Commit Graph

5739 Commits (64017cd29bf77aefed42bb1010f2e4bb1c9cac6c)

Author SHA1 Message Date
Eric Leblond dbb3e1976e util-decode-mime: fix IsIpv6Host function
Using in6_addr is better when calling inet_pton. This fixes an
issue reported by ASAN.
11 years ago
Eric Leblond 38750f1313 smtp-layer: remove FIXME and del excessive newline 11 years ago
Eric Leblond 6f04988ba1 output-json: add tx_id to events
This patch updates alert, stmp and http JSON logging to have a
tx_id in the root of the JSON log message.
11 years ago
Eric Leblond 113d6a3950 output-json: add create header with tx function
To be able to correlate between events, it is better to have the
tx_id information in the root object. This function adds a new
function to automate the addition of the field.
11 years ago
Eric Leblond 96412e8921 json-email: JsonEmailAddMetadata update
Add tx_id to the list of params to be in sync with recent changes.
11 years ago
Eric Leblond bf6b0145e2 json-http: gen metadata function with tx_id param 11 years ago
Eric Leblond d9b602fc0f json-smtp: add tx_id param to metadata generation
In all metadata generation contexts we know the tx_id so we better
used it to log the correct transaction and not an other one.
11 years ago
Eric Leblond 0ef0f1d526 json-smtp: change copyright date 11 years ago
Eric Leblond f03a7a032f json-alert: add smtp elements in alert 11 years ago
Eric Leblond 77a5273cde json-smtp: fix a debug message 11 years ago
Eric Leblond 946f2a6acc email-json: add bcc to extended fields 11 years ago
Eric Leblond fbd6428f1b smtp-layer: add MAIL FROM parsing test in unittest 11 years ago
Eric Leblond 534360fc02 smtp-layer: add HELO parsing test in unittest 11 years ago
Eric Leblond f81f353d1f email-json: add 'date' field extraction 11 years ago
Eric Leblond 6f033747ec util-decode-mime: add unittests for field fetching 11 years ago
Eric Leblond 17edff6c5e unittests: finally register MIME tests 11 years ago
Eric Leblond 6e0668125c email-json: improve log message 11 years ago
Eric Leblond dad1f85edb email-json: add author
Add myself as author and change the copyright date.
11 years ago
Eric Leblond caa8982b43 email-json: add some fields
This patch adds some fields to the list of extracted fields.
11 years ago
Eric Leblond ca52fa91dd email-json: body md5 logging is optional 11 years ago
Eric Leblond a719ea3c92 email-json: add capa to display subject md5
To be able to identify mails with identical subjects without
using the subject itself as a key, it is possible to use the md5
hash of the subjet string. This allows to limit the privacy impact.
11 years ago
Eric Leblond 881aa3efce email-json: don't log subject by default
It seems to be a bit too intrusive for the privacy so this patch
adds this field to the extended logging only.
11 years ago
Eric Leblond 7bb38f7c30 decode-mime: fix typo in comment 11 years ago
Eric Leblond 431dc155aa email-json: delete white space from "from"
The From field is handled separatly and it could also starts by
white spaces.
11 years ago
Eric Leblond abcaf46193 email-json: delete leading white spaces
Some mail clients are using tabulation and/or space for comma
separated list. This patch removes them so the event will contain
only significative characters.
11 years ago
Eric Leblond 4c0f8803e7 email-json: factorize the code 11 years ago
Eric Leblond a7ef0c05ba email-json: add LOG_EMAIL_COMMA type
extract these data types by treating them as a comma separated list.
11 years ago
Eric Leblond 3456ec467f email-json: add custom fields support
This patch adds a way to specify which MIME fields to log via
the custom keyword in the EVE configuration. it also adds an
extended logging where some fields are added. The logging support
mono value fields as well as multivalue fields via the use of
JSON array.
11 years ago
Eric Leblond 714c30a127 decode-mime: introduce MimeDecFindFieldsForEach
This patch introduces a new function that can be used to handle
multivalued MIME fields. A callback function can be called for
each corresponding field value.
11 years ago
Eric Leblond 54038f5691 file-json: log 'email' information
Log information coming from email/MIME decoding in the message.
11 years ago
Eric Leblond ab941305d5 email-json: add function to export data 11 years ago
Eric Leblond 77119a3186 file-json: output smtp proto info 11 years ago
Eric Leblond 47a199ee97 smtp-json: introduce function to output smtp data 11 years ago
Eric Leblond 94dbd303e4 file-json: log http data using common function 11 years ago
Eric Leblond 4ef12dcf5d alert-json: use new JsonHttpAddMetadata function
This patch uses the newly introduced function to handle the logging
of HTTP data.
11 years ago
Eric Leblond bccabe3813 http-json: introduce JsonHttpAddMetadata function
This function will be usable in other logging components to add
the http data to their messages.
11 years ago
Eric Leblond d7e13c2c03 email-json: output MIME parsing status
If the status is not PARSE_DONE then in that case we may have
imcomplete information. Increasing the stream reassemly depth
in that case would be a good idea.
11 years ago
Eric Leblond a233a982ea decode-mime: add function to get status
This new function return the textual status of MIME parsing.
11 years ago
Eric Leblond 9900558428 smtp: add 'body-md5' mime option
This option will allow the user to select weither or not he wants
to journalize the md5 of the mail body.
11 years ago
Eric Leblond ea311c1594 email-json: export md5sum of body
The body_md5 has been added and contain the value of the md5sum
of the body.

