[Oisf-devel] [RFC] library: create a shared library out of Suricata
Ansis Atteka
aatteka at ovn.org
Wed Apr 15 04:13:22 UTC 2020
This RFC patch creates a libsuricata2.so library that for now merely
exports the SuricataMain() function so that the suricata daemon could use
it. In the future, other functions could be exported as well that
would allow other daemons, like Open vSwitch, to call into the suricata
code base.

The long term motivation behind creating a shared library out of
suricata is to:

1. allow IDS integration in packet pipelines that currently don't have
packet acquisition mechanisms in Suricata or where it would be
non-trivial to implement one.

2. achieve better performance by reducing packet copies and context
switches that are necessary to hand off packets to the IDS engine.

With this patch I want to get feedback on whether decoupling Suricata into a
library actually makes sense and whether it makes sense to build on top
of this patch. In particular I want to start a discussion on the following
topics:

1. Licensing. Open vSwitch is licensed under the Apache2 license
whereas Suricata is licensed under GPLv2. To the best of my understanding,
if suricata were converted into a library, then for OVS
to be able to link against such a library, the Suricata license
would have to be relaxed (e.g. LGPL?). Would something like
this even be possible?

2. Threading model for the library. At least for OVS use-cases, Open vSwitch already
implements its own packet acquisition mechanism (it can get packets via the
OVS kernel module Netlink socket, DPDK and possibly in future AF_XDP),
which means that neither single, autofp nor workers mode is appropriate.
One solution seems to be to assign a ThreadVars variable to OVS threads.

3. Ownership of system resources. Suricata and OVS should coordinate
on the use of per-process system resources to avoid race conditions.
---
configure.ac | 1 +
src/Makefile.am | 28 ++++++++++++++++++----------
2 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/configure.ac b/configure.ac
index 58208420b..98a2df0aa 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4,6 +4,7 @@
AC_CONFIG_SRCDIR([src/suricata.c])
AC_CONFIG_MACRO_DIR(m4)
AM_INIT_AUTOMAKE([tar-ustar subdir-objects])
+ LT_PREREQ([2.2])
AC_LANG([C])
AC_PROG_CC_C99
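Review bot: LT_PREREQ([2.2]) on its own does not enable libtool; the lib_LTLIBRARIES rule added in src/Makefile.am needs an LT_INIT call in configure.ac, and none is added in this hunk, so unless one already exists further down in configure.ac automake will reject the Makefile. Suggest adding `LT_INIT` (with `[disable-static]` or whatever static/shared policy is intended) directly after the LT_PREREQ line, and dropping the stray leading space before LT_PREREQ so it lines up with the surrounding macros.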
diff --git a/src/Makefile.am b/src/Makefile.am
index 0e9acce52..2c461f77e 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,10 +1,11 @@
-noinst_HEADERS = action-globals.h \
- app-layer-nbss.h app-layer-dcerpc-common.h \
- debug.h \
- flow-private.h queue.h source-nfq-prototypes.h \
- source-windivert-prototypes.h \
- suricata-common.h threadvars.h tree.h \
- util-validate.h
+GENERATED_SOURCES = action-globals.h \
+app-layer-nbss.h app-layer-dcerpc-common.h \
+debug.h \
+flow-private.h queue.h source-nfq-prototypes.h \
+source-windivert-prototypes.h \
+suricata-common.h threadvars.h tree.h \
+util-validate.h
+
bin_PROGRAMS = suricata
if BUILD_FUZZTARGETS
bin_PROGRAMS += fuzz_applayerprotodetectgetproto \
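Review bot: the new name GENERATED_SOURCES is misleading: the files it lists (action-globals.h, flow-private.h, queue.h, threadvars.h, ...) are hand-maintained headers that were previously noinst_HEADERS, not build output, and several of them (flow-private.h, debug.h, the source-*-prototypes.h files) are internal by design. Suggest a name such as PRIVATE_HEADERS, and keeping them under noinst_HEADERS rather than routing them into an installed header list later in the patch, so that only the headers a library consumer actually needs end up under $(includedir).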
@@ -540,17 +541,24 @@ win32-misc.c win32-misc.h \
win32-service.c win32-service.h \
win32-syslog.h
+include_HEADERS = $(COMMON_SOURCES) $(GENERATED_SOURCES)
EXTRA_DIST = tests
# set the include path found by configure
AM_CPPFLAGS = $(all_includes)
-suricata_SOURCES = main.c $(COMMON_SOURCES)
+suricata_SOURCES = main.c
+
+lib_LTLIBRARIES = libsuricata2.la
+libsuricata2_la_SOURCES = $(COMMON_SOURCES)
+libsuricata2_la_CPPFLAGS = -I$(top_srcdir)/src
+libsuricata2_la_LIBADD = $(HTP_LDADD) $(RUST_LDADD) $(RUST_SURICATA_LIB)
+libsuricata2_la_LDFLAGS = -Wl,--version-script,libsuricata2.map
# the library search path.
suricata_LDFLAGS = $(all_libraries) ${SECLDFLAGS}
-suricata_LDADD = $(HTP_LDADD) $(RUST_LDADD)
-suricata_DEPENDENCIES = $(RUST_SURICATA_LIB)
+suricata_LDADD = $(HTP_LDADD) $(RUST_LDADD) libsuricata2.la
+suricata_DEPENDENCIES = $(RUST_SURICATA_LIB) libsuricata2.la
if BUILD_FUZZTARGETS
nodist_fuzz_applayerprotodetectgetproto_SOURCES = tests/fuzz/fuzz_applayerprotodetectgetproto.c $(COMMON_SOURCES)
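Review bot: libsuricata2_la_LDFLAGS references a version script libsuricata2.map, but the patch does not add that file (the diffstat lists only configure.ac and src/Makefile.am), so unless it already exists in the tree the link step fails as posted; the map file needs to be part of the patch, listed in EXTRA_DIST, and declared as a dependency (e.g. `libsuricata2_la_DEPENDENCIES = libsuricata2.map`) so the library is relinked when the export list changes. Note also that `-Wl,--version-script` is GNU ld specific; libtool's `-export-symbols-regex` is the portable way to get the same minimal export surface. Two further points in this hunk: `include_HEADERS = $(COMMON_SOURCES) $(GENERATED_SOURCES)` installs every .c file in COMMON_SOURCES (win32-misc.c, win32-service.c are visible just above) into $(includedir), so this should be a headers-only list; and suricata_LDADD still lists $(HTP_LDADD) $(RUST_LDADD) even though libsuricata2_la_LIBADD now carries them, so they can be dropped from the binary's link line. Restricting the export list to SuricataMain() for now, as the cover letter says, is the right call: every symbol the library exports becomes ABI that other daemons will come to depend on.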
--
2.20.1