aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Support for PF_RING versions where packet passed as a reference and version 4.7.1 where pfring_enable_ring now seems to be required.

Browse Source
remotes/origin/master-1.1.x
William 15 years ago committed by Victor Julien
parent a0b4068041
commit 1099093e0f
3 changed files with 104 additions and 26 deletions
Show Stats Download Patch File Download Diff File

50
configure.in
Unescape Escape View File

@ -636,14 +636,54 @@ esac
fi fi
fi fi
AC_TRY_COMPILE([ #include <pfring.h> ], LIBPFRING_ENABLE_RING=""
[ pfring *pd; pd = pfring_open("eth1", 1, 1515, 1); pfring_set_cluster(pd, 99, cluster_round_robin); ], AC_CHECK_LIB(pfring, pfring_enable_ring,, LIBPFRING_ENABLE_RING="no")
[ pfring_cluster_type_available=yes ], [:] if test "$LIBPFRING_ENABLE_RING" != "no"; then
) AC_DEFINE([HAVE_PFRING_ENABLE],[1],[PF_RING pfring_enable_ring is available])
fi
AC_MSG_CHECKING([if pfring_set_cluster is available])
AC_TRY_COMPILE([
#include <pfring.h>
],
[
pfring *pd;
pd = pfring_open("eth1", 1, 1515, 1);
pfring_set_cluster(pd, 99, cluster_round_robin);
],
[ pfring_cluster_type_available=yes ], [:])
if test "$pfring_cluster_type_available" = "yes"; then if test "$pfring_cluster_type_available" = "yes"; then
CFLAGS="${CFLAGS} -DHAVE_PFRING_CLUSTER_TYPE" AC_DEFINE([HAVE_PFRING_CLUSTER_TYPE],[1],[PF_RING pfring_set_cluster is available])
AC_MSG_RESULT(yes)
else
AC_MSG_RESULT(no)
fi fi
STORE_CFLAGS="${CFLAGS}"
CFLAGS="${CFLAGS} -Werror"
AC_MSG_CHECKING([if pfring_recv expects u_char**])
AC_TRY_COMPILE([
#include <pfring.h>
],
[
u_char *buffer;
struct pfring_pkthdr hdr;
pfring *pd; memset(&hdr, 0, sizeof(hdr));
pd = pfring_open("eth1", 1, 1515, 1);
pfring_recv(pd, &buffer, 0, &hdr, 1);
],
[ pfring_recv_uchar_buff=yes ], [:])
CFLAGS="${STORE_CFLAGS}"
if test "$pfring_recv_uchar_buff" = "yes"; then
AC_DEFINE([HAVE_PFRING_RECV_UCHAR],[1],[PF_RING pfring_recv buffer is u_char**])
AC_MSG_RESULT(yes)
else
AC_MSG_RESULT(no)
fi
# libpcap # libpcap
AC_ARG_WITH(libpcap_includes, AC_ARG_WITH(libpcap_includes,

