]>
Commit | Line | Data |
---|---|---|
c78e112e | 1 | /* Copyright (C) 2011,2012 Open Information Security Foundation |
c45d8985 EL |
2 | * |
3 | * You can copy, redistribute or modify this Program under the terms of | |
4 | * the GNU General Public License version 2 as published by the Free | |
5 | * Software Foundation. | |
6 | * | |
7 | * This program is distributed in the hope that it will be useful, | |
8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
10 | * GNU General Public License for more details. | |
11 | * | |
12 | * You should have received a copy of the GNU General Public License | |
13 | * version 2 along with this program; if not, write to the Free Software | |
14 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | |
15 | * 02110-1301, USA. | |
16 | */ | |
17 | ||
a6457262 EL |
18 | /** |
19 | * \ingroup afppacket | |
20 | * | |
21 | * @{ | |
22 | */ | |
23 | ||
e80b30c0 EL |
24 | /** |
25 | * \file | |
26 | * | |
27 | * \author Eric Leblond <eric@regit.org> | |
28 | * | |
29 | * AF_PACKET socket runmode | |
30 | * | |
31 | */ | |
32 | ||
33 | ||
c45d8985 | 34 | #include "suricata-common.h" |
e80b30c0 | 35 | #include "config.h" |
c45d8985 EL |
36 | #include "tm-threads.h" |
37 | #include "conf.h" | |
38 | #include "runmodes.h" | |
39 | #include "runmode-af-packet.h" | |
40 | #include "log-httplog.h" | |
41 | #include "output.h" | |
c45d8985 EL |
42 | #include "detect-engine-mpm.h" |
43 | ||
44 | #include "alert-fastlog.h" | |
45 | #include "alert-prelude.h" | |
c45d8985 EL |
46 | #include "alert-unified2-alert.h" |
47 | #include "alert-debuglog.h" | |
48 | ||
49 | #include "util-debug.h" | |
50 | #include "util-time.h" | |
51 | #include "util-cpu.h" | |
52 | #include "util-affinity.h" | |
871b2189 | 53 | #include "util-device.h" |
75c875b1 | 54 | #include "util-runmodes.h" |
56373e5b | 55 | #include "util-ioctl.h" |
c45d8985 | 56 | |
e80b30c0 EL |
57 | #include "source-af-packet.h" |
58 | ||
8879df80 EL |
59 | extern int max_pending_packets; |
60 | ||
c174c9d7 | 61 | static const char *default_mode_workers = NULL; |
c45d8985 EL |
62 | |
63 | const char *RunModeAFPGetDefaultMode(void) | |
64 | { | |
c174c9d7 | 65 | return default_mode_workers; |
c45d8985 EL |
66 | } |
67 | ||
68 | void RunModeIdsAFPRegister(void) | |
69 | { | |
e80b30c0 EL |
70 | RunModeRegisterNewRunMode(RUNMODE_AFP_DEV, "single", |
71 | "Single threaded af-packet mode", | |
72 | RunModeIdsAFPSingle); | |
beaa909e EL |
73 | RunModeRegisterNewRunMode(RUNMODE_AFP_DEV, "workers", |
74 | "Workers af-packet mode, each thread does all" | |
75 | " tasks from acquisition to logging", | |
76 | RunModeIdsAFPWorkers); | |
c174c9d7 | 77 | default_mode_workers = "workers"; |
e80b30c0 EL |
78 | RunModeRegisterNewRunMode(RUNMODE_AFP_DEV, "autofp", |
79 | "Multi socket AF_PACKET mode. Packets from " | |
80 | "each flow are assigned to a single detect " | |
81 | "thread.", | |
82 | RunModeIdsAFPAutoFp); | |
c45d8985 EL |
83 | return; |
84 | } | |
85 | ||
994bc15c EL |
86 | |
87 | #ifdef HAVE_AF_PACKET | |
88 | ||
45d5c3ca EL |
89 | void AFPDerefConfig(void *conf) |
90 | { | |
91 | AFPIfaceConfig *pfp = (AFPIfaceConfig *)conf; | |
92 | /* Pcap config is used only once but cost of this low. */ | |
93 | if (SC_ATOMIC_SUB(pfp->ref, 1) == 0) { | |
94 | SCFree(pfp); | |
95 | } | |
96 | } | |
97 | ||
