[Oisf-devel] [COMMIT] OISF branch, master, updated. suricata-1.3.1-61-gac56b1b

noreply at openinfosecfoundation.org noreply at openinfosecfoundation.org
Mon Sep 3 14:13:09 UTC 2012

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OISF".

The branch, master has been updated
       via  ac56b1bf24e5003806c85fe549fc7fcd24e1d627 (commit)
       via  27b5136bf29a2698ccbb4b303619a08d045689e0 (commit)
       via  ec76742caa03344ae755a34caf49f87004590b7a (commit)
       via  1ea809520a7d5e93ccdfde2ac8c39391d0cbe5ef (commit)
       via  a645726262bb6e87c79e316862f67542cdf42e11 (commit)
       via  662dccd8a5180807e3749842508b80e2e2183051 (commit)
       via  2011a3f87e433b0c8b72ea2b8b2b10d6ed8485e3 (commit)
       via  8879df80049a1db693e1f196f50928cf2472f12f (commit)
       via  9622704c8c948ab3f23165e060a4027532e395c7 (commit)
      from  5d27518bbd8343094188bdd81d40c0439f658243 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit ac56b1bf24e5003806c85fe549fc7fcd24e1d627
Author: Eric Leblond <eric at regit.org>
Date:   Tue Aug 14 09:49:07 2012 +0200

    af-packet: detect MTU mismatch and warn user

    If the MTU on the reception interface and the one on the transmission
    interface are different, this will result in an error at transmission
    when sending packets to the wire.

commit 27b5136bf29a2698ccbb4b303619a08d045689e0
Author: Eric Leblond <eric at regit.org>
Date:   Fri Jul 27 11:48:10 2012 +0200

    af-packet: add optional emergency mode

    Flush all waiting packets to be in sync with the kernel when a drop
    occurs. This mode can be activated by setting use-emergency-flush
    to yes in the interface configuration.

commit ec76742caa03344ae755a34caf49f87004590b7a
Author: Eric Leblond <eric at regit.org>
Date:   Mon Jul 30 12:12:34 2012 +0200

    af-packet: reorder socket operation.

    This patch moves raw socket binding to the end of the init code to
    avoid having a flow of packets reach the socket before we
    start to read them.
    The socket creation is now made in the loop function to avoid
    any timing issue between the init function and the call of the loop.

commit 1ea809520a7d5e93ccdfde2ac8c39391d0cbe5ef
Author: Eric Leblond <eric at regit.org>
Date:   Fri Jul 20 21:11:23 2012 +0200

    af-packet: fix runmode name in logging function

commit a645726262bb6e87c79e316862f67542cdf42e11
Author: Eric Leblond <eric at regit.org>
Date:   Mon Sep 3 14:57:44 2012 +0200

    af-packet: add doxygen comments

    This patch adds doxygen comments to newly introduced function and adds
    an AF_PACKET doxygen module with a dedicated AFP peers module.

commit 662dccd8a5180807e3749842508b80e2e2183051
Author: Eric Leblond <eric at regit.org>
Date:   Thu Jul 19 20:07:05 2012 +0200

    af-packet: IPS and TAP feature

    This patch adds a new feature to AF_PACKET capture mode. It is now
    possible to use AF_PACKET in IPS and TAP mode: all traffic received
    on an interface will be forwarded (at the Ethernet level) to another
    interface. To do so, Suricata creates a raw socket and sends the received
    packets to an interface designated in the configuration file.

    This patch adds two variables to the configuration of af-packet:
     copy-mode: ips or tap
     copy-iface: eth1 #the interface where packets are copied
    If copy-mode is set to ips then the packets with action DROP are not
    copied to the destination interface. If copy-mode is set to tap,
    all packets are copied to the destination interface.
    Any other value of copy-mode results in the feature being unused.
    There is no default interface for copy-iface and the variable has
    to be set for the ids or tap mode to work.

    For now, this feature depends on the release data system. This
    implies you need to activate the ring mode and zero copy. Basically
    use-mmap has to be set to yes.

    This patch adds a peering of AF_PACKET sockets from the thread on
    one interface to the threads on another interface. Peering is
    necessary because if we use another socket, the capture socket receives
    all emitted packets. This is done using a new AFPPeer structure to
    avoid direct interaction between AFPThreadVars.

    There is currently a bug in the Linux kernel (prior to 3.6) and it is
    not possible to use multiple threads.

    You need to set up two interfaces with equality on the threads
    variable. copy-mode variable must be set on the two interfaces
    and use-mmap must be set to activated.

    A valid configuration for an IPS using eth0 and vboxnet1 interfaces
    will look like:
      - interface: eth0
        threads: 1
        defrag: yes
        cluster-type: cluster_flow
        cluster-id: 98
        copy-mode: ips
        copy-iface: vboxnet1
        buffer-size: 64535
        use-mmap: yes
      - interface: vboxnet1
        threads: 1
        cluster-id: 97
        defrag: yes
        cluster-type: cluster_flow
        copy-mode: ips
        copy-iface: eth0
        buffer-size: 64535
        use-mmap: yes

commit 2011a3f87e433b0c8b72ea2b8b2b10d6ed8485e3
Author: Eric Leblond <eric at regit.org>
Date:   Fri Jun 15 17:18:57 2012 +0200

    capture: add data release mechanism

    This patch adds a data release mechanism. If the capture module
    has a call to indicate that userland has finished with the data,
    it is possible to use this system. The data will then be released
    when the treatment of the packet is finished.
    To do so the Packet structure has been modified:
    +    TmEcode (*ReleaseData)(ThreadVars *, struct Packet_ *);
    If ReleaseData is null, the function is called when the treatment
    of the Packet is finished.
    Thus it is sufficient for the capture module to code a function
    wrapping the data release mechanism and to assign it to ReleaseData.
    This patch also includes an implementation of this mechanism for

commit 8879df80049a1db693e1f196f50928cf2472f12f
Author: Eric Leblond <eric at regit.org>
Date:   Thu Jul 5 07:41:16 2012 +0200

    af-packet: improve mmaped running mode.

    The mmaped mode was using too small a ring buffer size, which was
    not able to handle bursts of packets coming from the network. This
    may explain the important packet loss rate observed by Edward.
    This patch increases the default value and adds a ring-size
    variable which can be used to manually tune the value.

commit 9622704c8c948ab3f23165e060a4027532e395c7
Author: Eric Leblond <eric at regit.org>
Date:   Fri Jul 20 09:41:52 2012 +0200

    af-packet: delete design comments


Summary of changes:
 src/decode.h            |    7 +
 src/runmode-af-packet.c |  129 ++++++++++++++-
 src/source-af-packet.c  |  396 +++++++++++++++++++++++++++++++++++++++++------
 src/source-af-packet.h  |   47 ++++++-
 src/suricata.c          |    2 +
 src/tmqh-packetpool.c   |   17 ++-
 suricata.yaml.in        |   16 ++
 7 files changed, 553 insertions(+), 61 deletions(-)
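
A consistency check for the copy-mode settings described in the "IPS and TAP feature" commit message above, as an added example that is not part of the original email or of Suricata's code. The helper names `parse_afpacket` and `check_copy_mode` and the sample configuration are assumptions; the parser handles only the flat fragment format shown in this email, not general YAML.

```python
# Added example (not Suricata code): check af-packet copy-mode constraints.
def parse_afpacket(text):
    """Parse the flat '- interface: x' / 'key: value' fragment (not full YAML)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if line.startswith("- "):             # a new interface entry begins
            entries.append({})
            line = line[2:]
        key, sep, value = line.partition(":")
        if sep and entries:
            entries[-1][key.strip()] = value.strip()
    return entries

def check_copy_mode(entries):
    """Return a list of problems for every interface that enables copy-mode."""
    by_name, problems = {e.get("interface"): e for e in entries}, []
    for e in entries:
        name, peer_name = e.get("interface"), e.get("copy-iface")
        if e.get("copy-mode") not in ("ips", "tap"):
            continue                          # any other value: feature unused
        peer = by_name.get(peer_name)
        if not peer_name:
            problems.append(f"{name}: copy-iface is not set (there is no default)")
        elif peer is None:
            problems.append(f"{name}: {peer_name} has no af-packet entry")
        else:
            if peer.get("copy-mode") not in ("ips", "tap"):
                problems.append(f"{name}: copy-mode is not set on {peer_name}")
            if peer.get("threads") != e.get("threads"):
                problems.append(f"{name}: threads differs from {peer_name}")
        if e.get("use-mmap") != "yes":
            problems.append(f"{name}: use-mmap must be yes")
    return problems

# Constructed sample with deliberate mistakes; interface names are placeholders.
BROKEN = """
- interface: eth0
  threads: 2
  copy-mode: ips
  copy-iface: eth1  # the interface where packets are copied
  use-mmap: no
- interface: eth1
  threads: 1
  copy-mode: tap
"""

if __name__ == "__main__":
    print("\n".join(check_copy_mode(parse_afpacket(BROKEN))))
```
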