61
doc/INSTALL.PF_RING
Unescape Escape View File

@ -39,30 +39,56 @@ dkms install -m pf_ring -v 4
#if you issue the following command you can see that pf_ring should now be installed as DKMS module #if you issue the following command you can see that pf_ring should now be installed as DKMS module
dkms status dkms status
#Now lets go through the steps to build a PF_RING aware driver. #Now lets go through the steps to build a e1000e PF_RING aware driver.
mkdir /usr/src/e1000e-pf_ring-1.0.15 mkdir /usr/src/e1000e-pf_ring-1.3.10a
cp -Rf /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000e/old/e1000e-1.0.15/src/* /usr/src/e1000e-pf_ring-1.0.15/ cd /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000e/e1000e-1.3.10a/src/
#We copy this over so that DKMS can find it for driver rebuilds #We copy this over so that DKMS can find it for driver rebuilds
cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /usr/src/e1000e-pf_ring-1.0.15/ cp -Rf /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000e/e1000e-1.3.10a/src/* /usr/src/e1000e-pf_ring-1.3.10a/
cd /usr/src/e1000e-pf_ring-1.0.15/ cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /usr/src/e1000e-pf_ring-1.3.10a/
#Fix the path to pf_ring.h #Fix the path to pf_ring.h
sed -i -e 's/\.\.\/\.\.\/\.\.\/\.\.\/kernel\/linux\/pf\_ring\.h/pf\_ring\.h/' netdev.c cd /usr/src/e1000e-pf_ring-1.3.10a/
sed -i -e 's/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/kernel\/linux\/pf\_ring\.h/pf\_ring\.h/' netdev.c
#Create a file called dkms.conf and place the following into the file. #Create a file called dkms.conf and place the following into the file.
nano dkms.conf nano dkms.conf
PACKAGE_NAME="e1000e-pf_ring" PACKAGE_NAME="e1000e-pf_ring"
PACKAGE_VERSION="1.0.15" PACKAGE_VERSION="1.3.10a"
BUILT_MODULE_NAME[0]="e1000e" BUILT_MODULE_NAME[0]="e1000e"
DEST_MODULE_LOCATION[0]="/kernel/drivers/net/e1000e/" DEST_MODULE_LOCATION[0]="/kernel/drivers/net/e1000e/"
AUTOINSTALL="yes" AUTOINSTALL="yes"
#Build and install the module we don't build a deb as currently this appears to be broken in Ubuntu-10.04 #Build and install the module we don't build a deb as currently this appears to be broken in Ubuntu-10.04
dkms add -m e1000e-pf_ring -v 1.0.15 dkms add -m e1000e-pf_ring -v 1.3.10a
dkms build -m e1000e-pf_ring -v 1.0.15 dkms build -m e1000e-pf_ring -v 1.3.10a
dkms install -m e1000e-pf_ring -v 1.0.15 dkms install -m e1000e-pf_ring -v 1.3.10a
#Now lets go through the steps to build a e1000 PF_RING aware driver.
mkdir /usr/src/e1000-pf_ring-8.0.30
cd /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000/e1000-8.0.30/src/
#We copy this over so that DKMS can find it for driver rebuilds
cp -Rf /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000/e1000-8.0.30/src/* /usr/src/e1000-pf_ring-8.0.30
cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /usr/src/e1000-pf_ring-8.0.30
#Fix the path to pf_ring.h
cd /usr/src/e1000-pf_ring-8.0.30
sed -i -e 's/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/kernel\/linux\/pf\_ring\.h/pf\_ring\.h/' e1000_main.c
#Create a file called dkms.conf and place the following into the file.
nano dkms.conf
PACKAGE_NAME="e1000-pf_ring"
PACKAGE_VERSION="8.0.30"
BUILT_MODULE_NAME[0]="e1000"
DEST_MODULE_LOCATION[0]="/kernel/drivers/net/e1000/"
AUTOINSTALL="yes"
dkms add -m e1000-pf_ring -v 8.0.30
dkms build -m e1000-pf_ring -v 8.0.30
dkms install -m e1000-pf_ring -v 8.0.30
#Make the dir structure to hold are PF_RING enabled userland Apps. #Make the dir structure to hold are PF_RING enabled userland Apps.
mkdir -p /opt/PF_RING/{bin,lib,include/linux,sbin} mkdir -p /opt/PF_RING/{bin,lib,include/linux,sbin}
@ -76,21 +102,15 @@ cp -f pfring_e1000e_dna.h /opt/PF_RING/include
make && make install make && make install
#Build and install the PF_RING enabled libpcap #Build and install the PF_RING enabled libpcap
cd /usr/src/PF_RING_CURRENT_SVN/userland/libpcap-1.0.0-ring #PF_RING enabled libpcap
cd /usr/src/PF_RING_CURRENT_SVN/userland/libpcap-1.1.1-ring
./configure ./configure
sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/' Makefile sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/' Makefile
sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/' Makefile.in sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/' Makefile.in
./configure --prefix=/opt/PF_RING && make && make install ./configure --prefix=/opt/PF_RING && make && make install
#Build and install tcpdump using the PF_RING enabled version of libpcap #Build and install tcpdump using the PF_RING enabled version of libpcap
cd /usr/src/PF_RING_CURRENT_SVN/userland/tcpdump-4.0.0 cd /usr/src/PF_RING_CURRENT_SVN/userland/tcpdump-4.1.1
./configure
sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/' Makefile
sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/' Makefile.in
sed -i -e 's/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/' Makefile
sed -i -e 's/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/' Makefile.in
sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//' Makefile
sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//' Makefile.in
./configure LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/ --enable-ipv6 && make && make install ./configure LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/ --enable-ipv6 && make && make install
#Pull down the latest version of suricata from the git repo and build with PF_RING support. #Pull down the latest version of suricata from the git repo and build with PF_RING support.
@ -121,5 +141,6 @@ echo "options pf_ring transparent_mode=0 num_slots=32768 enable_tx_capture=0" >
modinfo pf_ring && cat /proc/net/pf_ring/info modinfo pf_ring && cat /proc/net/pf_ring/info
#If you need to uninstall PF_RING or rollback your PF_RING aware drivers to their previous state you can do so with the following commands. #If you need to uninstall PF_RING or rollback your PF_RING aware drivers to their previous state you can do so with the following commands.
dkms remove -m e1000e-pf_ring -v 1.0.15 --all dkms remove -m e1000e-pf_ring -v 1.3.10a --all
dkms remove -m e1000 -v 8.0.30 --all
dkms remove -m pf_ring -v 4 --all dkms remove -m pf_ring -v 4 --all

