[Oisf-users] Multiple receive NFQs
Victor Julien
lists at inliniac.net
Wed May 25 21:56:57 UTC 2016
On 16-05-16 16:39, Vishal Kotalwar V wrote:
> Hi All,
> I am new to suricata and trying to understand it. I know suricata
> can receive on multiple NFQs via -q 0 -q 1 ... -q 15. I understood the
> NFQRegisterQueue() part also for multiple Qs but I am not getting
> how ReceiveNFQThreadInit() is creating/initializing all threads/NFQs. I
> see only one nfq_t->nfq_index being used for NFQ creation. How are
> multiple NFQ created & NFQCallBack() registered for each NFQ ?
Had to really look into it to get it clear again, but this is how it works.
When the threads are created, for workers mode this is the logic:
RunModeIpsNFQWorker
...
ret = RunModeSetIPSWorker(NFQGetThread,
"ReceiveNFQ",
"VerdictNFQ",
"DecodeNFQ");
The runmode workers is setup by RunModeSetIPSWorker, where the
NFQGetThread function controls what is passed to ReceiveNFQThreadInit.
The value passed to NFQGetThread is the recv thread number (first is 0).
void *NFQGetThread(int number) simply returns the thread data the thread
will use. It's a bit different than most ThreadInit functions in
Suricata as it's getting a pointer to some static memory instead of
setting new memory up itself. This is because the 'thread data' is
really a per queue data structure that is shared between recv and
verdict. The per queue data structures are set up while parsing the
commandline, through NFQRegisterQueue().
I would probably handle this differently if I created this today, but
this is probably the oldest code in Suricata ;)
Btw, this question fits the oisf-devel list better.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list