af-packet: warn when tpacket_v3 is used in IPS

Update yaml and add an error message.

diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c
index cbd27c9378cdd60f683ae67320c0d4320ba9933e..55844dfc6fed342040b32d5da77db41eaab40b87 100644 (file)
--- a/src/runmode-af-packet.c
+++ b/src/runmode-af-packet.c
@@ -264,11 +264,17 @@ static void *ParseAFPConfig(const char *iface)
                     iface,
                     aconf->out_iface);
             aconf->copy_mode = AFP_COPY_MODE_IPS;
+            if (aconf->flags & AFP_TPACKET_V3) {
+                SCLogWarning(SC_ERR_RUNMODE, "Using tpacket_v3 in IPS mode will result in high latency");
+            }
         } else if (strcmp(copymodestr, "tap") == 0) {
             SCLogInfo("AF_PACKET TAP mode activated %s->%s",
                     iface,
                     aconf->out_iface);
             aconf->copy_mode = AFP_COPY_MODE_TAP;
+            if (aconf->flags & AFP_TPACKET_V3) {
+                SCLogWarning(SC_ERR_RUNMODE, "Using tpacket_v3 in TAP mode will result in high latency");
+            }
         } else {
             SCLogInfo("Invalid mode (not in tap, ips)");
         }

diff --git a/suricata.yaml.in b/suricata.yaml.in
index 19e54019295c4e993d7b2e8cbfa78e8b8f377b91..e8f806ffee51da192cda2b943be7304423786347 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -573,7 +573,8 @@ af-packet:
     # Lock memory map to avoid it goes to swap. Be careful that over suscribing could lock
     # your system
     #mmap-locked: yes
-    # Use experimental tpacket_v3 capture mode, only active if use-mmap is true
+    # Use tpacket_v3 capture mode, only active if use-mmap is true
+    # Don't use it in IPS or TAP mode as it causes severe latency
     #tpacket-v3: yes
     # Ring size will be computed with respect to max_pending_packets and number
     # of threads. You can set manually the ring size in number of packets by setting