aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd461c7888a'
${ noResults }
suricata/src/source-af-packet.h

153 lines
4.1 KiB
C
Raw Normal View History Unescape Escape

af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
/* Copyright (C) 2011,2012 Open Information Security Foundation
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Eric Leblond <eric@regit.org>
*/
#ifndef __SOURCE_AFP_H__
#define __SOURCE_AFP_H__
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
#ifndef HAVE_PACKET_FANOUT /* not defined if linux/if_packet.h trying to force */
#define HAVE_PACKET_FANOUT 1
#define PACKET_FANOUT 18
#define PACKET_FANOUT_HASH 0
#define PACKET_FANOUT_LB 1
#define PACKET_FANOUT_CPU 2
af-packet: sync header with latest features Sync the replacement define with the latest Linux code. This patch also updates the detection part in configure.ac to do a declaration of all fields if the newest features are not present.
10 years ago
#define PACKET_FANOUT_ROLLOVER 3
#define PACKET_FANOUT_RND 4
#define PACKET_FANOUT_QM 5
#define PACKET_FANOUT_FLAG_ROLLOVER 0x1000
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
#define PACKET_FANOUT_FLAG_DEFRAG 0x8000
af-packet: fix compilation on new systems. Inclusion of if_packet.h was missing when the support of new options related to packet fanout is present in the file.
13 years ago
#else /* HAVE_PACKET_FANOUT */
#include <linux/if_packet.h>
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
#endif /* HAVE_PACKET_FANOUT */
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
#include "queue.h"
af-packet: finalize code This patch handles the end of AF_PACKET socket support work. It provides conditional compilation, autofp and single runmode. It also adds a 'defrag' option which is used to activate defrag support in kernel to avoid rx_hash computation in flow mode to fail due to fragmentation. This patch contains some fixes by Anoop Saldanha, and incorporate change following review by Anoop Saldanha and Victor Julien. AF_PACKET support is only build if the --enable-af-packet flag is given to the configure command line. Detection of code availability is also done: a check of the existence of AF_PACKET in standard header is done. It seems this variable is Linux specific and it should be enough to avoid compilation of AF_PACKET support on other OSes. Compilation does not depend on up-to-date headers on the system. If none are present, wemake our own declaration of FANOUT variables. This will permit compilation of the feature for system where only the kernel has been updated to a version superior to 3.1.
14 years ago
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
13 years ago
/* value for flags */
#define AFP_RING_MODE (1<<0)
af-packet: Implement zero copy This patch adds support for zero copy to AF_PACKET running mode. This requires to use the 'worker' mode which is the only one where the threading architecture is simple enough to permit this without heavy modification.
13 years ago
#define AFP_ZERO_COPY (1<<1)
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
#define AFP_SOCK_PROTECT (1<<2)
af-packet: add optional emergency mode Flush all waiting packets to be in sync with kernel when drop occurs. This mode can be activated by setting use-emergency-flush to yes in the interface configuration.
13 years ago
#define AFP_EMERGENCY_MODE (1<<3)
af-packet: tpacket_v3 implementation This patch adds a basic implementation of AF_PACKET tpacket v3. It is basic in the way it is only working for 'workers' runnning mode. If not in 'workers' mode there is a fallback to tpacket_v2. Feature is activated via tpacket-v3 option in the af-packet section of Suricata YAML.
12 years ago
#define AFP_TPACKET_V3 (1<<4)
af-packet: cleaning and hole hunting Reorder fields in AFPThreadVars and suppress some that were not used elsewhere than in the initialization.
9 years ago
#define AFP_VLAN_DISABLED (1<<5)
af-packet: add option to use memory locked mmap
9 years ago
#define AFP_MMAP_LOCKED (1<<6)
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
#define AFP_COPY_MODE_NONE 0
#define AFP_COPY_MODE_TAP 1
#define AFP_COPY_MODE_IPS 2
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
13 years ago
af-packet: multi interface support This patch adds multi interface support to AF_PACKET. A structure is used at thread creation to give all needed information to the input module. Parsing of the options is done in runmode preparation through a dedicated function which return the configuration in a structure usable by thread creation.
14 years ago
#define AFP_FILE_MAX_PKTS 256
#define AFP_IFACE_NAME_LENGTH 48
af-packet: configurable tpacket_v3 block timeout Block timeout defines the maximum filling duration of a block.