This patch is using the state PARSE_DONE on the MIME state to
detect when a message has been completely parsed.
11 years ago
Eric Leblond d39009ca58 decode-mime: compute body md5
This patch is computing the md5 sum of the body of the MIME message.
This will allow to detect messages with same content and sent to
different people.
11 years ago
Eric Leblond e43eb76abd app-layer-stmp: simplify code
Delete a only used once goto to a point where we only do a return.
11 years ago
Eric Leblond 0f3979cc81 output-json-smtp: output RCPT TO fields
This patch uses an array to output the RCPT TO fields to the
JSON message.
11 years ago
Eric Leblond 752fdba957 app-layer-smtp: parse and extract RCPT TO fields
Add the RCPT TO fields to a linked list stored in the transaction.
11 years ago
Eric Leblond 2abae3f0a1 smtp-json: update SMTP EVE messages
This patch updates SMTP message to have them feature a 'smtp'
section which will contain all fields coming from the smtp
protocol.
11 years ago
Eric Leblond 7bca8268bc app-layer-smtp: extract and store HELO and MAIL FROM
This patch updates the SMTP transaction and SMTP state to be able
to contain the HELO and MAIL FROM fields.
11 years ago
Eric Leblond 5c26a2f2c8 email-json: move email fields to email section
This patch changes the way smtp message are written. It is using
the "email" key to store the email related fields. This will
allow to do the same search through SMTP and IMAP if we implement
this last one.
11 years ago
Victor Julien 77302e5d51 threshold: remove debug message from info loglevel 11 years ago
Victor Julien fc7f090cd3 flow: add missing storage size to checks, output 11 years ago
Victor Julien 37fa4a4876 host: update host size logic
Instead of using (sizeof(Host)+HostStorageSize()) in many places,
create a simple size variable that is set during setup.
11 years ago
Victor Julien 480e91edac ippair: update ippair size logic
Instead of using (sizeof(IPPair)+IPPairStorageSize()) in many places,
create a simple size variable that is set during setup.
11 years ago
Victor Julien ff769b73a7 stream: improve retransmission detection
Consider packets starting before last_ack and ending after it also
to be retransmissions. This way we can see if they are having
different data.
11 years ago
Victor Julien 6b2f831a70 mpm: SGH maxlen was actually minlen, so rename 11 years ago
Victor Julien 2716c78628 mpm: improve SGH content len tracking
SGH's track content length for rule grouping.

This patch changes the logic to only consider the pattern that is
used in the mpm for a sig.
11 years ago
Victor Julien e529ebb50e mpm: redo uri maxlen logic
The mpm_uricontent_maxlen logic was meant to track the shortest
possible pattern in the MPM of a SGH. So a minlen more than a maxlen.

This patch replaces the complicated tracking logic by a simpler
scheme. When the SGH's are finalize, the minlen is calculated.

