[Oisf-devel] A thread-sync issue in suricata

李志强1(研七 福州) lizhiqiang at ruijie.com.cn
Wed Nov 5 03:52:08 UTC 2014 

When I review the code of suricata-2.0.1, I found there is a thread-sync issue for streamTcp module.
The config of streamTcp parsed at function StreamTcpInitConfig in Suricata-Main.
Bug streamTcp tread init at function StreamTcpThreadInit in capture-Thread, such as AFPacketeth21.
If capture-thread run first after spawning, It will lead to streamTcp don’t prealloc any sessions.
This issue don’t affect the function, but I think it will reduce performance when process tcp flow.

Here is the details:


1.       my configuration:
My config in suricata.yaml is running with workers mode and use af-packet to capture packets.


2.       StreamTcpThreadInit is called after thread spawn, it will prealloc tcpsessions through PoolInit, here is the gdb stack trace:

#0  PoolInit (size=0, prealloc_size=0, elt_size=192, Alloc=0x50ea30 <StreamTcpSessionPoolAlloc>, Init=0x50e680 <StreamTcpSessionPoolInit>, InitData=0x0,
    Cleanup=0x50e730 <StreamTcpSessionPoolCleanup>, Free=0) at util-pool.c:85
#1  0x0000000000568b7c in PoolThreadGrow (pt=<optimized out>, size=0, prealloc_size=0, elt_size=192, Alloc=0x50ea30 <StreamTcpSessionPoolAlloc>,
    Init=0x50e680 <StreamTcpSessionPoolInit>, InitData=0x0, Cleanup=0x50e730 <StreamTcpSessionPoolCleanup>, Free=0) at util-pool-thread.c:116
#2  0x000000000050e13c in StreamTcpThreadInit (tv=0x266655e0, initdata=<optimized out>, data=<optimized out>) at stream-tcp.c:4600
#3  0x0000000000525480 in TmThreadsSlotPktAcqLoop (td=0x266655e0) at tm-threads.c:669
#4  0x00007ffff6f2ae9a in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#5  0x00007ffff67f93fd in clone () from /lib/x86_64-linux-gnu/libc.so.6
#6  0x0000000000000000 in ?? ()

You will sess the prealloc_size is 0 even in my suricata.yaml it set to 50000.
stream:
   memcap: 1gb
   checksum-validation: yes      # reject wrong csums
   midstream: false
  prealloc-sessions: 50000


3.       StreamTcpInitConfig is called in main thread after spawn the capture thread:
Breakpoint 2, StreamTcpInitConfig (quiet=0 '\000') at stream-tcp.c:341
341  {
(gdb) bt
#0  StreamTcpInitConfig (quiet=0 '\000') at stream-tcp.c:341
#1  0x0000000000410d70 in main (argc=<optimized out>, argv=<optimized out>) at suricata.c:2249

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20141105/3920df38/attachment.html>

More information about the Oisf-devel mailing list