https://redmine.openinfosecfoundation.org/
2020-10-14T18:21:58Z
Open Information Security Foundation
Suricata - Feature #4070: Capture Plugins should receive notification when suricata is done with a packet
https://redmine.openinfosecfoundation.org/issues/4070?journal_id=18033
2020-10-14T18:21:58Z
Danny Browning
<p>This is how I would expect to use this functionality:</p>
<pre><code class="c syntaxhl" data-language="c"><span class="cm">/* Hand the plugin-owned buffer back to the plugin, then do the normal reinit. */</span>
<span class="k">static</span> <span class="kt">void</span> <span class="nf">IpcPacketReinit</span><span class="p">(</span><span class="n">Packet</span> <span class="o">*</span><span class="n">p</span><span class="p">)</span> <span class="p">{</span>
    <span class="k">if</span><span class="p">(</span><span class="n">p</span><span class="o">-></span><span class="n">reinit_data</span><span class="p">)</span> <span class="p">{</span>
        <span class="n">rs_ipc_release_packet</span><span class="p">(</span><span class="n">p</span><span class="o">-></span><span class="n">reinit_data</span><span class="p">);</span>
    <span class="p">}</span>
    <span class="cm">/* Clear the handle so a second reinit cannot release it again. */</span>
    <span class="n">p</span><span class="o">-></span><span class="n">reinit_data</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span>
    <span class="n">PacketReinit</span><span class="p">(</span><span class="n">p</span><span class="p">);</span>
<span class="p">}</span>

<span class="kt">int32_t</span> <span class="nf">ipc_set_packet_data</span><span class="p">(</span><span class="n">Packet</span> <span class="o">*</span><span class="n">p</span><span class="p">,</span> <span class="kt">uint8_t</span> <span class="o">*</span><span class="n">pktdata</span><span class="p">,</span> <span class="kt">uint32_t</span> <span class="n">pktlen</span><span class="p">,</span>
        <span class="kt">uint32_t</span> <span class="n">linktype</span><span class="p">,</span> <span class="kt">uint32_t</span> <span class="n">ts_sec</span><span class="p">,</span> <span class="kt">uint32_t</span> <span class="n">ts_usec</span><span class="p">,</span>
        <span class="kt">uint8_t</span> <span class="o">*</span><span class="n">userdata</span><span class="p">)</span> <span class="p">{</span>
    <span class="k">if</span><span class="p">(</span><span class="n">unlikely</span><span class="p">(</span><span class="n">PacketSetData</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">pktdata</span><span class="p">,</span> <span class="n">pktlen</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">))</span> <span class="p">{</span>
        <span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
    <span class="p">}</span>
    <span class="n">p</span><span class="o">-></span><span class="n">datalink</span> <span class="o">=</span> <span class="n">linktype</span><span class="p">;</span>
    <span class="n">p</span><span class="o">-></span><span class="n">ts</span><span class="p">.</span><span class="n">tv_sec</span> <span class="o">=</span> <span class="n">ts_sec</span><span class="p">;</span>
    <span class="n">p</span><span class="o">-></span><span class="n">ts</span><span class="p">.</span><span class="n">tv_usec</span> <span class="o">=</span> <span class="n">ts_usec</span><span class="p">;</span>
    <span class="n">p</span><span class="o">-></span><span class="n">reinit_data</span> <span class="o">=</span> <span class="n">userdata</span><span class="p">;</span>
    <span class="n">p</span><span class="o">-></span><span class="n">ReinitPacket</span> <span class="o">=</span> <span class="n">IpcPacketReinit</span><span class="p">;</span>
    <span class="cm">/* Set the zero-copy flag and keep the flags that are already set. */</span>
    <span class="n">p</span><span class="o">-></span><span class="n">flags</span> <span class="o">|=</span> <span class="n">PKT_ZERO_COPY</span><span class="p">;</span>
    <span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre>
<p>This should work similarly to the ReleasePacket functionality that af_packet and other capture types are using.</p>
Suricata - Feature #4070: Capture Plugins should receive notification when suricata is done with a packet
https://redmine.openinfosecfoundation.org/issues/4070?journal_id=20514
2021-09-02T16:27:49Z
Danny Browning
<a name="Use-Case"></a>
<h1>Use Case</h1>
<p>Packets are being allocated outside of the C allocator (e.g. Rust). When Suricata is done processing the packet, the plugin needs to be notified that the packet can be reclaimed.</p>
<a name="Current-Limitations"></a>
<h1>Current Limitations</h1>
<p>The ReleasePacket function is only called when the packet is released, not when done. ext_pkt serves as the actual packet data when present.</p>
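<p>The ownership hand-back requested in this issue, as an added stand-alone model that is not part of the original posts or of Suricata's code. The <code>Packet</code> struct is a simplified stand-in that keeps only the field names used above, and the pool and the <code>plugin_*</code> and <code>engine_done_with_packet</code> functions are hypothetical.</p>

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-in for Suricata's Packet: only the fields the post uses. */
typedef struct Packet_ {
    const uint8_t *ext_pkt;                 /* zero-copy view of plugin memory */
    void *reinit_data;                      /* opaque handle owned by the plugin */
    void (*ReinitPacket)(struct Packet_ *); /* hook proposed in the post */
} Packet;

/* Hypothetical plugin pool standing in for a non-C (e.g. Rust) allocator. */
#define POOL_SLOTS 4
static struct Slot { uint8_t data[64]; int in_use; } pool[POOL_SLOTS];

int plugin_outstanding(void) {
    int n = 0;
    for (size_t i = 0; i < POOL_SLOTS; i++) n += pool[i].in_use;
    return n;
}

/* Plugin hook: hand the buffer back, then clear every pointer into it. */
static void plugin_reinit(Packet *p) {
    if (p->reinit_data != NULL) ((struct Slot *)p->reinit_data)->in_use = 0;
    p->reinit_data = NULL; /* a repeated call must not free a reused slot */
    p->ext_pkt = NULL;     /* no dangling view into reclaimed memory */
}

/* Capture side: attach a free slot to the packet without copying. */
int plugin_fill(Packet *p) {
    for (size_t i = 0; i < POOL_SLOTS; i++) {
        if (pool[i].in_use) continue;
        pool[i].in_use = 1;
        p->ext_pkt = pool[i].data;
        p->reinit_data = &pool[i];
        p->ReinitPacket = plugin_reinit;
        return 0;
    }
    return -1; /* exhausted: no buffer has been reported as done */
}

/* Engine side: called once processing of the packet has finished. */
void engine_done_with_packet(Packet *p) {
    if (p->ReinitPacket != NULL) p->ReinitPacket(p);
}

int main(void) {
    Packet p = {0};
    if (plugin_fill(&p) == 0) engine_done_with_packet(&p);
    return plugin_outstanding(); /* 0: the buffer was handed back */
}
```

<p>Clearing <code>reinit_data</code> and <code>ext_pkt</code> inside the hook is what keeps a repeated notification from releasing a slot that has since been handed to another packet.</p>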