From: Eric Leblond <eric@regit.org>
Date: Fri, 19 Jun 2015 10:13:31 +0000 (+0200)
Subject: af-packet: implement rollover option
X-Git-Tag: suricata-3.0RC1~247
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8fde842f97161fe69013944800ebd68cb805384a;p=thirdparty%2Fsuricata.git

af-packet: implement rollover option

This patch implements the rollover option in af_packet capture.
This should heavily minimize the packet drops as well as the
maximum bandwidth treated for a single flow.

The option has been deactivated by default but it is activated in
the af_packet default section. This ensure there is no change for
old users using an existing YAML. And new users will benefit from
the change.

This option is available since Linux 3.10. An analysis of af_packet
kernel code shows that setting the flag in all cases should not
cause any trouble for older kernel.
---

diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c
index cd2b5266b7..fc17a4bd66 100644
--- a/src/runmode-af-packet.c
+++ b/src/runmode-af-packet.c
@@ -301,6 +301,14 @@ void *ParseAFPConfig(const char *iface)
         return NULL;
     }
 
+    int conf_val = 0;
+    ConfGetChildValueBoolWithDefault(if_root, if_default, "rollover", &conf_val);
+    if (conf_val) {
+        SCLogInfo("Using rollover kernel functionality for AF_PACKET (iface %s)",
+                aconf->iface);
+        aconf->cluster_type |= PACKET_FANOUT_FLAG_ROLLOVER;
+    }
+
     /*load af_packet bpf filter*/
     /* command line value has precedence */
     if (ConfGet("bpf-filter", &bpf_filter) != 1) {
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 480521a42b..da1ee3a9cc 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -428,6 +428,10 @@ af-packet:
     # In some fragmentation case, the hash can not be computed. If "defrag" is set
     # to yes, the kernel will do the needed defragmentation before sending the packets.
     defrag: yes
+    # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is
+    # full then kernel will send the packet on the next socket with room available. This option
+    # can minimize packet drop and increase the treated bandwith on single intensive flow.
+    #rollover: yes
     # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
     use-mmap: yes
     # Ring size will be computed with respect to max_pending_packets and number
@@ -474,6 +478,7 @@ af-packet:
   - interface: default
     #threads: auto
     #use-mmap: yes
+    rollover: yes
 
 # Netmap support
 #