Feature #4070
opencapture plugins: receive notification when suricata is done with a packet
Description
Capture plugins should receive a notification when suricata is done with a packet (reinit or free), so that they may take appropriate steps for the packets they have provided to suricata.
One example of this is pulling packets from a ring buffer and being able to mark when when the packet is no longer being used and can be written to again (e.g. write head).
Another example is a packet allocated with a different allocator that will not be cleaned up by a free of ext_pkt, as in a rust packet.
Updated by Danny Browning about 4 years ago
This is how I would expect to use this functionality:
static void IpcPacketReinit(Packet *p) {
if(p->reinit_data) {
rs_ipc_release_packet(p->reinit_data);
}
p->reinit_data = NULL;
PacketReinit(p);
}
int32_t ipc_set_packet_data(Packet *p, uint8_t *pktdata, uint32_t pktlen,
uint32_t linktype, uint32_t ts_sec, uint32_t ts_usec,
uint8_t *userdata) {
if(unlikely(PacketSetData(p, pktdata, pktlen) != 0)) {
return -1;
}
p->datalink = linktype;
p->ts.tv_sec = ts_sec;
p->ts.tv_usec = ts_usec;
p->reinit_data = userdata;
p->ReinitPacket = IpcPacketReinit;
p->flags = p->flags & PKT_ZERO_COPY;
return 0;
}
This should work similar to ReleasePacket functionality that af_packet and other capture types are using.
Updated by Danny Browning over 3 years ago
Use Case¶
Packets are being allocated outside of the C allocator (e.g. rust). When suricata is done processing the packet, the plugin needs to be notified that the packet can be reclaimed.
Current Limitations¶
ReleasePacket function is only called when the packet is released, not when done. ext_pkt serves as actual packet data when present.
Updated by Philippe Antoine 6 months ago
- Assignee set to Community Ticket
- Target version set to TBD
Updated by Victor Julien 6 months ago
- Subject changed from Capture Plugins should receive notification when suricata is done with a packet to capture plugins: receive notification when suricata is done with a packet