variable structure.
Definition: threadvars.h:57
struct timeval ts
Definition: decode.h:449
#define GET_PKT_LEN(p)
Definition: decode.h:222
uint16_t UtilCpuGetNumProcessorsOnline(void)
Get the number of cpus online in the system.
Definition: util-cpu.c:99
#define PKT_MARK_MODIFIED
Definition: decode.h:1095
#define ACTION_DROP
uint32_t flags
Definition: decode.h:441
void DecodeThreadVarsFree(ThreadVars *tv, DecodeThreadVars *dtv)
Definition: decode.c:618
uint32_t pkts
Definition: source-nfq.h:70
int PacketCopyData(Packet *p, uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:258
void TmModuleDecodeNFQRegister(void)
Definition: source-nfq.c:210
ThreadVars * tv
Definition: source-nfq.c:129
CaptureStats stats
Definition: source-nfq.c:137
IPV4Hdr ip4h
struct Packet_ * root
Definition: decode.h:577