9 years ago
/* In kernel the allocated block size is allocated using the formula
* page_size << order. So default value is using the same formula with
* an order of 3 which guarantee we have some room in the block compared
* to standard frame size */
af-packet: configurable tpacket_v3 block size It is used to set the block size in tpacket_v3. It will allow user to tune the capture depending on his bandwidth. Default block size value has been updated to a bigger value to allow more efficient wlak on block.
9 years ago
#define AFP_BLOCK_SIZE_DEFAULT_ORDER 3
af-packet: multi interface support This patch adds multi interface support to AF_PACKET. A structure is used at thread creation to give all needed information to the input module. Parsing of the options is done in runmode preparation through a dedicated function which return the configuration in a structure usable by thread creation.
14 years ago
typedef struct AFPIfaceConfig_
{
char iface[AFP_IFACE_NAME_LENGTH];
/* number of threads */
int threads;
/* socket buffer size */
int buffer_size;
af-packet: improve mmaped running mode. The mmaped mode was using a too small ring buffer size which was not able to handle burst of packets coming from the network. This may explain the important packet loss rate observed by Edward Fjellskål. This patch increases the default value and adds a ring-size variable which can be used to manually tune the value.
13 years ago
/* ring size in number of packets */
int ring_size;
af-packet: configurable tpacket_v3 block timeout Block timeout defines the maximum filling duration of a block.
9 years ago
/* block size for tpacket_v3 in */
af-packet: configurable tpacket_v3 block size It is used to set the block size in tpacket_v3. It will allow user to tune the capture depending on his bandwidth. Default block size value has been updated to a bigger value to allow more efficient wlak on block.
9 years ago
int block_size;
af-packet: configurable tpacket_v3 block timeout Block timeout defines the maximum filling duration of a block.
9 years ago
/* block timeout for tpacket_v3 in milliseconds */
int block_timeout;
af-packet: multi interface support This patch adds multi interface support to AF_PACKET. A structure is used at thread creation to give all needed information to the input module. Parsing of the options is done in runmode preparation through a dedicated function which return the configuration in a structure usable by thread creation.
14 years ago
/* cluster param */
int cluster_id;
int cluster_type;
af-packet: Add option to disable promiscuous mode This patch adds an option to suricata.yaml to be able to disable the switch of the interface into promiscuous mode.
14 years ago
/* promisc mode */
int promisc;
af-packet: mmap support This patch adds mmap support for af-packet. Suricata now makes use of the ring buffer feature of AF_PACKET if 'use-mmap' variable is set to yes on an interface.
13 years ago
/* misc use flags including ring mode */
int flags;
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
int copy_mode;
af-packet: add support for checksum verif mode This patch adds support for checksum verification mode. Auto mode is not yet supported.
13 years ago
ChecksumValidationMode checksum_mode;
af-packet: add support for BPF filter. This patch adds support for BPF in AF_PACKET running mode. The command line syntax is the same as the one used of PF_RING. The method is the same too: The pcap_compile__nopcap() function is used to build the BPF filter. It is then injected into the kernel with a setsockopt() call. If the adding of the BPF fail, suricata exit.
13 years ago
char *bpf_filter;
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
char *out_iface;
runmode: introduce configuration dereferencing. A devide configuration can be used by multiple threads. It is thus necessary to wait that all threads stop using the configuration before freeing it. This patch introduces an atomic counter and a free function which has to be called by each thread when it will not use anymore the structure. If the configuration is not used anymore, it is freed by the free function.
14 years ago
SC_ATOMIC_DECLARE(unsigned int, ref);
void (*DerefFunc)(void *);
af-packet: multi interface support This patch adds multi interface support to AF_PACKET. A structure is used at thread creation to give all needed information to the input module. Parsing of the options is done in runmode preparation through a dedicated function which return the configuration in a structure usable by thread creation.
14 years ago
} AFPIfaceConfig;
af-packet: add doxygen comments This patch adds doxygen comments to newly introduced function and adds module AF_PACKET doxygen module with a dedicated AFP peers module.
13 years ago
/**
* \ingroup afppeers
* @{
*/
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
typedef struct AFPPeer_ {
SC_ATOMIC_DECLARE(int, socket);
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
SC_ATOMIC_DECLARE(int, sock_usage);
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
SC_ATOMIC_DECLARE(int, if_idx);
int flags;
af-packet: pack AFPPeer structure
9 years ago
SCMutex sock_protect;
af-packet: implement late open This patch implements "late open". On high performance system, it is needed to create the AF_PACKET just before reading to avoid overflow. Socket creation has to be done with respect to the order of thread creation to respect affinity settings. This patch adds a counter to AFPPeer to be ale to synchronize the initial socket creation.
