Mixed mode v17 #3790
Closed
Mixed mode v17 #3790
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Packets can arrive from different capture modes the engine needs to figure out how the packet has to be handled, as ips or ids. To do so a flag that specify the mode, if ids or ips, is set.
Following the previous patch (33a0af), now the inline mode depends on the packet mode rather than the engine.
When a device will be created its runmode id is set and in order to do that the runmode id needs to be a parameter of the runmodes function but it will be used within the LiveDev API.
In some functions, such as DetectEngineMultiTenantSetupLoadLivedevMappings and EBPFLoadFile, LiveGetDevice is called to search for a device, but it will need the runmode id as parameter. It's needed to add an api that given the device name it returns the runmode id because at this stage the device's runmode id is not knew.
To setup the capture method correctly, a device needs to know to which runmode it belongs to such that the runmode function, of the capture method, will get the proper device.
Since an id is introduced for a device, it can be used to retreive a device name instead of using a counter variable. This also permits to choice the proper device when more capture modes are running.
This implements the usage of the new API to support multiple runmodes.
If suricata is started with multiple runmodes, some threads would be spawned more than once, which is not correct and lead to misbehaviours.
This permits to start suricata in mixed mode. The following runmodes can be mixed: - NFQ - NFLOG - AF_PACKET - NETMAP
Having a global applayer_counters var leads to a heap-buffer-overflow because the counters array is read from the wrong thread. This moves applayer_counters in ThreadVars such that each thread has its own applayer_counters.
If suri is in mixed mode, the wrong iface is picked up because the last one is considered.
Actually the command outputs just one runmode, but since there are two runmodes now it needs to output all of them.
|
After sitting on this for too long, I've come to a decision: I have changed my mind on this feature, and I'm not going to take this in. I feel the added complexity is too high compared to the niche use case it benefits. Also, by making some things in the packet path dynamic that are not currently, I fear we will introduce a per packet performance penalty. I appreciate you've put a lot of work into this, so thank you for your hard work. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Make sure these boxes are signed before submitting your Pull Request -- thank you.
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/1604
Describe changes:
af_packet and netmap can be mixed simply running suricata as:
suricata -c etc/suricata/suricata.yaml --netmap --af-packet ...PRScript output (if applicable):