From: Jason Ish
Date: Mon, 17 Mar 2025 16:35:57 +0000 (-0600)
Subject: af-packet: delay setting default-packet-size for af-packet
X-Git-Tag: suricata-7.0.9~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c3be2b29b54bc90daa786d64aee44a8d57493a11;p=thirdparty%2Fsuricata.git
af-packet: delay setting default-packet-size for af-packet
AF_PACKET needs more information about its configuration before we can set the default packet size, so on startup, leave unset in suricata.c if in AF_PACKET mode. If defrag is enabled, use a default packet size of 9k for tpacket-v2. This can still lead to truncation events, then the user can increase their 'default-packet-size'. Tpacket-v3 does not need an increased packet size as it will handle any size of packet that is smaller than the configured block size which now has a default of 128k. 9k for the snap is somewhat arbitrary but is large enough for the common 9000 jumbo frame plus some extra headers including tpacket headers.
Ticket: #7458
(cherry picked from commit b8b6ed550a6f10150f5ecf154e7b60c6dc2f84fe)
---
diff --git a/src/source-af-packet.c b/src/source-af-packet.c
index f9eb66023b..ee22592b99 100644
--- a/src/source-af-packet.c
+++ b/src/source-af-packet.c
@@ -1585,10 +1585,16 @@ sockaddr_ll) + ETH_HLEN) - ETH_HLEN);
 int snaplen = default_packet_size;
 if (snaplen == 0) {
- snaplen = GetIfaceMaxPacketSize(ptv->livedev);
- if (snaplen <= 0) {
- SCLogWarning("%s: unable to get MTU, setting snaplen default of 1514", ptv->iface);
- snaplen = 1514;
+ if (ptv->cluster_type & PACKET_FANOUT_FLAG_DEFRAG) {
+ SCLogConfig("%s: defrag enabled, setting snaplen to %d", ptv->iface,
+ DEFAULT_TPACKET_DEFRAG_SNAPLEN);
+ snaplen = DEFAULT_TPACKET_DEFRAG_SNAPLEN;
+ } else {
+ snaplen = GetIfaceMaxPacketSize(ptv->livedev);
+ if (snaplen <= 0) {
+ SCLogWarning("%s: unable to get MTU, setting snaplen default of 1514", ptv->iface);
+ snaplen = 1514;
+ }
 }
 }
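Review bot: The new defrag branch in this hunk assigns the fixed `DEFAULT_TPACKET_DEFRAG_SNAPLEN` without asking the interface, so on a link whose maximum packet size is above 9216, turning defrag on gives a smaller snaplen than the `else` path would, and the tail of those frames is presumably cut off before inspection. Taking the larger of the two would avoid that: after the assignment, `int iface_max = GetIfaceMaxPacketSize(ptv->livedev);` and `if (iface_max > snaplen) snaplen = iface_max;`. The identical block is added again in the hunk at -1639, so the same applies there, and a small static helper returning the snaplen would keep the two copies from drifting apart. The enclosing functions start and end outside both hunks.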
@@ -1639,10 +1645,16 @@ sockaddr_ll) + ETH_HLEN) - ETH_HLEN);
 int snaplen = default_packet_size;
 if (snaplen == 0) {
- snaplen = GetIfaceMaxPacketSize(ptv->livedev);
- if (snaplen <= 0) {
- SCLogWarning("%s: unable to get MTU, setting snaplen default of 1514", ptv->iface);
- snaplen = 1514;
+ if (ptv->cluster_type & PACKET_FANOUT_FLAG_DEFRAG) {
+ SCLogConfig("%s: defrag enabled, setting snaplen to %d", ptv->iface,
+ DEFAULT_TPACKET_DEFRAG_SNAPLEN);
+ snaplen = DEFAULT_TPACKET_DEFRAG_SNAPLEN;
+ } else {
+ snaplen = GetIfaceMaxPacketSize(ptv->livedev);
+ if (snaplen <= 0) {
+ SCLogWarning("%s: unable to get MTU, setting snaplen default of 1514", ptv->iface);
+ snaplen = 1514;
+ }
 }
 }
diff --git a/src/source-af-packet.h b/src/source-af-packet.h
index 84cd52e03f..022caaa0a3 100644
--- a/src/source-af-packet.h
+++ b/src/source-af-packet.h
@@ -80,6 +80,11 @@ struct ebpf_timeout_config {
 /* Set max packet size to 65561: IP + Ethernet + 3 VLAN tags. */
 #define MAX_PACKET_SIZE 65561
+/* Default snaplen to use when defrag enabled. 9k is somewhat
+ * arbitrary but is large enough for the common 9000 jumbo frame plus
+ * some extra headers including tpacket headers. */
+#define DEFAULT_TPACKET_DEFRAG_SNAPLEN 9216
+
 typedef struct AFPIfaceConfig_ {
 char iface[AFP_IFACE_NAME_LENGTH];
diff --git a/src/suricata.c b/src/suricata.c
index 70b4dfae86..75c4b6ac49 100644
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -2449,6 +2449,11 @@ static int ConfigGetCaptureValue(SCInstance *suri)
 int nlive;
 int strip_trailing_plus = 0;
 switch (suri->run_mode) {
+ case RUNMODE_AFP_DEV:
+ /* For AF_PACKET we delay setting the
+ * default-packet-size until we know more about the
+ * configuration. */
+ break;
 #ifdef WINDIVERT
 case RUNMODE_WINDIVERT: {
 /* by default, WinDivert collects from all devices */
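Review bot: The comment on `DEFAULT_TPACKET_DEFRAG_SNAPLEN` explains why 9216 was picked but not when the value applies or what happens to packets above it. Going by the two source-af-packet.c hunks, it appears to be used only when `default_packet_size` is 0 and the fanout defrag flag is set, and the commit description says larger packets can still be truncated. I would add a sentence such as `Used only when default-packet-size is unset; larger packets are truncated, raise default-packet-size to avoid that.`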
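Review bot: The comment on the new `case RUNMODE_AFP_DEV:` says the default packet size is set later, but nothing in the hunks shown here assigns `default_packet_size` for AF_PACKET; the source-af-packet.c hunks only copy it into a local `snaplen`. If the global stays 0 in this run mode, any other code that sizes buffers from it would see 0, so it is worth confirming where the delayed assignment happens. I would name that place in the comment, for example ending it with `configuration; it is assigned in FUNCTION_NAME_PLACEHOLDER.` with the placeholder replaced by the real function. The rest of ConfigGetCaptureValue, including whatever follows the switch, is outside the hunk.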
@@ -2469,7 +2474,6 @@ static int ConfigGetCaptureValue(SCInstance *suri)
 strip_trailing_plus = 1;
 /* fall through */
 case RUNMODE_PCAP_DEV:
- case RUNMODE_AFP_DEV:
 case RUNMODE_AFXDP_DEV:
 case RUNMODE_PFRING:
 nlive = LiveGetDeviceCount();