f89a4219 VJ |
98 | /* if cluster id is not set, assign it automagically, uniq value per |
99 | * interface. */ | |
100 | static int cluster_id_auto = 1; | |
101 | ||
fbca1a4e EL |
102 | /** |
103 | * \brief extract information from config file | |
104 | * | |
105 | * The returned structure will be freed by the thread init function. | |
106 | * This is thus necessary to or copy the structure before giving it | |
107 | * to thread or to reparse the file for each thread (and thus have | |
108 | * new structure. | |
109 | * | |
110 | * \return a AFPIfaceConfig corresponding to the interface name | |
111 | */ | |
75c875b1 | 112 | void *ParseAFPConfig(const char *iface) |
fbca1a4e EL |
113 | { |
114 | char *threadsstr = NULL; | |
115 | ConfNode *if_root; | |
4ae27756 | 116 | ConfNode *if_default = NULL; |
fbca1a4e EL |
117 | ConfNode *af_packet_node; |
118 | AFPIfaceConfig *aconf = SCMalloc(sizeof(*aconf)); | |
119 | char *tmpclusterid; | |
120 | char *tmpctype; | |
662dccd8 | 121 | char *copymodestr; |
fbca1a4e | 122 | intmax_t value; |
67f791e8 | 123 | int boolval; |
f2a6fb8a | 124 | char *bpf_filter = NULL; |
662dccd8 | 125 | char *out_iface = NULL; |
fbca1a4e | 126 | |
e176be6f | 127 | if (unlikely(aconf == NULL)) { |
75c875b1 EL |
128 | return NULL; |
129 | } | |
130 | ||
11bdf483 VJ |
131 | if (iface == NULL) { |
132 | SCFree(aconf); | |
fbca1a4e EL |
133 | return NULL; |
134 | } | |
11bdf483 | 135 | |
fbca1a4e EL |
136 | strlcpy(aconf->iface, iface, sizeof(aconf->iface)); |
137 | aconf->threads = 1; | |
45d5c3ca | 138 | SC_ATOMIC_INIT(aconf->ref); |
0227a87f | 139 | (void) SC_ATOMIC_ADD(aconf->ref, 1); |
fbca1a4e EL |
140 | aconf->buffer_size = 0; |
141 | aconf->cluster_id = 1; | |
142 | aconf->cluster_type = PACKET_FANOUT_HASH; | |
df7dbe36 | 143 | aconf->promisc = 1; |
6062e00c | 144 | aconf->checksum_mode = CHECKSUM_VALIDATION_KERNEL; |
45d5c3ca | 145 | aconf->DerefFunc = AFPDerefConfig; |
49b7b00f | 146 | aconf->flags = 0; |
f2a6fb8a | 147 | aconf->bpf_filter = NULL; |
662dccd8 | 148 | aconf->out_iface = NULL; |
c8b3f441 | 149 | aconf->copy_mode = AFP_COPY_MODE_NONE; |
f2a6fb8a EL |
150 | |
151 | if (ConfGet("bpf-filter", &bpf_filter) == 1) { | |
152 | if (strlen(bpf_filter) > 0) { | |
153 | aconf->bpf_filter = bpf_filter; | |
154 | SCLogInfo("Going to use command-line provided bpf filter '%s'", | |
155 | aconf->bpf_filter); | |
156 | } | |
157 | } | |
fbca1a4e EL |
158 | |
159 | /* Find initial node */ | |
160 | af_packet_node = ConfGetNode("af-packet"); | |
161 | if (af_packet_node == NULL) { | |
162 | SCLogInfo("Unable to find af-packet config using default value"); | |
163 | return aconf; | |
164 | } | |
165 | ||
aa8e747e | 166 | if_root = ConfFindDeviceConfig(af_packet_node, iface); |
4ae27756 | 167 | |
aa8e747e | 168 | if_default = ConfFindDeviceConfig(af_packet_node, "default"); |
4ae27756 EL |
169 | |
170 | if (if_root == NULL && if_default == NULL) { | |
fbca1a4e | 171 | SCLogInfo("Unable to find af-packet config for " |
4ae27756 | 172 | "interface \"%s\" or \"default\", using default value", |
fbca1a4e EL |
173 | iface); |
174 | return aconf; | |
175 | } | |
176 | ||
4ae27756 EL |
177 | /* If there is no setting for current interface use default one as main iface */ |
178 | if (if_root == NULL) { | |
179 | if_root = if_default; | |
180 | if_default = NULL; | |
