This is a import of two coccinelle patches that detect problem
on Packet handling. They are run on all commited C files in src
by the script run_check.sh.
This patch fixes Packet initialisation. In some place the pkt field
was not set after a memset used to zero the structure and this could
lead to some problems.
This patch fixes some problem with affinity work and modify the
configuration file format.
For example, the detect cup set can be formatted as follow:
- detect_cpu_set:
cpu: [ "all" ]
mode: "exclusive" # run detect threads in these cpus
prio:
low: [ 0 ] # threads on CPU 0 have low prio
medium: [ "1-2" ] # threads on CPU 1 and 2 have medium prio
high: [ 3 ] # threads on CPU 3 have high prio
default: "medium" #default priority is "medium"
This patch modifies the NFQ option system to avoid implicit
choice. 'nfq.mode' is now a string which can take a value
in the 'accept', 'repeat' and 'route' set.
Signed-off-by: Eric Leblond <eric@regit.org>
This patch adds the support of queue redirect. If 'next_queue'
variable is set, the verdict sent to kernel is modified to contain
the indication of a queue number (equal to 'next_queue') which will
receive the packet after the verdict. This feature can be used to
chain easily tools using NFQUEUE.
Signed-off-by: Eric Leblond <eric@regit.org>
This patch adds detection of already treated packet. If a packet is
coming with an already set mark, it will be accepted and the processing
of the packet is aborted.
The patch display a message when the problem occurs but the number of
message is limited to a fix counter in a way to avoid flooding the log.
Signed-off-by: Eric Leblond <eric@regit.org>
A big sized buffer was allocated at each packet parsing. This patch
uses a per-thread variable to have a persistent memory usage.
Signed-off-by: Eric Leblond <eric@regit.org>
This patch adds a new mode for NFQ inline mode. The idea is to
simulate a non final NFQUEUE rules.
This permit to do send all needed packets to suricata via a simple
FORWARD rule:
iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
And below, we have a standard filtering ruleset.
To do so, suricata issues a NF_REPEAT instead of a NF_ACCEPT verdict and
put a mark ($MARK) with respect to a mask ($MASK) on the handled packet.
NF_REPEAT verdict has for effect to have the packet reinjected at start
of the hook after the verdict. As it has been marked by suricata during
the verdict it will not rematch the initial rules and make his way to
the following classical ruleset.
Mode, mark and mask can be configured via suricata.yaml file with the
following syntax:
nfq:
repeat_mode: (false|true)
mark: $MARK
mask: $MASK
Default is false to preserve backward compatibility.
Signed-off-by: Eric Leblond <eric@regit.org>
This patch adds support for multiple Netfilter queue
in the NFQ run mode. Suricata can now be started on
multiple queue by using a comma separated list of
queue identifier on the command line. The following syntax:
suricata -q 0 -q 1 -c /opt/suricata/etc/suricata.yaml
will start a suricata listening to Netfilter queue 0 and 1.
Signed-off-by: Eric Leblond <eric@regit.org>
This patch prepare support for multiqueue in the
source file. The NFQ vars contained in Packet structure
has a new member. It is a reference to the NFQ thread var
it comes from. The behaviour is modified as a single verdict
thread treat packet for all Netfilter queues.
Locking is done in the verdict function to ensure that
simultaneous modifications of counters can not occur.
Signed-off-by: Eric Leblond <eric@regit.org>
This patch adds a new parameter the affinity. The 'threads' keyword
is used to set the number of threads to start for a family. It can
only be used on family where multiple thread are laucnh in the running
mode. This is mainly the case of the detect threads.
Signed-off-by: Eric Leblond <eric@regit.org>
This patch updates affinity setting to add a support for per cpu
priority setting. In exclusive mode a thread is dedicated to a CPU.
This patch adds the ability to set the thread prio for all threads
of a family running on a given CPU.
With this patch we can write
- detect_cpu_set:
cpu: [ "all" ]
mode: "exclusive" # run detect threads in these cpus
low_prio: [ 0 ]
medium_prio: [ "1-2" ]
high_prio: [ 3 ]
With this configuration, detect threads assigned to cpu 0 will
have a low priority. Detect threads on cpus 1 and 2 will have
prio medium...
The previous configuration is equivalent to:
- detect_cpu_set:
cpu: [ "all" ]
mode: "exclusive" # run detect threads in these cpus
low_prio: [ 0 ]
high_prio: [ 3 ]
prio: "medium"
because the prio value is used a default.
Signed-off-by: Eric Leblond <eric@regit.org>
The default NFQ run mode is now using the new affinity system. It
thus can be configured via suricata.yaml.
Signed-off-by: Eric Leblond <eric@regit.org>
This patch implement the setting of each management threads in
the corresponding thread affinity. This is done by modifiying
thread creation function.
Signed-off-by: Eric Leblond <eric@regit.org>
This patch features the implementation of affinity related
changes in tm-threads. In place code has been used but some
refactoring has been done to avoid code duplication.
Signed-off-by: Eric Leblond <eric@regit.org>
This patch modifies runmode to parse configuration file related
to affinity settings. It also prepare the export of the
set_cpu_affinity which was previously local. It is now used
in the affinity and tm-threads files.
Signed-off-by: Eric Leblond <eric@regit.org>
This small patch add inclusion of util-affinity.h in the
files that will have to use affinity related features.
Signed-off-by: Eric Leblond <eric@regit.org>
This patch introduces the configuration part of cpu_affinity
evolution. The idea is to have thread families (receive, stream, ...)
and to be able to specify for each of them:
- The cpus to use
- The mode of balancing between the cpus
- The thread priority to use (value of nice)
Signed-off-by: Eric Leblond <eric@regit.org>
Eric Leblond
Anoop Saldanha
Martin Beyer
Victor Julien
Gurvinder Singh