From: Eric Leblond
Date: Fri, 8 Apr 2016 08:03:52 +0000 (+0200)
Subject: af-packet: configurable tpacket_v3 block size
X-Git-Tag: suricata-3.1RC1~104
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fa902abedf92e82768519c72ce3e180ace0784da;p=thirdparty%2Fsuricata.git
af-packet: configurable tpacket_v3 block size
It is used to set the block size in tpacket_v3. It will allow user to tune the capture depending on his bandwidth. Default block size value has been updated to a bigger value to allow more efficient wlak on block.
---
diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c
index 0397401e37..347373d3f2 100644
--- a/src/runmode-af-packet.c
+++ b/src/runmode-af-packet.c
@@ -361,6 +361,21 @@ void *ParseAFPConfig(const char *iface)
 aconf->ring_size = max_pending_packets * 2 / aconf->threads;
 }
+ aconf->block_size = getpagesize() << AFP_BLOCK_SIZE_DEFAULT_ORDER;
+ if ((ConfGetChildValueIntWithDefault(if_root, if_default, "block-size", &value)) == 1) {
+ if (value % getpagesize()) {
+ SCLogError(SC_ERR_INVALID_VALUE, "Block-size must be a multiple of pagesize.");
+ } else {
+ aconf->block_size = value;
+ }
+ }
+
+ if ((ConfGetChildValueIntWithDefault(if_root, if_default, "block-timeout", &value)) == 1) {
+ aconf->block_timeout = value;
+ } else {
+ aconf->block_timeout = 10;
+ }
+
 (void)ConfGetChildValueBoolWithDefault(if_root, if_default, "disable-promisc", (int *)&boolval);
 if (boolval) {
 SCLogInfo("Disabling promiscuous mode on iface %s",
diff --git a/src/source-af-packet.c b/src/source-af-packet.c
index 95a85a9d25..3fdeb4f000 100644
--- a/src/source-af-packet.c
+++ b/src/source-af-packet.c
@@ -231,11 +231,11 @@ typedef struct AFPThreadVars_
 int socket;
 int ring_size;
- /* Filter */
- char *bpf_filter;
-
+ int block_size;
 /* socket buffer size */
 int buffer_size;
+ /* Filter */
+ char *bpf_filter;
 int promisc;
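Review bot: The new `block-size` check in ParseAFPConfig only rejects values that are not a multiple of the page size, so 0 and negative multiples pass and are stored in `aconf->block_size`; the later hunks in src/source-af-packet.c copy that value to `ptv->block_size` and then into `req3.tp_block_size` in AFPComputeRingParamsV3. The declaration of `value` is outside the hunk, but if it is wider than `int` a very large setting would also be truncated on assignment. Tightening the guard to `if (value <= 0 || value > INT_MAX || value % getpagesize())` would keep a malformed configuration from reaching the ring setup. `block-timeout` is likewise stored without any range check. ParseAFPConfig's body starts and ends outside the hunk.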
@@ -1555,7 +1555,7 @@ frame size: TPACKET_ALIGN(snaplen + TPACKET_ALIGN(TPACKET_ALIGN(tp_hdrlen) + siz
 static int AFPComputeRingParamsV3(AFPThreadVars *ptv)
 {
- ptv->req3.tp_block_size = getpagesize();
+ ptv->req3.tp_block_size = ptv->block_size;
 ptv->req3.tp_frame_size = 2048;
 int frames_per_block = 0;
 int tp_hdrlen = sizeof(struct tpacket3_hdr);
@@ -1649,8 +1649,7 @@ static int AFPSetupRing(AFPThreadVars *ptv, char *devname)
 return AFP_FATAL_ERROR;
 }
 } else {
-#define DEFAULT_ORDER 3
- for (order = DEFAULT_ORDER; order >= 0; order--) {
+ for (order = AFP_BLOCK_SIZE_DEFAULT_ORDER; order >= 0; order--) {
 if (AFPComputeRingParams(ptv, order) != 1) {
 SCLogInfo("Ring parameter are incorrect. Please correct the devel");
 return AFP_FATAL_ERROR;
@@ -1982,6 +1981,7 @@ TmEcode ReceiveAFPThreadInit(ThreadVars *tv, void *initdata, void **data)
 ptv->buffer_size = afpconfig->buffer_size;
 ptv->ring_size = afpconfig->ring_size;
+ ptv->block_size = afpconfig->block_size;
 ptv->promisc = afpconfig->promisc;
 ptv->checksum_mode = afpconfig->checksum_mode;
diff --git a/src/source-af-packet.h b/src/source-af-packet.h
index 75904f3186..6560701ae4 100644
--- a/src/source-af-packet.h
+++ b/src/source-af-packet.h
@@ -58,6 +58,8 @@
 #define AFP_FILE_MAX_PKTS 256
 #define AFP_IFACE_NAME_LENGTH 48
+#define AFP_BLOCK_SIZE_DEFAULT_ORDER 3
+
 typedef struct AFPIfaceConfig_
 {
 char iface[AFP_IFACE_NAME_LENGTH];
@@ -67,6 +69,8 @@ typedef struct AFPIfaceConfig_
 int buffer_size;
 /* ring size in number of packets */
 int ring_size;
+ /* block size for tpacket_v3 */
+ int block_size;
 /* cluster param */
 int cluster_id;
 int cluster_type;
diff --git a/suricata.yaml.in b/suricata.yaml.in
index b5e92fd751..5c0dd8b4a0 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -478,6 +478,10 @@ af-packet:
 # intensive single-flow you could want to set the ring-size independantly of the number
 # of threads:
 #ring-size: 2048
+ # Block size is used by tpacket_v3 only. It should set to a value high enough to contain
+ # a decent number of packets. Size is in bytes so please consider your MTU. It should be
+ # a power of 2 and it must be multiple of page size (usually 4096).
+ #block-size: 32768
 # On busy system, this could help to set it to yes to recover from a packet drop
 # phase. This will result in some packets (at max a ring flush) being non treated.
 #use-emergency-flush: yes
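Review bot: The template documents only `block-size`, while the same commit also starts reading a `block-timeout` key in ParseAFPConfig (falling back to 10), so that second option cannot be discovered from the shipped configuration. A commented entry such as `#block-timeout: 10`, with one line stating its unit and effect, would close the gap. The added text also says the size should be a power of 2, which the parser in this commit does not check; the comment should make clear that only the page-size multiple is enforced, or the parser should enforce both.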