181 | } | |
182 | ||
183 | if (ConfGetChildValueWithDefault(if_root, if_default, "threads", &threadsstr) != 1) { | |
c174c9d7 | 184 | aconf->threads = 0; |
fbca1a4e EL |
185 | } else { |
186 | if (threadsstr != NULL) { | |
c174c9d7 VJ |
187 | if (strcmp(threadsstr, "auto") == 0) { |
188 | aconf->threads = 0; | |
189 | } else { | |
190 | aconf->threads = (uint8_t)atoi(threadsstr); | |
191 | } | |
fbca1a4e EL |
192 | } |
193 | } | |
194 | if (aconf->threads == 0) { | |
56373e5b | 195 | int rss_queues; |
c174c9d7 | 196 | aconf->threads = (int)UtilCpuGetNumProcessorsOnline(); |
56373e5b EL |
197 | /* Get the number of RSS queues and take the min */ |
198 | rss_queues = GetIfaceRSSQueuesNum(iface); | |
199 | if (rss_queues > 0) { | |
200 | if (rss_queues < aconf->threads) { | |
201 | aconf->threads = rss_queues; | |
f89a4219 | 202 | SCLogInfo("More cores than RSS queues, using %d threads for interface %s", |
56373e5b EL |
203 | aconf->threads, iface); |
204 | } | |
205 | } | |
c174c9d7 VJ |
206 | if (aconf->threads) |
207 | SCLogInfo("Using %d AF_PACKET threads for interface %s", aconf->threads, iface); | |
208 | } | |
209 | if (aconf->threads <= 0) { | |
fbca1a4e EL |
210 | aconf->threads = 1; |
211 | } | |
45d5c3ca | 212 | |
4ae27756 | 213 | if (ConfGetChildValueWithDefault(if_root, if_default, "copy-iface", &out_iface) == 1) { |
662dccd8 EL |
214 | if (strlen(out_iface) > 0) { |
215 | aconf->out_iface = out_iface; | |
216 | } | |
217 | } | |
218 | ||
876b356b EL |
219 | if (ConfGetChildValueBoolWithDefault(if_root, if_default, "use-mmap", (int *)&boolval) == 1) { |
220 | if (boolval) { | |
221 | aconf->flags |= AFP_RING_MODE; | |
222 | } else { | |
223 | SCLogInfo("Disabling mmaped capture on iface %s", | |
224 | aconf->iface); | |
225 | } | |
226 | } else { | |
662dccd8 EL |
227 | aconf->flags |= AFP_RING_MODE; |
228 | } | |
876b356b | 229 | |
8035d834 EL |
230 | if (aconf->flags & AFP_RING_MODE) { |
231 | (void)ConfGetChildValueBoolWithDefault(if_root, if_default, | |
232 | "mmap-locked", (int *)&boolval); | |
233 | if (boolval) { | |
234 | SCLogInfo("Enabling locked memory for mmap on iface %s", | |
bae1b03c | 235 | aconf->iface); |
8035d834 EL |
236 | aconf->flags |= AFP_MMAP_LOCKED; |
237 | } | |
238 | (void)ConfGetChildValueBoolWithDefault(if_root, if_default, | |
239 | "tpacket-v3", (int *)&boolval); | |
240 | if (boolval) { | |
241 | if (strcasecmp(RunmodeGetActive(), "workers") == 0) { | |
242 | #ifdef HAVE_TPACKET_V3 | |
243 | SCLogInfo("Enabling tpacket v3 capture on iface %s", | |
244 | aconf->iface); | |
245 | aconf->flags |= AFP_TPACKET_V3|AFP_RING_MODE; | |
c2d0d938 | 246 | #else |
8035d834 EL |
247 | SCLogNotice("System too old for tpacket v3 switching to v2"); |
248 | aconf->flags |= AFP_RING_MODE; | |
c2d0d938 | 249 | #endif |
8035d834 EL |
250 | } else { |
251 | SCLogError(SC_ERR_RUNMODE, | |
252 | "tpacket v3 is only implemented for 'workers' running mode." | |
253 | " Switching to tpacket v2."); | |
254 | aconf->flags |= AFP_RING_MODE; | |
255 | } | |
256 | } | |
257 | (void)ConfGetChildValueBoolWithDefault(if_root, if_default, | |
258 | "use-emergency-flush", (int *)&boolval); | |
259 | if (boolval) { | |
260 | SCLogInfo("Enabling ring emergency flush on iface %s", | |
261 | aconf->iface); | |
262 | aconf->flags |= AFP_EMERGENCY_MODE; | |
