plugins: support for capture plugins

Allow a plugin to register itself as a capture source. This isn't that much different than how current sources register, it just happens a little later on during startup. One "slot" is reserved for capture plugins, but multiple plugins implementing a capture can be loaded. The --capture-plugin command line option must be used to tell Suricata which plugin to use. This is still very much a work in progress, but can load PF_RING as a capture plugin.
5 years ago · e10d107415
parent 8fb35236e6
commit e10d107415
11 changed files with 91 additions and 7 deletions
--- a/src/decode.h
+++ b/src/decode.h
@ -28,6 +28,7 @@
 #define COUNTERS
 #include "suricata-common.h"
 #include "suricata-plugin.h"
 #include "threadvars.h"
 #include "util-debug.h"
 #include "decode-events.h"
@ -479,6 +480,9 @@ typedef struct Packet_
        WinDivertPacketVars windivert_v;
 #endif /* WINDIVERT */
        /* A chunk of memory that a plugin can use for its packet vars. */
        uint8_t plugin_v[PLUGIN_VAR_SIZE];
        /** libpcap vars: shared by Pcap Live mode and Pcap File mode */
        PcapPacketVars pcap_v;
    };
--- a/src/runmode-unix-socket.c
+++ b/src/runmode-unix-socket.c
@ -573,7 +573,7 @@ static TmEcode UnixSocketPcapFilesCheck(void *data)
    PreRunInit(RUNMODE_PCAP_FILE);
    PreRunPostPrivsDropInit(RUNMODE_PCAP_FILE);
-    RunModeDispatch(RUNMODE_PCAP_FILE, NULL);
+    RunModeDispatch(RUNMODE_PCAP_FILE, NULL, NULL, NULL);
    /* Un-pause all the paused threads */
    TmThreadWaitOnThreadInit();
--- a/src/runmodes.c
+++ b/src/runmodes.c
@ -38,6 +38,7 @@
 #include "runmodes.h"
 #include "util-unittest.h"
 #include "util-misc.h"
 #include "util-plugin.h"
 #include "output.h"
@ -54,6 +55,8 @@
 #include "flow-bypass.h"
 #include "counters.h"
 #include "suricata-plugin.h"
 int debuglog_enabled = 0;
 int threading_set_cpu_affinity = FALSE;
@ -122,6 +125,8 @@ static const char *RunModeTranslateModeToName(int runmode)
 #else
            return "PFRING(DISABLED)";
 #endif
        case RUNMODE_PLUGIN:
            return "PLUGIN";
        case RUNMODE_NFQ:
            return "NFQ";
        case RUNMODE_NFLOG:
@ -275,7 +280,8 @@ void RunModeListRunmodes(void)
 /**
 */
-void RunModeDispatch(int runmode, const char *custom_mode)
+void RunModeDispatch(int runmode, const char *custom_mode,
    const char *capture_plugin_name, const char *capture_plugin_args)
 {
    char *local_custom_mode = NULL;
@ -301,6 +307,15 @@ void RunModeDispatch(int runmode, const char *custom_mode)
                custom_mode = RunModeIdsPfringGetDefaultMode();
                break;
 #endif
            case RUNMODE_PLUGIN: {
                SCCapturePlugin *plugin = SCPluginFindCaptureByName(capture_plugin_name);
                if (plugin == NULL) {
                    FatalError(SC_ERR_PLUGIN, "No capture plugin found with name %s",
                            capture_plugin_name);
                }
                custom_mode = (const char *)plugin->GetDefaultMode();
                break;
            }
            case RUNMODE_NFQ:
                custom_mode = RunModeIpsNFQGetDefaultMode();
                break;
--- a/src/runmodes.h
+++ b/src/runmodes.h
@ -40,6 +40,7 @@ enum RunModes {
    RUNMODE_NAPATECH,
    RUNMODE_UNIX_SOCKET,
    RUNMODE_WINDIVERT,
    RUNMODE_PLUGIN,
    RUNMODE_USER_MAX, /* Last standard running mode */
    RUNMODE_LIST_KEYWORDS,
    RUNMODE_LIST_APP_LAYERS,
@ -77,7 +78,7 @@ char *RunmodeGetActive(void);
 const char *RunModeGetMainMode(void);
 void RunModeListRunmodes(void);
-void RunModeDispatch(int, const char *);
+void RunModeDispatch(int, const char *, const char *capture_plugin_name, const char *capture_plugin_args);
 void RunModeRegisterRunModes(void);
 void RunModeRegisterNewRunMode(enum RunModes, const char *, const char *,
                               int (*RunModeFunc)(void));
--- a/src/suricata-plugin.h
+++ b/src/suricata-plugin.h
@ -25,6 +25,12 @@
 #include "conf.h"
 /**
 * The size of the data chunk inside each packet structure a plugin
 * has for private data (Packet->plugin_v).