It also fixes a small corner case where the calculated "maxlen" could
be wrong. This would require a smaller pattern in a rule to be forced
as fast pattern.
11 years ago
Victor Julien df95d375bb detect: improve comments on mpm 11 years ago
Victor Julien 496f9800ac mpm: remove used counter 11 years ago
Victor Julien c53c9b4b20 mpm: remove bloated counting logic
Counters were only used to print debug info.
11 years ago
Victor Julien da7bad7c1b mpm: improve debug output 11 years ago
Victor Julien 977074930b mpm: use IPPROTO_TCP for readability 11 years ago
Victor Julien a559c41295 mpm: optimize & debug validate
Wrappers are called only if a mpm_ctx is available. So remove the test
for a null ctx and replace it by a debug validation BUG_ON.
11 years ago
Victor Julien 0dd3b73db2 mpm: assume we'll likely have a mpm_ctx 11 years ago
Victor Julien 7c336f4190 mpm: indent fix, no functional change 11 years ago
Victor Julien a00d83f1f5 mpm: change direction checking in mpm wrappers
Instead of having reachable assertions, use DEBUG_VALIDATE_BUG_ON
11 years ago
Victor Julien 804f861967 debug validation: introduce DEBUG_VALIDATE_BUG_ON
DEBUG_VALIDATE_BUG_ON(exp) will call BUG_ON(exp) if debug validation
is compiled in. Otherwise it's a no-op.
11 years ago
Victor Julien e755913b4b mpm: minor fixes and cleanups 11 years ago
Victor Julien cacf425bd3 stream: improve handling of GAPs at stream start
Detect and handle gaps at the start of the stream, when there may
be no segments in the list (yet).
11 years ago
Victor Julien 574ef0ad2a stream: RST last_ack update fix
Only use ACK if ACK flag was set and ACK value is valid.
11 years ago
Victor Julien 3ca44219dc proto detect: more bypass conditions
More exceptional cases for protocol detection. In very unbalanced flows,
where just a few bytes are sent toserver and many toclient, proto detect
might not complete in time on the toserver direction. This can lead to
queuing up many segments in the toclient direction.

Another case is that in come cases the stream is flagged as proto detect
done, but the flows proto detect flags are not set. This is now handled
by the ProtoDetectDone() check.
11 years ago
Victor Julien fa8dc77dcc debug validation: add segment list sanity check 11 years ago
Victor Julien e67188e437 detect: fix issue with smsg and seq wraps
Due to a broken sequence number check, detect could fail to process
smsgs in case of a sequence wrap. This could lead to excessive use
of smsg's but also of segments, since these aren't cleared until the
smsg containing them is.
11 years ago
Victor Julien 8ac49d9129 stream: allow next_seq catch up after pkt loss
If next_seq falls behind last_ack, force update it.
11 years ago
Victor Julien 596465b76d stream: use reassembly fast path after proto detect
Use the reassembly fast paths only after protocol detection has completed.
In some corner cases the sending of smaller segments lead to protocol
detection failing.
11 years ago
Victor Julien 34ed15e182 stream: fix protocol detection issue for GAPs
If the protocol required TOSERVER data first, but the SSN started with
a GAP, then the TOCLIENT side would get stuck in an expensive path:

1. it would run detection on TOCLIENT
2. it would try to force reassembly for TOSERVER
3. it would reset the detected protocol as TOSERVER failed
4. it would not evict any segment

This had 2 consequences:
1. on long running sessions this could lead to using lots of memory
   on segments, denying other sessions resources
2. wasted cycles on protocol detection and segment list management

This patch introduces a fix. It checks in the (2) stage above, whether
the opposing stream (that we depend on) it is a NOREASSEMBLY state. If
so, it gives up on this side of the session as well.
11 years ago
Victor Julien 708e80c900 stream: optimize proto detect segment handling
In case of protocol detection not yet being complete, the segment
list was walked unconditionally to unset the app layer processed
flag. Optimize this to bail on the first segment that doesn't have
the flag set.
11 years ago
Eric Leblond a286715367 host-storage: document host storage API 11 years ago
Jason Ish 06beca62f5 app-layer: template for application layer content inspection 11 years ago
Jason Ish bcda92134d app-layer: template for application layer tx logger 11 years ago
Jason Ish c1b921265f app-layer: template for application layer parser 11 years ago
Victor Julien cb060f16fd detect plugin: add template 11 years ago
Victor Julien 830dd32417 decoder: add template/example
Add fictional example / template for a packet decoder. It's not invoked
anywhere.
11 years ago
Victor Julien 371648a8c6 lua: TLS support
Support TLS in Lua detection scripts.

function init (args)
    local needs = {}
    needs["tls"] = tostring(true)
    return needs
end

function match(args)
    version, subject, issuer, fingerprint = TlsGetCertInfo();
    if version == nil then
        return 0
    end
    str = string.format("Version %s\nIssuer %s\nSubject %s\nFingerprint %s",
                        version, issuer, subject, fingerprint)
    SCLogInfo(str);
    return 1
end
11 years ago
Victor Julien 1e84950017 detect-lua: set direction 11 years ago
Victor Julien 8b3afb6986 lua: add direction support 11 years ago
Victor Julien a798cf9518 DNS: refactor tx completion logic
Use simple bool values to track the transaction state in both directions.