bae1b03c | 263 | } |
27b5136b EL |
264 | } |
265 | ||
662dccd8 EL |
266 | |
267 | aconf->copy_mode = AFP_COPY_MODE_NONE; | |
4ae27756 | 268 | if (ConfGetChildValueWithDefault(if_root, if_default, "copy-mode", ©modestr) == 1) { |
662dccd8 EL |
269 | if (aconf->out_iface == NULL) { |
270 | SCLogInfo("Copy mode activated but no destination" | |
271 | " iface. Disabling feature"); | |
272 | } else if (!(aconf->flags & AFP_RING_MODE)) { | |
273 | SCLogInfo("Copy mode activated but use-mmap " | |
274 | "set to no. Disabling feature"); | |
275 | } else if (strlen(copymodestr) <= 0) { | |
276 | aconf->out_iface = NULL; | |
277 | } else if (strcmp(copymodestr, "ips") == 0) { | |
278 | SCLogInfo("AF_PACKET IPS mode activated %s->%s", | |
279 | iface, | |
280 | aconf->out_iface); | |
281 | aconf->copy_mode = AFP_COPY_MODE_IPS; | |
282 | } else if (strcmp(copymodestr, "tap") == 0) { | |
283 | SCLogInfo("AF_PACKET TAP mode activated %s->%s", | |
284 | iface, | |
285 | aconf->out_iface); | |
286 | aconf->copy_mode = AFP_COPY_MODE_TAP; | |
287 | } else { | |
288 | SCLogInfo("Invalid mode (not in tap, ips)"); | |
289 | } | |
290 | } | |
291 | ||
45d5c3ca | 292 | SC_ATOMIC_RESET(aconf->ref); |
0227a87f | 293 | (void) SC_ATOMIC_ADD(aconf->ref, aconf->threads); |
45d5c3ca | 294 | |
4ae27756 | 295 | if (ConfGetChildValueWithDefault(if_root, if_default, "cluster-id", &tmpclusterid) != 1) { |
f89a4219 | 296 | aconf->cluster_id = (uint16_t)(cluster_id_auto++); |
fbca1a4e EL |
297 | } else { |
298 | aconf->cluster_id = (uint16_t)atoi(tmpclusterid); | |
299 | SCLogDebug("Going to use cluster-id %" PRId32, aconf->cluster_id); | |
300 | } | |
301 | ||
4ae27756 | 302 | if (ConfGetChildValueWithDefault(if_root, if_default, "cluster-type", &tmpctype) != 1) { |
f89a4219 VJ |
303 | /* default to our safest choice: flow hashing + defrag enabled */ |
304 | aconf->cluster_type = PACKET_FANOUT_HASH | PACKET_FANOUT_FLAG_DEFRAG; | |
fbca1a4e EL |
305 | } else if (strcmp(tmpctype, "cluster_round_robin") == 0) { |
306 | SCLogInfo("Using round-robin cluster mode for AF_PACKET (iface %s)", | |
307 | aconf->iface); | |
308 | aconf->cluster_type = PACKET_FANOUT_LB; | |
309 | } else if (strcmp(tmpctype, "cluster_flow") == 0) { | |
310 | /* In hash mode, we also ask for defragmentation needed to | |
311 | * compute the hash */ | |
312 | uint16_t defrag = 0; | |
4c6595f4 | 313 | int conf_val = 0; |
fbca1a4e EL |
314 | SCLogInfo("Using flow cluster mode for AF_PACKET (iface %s)", |
315 | aconf->iface); | |
4c6595f4 EL |
316 | ConfGetChildValueBoolWithDefault(if_root, if_default, "defrag", &conf_val); |
317 | if (conf_val) { | |
0df4c583 | 318 | SCLogInfo("Using defrag kernel functionality for AF_PACKET (iface %s)", |
fbca1a4e EL |
319 | aconf->iface); |
320 | defrag = PACKET_FANOUT_FLAG_DEFRAG; | |
321 | } | |
322 | aconf->cluster_type = PACKET_FANOUT_HASH | defrag; | |
323 | } else if (strcmp(tmpctype, "cluster_cpu") == 0) { | |
324 | SCLogInfo("Using cpu cluster mode for AF_PACKET (iface %s)", | |
325 | aconf->iface); | |
326 | aconf->cluster_type = PACKET_FANOUT_CPU; | |
dc306f3b EL |
327 | } else if (strcmp(tmpctype, "cluster_qm") == 0) { |
328 | SCLogInfo("Using queue based cluster mode for AF_PACKET (iface %s)", | |
329 | aconf->iface); | |
330 | aconf->cluster_type = PACKET_FANOUT_QM; | |
