Feature #4070

open

capture plugins: receive notification when suricata is done with a packet

Added by Danny Browning almost 4 years ago. Updated 14 days ago.

Status: New
Priority: Normal
Target version:
Effort: low
Difficulty:
Label:

Description

Capture plugins should receive a notification when suricata is done with a packet (reinit or free), so that they may take appropriate steps for the packets they have provided to suricata.

One example of this is pulling packets from a ring buffer and being able to mark when the packet is no longer being used and can be written to again (e.g. write head).

Another example is a packet allocated with a different allocator that will not be cleaned up by a free of ext_pkt, as in a rust packet.

Actions #1

Updated by Danny Browning almost 4 years ago

This is how I would expect to use this functionality:

/* Proposed hook: runs when suricata reinitialises the packet. */
static void IpcPacketReinit(Packet *p) {
    if(p->reinit_data) {
        /* Hand the buffer back to the plugin's own allocator. */
        rs_ipc_release_packet(p->reinit_data);
    }
    p->reinit_data = NULL;
    PacketReinit(p);
}

int32_t ipc_set_packet_data(Packet *p, uint8_t *pktdata, uint32_t pktlen,
                             uint32_t linktype, uint32_t ts_sec, uint32_t ts_usec,
                             uint8_t *userdata) {
    if(unlikely(PacketSetData(p, pktdata, pktlen) != 0)) {
        return -1;
    }
    p->datalink = linktype;
    p->ts.tv_sec = ts_sec;
    p->ts.tv_usec = ts_usec;
    /* reinit_data and ReinitPacket are the fields this request proposes. */
    p->reinit_data = userdata;
    p->ReinitPacket = IpcPacketReinit;
    /* Set the zero-copy flag without clearing the other flags. */
    p->flags |= PKT_ZERO_COPY;

    return 0;
}

This should work similarly to the ReleasePacket functionality that af_packet and other capture types are using.
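The ring-buffer case from the description, as an added example that is not part of the ticket or of Suricata's code: a slot lent zero-copy to the engine may only be overwritten once the engine has signalled it is done. `ModelPacket`, `Ring`, `ring_lend`, `ring_release` and `ring_demo` are hypothetical names, and the `release` hook stands in for the notification requested here.

```c
#include <stdint.h>
#include <string.h>
#define SLOTS 4
#define SLOT_LEN 64

typedef struct ModelPacket {                /* hypothetical stand-in, not Suricata's Packet */
    const uint8_t *data;                    /* zero-copy pointer into the ring */
    void *release_ctx;                      /* plugin cookie, like reinit_data above */
    void (*release)(struct ModelPacket *);  /* hypothetical "done with packet" hook */
} ModelPacket;

typedef struct Ring {
    uint8_t buf[SLOTS][SLOT_LEN];
    uint8_t lent[SLOTS];                    /* 1 while the engine still reads the slot */
    unsigned head;                          /* next slot the producer will write */
} Ring;

/* Plugin side: the engine calls this once it is finished with the packet. */
static void ring_release(ModelPacket *p) {
    if (p->release_ctx != NULL)
        *(uint8_t *)p->release_ctx = 0;     /* slot may be written again */
    p->release_ctx = NULL;                  /* a second release becomes a no-op */
    p->data = NULL;                         /* drop the pointer into reclaimed memory */
}

/* Plugin side: lend one slot; refuse rather than overwrite a slot still in use. */
static int ring_lend(Ring *r, ModelPacket *p, const uint8_t *frame, uint32_t len) {
    unsigned i = r->head;
    if (len > SLOT_LEN || r->lent[i]) return -1;
    memcpy(r->buf[i], frame, len);
    r->lent[i] = 1;
    r->head = (i + 1) % SLOTS;
    p->data = r->buf[i];
    p->release_ctx = &r->lent[i];
    p->release = ring_release;
    return 0;
}

int ring_demo(void) {  /* constructed scenario; 0 means the write head behaved as intended */
    Ring r = {0};
    ModelPacket p[SLOTS], extra = {0};
    const uint8_t frame[] = "constructed frame";
    for (unsigned i = 0; i < SLOTS; i++)
        if (ring_lend(&r, &p[i], frame, sizeof(frame)) != 0) return 1;
    if (ring_lend(&r, &extra, frame, sizeof(frame)) != -1) return 2; /* ring full */
    p[0].release(&p[0]);                    /* engine is done with packet 0 */
    if (ring_lend(&r, &extra, frame, sizeof(frame)) != 0) return 3;
    return extra.data == r.buf[0] ? 0 : 4;  /* slot 0 was reclaimed and reused */
}
```

Without the release call the fifth `ring_lend` has only two options: stall forever, or overwrite bytes the engine may still be inspecting.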

Actions #2

Updated by Danny Browning almost 3 years ago

Use Case

Packets are being allocated outside of the C allocator (e.g. rust). When suricata is done processing the packet, the plugin needs to be notified that the packet can be reclaimed.

Current Limitations

ReleasePacket function is only called when the packet is released, not when done. ext_pkt serves as actual packet data when present.

Actions #3

Updated by Philippe Antoine about 1 month ago

  • Assignee set to Community Ticket
  • Target version set to TBD

Actions #4

Updated by Victor Julien 14 days ago

  • Subject changed from Capture Plugins should receive notification when suricata is done with a packet to capture plugins: receive notification when suricata is done with a packet