# liblua
AC_ARG_ENABLE(lua,
AS_HELP_STRING([--enable-lua],[Enable Lua support]),
- [ enable_lua="$enableval"],
- [ enable_lua="no"])
- AC_ARG_ENABLE(luajit,
- AS_HELP_STRING([--enable-luajit],[Enable Luajit support]),
- [ enable_luajit="$enableval"],
- [ enable_luajit="no"])
- if test "$enable_lua" = "yes"; then
- if test "$enable_luajit" = "yes"; then
- echo "ERROR: can't enable liblua and luajit at the same time."
- echo "For LuaJIT, just use --enable-luajit. For liblua (no jit)"
- echo "support, use just --enable-lua."
- echo "Both options will enable the Lua scripting capabilities"
- echo "in Suricata".
- echo
- exit 1
- fi
- fi
+ [ enable_lua="$enableval"],
+ [ enable_lua="no"])
AC_ARG_WITH(liblua_includes,
[ --with-liblua-includes=DIR liblua include directory],
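Review bot: With the `--enable-luajit` option dropped in this hunk, a build script that still passes only `--enable-luajit` is no longer stopped, because autoconf accepts unknown `--enable-*` switches with just a warning at the end of the run. That switch used to turn Lua scripting on by itself (`enable_lua="yes, through luajit"` in the block removed further down), so such a build would presumably end up with `enable_lua="no"`, and rules using the `lua` keyword would likely fail to load, which on a sensor is a quiet loss of detection coverage. Consider keeping a stub for a release that fails loudly, e.g. `AC_ARG_ENABLE(luajit, [], [AC_MSG_ERROR([LuaJIT support was removed; use --enable-lua])])`. The rest of the liblua detection lies outside this hunk, so this is inferred from the visible lines only.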
fi
fi
- # libluajit
- AC_ARG_WITH(libluajit_includes,
- [ --with-libluajit-includes=DIR libluajit include directory],
- [with_libluajit_includes="$withval"],[with_libluajit_includes="no"])
- AC_ARG_WITH(libluajit_libraries,
- [ --with-libluajit-libraries=DIR libluajit library directory],
- [with_libluajit_libraries="$withval"],[with_libluajit_libraries="no"])
-
- if test "$enable_luajit" = "yes"; then
- if test "$with_libluajit_includes" != "no"; then
- CPPFLAGS="${CPPFLAGS} -I${with_libluajit_includes}"
- else
- PKG_CHECK_MODULES([LUAJIT], [luajit], , LUAJIT="no")
- CPPFLAGS="${CPPFLAGS} ${LUAJIT_CFLAGS}"
- fi
-
- AC_CHECK_HEADER(lualib.h,LUAJIT="yes",LUAJIT="no")
- if test "$LUAJIT" = "yes"; then
- if test "$with_libluajit_libraries" != "no"; then
- LDFLAGS="${LDFLAGS} -L${with_libluajit_libraries}"
- else
- PKG_CHECK_MODULES([LUAJIT], [luajit])
- LIBS="${LIBS} ${LUAJIT_LIBS}"
- fi
-
- AC_CHECK_LIB(luajit-5.1, luaL_openlibs,, LUAJIT="no")
-
- if test "$LUAJIT" = "no"; then
- echo
- echo " ERROR! libluajit library not found, go get it"
- echo " from http://luajit.org/index.html or your distribution:"
- echo
- echo " Ubuntu: apt-get install libluajit-5.1-dev"
- echo
- echo " If you installed software in a non-standard prefix"
- echo " consider adjusting the PKG_CONFIG_PATH environment variable"
- echo " or use --with-libluajit-libraries configure option."
- echo
- exit 1
- fi
-
- AC_DEFINE([HAVE_LUA],[1],[lua support available])
- AC_DEFINE([HAVE_LUAJIT],[1],[libluajit available])
- enable_lua="yes, through luajit"
- enable_luajit="yes"
- else
- echo
- echo " ERROR! libluajit headers not found, go get them"
- echo " from http://luajit.org/index.html or your distribution:"
- echo
- echo " Ubuntu: apt-get install libluajit-5.1-dev"
- echo
- echo " If you installed software in a non-standard prefix"
- echo " consider adjusting the PKG_CONFIG_PATH environment variable"
- echo " or use --with-libluajit-includes and --with-libluajit-libraries"
- echo " configure option."
- echo
- exit 1
- fi
- fi
-
AM_CONDITIONAL([HAVE_LUA], [test "x$enable_lua" != "xno"])
# If Lua is enabled, test the integer size.
hiredis async with libevent: ${enable_hiredis_async}
PCRE jit: ${pcre2_jit_available}
LUA support: ${enable_lua}
- libluajit: ${enable_luajit}
GeoIP2 support: ${enable_geoip}
JA3 support: ${enable_ja3}
JA4 support: ${enable_ja4}
# message with the offending stacktrace if enabled.
#stacktrace-on-signal: on
-luajit
-~~~~~~
-
-states
-^^^^^^
-
-Luajit has a strange memory requirement, it's 'states' need to be in the
-first 2G of the process' memory. For this reason when luajit is used the
-states are allocated at the process startup. This option controls how many
-states are preallocated.
-
-If the pool is depleted a warning is generated. Suricata will still try to
-continue, but may fail if other parts of the engine take too much memory.
-If the pool was depleted a hint will be printed at the engines exit.
-
-States are allocated as follows: for each detect script a state is used per
-detect thread. For each output script, a single state is used. Keep in
-mind that a rule reload temporary doubles the states requirement.
.. _deprecation policy: https://suricata.io/about/deprecation-policy/
Lua Scripting
-------------
-- Suricata has the ``lua`` (or ``luajit``) keyword which allows for a
+- Suricata has the ``lua`` keyword which allows for a
rule to reference a Lua script that can access the packet, payload,
HTTP buffers, etc.
- Provides powerful flexibility and capabilities that Snort does
util-lua-hassh.h \
util-lua-http.h \
util-lua-ja3.h \
- util-luajit.h \
util-lua-smtp.h \
util-lua-ssh.h \
util-lua-tls.h \
util-lua-hassh.c \
util-lua-http.c \
util-lua-ja3.c \
- util-luajit.c \
util-lua-smtp.c \
util-lua-ssh.c \
util-lua-tls.c \
UtRegisterTest("LuaMatchTest06a", LuaMatchTest06a);
}
#endif
-#endif /* HAVE_LUAJIT */
+#endif /* HAVE_LUA */
#include "util-streaming-buffer.h"
#include "util-lua.h"
-#include "util-luajit.h"
#include "tm-modules.h"
#include "tmqh-packetpool.h"
#include "decode-chdlc.h"
GlobalsInitPreConfig();
EngineModeSetIDS();
-#ifdef HAVE_LUAJIT
- if (LuajitSetupStatesPool() != 0) {
- exit(EXIT_FAILURE);
- }
-#endif
-
default_packet_size = DEFAULT_PACKET_SIZE;
/* load the pattern matchers */
MpmTableSetup();
}
}
-#ifdef HAVE_LUAJIT
- LuajitFreeStatesPool();
-#endif
-
exit(EXIT_SUCCESS);
#else
FatalError("Unittests are not build-in");
#include "util-hugepages.h"
#include "util-ioctl.h"
#include "util-landlock.h"
-#include "util-luajit.h"
#include "util-macset.h"
#include "util-misc.h"
#include "util-mpm-hs.h"
#endif
ConfDeInit();
-#ifdef HAVE_LUAJIT
- LuajitFreeStatesPool();
-#endif
+
DetectParseFreeRegexes();
SCPidfileRemove(suri->pid_filename);
#endif
#ifdef HAVE_JA4
strlcat(features, "HAVE_JA4 ", sizeof(features));
-#endif
-#ifdef HAVE_LUAJIT
- strlcat(features, "HAVE_LUAJIT ", sizeof(features));
#endif
strlcat(features, "HAVE_LIBJANSSON ", sizeof(features));
#ifdef PROFILING
*/
int PostConfLoadedSetup(SCInstance *suri)
{
- /* do this as early as possible #1577 #1955 */
-#ifdef HAVE_LUAJIT
- if (LuajitSetupStatesPool() != 0) {
- SCReturnInt(TM_ECODE_FAILED);
- }
-#endif
-
/* load the pattern matchers */
MpmTableSetup();
SpmTableSetup();
#include "util-print.h"
#include "util-unittest.h"
-#include "util-luajit.h"
#include "util-debug.h"
lua_State *LuaGetState(void)
{
lua_State *s = NULL;
-#ifdef HAVE_LUAJIT
- s = LuajitGetState();
-#else
s = luaL_newstate();
-#endif
return s;
}
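Review bot: `LuaGetState` is now a plain wrapper around `luaL_newstate()`, so the `NULL` initialiser followed by an immediate assignment is leftover scaffolding from the removed `#ifdef`; the body can be just `return luaL_newstate();`. A short comment would also help, such as `/* Returns a fresh state, or NULL if allocation fails; the caller owns it and must release it. */`. `luaL_newstate()` returns NULL on memory exhaustion, and the callers are not visible here to confirm they check for that.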
while (lua_gettop(s) > 0) {
lua_pop(s, 1);
}
-#ifdef HAVE_LUAJIT
- LuajitReturnState(s);
-#else
lua_close(s);
-#endif
}
}
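Review bot: The stack-clearing loop ahead of `lua_close(s)` no longer has a purpose. It made sense while a state could be handed back to the LuaJIT pool for reuse, but `lua_close()` destroys every object in the state, so the `while (lua_gettop(s) > 0)` loop can be dropped. If it is kept, it deserves a one-line comment saying why. The function's opening lines are outside this hunk, so the guard around this code is not visible here.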
+++ /dev/null
-/* Copyright (C) 2007-2016 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Victor Julien <victor@inliniac.net>
- *
- */
-
-#include "suricata-common.h"
-
-#ifdef HAVE_LUAJIT
-#include "conf.h"
-#include "util-pool.h"
-#include "util-lua.h"
-#include "util-luajit.h"
-
-/** \brief lua_State pool
- *
- * Lua requires states to be alloc'd in memory <2GB. For this reason we
- * prealloc the states early during engine startup so we have a better chance
- * of getting the states. We protect the pool with a lock as the detect
- * threads access it during their init and cleanup.
- *
- * Pool size is automagically determined based on number of keyword occurrences,
- * cpus/cores and rule reloads being enabled or not.
- *
- * Alternatively, the "detect-engine.luajit-states" var can be set.
- */
-static Pool *luajit_states = NULL;
-static pthread_mutex_t luajit_states_lock = SCMUTEX_INITIALIZER;
-static int luajit_states_cnt = 0;
-static int luajit_states_cnt_max = 0;
-static int luajit_states_size = 0;
-#define LUAJIT_DEFAULT_STATES 128
-
-static void *LuaStatePoolAlloc(void)
-{
- return luaL_newstate();
-}
-
-static void LuaStatePoolFree(void *d)
-{
- lua_State *s = (lua_State *)d;
- if (s != NULL)
- lua_close(s);
-}
-
-/** \brief Populate lua states pool
- *
- * \param num keyword instances
- * \param reloads bool indicating we have rule reloads enabled
- */
-int LuajitSetupStatesPool(void)
-{
- int retval = 0;
- pthread_mutex_lock(&luajit_states_lock);
-
- if (luajit_states == NULL) {
- intmax_t cnt = 0;
- if (ConfGetInt("luajit.states", &cnt) != 1) {
- ConfNode *denode = NULL;
- ConfNode *decnf = ConfGetNode("detect-engine");
- if (decnf != NULL) {
- TAILQ_FOREACH(denode, &decnf->head, next) {
- if (denode->val && strcmp(denode->val, "luajit-states") == 0) {
- ConfGetChildValueInt(denode, "luajit-states", &cnt);
- }
- }
- }
- }
- if (cnt == 0) {
- cnt = LUAJIT_DEFAULT_STATES;
- }
- luajit_states_size = cnt;
-
- luajit_states = PoolInit(0, cnt, 0, LuaStatePoolAlloc, NULL, NULL, NULL, LuaStatePoolFree);
- if (luajit_states == NULL) {
- SCLogError("luastate pool init failed, lua/luajit keywords won't work");
- retval = -1;
- }
-
- if (retval == 0) {
- SCLogConfig("luajit states preallocated: %d", luajit_states_size);
- }
- }
-
- pthread_mutex_unlock(&luajit_states_lock);
- return retval;
-}
-
-void LuajitFreeStatesPool(void)
-{
- pthread_mutex_lock(&luajit_states_lock);
- if (luajit_states_cnt_max > luajit_states_size) {
- SCLogNotice("luajit states used %d is bigger than pool size %d. Set "
- "luajit.states to %d to avoid memory issues. "
- "See tickets #1577 and #1955.",
- luajit_states_cnt_max, luajit_states_size, luajit_states_cnt_max);
- }
- PoolFree(luajit_states);
- luajit_states = NULL;
- luajit_states_size = 0;
- luajit_states_cnt = 0;
- pthread_mutex_unlock(&luajit_states_lock);
-}
-
-lua_State *LuajitGetState(void)
-{
- lua_State *s = NULL;
- pthread_mutex_lock(&luajit_states_lock);
- if (luajit_states != NULL) {
- s = (lua_State *)PoolGet(luajit_states);
- if (s != NULL) {
- if (luajit_states_cnt == luajit_states_size) {
- SCLogWarning("luajit states pool size %d "
- "reached. Increase luajit.states config option. "
- "See tickets #1577 and #1955",
- luajit_states_size);
- }
-
- luajit_states_cnt++;
- if (luajit_states_cnt > luajit_states_cnt_max)
- luajit_states_cnt_max = luajit_states_cnt;
- }
- }
- pthread_mutex_unlock(&luajit_states_lock);
- return s;
-}
-
-void LuajitReturnState(lua_State *s)
-{
- if (s != NULL) {
- pthread_mutex_lock(&luajit_states_lock);
- PoolReturn(luajit_states, (void *)s);
- BUG_ON(luajit_states_cnt <= 0);
- luajit_states_cnt--;
- pthread_mutex_unlock(&luajit_states_lock);
- }
-}
-
-#endif /* HAVE_LUAJIT */
+++ /dev/null
-/* Copyright (C) 2007-2016 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Victor Julien <victor@inliniac.net>
- */
-
-#ifndef SURICATA_UTIL_LUAJIT_H
-#define SURICATA_UTIL_LUAJIT_H
-
-#ifdef HAVE_LUAJIT
-
-#include "util-lua.h"
-
-int LuajitSetupStatesPool(void);
-void LuajitFreeStatesPool(void);
-lua_State *LuajitGetState(void);
-void LuajitReturnState(lua_State *s);
-
-#endif /* HAVE_LUAJIT */
-
-#endif /* SURICATA_UTIL_LUAJIT_H */
# Generally, the per-thread stack-size should not exceed 8MB.
#stack-size: 8mb
-# Luajit has a strange memory requirement, its 'states' need to be in the
-# first 2G of the process' memory.
-#
-# 'luajit.states' is used to control how many states are preallocated.
-# State use: per detect script: 1 per detect thread. Per output script: 1 per
-# script.
-luajit:
- states: 128
-
# Profiling settings. Only effective if Suricata has been built with
# the --enable-profiling configure flag.
#