331 | } else if (strcmp(tmpctype, "cluster_random") == 0) { | |
332 | SCLogInfo("Using random based cluster mode for AF_PACKET (iface %s)", | |
333 | aconf->iface); | |
334 | aconf->cluster_type = PACKET_FANOUT_RND; | |
335 | } else if (strcmp(tmpctype, "cluster_rollover") == 0) { | |
336 | SCLogInfo("Using rollover based cluster mode for AF_PACKET (iface %s)", | |
337 | aconf->iface); | |
338 | aconf->cluster_type = PACKET_FANOUT_ROLLOVER; | |
339 | ||
fbca1a4e EL |
340 | } else { |
341 | SCLogError(SC_ERR_INVALID_CLUSTER_TYPE,"invalid cluster-type %s",tmpctype); | |
11bdf483 | 342 | SCFree(aconf); |
fbca1a4e EL |
343 | return NULL; |
344 | } | |
345 | ||
8fde842f EL |
346 | int conf_val = 0; |
347 | ConfGetChildValueBoolWithDefault(if_root, if_default, "rollover", &conf_val); | |
348 | if (conf_val) { | |
349 | SCLogInfo("Using rollover kernel functionality for AF_PACKET (iface %s)", | |
350 | aconf->iface); | |
351 | aconf->cluster_type |= PACKET_FANOUT_FLAG_ROLLOVER; | |
352 | } | |
353 | ||
f2a6fb8a EL |
354 | /*load af_packet bpf filter*/ |
355 | /* command line value has precedence */ | |
356 | if (ConfGet("bpf-filter", &bpf_filter) != 1) { | |
4ae27756 | 357 | if (ConfGetChildValueWithDefault(if_root, if_default, "bpf-filter", &bpf_filter) == 1) { |
f2a6fb8a EL |
358 | if (strlen(bpf_filter) > 0) { |
359 | aconf->bpf_filter = bpf_filter; | |
360 | SCLogInfo("Going to use bpf filter %s", aconf->bpf_filter); | |
361 | } | |
362 | } | |
363 | } | |
364 | ||
4ae27756 | 365 | if ((ConfGetChildValueIntWithDefault(if_root, if_default, "buffer-size", &value)) == 1) { |
fbca1a4e EL |
366 | aconf->buffer_size = value; |
367 | } else { | |
368 | aconf->buffer_size = 0; | |
369 | } | |
4ae27756 | 370 | if ((ConfGetChildValueIntWithDefault(if_root, if_default, "ring-size", &value)) == 1) { |
8879df80 EL |
371 | aconf->ring_size = value; |
372 | if (value * aconf->threads < max_pending_packets) { | |
373 | aconf->ring_size = max_pending_packets / aconf->threads + 1; | |
374 | SCLogWarning(SC_ERR_AFP_CREATE, "Inefficient setup: ring-size < max_pending_packets. " | |
375 | "Resetting to decent value %d.", aconf->ring_size); | |
376 | /* We want at least that max_pending_packets packets can be handled by the | |
377 | * interface. This is generous if we have multiple interfaces listening. */ | |
378 | } | |
379 | } else { | |
380 | /* We want that max_pending_packets packets can be handled by suricata | |
381 | * for this interface. To take burst into account we multiply the obtained | |
382 | * size by 2. */ | |
383 | aconf->ring_size = max_pending_packets * 2 / aconf->threads; | |
384 | } | |
fbca1a4e | 385 | |
fa902abe EL |
386 | aconf->block_size = getpagesize() << AFP_BLOCK_SIZE_DEFAULT_ORDER; |
387 | if ((ConfGetChildValueIntWithDefault(if_root, if_default, "block-size", &value)) == 1) { | |
388 | if (value % getpagesize()) { | |
389 | SCLogError(SC_ERR_INVALID_VALUE, "Block-size must be a multiple of pagesize."); | |
390 | } else { | |
391 | aconf->block_size = value; | |
392 | } | |
393 | } | |
394 | ||
395 | if ((ConfGetChildValueIntWithDefault(if_root, if_default, "block-timeout", &value)) == 1) { | |
234aefdf EL |
396 | aconf->block_timeout = value; |
397 | } else { | |
398 | aconf->block_timeout = 10; | |
399 | } | |
400 | if ((ConfGetChildValueIntWithDefault(if_root, if_default, "block-timeout", &value)) == 1) { | |