A tx is only created in two cases:
1. full request parsed
2. response parsed (request missing)

This is true even for multi-packet TCP requests.

This leads to the following tx completion logic for the request side:
the presence of a tx implies the request is complete

On the response side, we consider the tx complete when we have seen
the response. If the DNS parser thinks the response was lost, we also
flag the response side as complete.
11 years ago
Victor Julien 6b2fb3fd5d Fix minor format string issues 11 years ago
Victor Julien ba81c4d290 autotools: cleanup
Remove most of the CFLAGS updates from configure. Flags are now (mostly)
set in AM_CLFLAGS.

Update all -DBLAH additions to CFLAGS to use AC_DEFINE([BLAH], ...)

Improve Lua vs LuaJIT checking.

Improve the configure output a bit.

Lots of smaller cleanups.
11 years ago
Antti Tönkyrä 63a47967d7 source-pfring: don't set cluster mode when using ZC and VLAN tracking is disabled 11 years ago
gureedo c31660e5fd netmap: enable zero-copy mode only when copy-mode is specified.
Perform zero-copy checks only when copy-mode is specified.
11 years ago
Victor Julien cbf46c44ec transaction inspection: fix limit enforcement
Make sure we're never wrapping around the size value.
11 years ago
Antti Tönkyrä 834c36659e Allow colon in SSH version, at least some trojaned PuTTY clients have version like Putty-Local: Timestamp HH:MM:SS 11 years ago
Victor Julien 1235c578b2 xff: support ports and more ipv6 notations
It's not uncommon to see an header like:
X-Forwarded-For: 1.2.3.4:56789

This patch recognizes this case and ignores the port. It also supports
this for IPv6 if the address has the following notation:
X-Forwarded-For: [12::34]:1234

This patch also adds unittests.
11 years ago
Victor Julien 979bd35277 detect loader: move to own file 11 years ago
Victor Julien cfeaf42cab detect-loaders: configurable amount of loaders 11 years ago
Victor Julien f871c0e1b8 debug: packet pool init/destroy validation
Validate packet pool handling:
- pools are initialized before use
- pools are not used after destroy
- pools are not double initialized/destroyed
11 years ago
Victor Julien e44fd97d72 unittests: use a global packetpool 11 years ago
Victor Julien 99c0a7ad72 multi-detect: improve memory handling of setup code 11 years ago
Victor Julien b7b27684c2 multi-detect: detect loader for unix socket
Move the tenant load and reload commands to be executed by the detect
loader thread(s).

Limitation: no yaml parsing in parallel. The Conf API is currently not
thread safe, so don't load the tenant config (yaml) in parallel.
11 years ago
Victor Julien eb09118d64 detect: create loader threads
To speed up startup with many tenants, tenant loading will be parallelized.
As no tempary threads should be used for these memory allocation heavy
tasks, this patch adds new type of 'command' thread that can be used to
load and reload tenants.

This patch hardcodes the number of loaders to 4. Future work will make it
dynamic.

The loader thread essentially sleeps constantly. When a tasks is sent to
it, it will wake up and execute it.
11 years ago
Victor Julien 82aa419431 multi-detect: set tenant id on pseudo packets
Store the tenant id in the flow and use the stored id when setting
up pesudo packets.

For tunnel and defrag packets, get tenant from parent. This will only
pass tenant_id's set at capture time.

For defrag packets, the tenant selector based on vlan id will still
work as the vlan id(s) are stored in the defrag tracker before being
passed on.
11 years ago
Victor Julien e19c41a807 multi-detect: hash lookup for tenants
Use hash for storing and looking up det_ctxs.
11 years ago
Victor Julien 722c56dbf3 detect: clean up thread free code
Introduce DetectEngineThreadCtxFree that doesn't need a 'ThreadVars'
pointer.
11 years ago
Victor Julien 4f77e8967b multi-detect: make threshold prefix aware
Make threshold loading prefix aware, so it can be part of tenant
configuration.

If the setting is missing from the tenant, the global setting is tried
and if that too is missing, the global default is used.

Note: currently per host thresholds are tracked globally and NOT per
tenant.
11 years ago
Victor Julien a6e3cec9e5 multi-detect: make reference prefix aware
Make reference loading prefix aware, so it can be part of tenant
configuration.

