From: Eric Leblond <eric@regit.org>
Date: Fri, 8 Apr 2016 15:05:55 +0000 (+0200)
Subject: af-packet: add option to use memory locked mmap
X-Git-Tag: suricata-3.1RC1~102
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f5c20191672de24d55852eb48dcd6a33524de4b7;p=thirdparty%2Fsuricata.git

af-packet: add option to use memory locked mmap
---

diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c
index 0c457ee7ba..15dc03baf4 100644
--- a/src/runmode-af-packet.c
+++ b/src/runmode-af-packet.c
@@ -222,6 +222,12 @@ void *ParseAFPConfig(const char *iface)
                 aconf->iface);
         aconf->flags |= AFP_RING_MODE;
     }
+    (void)ConfGetChildValueBoolWithDefault(if_root, if_default, "mmap-locked", (int *)&boolval);
+    if (boolval) {
+        SCLogInfo("Enabling locked memory for mmap on iface %s",
+                aconf->iface);
+        aconf->flags |= AFP_MMAP_LOCKED;
+    }
     (void)ConfGetChildValueBoolWithDefault(if_root, if_default, "tpacket-v3", (int *)&boolval);
     if (boolval) {
         if (strcasecmp(RunmodeGetActive(), "workers") == 0) {
diff --git a/src/source-af-packet.c b/src/source-af-packet.c
index 3f447b0815..b149de8157 100644
--- a/src/source-af-packet.c
+++ b/src/source-af-packet.c
@@ -1600,7 +1600,7 @@ static int AFPSetupRing(AFPThreadVars *ptv, char *devname)
     unsigned int ring_buflen;
     uint8_t * ring_buf;
     int order;
-    int r;
+    int r, mmap_flag;
 
     if (ptv->flags & AFP_TPACKET_V3) {
         val = TPACKET_V3;
@@ -1688,8 +1688,11 @@ static int AFPSetupRing(AFPThreadVars *ptv, char *devname)
     } else {
         ring_buflen = ptv->req.tp_block_nr * ptv->req.tp_block_size;
     }
+    mmap_flag = MAP_SHARED;
+    if (ptv->flags & AFP_MMAP_LOCKED)
+        mmap_flag |= MAP_LOCKED;
     ring_buf = mmap(0, ring_buflen, PROT_READ|PROT_WRITE,
-            MAP_SHARED, ptv->socket, 0);
+            mmap_flag, ptv->socket, 0);
     if (ring_buf == MAP_FAILED) {
         SCLogError(SC_ERR_MEM_ALLOC, "Unable to mmap");
         goto mmap_err;
diff --git a/src/source-af-packet.h b/src/source-af-packet.h
index 7b3214c4df..2aa803a56b 100644
--- a/src/source-af-packet.h
+++ b/src/source-af-packet.h
@@ -50,6 +50,7 @@
 #define AFP_EMERGENCY_MODE (1<<3)
 #define AFP_TPACKET_V3 (1<<4)
 #define AFP_VLAN_DISABLED (1<<5)
+#define AFP_MMAP_LOCKED (1<<6)
 
 #define AFP_COPY_MODE_NONE  0
 #define AFP_COPY_MODE_TAP   1
diff --git a/suricata.yaml.in b/suricata.yaml.in
index ea533081f4..c08165cc2d 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -470,6 +470,9 @@ af-packet:
     #rollover: yes
     # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
     use-mmap: yes
+    # Lock memory map to avoid it goes to swap. Be careful that over suscribing could lock
+    # your system
+    #mmap-locked: yes
     # Use tpacket_v3, capture mode, only active if user-mmap is true
     #tpacket-v3: yes
     # Ring size will be computed with respect to max_pending_packets and number