From: Eric Leblond Date: Tue, 9 May 2017 21:35:03 +0000 (+0200) Subject: af-packet: warn when tpacket_v3 is used in IPS X-Git-Tag: suricata-4.0.0-beta1~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=050d8f788b1b9f62f0bc46a245c506e39a42621a;p=thirdparty%2Fsuricata.git af-packet: warn when tpacket_v3 is used in IPS Update yaml and add an error message. --- diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c index cbd27c9378..55844dfc6f 100644 --- a/src/runmode-af-packet.c +++ b/src/runmode-af-packet.c @@ -264,11 +264,17 @@ static void *ParseAFPConfig(const char *iface) iface, aconf->out_iface); aconf->copy_mode = AFP_COPY_MODE_IPS; + if (aconf->flags & AFP_TPACKET_V3) { + SCLogWarning(SC_ERR_RUNMODE, "Using tpacket_v3 in IPS mode will result in high latency"); + } } else if (strcmp(copymodestr, "tap") == 0) { SCLogInfo("AF_PACKET TAP mode activated %s->%s", iface, aconf->out_iface); aconf->copy_mode = AFP_COPY_MODE_TAP; + if (aconf->flags & AFP_TPACKET_V3) { + SCLogWarning(SC_ERR_RUNMODE, "Using tpacket_v3 in TAP mode will result in high latency"); + } } else { SCLogInfo("Invalid mode (not in tap, ips)"); } diff --git a/suricata.yaml.in b/suricata.yaml.in index 19e5401929..e8f806ffee 100644 --- a/suricata.yaml.in +++ b/suricata.yaml.in @@ -573,7 +573,8 @@ af-packet: # Lock memory map to avoid it goes to swap. Be careful that over suscribing could lock # your system #mmap-locked: yes - # Use experimental tpacket_v3 capture mode, only active if use-mmap is true + # Use tpacket_v3 capture mode, only active if use-mmap is true + # Don't use it in IPS or TAP mode as it causes severe latency #tpacket-v3: yes # Ring size will be computed with respect to max_pending_packets and number # of threads. You can set manually the ring size in number of packets by setting