From: Jason Ish Date: Mon, 17 Mar 2025 16:35:57 +0000 (-0600) Subject: af-packet: delay setting default-packet-size for af-packet X-Git-Tag: suricata-8.0.0-beta1~265 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b8b6ed550a6f10150f5ecf154e7b60c6dc2f84fe;p=thirdparty%2Fsuricata.git af-packet: delay setting default-packet-size for af-packet AF_PACKET needs more information about its configuration before we can set the default packet size, so on startup, leave unset in suricata.c if in AF_PACKET mode. If defrag is enabled, use a default packet size of 9k for tpacket-v2. This can still lead to truncation events, then the user can increase their 'default-packet-size'. Tpacket-v3 does not need an increased packet size as it will handle any size of packet that is smaller than the configured block size which now has a default of 128k. 9k for the snap is somewhat arbitrary but is large enough for the common 9000 jumbo frame plus some extra headers including tpacket headers. Ticket: #7458
---
diff --git a/src/source-af-packet.c b/src/source-af-packet.c
index 41e605fa85..a895caa813 100644
--- a/src/source-af-packet.c
+++ b/src/source-af-packet.c
@@ -1582,10 +1582,16 @@ sockaddr_ll) + ETH_HLEN) - ETH_HLEN);
 int snaplen = default_packet_size;
 if (snaplen == 0) {
- snaplen = GetIfaceMaxPacketSize(ptv->livedev);
- if (snaplen <= 0) {
- SCLogWarning("%s: unable to get MTU, setting snaplen default of 1514", ptv->iface);
- snaplen = 1514;
+ if (ptv->cluster_type & PACKET_FANOUT_FLAG_DEFRAG) {
+ SCLogConfig("%s: defrag enabled, setting snaplen to %d", ptv->iface,
+ DEFAULT_TPACKET_DEFRAG_SNAPLEN);
+ snaplen = DEFAULT_TPACKET_DEFRAG_SNAPLEN;
+ } else {
+ snaplen = GetIfaceMaxPacketSize(ptv->livedev);
+ if (snaplen <= 0) {
+ SCLogWarning("%s: unable to get MTU, setting snaplen default of 1514", ptv->iface);
+ snaplen = 1514;
+ }
 }
 }
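Review bot: In the new defrag branch, `snaplen` is fixed at `DEFAULT_TPACKET_DEFRAG_SNAPLEN` without consulting `GetIfaceMaxPacketSize(ptv->livedev)`, so an interface whose maximum packet size is above 9216 ends up with a smaller capture length with defrag on than with defrag off. Bytes cut off at capture are bytes the engine never inspects, so I would take the larger of the two, e.g. `int iface_max = GetIfaceMaxPacketSize(ptv->livedev);` followed by `snaplen = iface_max > DEFAULT_TPACKET_DEFRAG_SNAPLEN ? iface_max : DEFAULT_TPACKET_DEFRAG_SNAPLEN;`, which also covers a failed MTU lookup. The identical branch in the hunk at -1636 has the same gap. The enclosing function starts and ends outside both hunks.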
@@ -1636,10 +1642,16 @@ sockaddr_ll) + ETH_HLEN) - ETH_HLEN);
 int snaplen = default_packet_size;
 if (snaplen == 0) {
- snaplen = GetIfaceMaxPacketSize(ptv->livedev);
- if (snaplen <= 0) {
- SCLogWarning("%s: unable to get MTU, setting snaplen default of 1514", ptv->iface);
- snaplen = 1514;
+ if (ptv->cluster_type & PACKET_FANOUT_FLAG_DEFRAG) {
+ SCLogConfig("%s: defrag enabled, setting snaplen to %d", ptv->iface,
+ DEFAULT_TPACKET_DEFRAG_SNAPLEN);
+ snaplen = DEFAULT_TPACKET_DEFRAG_SNAPLEN;
+ } else {
+ snaplen = GetIfaceMaxPacketSize(ptv->livedev);
+ if (snaplen <= 0) {
+ SCLogWarning("%s: unable to get MTU, setting snaplen default of 1514", ptv->iface);
+ snaplen = 1514;
+ }
 }
 }
diff --git a/src/source-af-packet.h b/src/source-af-packet.h
index 61f95b54ca..29bedcb418 100644
--- a/src/source-af-packet.h
+++ b/src/source-af-packet.h
@@ -80,6 +80,11 @@ struct ebpf_timeout_config {
 /* Set max packet size to 65561: IP + Ethernet + 3 VLAN tags. */
 #define MAX_PACKET_SIZE 65561
+/* Default snaplen to use when defrag enabled. 9k is somewhat
+ * arbitrary but is large enough for the common 9000 jumbo frame plus
+ * some extra headers including tpacket headers. */
+#define DEFAULT_TPACKET_DEFRAG_SNAPLEN 9216
+
 typedef struct AFPIfaceConfig_
 {
 char iface[AFP_IFACE_NAME_LENGTH];
diff --git a/src/suricata.c b/src/suricata.c
index ab8f48d5ba..b21a96589b 100644
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -2443,6 +2443,11 @@ static int ConfigGetCaptureValue(SCInstance *suri)
 int nlive;
 int strip_trailing_plus = 0;
 switch (suri->run_mode) {
+ case RUNMODE_AFP_DEV:
+ /* For AF_PACKET we delay setting the
+ * default-packet-size until we know more about the
+ * configuration. */
+ break;
 #ifdef WINDIVERT
 case RUNMODE_WINDIVERT: {
 /* by default, WinDivert collects from all devices */
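Review bot: The `if (snaplen == 0) { ... }` block here is a line-for-line copy of the one in the hunk at -1582, so the snaplen selection policy now lives in two places that can drift apart. Since that policy decides how much of each packet is captured, I would move it into one static helper that takes `ptv` and returns the chosen value, leaving `snaplen = AFPDefaultSnaplen(ptv);` at each call site (the helper name is only a suggestion). The helper would also be the natural home for a short comment saying that the defrag default is a fallback used only when `default-packet-size` is unset. The enclosing function starts and ends outside the hunk.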
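Review bot: After the early `break` for `RUNMODE_AFP_DEV`, `default_packet_size` is left unset, and the only follow-up visible in this commit copies it into a local `snaplen` in src/source-af-packet.c without writing the global back. Any other reader of `default_packet_size` in AF_PACKET mode (buffer sizing or truncation checks, if there are any) would then still see the unset value, so I would confirm each one tolerates it or assign the computed value back once the ring parameters are known. The new comment could also say where the value is finally decided, e.g. `/* ... decided later, during ring setup in source-af-packet.c. */`. ConfigGetCaptureValue's body starts and ends outside the hunk.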
@@ -2464,7 +2469,6 @@ static int ConfigGetCaptureValue(SCInstance *suri)
 /* fall through */
 case RUNMODE_PLUGIN:
 case RUNMODE_PCAP_DEV:
- case RUNMODE_AFP_DEV:
 case RUNMODE_AFXDP_DEV:
 nlive = LiveGetDeviceCount();
 for (lthread = 0; lthread < nlive; lthread++) {