If the setting is missing from the tenant, the global setting is tried
and if that too is missing, the global default is used.
11 years ago
Victor Julien 5fff250749 multi-detect: make classification prefix aware
Make classification loading prefix aware, so it can be part of tenant
configuration.

If the setting is missing from the tenant, the global setting is tried
and if that too is missing, the global default is used.
11 years ago
Victor Julien d8181802d3 multi-detect: add reload-tenant command
Allow for a tenant to be reloaded. The command is the same as the
register-tenant command, so with a yaml and tenant-id as argument.
However this replaces an existing tenant.
11 years ago
Victor Julien 8673801ea3 multi-detect: add tenant id to alert json output
Add a integer field "tenant_id" to the JSON alert output.
11 years ago
Victor Julien f4c9915066 multi-detect: store tenant id in packet
Store tenant id in the packet so that the output API's can log it.
11 years ago
Victor Julien 642c267dc4 multi-detect: refuse to add duplicate tenant
Generate error if tentant to be added is already loaded.
11 years ago
Victor Julien 4e0683c3f5 multi-detect: cleanup, reuse tenant loading code
Reuse tenant loading from YAML code for Unix Socket.
11 years ago
Victor Julien 646eb4c2a8 multi-detect: load tenants from yaml file
Load tenants and mappings from the suricata.yaml when available.
11 years ago
Victor Julien 216638c342 multi-detect: implement unregister-tenant-handler
Remove a tenant handler from the list and apply it.
11 years ago
Victor Julien 93f856a1b3 detect: don't error out on no de_ctx
This can happen on a multi-detect setup with no registered
engines yet.
11 years ago
Victor Julien b6f290fac7 multi-detect: set selector from yaml
Yaml setting is: multi-detect.selector

Implement 'vlan' and 'direct'.
11 years ago
Victor Julien c72b7f83b8 multi-detect: error on start if no selector registered
Force user to select the method at startup.
11 years ago
Victor Julien 1127ad66b4 multi-detect: register counters on 'master' det_ctx
Otherwise counters are only registered after the stats api is
already fixed.
11 years ago
Victor Julien 7c581c0ffc multi-detect: allow start up with 0 tenants 11 years ago
Victor Julien 6d92e8d220 unix-socket: implement register-tenant-handler
Register tenant handlers/selectors based on what the unix command
"register-tenant-handler" tells.

Check traffic id before adding it. No duplicated registrations for
a traffic id are allowed.
11 years ago
Victor Julien 1893c5edb1 multi-detect: initial selectors for tenants
The Detection Thread has the TenantGetId pointer which allows it
to select a tenant id based on the packet.
11 years ago
Victor Julien 0ff6d3dcfd detect: select detect engine at Detect entry
Limited to Pcap only currently.
11 years ago
Victor Julien bc7e9be5c6 unix-socket: allow tenant id with pcap-file
Register the tenant id that the pcap-file optionally got.
11 years ago
Victor Julien bea66156b9 pcap-file: set tenant-id if available
Set the id to each packet's 'pcap_v' structure.
11 years ago
Victor Julien 98d265f40b detect: use multi tenant thread init if MT enabled 11 years ago
Victor Julien b653479815 detect: make multi tenancy a global switch
At start up we will set this flag based on "multi-detect.enabled".
11 years ago
Victor Julien 3f12bdd4f8 tenants: apply added/removed tenant
Apply to the engine.
11 years ago
Victor Julien def2b58725 detect: initial MT lookup logic
In the DetectEngineThreadCtx, store another DetectEngineThreadCtx per
tenant.

Currently it's just a simple array indexed by the tenant id.
11 years ago
Victor Julien 147a6d2bfd multi-detect: (un)register-tenant unix socket commands
Make available to live mode and unix socket mode.

register-tenant:
    Loads a new YAML, does basic validation.
    Loads a new detection engine
    Loads rules
    Add new de_ctx to master store and stores tenant id in the de_ctx so
        we can look it up by tenant id later.

unregister-tenant:
    Gets the de_ctx, moves it to the freelist
    Removes config

Introduce DetectEngineGetByTenantId, which gets a reference to the
detect engine by tenant id.
11 years ago
Victor Julien 3aa58f25ad eve alert: fix stream payload printing 11 years ago
Victor Julien 2ef0ebb24b detect: fix pass transaction handling
If a flow was 'pass'd, it means that no packet of it will flow be handled
by the detection engine. A side effect of this was that the per flow
inspect_id would never be moved forward. This in turn lead to a situation
where transactions wouldn't be freed.