fa902abe EL |
401 | aconf->block_timeout = value; |
402 | } else { | |
403 | aconf->block_timeout = 10; | |
404 | } | |
405 | ||
4ae27756 | 406 | (void)ConfGetChildValueBoolWithDefault(if_root, if_default, "disable-promisc", (int *)&boolval); |
67f791e8 | 407 | if (boolval) { |
df7dbe36 EL |
408 | SCLogInfo("Disabling promiscuous mode on iface %s", |
409 | aconf->iface); | |
410 | aconf->promisc = 0; | |
411 | } | |
67f791e8 | 412 | |
4ae27756 | 413 | if (ConfGetChildValueWithDefault(if_root, if_default, "checksum-checks", &tmpctype) == 1) { |
6062e00c | 414 | if (strcmp(tmpctype, "auto") == 0) { |
6062e00c | 415 | aconf->checksum_mode = CHECKSUM_VALIDATION_AUTO; |
d18e2f6e | 416 | } else if (ConfValIsTrue(tmpctype)) { |
6062e00c | 417 | aconf->checksum_mode = CHECKSUM_VALIDATION_ENABLE; |
d18e2f6e | 418 | } else if (ConfValIsFalse(tmpctype)) { |
6062e00c EL |
419 | aconf->checksum_mode = CHECKSUM_VALIDATION_DISABLE; |
420 | } else if (strcmp(tmpctype, "kernel") == 0) { | |
421 | aconf->checksum_mode = CHECKSUM_VALIDATION_KERNEL; | |
422 | } else { | |
423 | SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid value for checksum-checks for %s", aconf->iface); | |
424 | } | |
425 | } | |
df7dbe36 | 426 | |
b7bf299e EL |
427 | |
428 | int ltype = AFPGetLinkType(iface); | |
429 | switch (ltype) { | |
430 | case LINKTYPE_ETHERNET: | |
431 | if (GetIfaceOffloading(iface) == 1) { | |
432 | SCLogWarning(SC_ERR_AFP_CREATE, | |
433 | "Using AF_PACKET with GRO or LRO activated can lead to capture problems"); | |
434 | } | |
435 | case -1: | |
436 | default: | |
437 | break; | |
e951afb9 VJ |
438 | } |
439 | ||
bed18678 VJ |
440 | char *active_runmode = RunmodeGetActive(); |
441 | if (active_runmode && !strcmp("workers", active_runmode)) { | |
442 | aconf->flags |= AFP_ZERO_COPY; | |
443 | SCLogInfo("%s: enabling zero copy mode", iface); | |
444 | } else { | |
445 | /* If we are using copy mode we need a lock */ | |
446 | aconf->flags |= AFP_SOCK_PROTECT; | |
447 | } | |
448 | ||
449 | /* If we are in RING mode, then we can use ZERO copy | |
450 | * by using the data release mechanism */ | |
451 | if (aconf->flags & AFP_RING_MODE) { | |
452 | aconf->flags |= AFP_ZERO_COPY; | |
453 | SCLogInfo("%s: enabling zero copy mode by using data release call", iface); | |
454 | } | |
455 | ||
fbca1a4e EL |
456 | return aconf; |
457 | } | |
458 | ||
75c875b1 EL |
459 | int AFPConfigGeThreadsCount(void *conf) |
460 | { | |
461 | AFPIfaceConfig *afp = (AFPIfaceConfig *)conf; | |
462 | return afp->threads; | |
463 | } | |
fbca1a4e | 464 | |
1e36053e EL |
465 | int AFPRunModeIsIPS() |
466 | { | |
467 | int nlive = LiveGetDeviceCount(); | |
468 | int ldev; | |
469 | ConfNode *if_root; | |
470 | ConfNode *if_default = NULL; | |
471 | ConfNode *af_packet_node; | |
472 | int has_ips = 0; | |
473 | int has_ids = 0; | |
474 | ||
475 | /* Find initial node */ | |
476 | af_packet_node = ConfGetNode("af-packet"); | |
477 | if (af_packet_node == NULL) { | |
478 | return 0; | |
479 | } | |
480 | ||
481 | if_default = ConfNodeLookupKeyValue(af_packet_node, "interface", "default"); | |
482 | ||
483 | for (ldev = 0; ldev < nlive; ldev++) { | |
484 | char *live_dev = LiveGetDeviceName(ldev); | |
7cdc5706 VJ |
485 | if (live_dev == NULL) { |