13 years ago
int turn; /**< Field used to store initialisation order. */
af-packet: pack AFPPeer structure
9 years ago
SC_ATOMIC_DECLARE(uint8_t, state);
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
struct AFPPeer_ *peer;
TAILQ_ENTRY(AFPPeer_) next;
af-packet: pack AFPPeer structure
9 years ago
char iface[AFP_IFACE_NAME_LENGTH];
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
} AFPPeer;
af-packet: clean APFPacketVar before release. This patch resets the AFPPacketVar linked to a Packet in the release function to avoid any side effect when the packet is reused. To do so a new AFPV_CLEANUP macro has been introduced.
13 years ago
/**
* \brief per packet AF_PACKET vars
*
* This structure is used y the release data system and is cleaned
* up by the AFPV_CLEANUP macro below.
*/
capture: add data release mechanism This patch adds a data release mechanism. If the capture module has a call to indicate that userland has finished with the data, it is possible to use this system. The data will then be released when the treatment of the packet is finished. To do so the Packet structure has been modified: + TmEcode (*ReleaseData)(ThreadVars *, struct Packet_ *); If ReleaseData is null, the function is called when the treatment of the Packet is finished. Thus it is sufficient for the capture module to code a function wrapping the data release mechanism and to assign it to ReleaseData field. This patch also includes an implementation of this mechanism for AF_PACKET.
13 years ago
typedef struct AFPPacketVars_
{
void *relptr;
af-packet: rework socket transition phase. Suricata was not able to start cleanly in AF_PACKET with default suricata.yaml file if there was no eth1 on the system. This patch fixes this issue and rework the socket transition phase to fix some serious issues (file descriptor leak) found when fixing this problem. Every 20 seconds it displays a message to the user to warn him about the interface not being accessible: [ERRCODE: SC_ERR_AFP_CREATE(196)] - Can not open iface 'eth1'
13 years ago
AFPPeer *peer; /**< Sending peer for IPS/TAP mode */
/** Pointer to ::AFPPeer used for capture. Field is used to be able
* to do reference counting.
*/
AFPPeer *mpeer;
af-packet: cleaning and hole hunting Reorder fields in AFPThreadVars and suppress some that were not used elsewhere than in the initialization.
9 years ago
uint8_t copy_mode;
capture: add data release mechanism This patch adds a data release mechanism. If the capture module has a call to indicate that userland has finished with the data, it is possible to use this system. The data will then be released when the treatment of the packet is finished. To do so the Packet structure has been modified: + TmEcode (*ReleaseData)(ThreadVars *, struct Packet_ *); If ReleaseData is null, the function is called when the treatment of the Packet is finished. Thus it is sufficient for the capture module to code a function wrapping the data release mechanism and to assign it to ReleaseData field. This patch also includes an implementation of this mechanism for AF_PACKET.
13 years ago
} AFPPacketVars;
af-packet: clean APFPacketVar before release. This patch resets the AFPPacketVar linked to a Packet in the release function to avoid any side effect when the packet is reused. To do so a new AFPV_CLEANUP macro has been introduced.
13 years ago
#define AFPV_CLEANUP(afpv) do { \
(afpv)->relptr = NULL; \
(afpv)->copy_mode = 0; \
(afpv)->peer = NULL; \
(afpv)->mpeer = NULL; \
} while(0)
af-packet: add doxygen comments This patch adds doxygen comments to newly introduced function and adds module AF_PACKET doxygen module with a dedicated AFP peers module.
13 years ago
/**
* @}
*/
capture: add data release mechanism This patch adds a data release mechanism. If the capture module has a call to indicate that userland has finished with the data, it is possible to use this system. The data will then be released when the treatment of the packet is finished. To do so the Packet structure has been modified: + TmEcode (*ReleaseData)(ThreadVars *, struct Packet_ *); If ReleaseData is null, the function is called when the treatment of the Packet is finished. Thus it is sufficient for the capture module to code a function wrapping the data release mechanism and to assign it to ReleaseData field. This patch also includes an implementation of this mechanism for AF_PACKET.
