af-packet: configurable tpacket_v3 block timeout

Block timeout defines the maximum filling duration of a block.

diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c
index 347373d3f2250117bc203ae0521cb151ece54bca..0c457ee7ba639a613a344c261bb6fc400b278130 100644 (file)
--- a/src/runmode-af-packet.c
+++ b/src/runmode-af-packet.c
@@ -370,6 +370,11 @@ void *ParseAFPConfig(const char *iface)
         }
     }
 
+    if ((ConfGetChildValueIntWithDefault(if_root, if_default, "block-timeout", &value)) == 1) {
+        aconf->block_timeout = value;
+    } else {
+        aconf->block_timeout = 10;
+    }
     if ((ConfGetChildValueIntWithDefault(if_root, if_default, "block-timeout", &value)) == 1) {
         aconf->block_timeout = value;
     } else {

diff --git a/src/source-af-packet.c b/src/source-af-packet.c
index 3fdeb4f000d43f36e994542232ebb0a3fc2b9f0e..3f447b081530608f47ebbc43a6a7101c1f5e9e9c 100644 (file)
--- a/src/source-af-packet.c
+++ b/src/source-af-packet.c
@@ -232,6 +232,7 @@ typedef struct AFPThreadVars_
 
     int ring_size;
     int block_size;
+    int block_timeout;
     /* socket buffer size */
     int buffer_size;
     /* Filter */
@@ -1582,7 +1583,7 @@ static int AFPComputeRingParamsV3(AFPThreadVars *ptv)
     ptv->req3.tp_block_nr = ptv->ring_size / frames_per_block + 1;
     /* exact division */
     ptv->req3.tp_frame_nr = ptv->req3.tp_block_nr * frames_per_block;
-    ptv->req3.tp_retire_blk_tov = 10; /* 10 ms timeout on block */
+    ptv->req3.tp_retire_blk_tov = ptv->block_timeout;
     ptv->req3.tp_feature_req_word = TP_FT_REQ_FILL_RXHASH;
     SCLogInfo("AF_PACKET V3 RX Ring params: block_size=%d block_nr=%d frame_size=%d frame_nr=%d (mem: %d)",
               ptv->req3.tp_block_size, ptv->req3.tp_block_nr,

diff --git a/src/source-af-packet.h b/src/source-af-packet.h
index 6560701ae4f5149d7b83c45d27c29a00684f917e..7b3214c4df5ed2d1c52d5771f80de7ebf8bd470b 100644 (file)
--- a/src/source-af-packet.h
+++ b/src/source-af-packet.h
@@ -58,6 +58,10 @@
 #define AFP_FILE_MAX_PKTS 256
 #define AFP_IFACE_NAME_LENGTH 48
 
+/* In kernel the allocated block size is allocated using the formula
+ * page_size << order. So default value is using the same formula with
+ * an order of 3 which guarantee we have some room in the block compared
+ * to standard frame size */
 #define AFP_BLOCK_SIZE_DEFAULT_ORDER 3
 
 typedef struct AFPIfaceConfig_
@@ -69,8 +73,10 @@ typedef struct AFPIfaceConfig_
     int buffer_size;
     /* ring size in number of packets */
     int ring_size;
-    /* block size for tpacket_v3 */
+    /* block size for tpacket_v3 in */
     int block_size;
+    /* block timeout for tpacket_v3 in milliseconds */
+    int block_timeout;
     /* cluster param */
     int cluster_id;
     int cluster_type;

diff --git a/suricata.yaml.in b/suricata.yaml.in
index 5c0dd8b4a0de5a62bf1d91647050b4d73366f6ca..ea533081f47e581ae53cfedc44c872d839e51025 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -482,6 +482,9 @@ af-packet:
     # a decent number of packets. Size is in bytes so please consider your MTU. It should be
     # a power of 2 and it must be multiple of page size (usually 4096).
     #block-size: 32768
+    # tpacket_v3 block timeout: an open block is passed to userspace if it is not
+    # filled after block-timeout milliseconds.
+    #block-timeout: 10
     # On busy system, this could help to set it to yes to recover from a packet drop
     # phase. This will result in some packets (at max a ring flush) being non treated.
     #use-emergency-flush: yes