 */
 #define PLUGIN_VAR_SIZE 64
 /**
 * Structure to define a Suricata plugin.
 */
@ -50,4 +56,13 @@ typedef struct SCPluginFileType_ {
 bool SCPluginRegisterFileType(SCPluginFileType *);
 typedef struct SCCapturePlugin_ {
    char *name;
    void (*Init)(const char *args, int plugin_slot, int receive_slot, int decode_slot);
    const char *(*GetDefaultMode)(void);
    TAILQ_ENTRY(SCCapturePlugin_) entries;
 } SCCapturePlugin;
 int SCPluginRegisterCapture(SCCapturePlugin *);
 #endif /* __SURICATA_PLUGIN_H */
--- a/src/suricata.c
+++ b/src/suricata.c
@ -1202,6 +1202,9 @@ static TmEcode ParseCommandLine(int argc, char** argv, SCInstance *suri)
        {"no-random", 0, &g_disable_randomness, 1},
        {"strict-rule-keywords", optional_argument, 0, 0},
        {"capture-plugin", required_argument, 0, 0},
        {"cpature-plugin-args", required_argument, 0, 0},
 #ifdef BUILD_UNIX_SOCKET
        {"unix-socket", optional_argument, 0, 0},
 #endif
@ -1293,6 +1296,13 @@ static TmEcode ParseCommandLine(int argc, char** argv, SCInstance *suri)
                return TM_ECODE_FAILED;
 #endif /* HAVE_PFRING */
            }
            else if (strcmp((long_opts[option_index]).name , "capture-plugin") == 0){
                suri->run_mode = RUNMODE_PLUGIN;
                suri->capture_plugin_name = optarg;
            }
            else if (strcmp((long_opts[option_index]).name , "capture-plugin-args") == 0){
                suri->capture_plugin_args = optarg;
            }
            else if (strcmp((long_opts[option_index]).name , "af-packet") == 0)
            {
                if (ParseCommandLineAfpacket(suri, optarg) != TM_ECODE_OK) {
@ -2550,7 +2560,7 @@ int PostConfLoadedSetup(SCInstance *suri)
    FeatureTrackingRegister(); /* must occur prior to output mod registration */
    RegisterAllModules();
-    SCPluginsLoad();
+    SCPluginsLoad(suri->capture_plugin_name, suri->capture_plugin_args);
    AppLayerHtpNeedFileInspection();
@ -2792,7 +2802,8 @@ int SuricataMain(int argc, char **argv)
    }
    SCSetStartTime(&suricata);
-    RunModeDispatch(suricata.run_mode, suricata.runmode_custom_mode);
+    RunModeDispatch(suricata.run_mode, suricata.runmode_custom_mode,
            suricata.capture_plugin_name, suricata.capture_plugin_args);
    if (suricata.run_mode != RUNMODE_UNIX_SOCKET) {
        UnixManagerThreadSpawnNonRunmode();
    }
--- a/src/suricata.h
+++ b/src/suricata.h
@ -158,6 +158,9 @@ typedef struct SCInstance_ {
    const char *progname; /**< pointer to argv[0] */
    const char *conf_filename;
    char *strict_rule_parsing_string;
    const char *capture_plugin_name;
    const char *capture_plugin_args;
 } SCInstance;
--- a/src/tm-modules.c
