aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
10,159 Commits
7 Branches
155 Tags
197 MiB
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9b05db7db0'
${ noResults }
Commit Graph

10159 Commits (9b05db7db0c3ed4647adbe763f77a5f61b6aefe1)
 

Author SHA1 Message Date
Eric Leblond fc2f2fa7d3 bypass: allow bypass for packet without flow 
For capture method that have their own flow structure (not maintained
by Suricata), it can make sense to bypass a packet even if there is
no Flow in Suricata.

For AF_PACKET it does not make sense as the eBPF map entry will
be destroyed as soon as it will be checked by the flow bypass
manager. Thus we shortcut the bypass function if ever no Flow is
attached to the packet.

This path also removes reference to Flow in the bypass functions
for AF_PACKET. It was not necessary and we possibly could benefit
of it if ever we change the bypass algorithm.
 6 years ago
Eric Leblond 285768c59e ebpf: fix bypass filter vlan 6 years ago
Eric Leblond 8a11581ac8 doc: update ebpf doc following bypass_filter change 6 years ago
Eric Leblond 853d832de7 ebpf: complete vlan support for ebpf bypass filter 6 years ago
Eric Leblond 253c011c70 doc: update for latest xdp_filter.c change 6 years ago
Eric Leblond 6ab1cbcb8e bypass: use flow storage for bypass counter 
There is a synchronization issue occuring when a flow is
added to the eBPF bypass maps. The flow can have packets
in the ring buffer that have already passed the eBPF stage.
By consequences, they are not accounted in the eBPF counter
but are accounted by Suricata flow engine.

This was causing counters to be completely wrong. This code
fixes the issue by avoiding the counter change in invalid
case.

To avoid adding 4 64bits integers to the Flow structure for the
bypass accounting, we use instead a FlowStorage. This limits the
memory usage to the size of a pointer.
 6 years ago
Eric Leblond 640bc937b4 ebpf: add vlan tracking option to xdp_filter 
If vlan is not use for tracking in Suricata this result in vlan not
being used in the flow key in Suricata and we need to adjust that
in the XDP filter to avoid any problem.
 6 years ago
Eric Leblond 34b8583f35 ebpf: tls encrypted bypass in xdp_filter 
Tests have shown that when we bypass encrypted traffic a non
neglicteable amount of encrypted  packets of the session are already in the
capture ring buffer. Result is that Suricata is doing unnecessary
work on these packets.

These packets can be identified via the first bytes of their payloads
so we can bypass them directly in the XDP code. This is done here
for application data packets on port 443 and for TLS 1.2.
 6 years ago
Eric Leblond d2d3a5a92a ebpf: fix UDP bypass in xdp_filter 6 years ago
Eric Leblond 98b68e87eb ebpf: fix typo in xdp_filter.c comment 6 years ago
Eric Leblond 4e6add7faa bypass: generalize iface bypass stats 
Introduce functions in util-device.c to be able to manage the
flow bypassed count stats.
 6 years ago
Eric Leblond 7e8f4b70f0 ebpf: add comment for some define in XDP filter 6 years ago
Eric Leblond 455d78728e ebpf: remove useless var in xdp_filter 6 years ago
Eric Leblond 258e90be76 util-ebpf: change flow accounting logic 
Update the flow counters during the life of a bypassed flow
instead of just accounting at the end of it.
 6 years ago
Eric Leblond 3026e9a80d util-ebpf: better error handling 6 years ago
Eric Leblond 2ffd3ad2b7 util-ebpf: better error handling of map unlink 6 years ago
Eric Leblond b952b32a26 util-ebpf: rename field 'unlink' to avoid confusion 6 years ago
Eric Leblond edf2db4e30 af-packet: improve warning message 6 years ago
Eric Leblond 567b5ee1bc af-packet: rename option 'no-percpu-hash' 6 years ago
Eric Leblond 0f6b1297a9 af-packet: warn when XDP is not supported 6 years ago
Eric Leblond b1c9b39435 af-packet: remove question from code 6 years ago
Eric Leblond 1992093c88 flow-bypass: rename variables 6 years ago
Eric Leblond d239e0f2d5 flow-hash: doc and code cleaning 6 years ago
Eric Leblond b736344975 flow-bypass: clock_gettime error handling 
Only reason clock_gettime could fail is a permission so let's
error and leave the flow bypass manager if it is the case.

Also let's suppress the error message if ever the error appear in
the middle of a run (which is unlikely).
 6 years ago
Eric Leblond 4129938c21 util-ebpf: log level fixes and code cleaning 6 years ago
Eric Leblond 140269a6be util-ebpf: init code optimization 6 years ago
Eric Leblond ccb8f3cd4b configure: libbpf path 6 years ago
Eric Leblond 373afab9e0 ebpf: reindent xdp_filter.c 6 years ago
Eric Leblond ca50f8852e doc: improve ebpf doc 
Add example of bypass rules and explain clang dependency.
 6 years ago
Eric Leblond c11eb78141 doc: document netronome hardware bypass usage 6 years ago
Eric Leblond c5e2af0545 util-ebpf: fix error reported by coccinelle check 
Some allocation errors were not checked during init phase.
 6 years ago
Eric Leblond c1fd0da550 af-packet: add vlan_id in bypass key 
Bypassing on vlan was not supported due to the missing key.
 6 years ago
Eric Leblond 651a27e4fb ebpf: fix percpu hash handling 
An alignement issue was preventing the code to work properly.
We introduce macros taken from Linux source code sample to get
something that should work on the long term.
 6 years ago
Eric Leblond 142c69e1ef flow-bypass: increase bypass timeout 
This is needed as we did switch from counter maintained in kernel
to internal polling so we need a bigger value.
 6 years ago
Eric Leblond b8e184ceb5 flow-bypass: fix timeout of maps bypassed flows 
The time is taken from the parameter and is checked against real
flow entries so we need a standard time.
 6 years ago
Eric Leblond 07d0bd3a0f util-ebpf: fix IPv6 deletion loop 6 years ago
Eric Leblond b481f290e2 af-packet: fix bypass for IPv6 6 years ago
Eric Leblond 3bd8ba5d00 util-ebpf: add message if key deletion fails 6 years ago
Eric Leblond 269f601f8a util-ebpf: can't delete in place so update algo 6 years ago
Eric Leblond 5b056c15bf af-packet: fix default in pinned maps name 6 years ago
Eric Leblond eff56acca5 af-packet: be sure to nullify option if not set 6 years ago
Eric Leblond 36c6a62954 util-ebpf: simplify function declarations 6 years ago
Eric Leblond 69630d7a17 util-ebpf: micro optimization 6 years ago
Eric Leblond d21c3a6555 util-ebpf: create flow from bypassed flows 6 years ago
Eric Leblond 04c65a309e flow-hash: new function to get flow from flowkey 6 years ago
Eric Leblond 885fc992de ebpf: make table iterator generic 
Also adds a basic skeleton for flow creation loop.
 6 years ago
Eric Leblond 880c42f11c af-packet: bypass with init function 6 years ago
Eric Leblond f93573ac5e ebpf: fix indentation in xdp_filter 6 years ago
Eric Leblond 522e98d830 util-ebpf: fix iteration in flow timeout 
We were not setting the key using the correct item in map. Result
was deletion of wrong flow.
 6 years ago
Eric Leblond f270e53477 ebpf: set number of RSS queues to a power of 2 
This is needed as netronome can not do a division (so can't do a modulo)
in hardware.
 6 years ago