This patch addresses this case by incrementing the inspect_id anyway for
the pass case.
11 years ago
Victor Julien 06ee2bc87e detect: set flow noinspect on pass in applayer/stream
If a pass rule matches in the reassembled stream and/or in the
app-layer state, it means the rest of the flow should not be
inspected.
11 years ago
Victor Julien bbc9874b81 http: destroy htp_tx_t even if incomplete 11 years ago
Victor Julien 814f0b4094 detect: make http prefilter use disrupt flags 11 years ago
Victor Julien b592f98727 detect: optimize http prefilter handing 11 years ago
Victor Julien 6946e0be55 detect: pass flags to inspect_id update logic 11 years ago
Victor Julien c087708fa9 output-tx: use disrupt flags 11 years ago
Victor Julien 00ef789ffc app-layer: pass full flags around in tx handling 11 years ago
Victor Julien ea571add73 app-layer: disruption flags
Stream GAPs and stream reassembly depth are tracked per direction. In
many cases they will happen in one direction, but not in the other.

Example:
HTTP requests a generally smaller than responses. So on the response
side we may hit the depth limit, but not on the request side.

The asynchronious 'disruption' has a side effect in the transaction
engine. The 'progress' tracking would never mark such transactions
as complete, and thus some inspection and logging wouldn't happen
until the very last moment: when EOF's are passed around.

Especially in proxy environments with _very_ many transactions in a
single TCP connection, this could lead to serious resource issues. The
EOF handling would suddenly have to handle thousands or more
transactions. These transactions would have been stored for a long time.

This patch introduces the concept of disruption flags. Flags passed to
the tx progress logic that are and indication of disruptions in the
traffic or the traffic handling. The idea is that the progress is
marked as complete on disruption, even if a tx is not complete. This
allows the detection and logging engines to process the tx after which
it can be cleaned up.
11 years ago
Victor Julien 8125e04b39 detect: clean up flag usage 11 years ago
Victor Julien 6e2c90a83b detect: constify some DetectMpmPrefilter args 11 years ago
Victor Julien c419f33f44 dns: fix state progress handling 11 years ago
Victor Julien b0f5f7ee97 app-layer: fix args to state progress calls 11 years ago
Victor Julien 62fa9f09d4 Sync alversion/appversion types
The app layer state 'version' field is incremented with each update
to the state. It is used by the detection engine to see if the current
version of the state has already been inspected. Since app layer and
detect always run closely together there is no need for a big number
here. The detect code really only checks for equal/not-equal, so wrap
arounds are not an issue.
11 years ago
Victor Julien 11d3f5f67a http: harden tx inspection code 11 years ago
Victor Julien be2849044b flow/stream: xfer noinspect flags to pseudo pkts
Set noinspection flags for payloads and packets on flow and stream
pseudo packets. Without these, the pseudo packets could trigger
inspection even though this was disabled for a flow.
11 years ago
Victor Julien a0899cbe85 detect: optimize Signature layout 11 years ago
Victor Julien baadcab1b8 detect: default to u32 for SigIntId 11 years ago
Eric Leblond 1cd97713c2 file-json: add file_id to message
This will allow to get the filename and by consequence the file
after a parsing of the EVEV log file.
11 years ago
Eric Leblond 8fde842f97 af-packet: implement rollover option
This patch implements the rollover option in af_packet capture.
This should heavily minimize the packet drops as well as the
maximum bandwidth treated for a single flow.

The option has been deactivated by default but it is activated in
the af_packet default section. This ensure there is no change for
old users using an existing YAML. And new users will benefit from
the change.

This option is available since Linux 3.10. An analysis of af_packet
kernel code shows that setting the flag in all cases should not
cause any trouble for older kernel.
11 years ago
Eric Leblond dc306f3bad af-packet: implement new load balancing modes
This patch implements the fanout load balancing modes available
in kernel 4.0. The more interesting is cluster_qm that does the
load balancing based on the RSS queues. So if the network card
is doing a flow based load balancing then a given socket will
receive all packets of a flow indepently of the CPU affinity.
11 years ago
Eric Leblond 851fcef962 af-packet: sync header with latest features
Sync the replacement define with the latest Linux code.
This patch also updates the detection part in configure.ac
to do a declaration of all fields if the newest features are
not present.
11 years ago