This patch implements the rollover option in af_packet capture.
This should heavily minimize the packet drops as well as the
maximum bandwidth treated for a single flow.
The option has been deactivated by default but it is activated in
the af_packet default section. This ensure there is no change for
old users using an existing YAML. And new users will benefit from
the change.
This option is available since Linux 3.10. An analysis of af_packet
kernel code shows that setting the flag in all cases should not
cause any trouble for older kernel.
return NULL;
}
+ int conf_val = 0;
+ ConfGetChildValueBoolWithDefault(if_root, if_default, "rollover", &conf_val);
+ if (conf_val) {
+ SCLogInfo("Using rollover kernel functionality for AF_PACKET (iface %s)",
+ aconf->iface);
+ aconf->cluster_type |= PACKET_FANOUT_FLAG_ROLLOVER;
+ }
+
/*load af_packet bpf filter*/
/* command line value has precedence */
if (ConfGet("bpf-filter", &bpf_filter) != 1) {
# In some fragmentation case, the hash can not be computed. If "defrag" is set
# to yes, the kernel will do the needed defragmentation before sending the packets.
defrag: yes
+ # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is
+ # full then kernel will send the packet on the next socket with room available. This option
+ # can minimize packet drop and increase the treated bandwith on single intensive flow.
+ #rollover: yes
# To use the ring feature of AF_PACKET, set 'use-mmap' to yes
use-mmap: yes
# Ring size will be computed with respect to max_pending_packets and number
- interface: default
#threads: auto
#use-mmap: yes
+ rollover: yes
# Netmap support
#
projects / thirdparty / suricata.git / commitdiff
