From: Jason Ish
Date: Wed, 19 Feb 2025 05:07:40 +0000 (-0600)
Subject: af-packet: use tpacket v3 by default for ids mode
X-Git-Tag: suricata-8.0.0-beta1~241
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7fdb08b7c759324dc37865c5c791d867392b529d;p=thirdparty%2Fsuricata.git

af-packet: use tpacket v3 by default for ids mode

If "tpacket-v3" is not present in the configuration file, and we are in IDS mode, default to "tpacket-v3". Required moving the check for tpacket-v3 after the copy-mode configuration, so the warning about tpacket-v3 in active modes has been moved as well.

Ticket: #4798
---
diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c
index 14d910a3e9..ec02b6d02f 100644
--- a/src/runmode-af-packet.c
+++ b/src/runmode-af-packet.c
@@ -284,22 +284,6 @@ static void *ParseAFPConfig(const char *iface)
 aconf->flags |= AFP_MMAP_LOCKED;
 }
 
- if (ConfGetChildValueBoolWithDefault(if_root, if_default, "tpacket-v3", &boolval) == 1) {
- if (boolval) {
- if (strcasecmp(RunmodeGetActive(), "workers") == 0) {
- SCLogConfig("%s: enabling tpacket v3", aconf->iface);
- aconf->flags |= AFP_TPACKET_V3;
- } else {
- SCLogWarning("%s: tpacket v3 is only implemented for 'workers' runmode."
- " Switching to tpacket v2.",
- iface);
- aconf->flags &= ~AFP_TPACKET_V3;
- }
- } else {
- aconf->flags &= ~AFP_TPACKET_V3;
- }
- }
-
 (void)ConfGetChildValueBoolWithDefault(if_root, if_default, "use-emergency-flush", &boolval);
 if (boolval) {
 SCLogConfig("%s: using emergency ring flush", aconf->iface);
@@ -316,20 +300,39 @@ static void *ParseAFPConfig(const char *iface)
 } else if (strcmp(copymodestr, "ips") == 0) {
 SCLogInfo("%s: AF_PACKET IPS mode activated %s->%s", iface, iface, aconf->out_iface);
 aconf->copy_mode = AFP_COPY_MODE_IPS;
- if (aconf->flags & AFP_TPACKET_V3) {
- SCLogWarning("%s: using tpacket_v3 in IPS mode will result in high latency", iface);
- }
 } else if (strcmp(copymodestr, "tap") == 0) {
 SCLogInfo("%s: AF_PACKET TAP mode activated %s->%s", iface, iface, aconf->out_iface);
 aconf->copy_mode = AFP_COPY_MODE_TAP;
- if (aconf->flags & AFP_TPACKET_V3) {
- SCLogWarning("%s: using tpacket_v3 in TAP mode will result in high latency", iface);
- }
 } else {
 SCLogWarning("Invalid 'copy-mode' (not in tap, ips)");
 }
 }
 
+ if (ConfGetChildValueBoolWithDefault(if_root, if_default, "tpacket-v3", &boolval) == 1) {
+ if (boolval) {
+ if (strcasecmp(RunmodeGetActive(), "workers") == 0) {
+ SCLogConfig("%s: enabling tpacket v3", aconf->iface);
+ aconf->flags |= AFP_TPACKET_V3;
+ } else {
+ SCLogWarning("%s: tpacket v3 is only implemented for 'workers' runmode."
+ " Switching to tpacket v2.",
+ iface);
+ aconf->flags &= ~AFP_TPACKET_V3;
+ }
+ } else {
+ aconf->flags &= ~AFP_TPACKET_V3;
+ }
+ } else if (aconf->copy_mode == AFP_COPY_MODE_NONE) {
+ // If copy mode is none (passive IDS) and "tpacket-v3" is not
+ // present, default to TPACKET_V3.
+ SCLogConfig("%s: enabling tpacket v3", aconf->iface);
+ aconf->flags |= AFP_TPACKET_V3;
+ }
+
+ if (aconf->flags & AFP_TPACKET_V3 && aconf->copy_mode) {
+ SCLogWarning("%s: using tpacket-v3 in IPS or TAP mode will result in high latency", iface);
+ }
+
 if (ConfGetChildValueWithDefault(if_root, if_default, "cluster-id", &tmpclusterid) != 1) {
 aconf->cluster_id = (uint16_t)(cluster_id_auto++);
 } else {
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 6182bd595d..40484ea1c4 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
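Review bot: The new default branch `else if (aconf->copy_mode == AFP_COPY_MODE_NONE)` sets `AFP_TPACKET_V3` without the `RunmodeGetActive()` check that the explicit `tpacket-v3: yes` path applies a few lines above, where the warning says tpacket v3 is only implemented for the 'workers' runmode and falls back to v2. As written, a passive IDS setup in another runmode with the key absent appears to get v3 enabled with no warning, unless code later in ParseAFPConfig (which continues outside this hunk) clears the flag; on a sensor, a capture mode that is not implemented for the active runmode risks a loss of traffic visibility. Consider `} else if (aconf->copy_mode == AFP_COPY_MODE_NONE && strcasecmp(RunmodeGetActive(), "workers") == 0) {`, and mention the runmode condition in the new `suricata.yaml.in` comments in the two hunks that follow. A smaller style point: `if ((aconf->flags & AFP_TPACKET_V3) && aconf->copy_mode != AFP_COPY_MODE_NONE)` would make the precedence and the enum comparison explicit, matching the `== AFP_COPY_MODE_NONE` test just above it.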
@@ -667,7 +667,8 @@ af-packet:
 # subscribing could lock your system
 #mmap-locked: yes
 # Use tpacket_v3 capture mode.
- # Don't use it in IPS or TAP mode as it causes severe latency
+ # Defaults to true for non-copy modes, and false for tap and ips mode.
+ # Don't use it in IPS or TAP mode as it causes severe latency.
 #tpacket-v3: yes
 # Ring size will be computed with respect to "max-pending-packets" and number
 # of threads. You can set manually the ring size in number of packets by setting
@@ -720,6 +721,8 @@ af-packet:
 # in the list above.
 - interface: default
 #threads: auto
+ # If left commented out, defaults to true when not in a copy
+ # (inline) mode.
 #tpacket-v3: yes
 
 # Linux high speed af-xdp capture support