13 years ago
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
void TmModuleReceiveAFPRegister (void);
void TmModuleDecodeAFPRegister (void);
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
TmEcode AFPPeersListInit();
TmEcode AFPPeersListCheck();
void AFPPeersListClean();
af-packet: don't check GRO LRO on non ethernet This way we avoid an error message when sniffing on a non Ethernet device.
9 years ago
int AFPGetLinkType(const char *ifname);
af-packet: IPS and TAP feature This patch adds a new feature to AF_PACKET capture mode. It is now possible to use AF_PACKET in IPS and TAP mode: all traffic received on a interface will be forwarded (at the Ethernet level) to an other interface. To do so, Suricata create a raw socket and sends the receive packets to a interface designed in the configuration file. This patch adds two variables to the configuration of af-packet interface: copy-mode: ips or tap copy-iface: eth1 #the interface where packet are copied If copy-mode is set to ips then the packet wth action DROP are not copied to the destination interface. If copy-mode is set to tap, all packets are copied to the destination interface. Any other value of copy-mode results in the feature to be unused. There is no default interface for copy-iface and the variable has to be set for the ids or tap mode to work. For now, this feature depends of the release data system. This implies you need to activate the ring mode and zero copy. Basically use-mmap has to be set to yes. This patch adds a peering of AF_PACKET sockets from the thread on one interface to the threads on another interface. Peering is necessary as if we use an other socket the capture socket receives all emitted packets. This is made using a new AFPPeer structure to avoid direct interaction between AFPTreadVars. There is currently a bug in Linux kernel (prior to 3.6) and it is not possible to use multiple threads. You need to setup two interfaces with equality on the threads variable. copy-mode variable must be set on the two interfaces and use-mmap must be set to activated. A valid configuration for an IPS using eth0 and vboxnet1 interfaces will look like: af-packet: - interface: eth0 threads: 1 defrag: yes cluster-type: cluster_flow cluster-id: 98 copy-mode: ips copy-iface: vboxnet1 buffer-size: 64535 use-mmap: yes - interface: vboxnet1 threads: 1 cluster-id: 97 defrag: yes cluster-type: cluster_flow copy-mode: ips copy-iface: eth0 buffer-size: 64535 use-mmap: yes
13 years ago
af-packet: test if fanout is supported before use Older system may pretend they can support FANOUT but then fail to work at runtime. CentOS6 is an example of this. It would fail to start up with the default configuration with errors like: [15770] 21/6/2016 -- 16:00:13 - (tm-threads.c:2168) <Notice> (TmThreadWaitOnThreadInit) -- all 4 packet processing threads, 4 management threads initialized, engine started. [15785] 21/6/2016 -- 16:00:13 - (source-af-packet.c:1907) <Error> (AFPCreateSocket) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Coudn't set fanout mode, error Protocol not available [15785] 21/6/2016 -- 16:00:13 - (source-af-packet.c:1337) <Error> (ReceiveAFPLoop) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error [15770] 21/6/2016 -- 16:00:13 - (suricata.c:2664) <Notice> (main) -- Signal Received. Stopping engine. [15787] 21/6/2016 -- 16:00:13 - (source-af-packet.c:1907) <Error> (AFPCreateSocket) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Coudn't set fanout mode, error Protocol not available [15788] 21/6/2016 -- 16:00:13 - (source-af-packet.c:1907) <Error> (AFPCreateSocket) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Coudn't set fanout mode, error Protocol not available [15786] 21/6/2016 -- 16:00:13 - (source-af-packet.c:1907) <Error> (AFPCreateSocket) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Coudn't set fanout mode, error Protocol not available [15789] 21/6/2016 -- 16:00:13 - (flow-manager.c:693) <Perf> (FlowManager) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state [15787] 21/6/2016 -- 16:00:13 - (source-af-packet.c:1337) <Error> (ReceiveAFPLoop) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error [15788] 21/6/2016 -- 16:00:13 - (source-af-packet.c:1337) <Error> (ReceiveAFPLoop) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error [15786] 21/6/2016 -- 16:00:13 - (source-af-packet.c:1337) <Error> (ReceiveAFPLoop) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error This patch adds a test that if run before the number of threads is determined. If the test fails, only 1 thread is created.
9 years ago
int AFPIsFanoutSupported(void);
af-packet: basic support for AF_PACKET socket This patch provides basic support for AF_PACKET socket. It is completed by a subsequent patches prodiding extended features and bugfixes.
14 years ago
#endif /* __SOURCE_AFP_H__ */