+++ b/src/tm-modules.c
@ -213,6 +213,8 @@ const char * TmModuleTmmIdToString(TmmId id)
        CASE_CODE (TMM_DECODEPCAPFILE);
        CASE_CODE (TMM_RECEIVEPFRING);
        CASE_CODE (TMM_DECODEPFRING);
        CASE_CODE (TMM_RECEIVEPLUGIN);
        CASE_CODE (TMM_DECODEPLUGIN);
        CASE_CODE (TMM_RESPONDREJECT);
        CASE_CODE (TMM_DECODEIPFW);
        CASE_CODE (TMM_VERDICTIPFW);
--- a/src/tm-threads-common.h
+++ b/src/tm-threads-common.h
@ -41,6 +41,8 @@ typedef enum {
    TMM_DECODEPCAPFILE,
    TMM_RECEIVEPFRING,
    TMM_DECODEPFRING,
    TMM_RECEIVEPLUGIN,
    TMM_DECODEPLUGIN,
    TMM_RESPONDREJECT,
    TMM_DECODEIPFW,
    TMM_VERDICTIPFW,
--- a/src/util-plugin.c
+++ b/src/util-plugin.c
@ -26,6 +26,8 @@
 static TAILQ_HEAD(, SCPluginFileType_) output_types =
    TAILQ_HEAD_INITIALIZER(output_types);
 static TAILQ_HEAD(, SCCapturePlugin_) capture_plugins = TAILQ_HEAD_INITIALIZER(capture_plugins);
 static void InitPlugin(char *path)
 {
    void *lib = dlopen(path, RTLD_NOW);
@ -48,7 +50,7 @@ static void InitPlugin(char *path)
    }
 }
-void SCPluginsLoad(void)
+void SCPluginsLoad(const char *capture_plugin_name, const char *capture_plugin_args)
 {
    ConfNode *conf = ConfGetNode("plugins");
    if (conf == NULL) {
@ -82,6 +84,16 @@ void SCPluginsLoad(void)
            InitPlugin(plugin->val);
        }
    }
    if (run_mode == RUNMODE_PLUGIN) {
        SCCapturePlugin *capture = SCPluginFindCaptureByName(capture_plugin_name);
        if (capture == NULL) {
            FatalError(SC_ERR_PLUGIN, "No capture plugin found with name %s",
                    capture_plugin_name);
        }
        capture->Init(capture_plugin_args, RUNMODE_PLUGIN, TMM_RECEIVEPLUGIN,
                TMM_DECODEPLUGIN);
    }
 }
 /**
@ -139,6 +151,24 @@ SCPluginFileType *SCPluginFindFileType(const char *name)
    return NULL;
 }
 int SCPluginRegisterCapture(SCCapturePlugin *plugin)
 {
    TAILQ_INSERT_TAIL(&capture_plugins, plugin, entries);
    SCLogNotice("Capture plugin registered: %s", plugin->name);
    return 0;
 }
 SCCapturePlugin *SCPluginFindCaptureByName(const char *name)
 {
    SCCapturePlugin *plugin = NULL;
    TAILQ_FOREACH(plugin, &capture_plugins, entries) {
        if (strcmp(name, plugin->name) == 0) {
            return plugin;
        }
    }
    return plugin;
 }
 #else
 void PluginsLoad(void)
--- a/src/util-plugin.h
+++ b/src/util-plugin.h
@ -20,7 +20,8 @@
 #include "suricata-plugin.h"
-void SCPluginsLoad(void);
+void SCPluginsLoad(const char *capture_plugin_name, const char *capture_plugin_args);
 SCPluginFileType *SCPluginFindFileType(const char *name);
 SCCapturePlugin *SCPluginFindCaptureByName(const char *name);
 #endif /* __UTIL_PLUGIN_H__ */