[Oisf-devel] [COMMIT] OISF branch, master, updated. suricata-1.4-160-g53fe756

noreply at openinfosecfoundation.org
Mon May 6 09:32:32 UTC 2013


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OISF".

The branch, master has been updated
       via  53fe756798003570757b00d5988d881e4c9d00b5 (commit)
       via  b7c759fdf40f418a010b093d89b91833cb9018a0 (commit)
       via  703e5848e4c716fd2a14023820a46318ef8ef73e (commit)
       via  8da02115c9d91dde00e7c735063faf312109f1c6 (commit)
       via  6678c9feb992feb49fc5b94c63d5e89562625b83 (commit)
      from  b68d566c4401314ab98c1c971ea16863e2d59801 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 53fe756798003570757b00d5988d881e4c9d00b5
Author: Victor Julien <victor at inliniac.net>
Date:   Mon May 6 11:31:24 2013 +0200

    NFQ: convert batchcount related yaml errors to warnings.

commit b7c759fdf40f418a010b093d89b91833cb9018a0
Author: Victor Julien <victor at inliniac.net>
Date:   Mon May 6 11:10:11 2013 +0200

    NFQ: fix configure check for finding out signed/unsigned args for nfq_get_payload

commit 703e5848e4c716fd2a14023820a46318ef8ef73e
Author: Eric Leblond <eric at regit.org>
Date:   Thu Jan 24 22:37:39 2013 +0100

    nfq: add errno display when verdict fails
    
    In case of error, errno is set by sendmsg which is called by
    nfnetlink and which is called by libnetfilter_queue. This patch
    displays the string expression of errno if verdict has failed.

commit 8da02115c9d91dde00e7c735063faf312109f1c6
Author: Florian Westphal <fw at strlen.de>
Date:   Wed Jan 16 13:05:48 2013 +0100

    nfq: add support for batch verdicts
    
    Normally, there is one verdict per packet, i.e., we receive a packet,
    process it, and then tell the kernel what to do with that packet (e.g.
    DROP or ACCEPT).
    
    recv(), packet id x
    send verdict v, packet id x
    recv(), packet id x+1
    send verdict v, packet id x+1
    [..]
    recv(), packet id x+n
    send verdict v, packet id x+n
    
    An alternative is to process several packets from the queue, and then send
    a batch-verdict.
    
    recv(), packet id x
    recv(), packet id x+1
    [..]
    recv(), packet id x+n
    send batch verdict v, packet id x+n
    
    A batch verdict affects all previous packets (packet_id <= x+n),
    we thus only need to remember the last packet_id seen.
    
    Caveats:
    - can't modify payload
    - verdict is applied to all packets
    - nfmark (if set) will be set for all packets
    - increases latency (packets remain queued by the kernel
      until batch verdict is sent).
    
    To solve this, we only defer verdict for up to 20 packets and
    send pending batch-verdict immediately if:
    - no packets are currently queued
    - current packet should be dropped
    - current packet has different nfmark
    - payload of packet was modified
    
    This patch adds a configurable batch verdict support for workers runmode.
    The batch verdicts are turned off by default.
    
    Problem is that batch verdicts only work with kernels >= 3.1, i.e.
    using newer libnetfilter_queue with an old kernel means non-working
    suricata. So the functionality has to be disabled by default.

commit 6678c9feb992feb49fc5b94c63d5e89562625b83
Author: Florian Westphal <fw at strlen.de>
Date:   Wed Jan 16 12:56:44 2013 +0100

    nfq: avoid extra copy when running in workers mode
    
    Currently, the packet payload recv()d from the nfqueue netlink
    socket is copied into a new packet buffer.
    
    This is required because the recv-buffer space used is tied
    to the current thread, but a packet may be handed off to other
    threads, and the recv-buffer can be re-used while the packet
    is handled by another thread.
    
    However, in worker runmode, the packet will always be handled
    by the current thread, and the recv-buffer will only be reused
    after the entire packet processing stack is done with the packet.
    
    Thus, in worker runmode, we can avoid the copy and assign
    the packet data area directly.

-----------------------------------------------------------------------
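The deferral rule described in commit 8da02115 (batch at most 20 ACCEPT verdicts, flush early when the queue drains, a packet is dropped, its nfmark differs, or its payload was modified) can be modelled without a kernel. The block below is an added illustration, not Suricata's source-nfq.c: `struct batch_state`, `struct pkt`, `nfq_verdict()` and `run_demo()` are hypothetical names, the verdict messages are only counted rather than sent over netlink, and the 40-packet traffic is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#define NFQ_VERDICT_BATCH_MAX 20   /* defer at most 20 packets, per the commit message */
enum verdict { VERDICT_ACCEPT, VERDICT_DROP };
/* Per-queue batching state. A batch verdict covers every packet id
 * <= last_id, so only the last id and the pending nfmark are remembered. */
struct batch_state {
    uint32_t last_id, pending, mark;
    uint32_t sent_batch, sent_single;   /* netlink verdict messages issued */
};
struct pkt {                            /* received packet plus what the decision needs */
    uint32_t id, mark;
    enum verdict v;
    bool payload_modified, queue_empty; /* queue_empty: nothing left to recv() */
};

/* Stand-in for nfq_set_verdict_batch(): one message accepts all ids <= last_id. */
static void flush_batch(struct batch_state *st) {
    if (st->pending == 0)
        return;
    st->sent_batch++;
    st->pending = 0;
}

/* The deferral rule: batch only ACCEPT verdicts with an unmodified payload
 * and a common nfmark; flush when the queue drains or the batch is full. */
void nfq_verdict(struct batch_state *st, const struct pkt *p) {
    bool individual = p->v == VERDICT_DROP || p->payload_modified ||
                      (st->pending > 0 && p->mark != st->mark);
    if (individual) {
        flush_batch(st);     /* earlier packets keep their ACCEPT */
        st->sent_single++;   /* stand-in for nfq_set_verdict() on p->id */
        return;
    }
    st->last_id = p->id;
    st->mark = p->mark;
    st->pending++;
    if (p->queue_empty || st->pending >= NFQ_VERDICT_BATCH_MAX)
        flush_batch(st);
}

/* Constructed traffic: 40 packets that exercise every flush condition. */
struct batch_state run_demo(void) {
    struct batch_state st = {0};
    for (uint32_t id = 1; id <= 40; id++) {
        struct pkt p = { .id = id, .v = id == 26 ? VERDICT_DROP : VERDICT_ACCEPT,
                         .mark = (id == 27 || id == 28), .payload_modified = id == 34,
                         .queue_empty = id == 40 };
        nfq_verdict(&st, &p);
    }
    return st;   /* 5 batch + 3 single verdicts instead of 40 single ones */
}
```

The latency caveat from the commit is visible in the model: packets 21 to 25 sit queued in the kernel until the DROP on packet 26 forces the flush.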

Summary of changes:
 configure.ac     |    2 +
 src/source-nfq.c |  134 ++++++++++++++++++++++++++++++++++++++++++++++++++---
 src/source-nfq.h |    8 +++
 suricata.yaml.in |    3 +
 4 files changed, 139 insertions(+), 8 deletions(-)


hooks/post-receive
-- 
OISF