486 | SCLogError(SC_ERR_INVALID_VALUE, "Problem with config file"); | |
487 | return 0; | |
488 | } | |
1e36053e | 489 | char *copymodestr = NULL; |
aa8e747e | 490 | if_root = ConfFindDeviceConfig(af_packet_node, live_dev); |
1e36053e EL |
491 | |
492 | if (if_root == NULL) { | |
493 | if (if_default == NULL) { | |
494 | SCLogError(SC_ERR_INVALID_VALUE, "Problem with config file"); | |
495 | return 0; | |
496 | } | |
497 | if_root = if_default; | |
498 | } | |
499 | ||
500 | if (ConfGetChildValueWithDefault(if_root, if_default, "copy-mode", ©modestr) == 1) { | |
501 | if (strcmp(copymodestr, "ips") == 0) { | |
502 | has_ips = 1; | |
503 | } else { | |
504 | has_ids = 1; | |
505 | } | |
506 | } else { | |
507 | has_ids = 1; | |
508 | } | |
509 | } | |
510 | ||
511 | if (has_ids && has_ips) { | |
512 | SCLogInfo("AF_PACKET mode using IPS and IDS mode"); | |
513 | for (ldev = 0; ldev < nlive; ldev++) { | |
514 | char *live_dev = LiveGetDeviceName(ldev); | |
7cdc5706 VJ |
515 | if (live_dev == NULL) { |
516 | SCLogError(SC_ERR_INVALID_VALUE, "Problem with config file"); | |
517 | return 0; | |
518 | } | |
1e36053e EL |
519 | if_root = ConfNodeLookupKeyValue(af_packet_node, "interface", live_dev); |
520 | char *copymodestr = NULL; | |
521 | ||
522 | if (if_root == NULL) { | |
523 | if (if_default == NULL) { | |
524 | SCLogError(SC_ERR_INVALID_VALUE, "Problem with config file"); | |
525 | return 0; | |
526 | } | |
527 | if_root = if_default; | |
528 | } | |
529 | ||
530 | if (! ((ConfGetChildValueWithDefault(if_root, if_default, "copy-mode", ©modestr) == 1) && | |
531 | (strcmp(copymodestr, "ips") == 0))) { | |
532 | SCLogError(SC_ERR_INVALID_ARGUMENT, | |
533 | "AF_PACKET IPS mode used and interface '%s' is in IDS or TAP mode. " | |
534 | "Sniffing '%s' but expect bad result as stream-inline is activated.", | |
535 | live_dev, live_dev); | |
536 | } | |
537 | } | |
538 | } | |
539 | ||
540 | return has_ips; | |
541 | } | |
542 | ||
994bc15c EL |
543 | #endif |
544 | ||
545 | ||
38b349af | 546 | int RunModeIdsAFPAutoFp(void) |
e80b30c0 EL |
547 | { |
548 | SCEnter(); | |
549 | ||
550 | /* We include only if AF_PACKET is enabled */ | |
551 | #ifdef HAVE_AF_PACKET | |
75c875b1 | 552 | int ret; |
e80b30c0 | 553 | char *live_dev = NULL; |
e80b30c0 | 554 | |
fbca1a4e EL |
555 | RunModeInitialize(); |
556 | ||
557 | TimeModeSetLive(); | |
558 | ||
2179ac25 | 559 | (void)ConfGet("af-packet.live-interface", &live_dev); |
fbca1a4e | 560 | |
75c875b1 | 561 | SCLogDebug("live_dev %s", live_dev); |
e80b30c0 | 562 | |
662dccd8 EL |
563 | if (AFPPeersListInit() != TM_ECODE_OK) { |
564 | SCLogError(SC_ERR_RUNMODE, "Unable to init peers list."); | |
565 | exit(EXIT_FAILURE); | |
566 | } | |
567 | ||
38b349af | 568 | ret = RunModeSetLiveCaptureAutoFp(ParseAFPConfig, |
75c875b1 EL |
569 | AFPConfigGeThreadsCount, |
570 | "ReceiveAFP", | |
41c768ce | 571 | "DecodeAFP", thread_name_autofp, |
75c875b1 EL |
572 | live_dev); |
573 | if (ret != 0) { | |
625a1e07 | 574 | SCLogError(SC_ERR_RUNMODE, "Unable to start runmode"); |
75c875b1 | 575 | exit(EXIT_FAILURE); |
e80b30c0 EL |
576 | } |
577 | ||
662dccd8 EL |
578 | /* In IPS mode each threads must have a peer */ |
579 | if (AFPPeersListCheck() != TM_ECODE_OK) { | |
580 | SCLogError(SC_ERR_RUNMODE, "Some IPS capture threads did not peer."); | |
581 | exit(EXIT_FAILURE); | |