19
src/source-pfring.c
Unescape Escape View File

@ -219,11 +219,18 @@ TmEcode ReceivePfring(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, Pa
} }
/* Depending on what compile time options are used for pfring we either return 0 or -1 on error and always 1 for success */ /* Depending on what compile time options are used for pfring we either return 0 or -1 on error and always 1 for success */
#ifdef HAVE_PFRING_RECV_UCHAR
int r = pfring_recv(ptv->pd, (u_char**)&GET_PKT_DIRECT_DATA(p),
(u_int)GET_PKT_DIRECT_MAX_SIZE(p),
&hdr,
LIBPFRING_WAIT_FOR_INCOMING);
#else
int r = pfring_recv(ptv->pd, (char *)GET_PKT_DIRECT_DATA(p), int r = pfring_recv(ptv->pd, (char *)GET_PKT_DIRECT_DATA(p),
(u_int)GET_PKT_DIRECT_MAX_SIZE(p), (u_int)GET_PKT_DIRECT_MAX_SIZE(p),
&hdr, &hdr,
LIBPFRING_WAIT_FOR_INCOMING); LIBPFRING_WAIT_FOR_INCOMING);
#endif /* HAVE_PFRING_RECV_UCHAR */
if (r == 1) { if (r == 1) {
//printf("RecievePfring src %" PRIu32 " sport %" PRIu32 " dst %" PRIu32 " dstport %" PRIu32 "\n", //printf("RecievePfring src %" PRIu32 " sport %" PRIu32 " dst %" PRIu32 " dstport %" PRIu32 "\n",
// hdr.parsed_pkt.ipv4_src,hdr.parsed_pkt.l4_src_port, hdr.parsed_pkt.ipv4_dst,hdr.parsed_pkt.l4_dst_port); // hdr.parsed_pkt.ipv4_src,hdr.parsed_pkt.l4_src_port, hdr.parsed_pkt.ipv4_dst,hdr.parsed_pkt.l4_dst_port);
@ -308,6 +315,16 @@ TmEcode ReceivePfringThreadInit(ThreadVars *tv, void *initdata, void **data) {
return TM_ECODE_FAILED; return TM_ECODE_FAILED;
} }
/* It seems that as of 4.7.1 this is required */
#ifdef HAVE_PFRING_ENABLE
rc = pfring_enable_ring(ptv->pd);
if (rc != 0) {
SCLogError(SC_ERR_PF_RING_OPEN, "pfring_enable failed returned %d ", rc);
return TM_ECODE_FAILED;
}
#endif /* HAVE_PFRING_ENABLE */
SCLogInfo("(%s) Using PF_RING v.%d.%d.%d, interface %s, cluster-id %d", SCLogInfo("(%s) Using PF_RING v.%d.%d.%d, interface %s, cluster-id %d",
tv->name, (version & 0xFFFF0000) >> 16, (version & 0x0000FF00) >> 8, tv->name, (version & 0xFFFF0000) >> 16, (version & 0x0000FF00) >> 8,
version & 0x000000FF, ptv->interface, ptv->cluster_id); version & 0x000000FF, ptv->interface, ptv->cluster_id);

Write Preview
Loading…
Cancel
Save