582 | } | |
e80b30c0 | 583 | |
86a3f064 | 584 | SCLogDebug("RunModeIdsAFPAutoFp initialised"); |
e80b30c0 EL |
585 | #endif /* HAVE_AF_PACKET */ |
586 | ||
587 | SCReturnInt(0); | |
588 | } | |
589 | ||
590 | /** | |
591 | * \brief Single thread version of the AF_PACKET processing. | |
592 | */ | |
38b349af | 593 | int RunModeIdsAFPSingle(void) |
e80b30c0 | 594 | { |
38b349af | 595 | SCEnter(); |
1aab2470 EL |
596 | #ifdef HAVE_AF_PACKET |
597 | int ret; | |
598 | char *live_dev = NULL; | |
e80b30c0 EL |
599 | |
600 | RunModeInitialize(); | |
601 | TimeModeSetLive(); | |
602 | ||
2179ac25 | 603 | (void)ConfGet("af-packet.live-interface", &live_dev); |
e80b30c0 | 604 | |
662dccd8 EL |
605 | if (AFPPeersListInit() != TM_ECODE_OK) { |
606 | SCLogError(SC_ERR_RUNMODE, "Unable to init peers list."); | |
607 | exit(EXIT_FAILURE); | |
608 | } | |
609 | ||
38b349af | 610 | ret = RunModeSetLiveCaptureSingle(ParseAFPConfig, |
77869a2d EL |
611 | AFPConfigGeThreadsCount, |
612 | "ReceiveAFP", | |
41c768ce | 613 | "DecodeAFP", thread_name_single, |
1aab2470 EL |
614 | live_dev); |
615 | if (ret != 0) { | |
625a1e07 | 616 | SCLogError(SC_ERR_RUNMODE, "Unable to start runmode"); |
e80b30c0 EL |
617 | exit(EXIT_FAILURE); |
618 | } | |
e80b30c0 | 619 | |
662dccd8 EL |
620 | /* In IPS mode each threads must have a peer */ |
621 | if (AFPPeersListCheck() != TM_ECODE_OK) { | |
622 | SCLogError(SC_ERR_RUNMODE, "Some IPS capture threads did not peer."); | |
623 | exit(EXIT_FAILURE); | |
624 | } | |
625 | ||
86a3f064 | 626 | SCLogDebug("RunModeIdsAFPSingle initialised"); |
e80b30c0 EL |
627 | |
628 | #endif /* HAVE_AF_PACKET */ | |
629 | SCReturnInt(0); | |
c45d8985 | 630 | } |
beaa909e EL |
631 | |
632 | /** | |
633 | * \brief Workers version of the AF_PACKET processing. | |
634 | * | |
635 | * Start N threads with each thread doing all the work. | |
636 | * | |
637 | */ | |
38b349af | 638 | int RunModeIdsAFPWorkers(void) |
beaa909e | 639 | { |
38b349af | 640 | SCEnter(); |
beaa909e EL |
641 | #ifdef HAVE_AF_PACKET |
642 | int ret; | |
643 | char *live_dev = NULL; | |
beaa909e EL |
644 | |
645 | RunModeInitialize(); | |
646 | TimeModeSetLive(); | |
647 | ||
2179ac25 | 648 | (void)ConfGet("af-packet.live-interface", &live_dev); |
beaa909e | 649 | |
662dccd8 EL |
650 | if (AFPPeersListInit() != TM_ECODE_OK) { |
651 | SCLogError(SC_ERR_RUNMODE, "Unable to init peers list."); | |
652 | exit(EXIT_FAILURE); | |
653 | } | |
654 | ||
38b349af | 655 | ret = RunModeSetLiveCaptureWorkers(ParseAFPConfig, |
beaa909e EL |
656 | AFPConfigGeThreadsCount, |
657 | "ReceiveAFP", | |
41c768ce | 658 | "DecodeAFP", thread_name_workers, |
beaa909e EL |
659 | live_dev); |
660 | if (ret != 0) { | |
625a1e07 | 661 | SCLogError(SC_ERR_RUNMODE, "Unable to start runmode"); |
beaa909e EL |
662 | exit(EXIT_FAILURE); |
663 | } | |
664 | ||
662dccd8 EL |
665 | /* In IPS mode each threads must have a peer */ |
666 | if (AFPPeersListCheck() != TM_ECODE_OK) { | |
667 | SCLogError(SC_ERR_RUNMODE, "Some IPS capture threads did not peer."); | |
668 | exit(EXIT_FAILURE); | |
669 | } | |
670 | ||
86a3f064 | 671 | SCLogDebug("RunModeIdsAFPWorkers initialised"); |
beaa909e EL |
672 | |
673 | #endif /* HAVE_AF_PACKET */ | |
674 | SCReturnInt(0); | |
675 | } | |
a6457262 EL |
676 | |
677 | /** | |
678 | * @} | |
679 | */ |