Project

General

Profile

Actions

Feature #4070

open

Capture Plugins should receive notification when suricata is done with a packet

Added by Danny Browning over 3 years ago. Updated over 2 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
Effort:
low
Difficulty:
Label:

Description

Capture plugins should receive a notification when suricata is done with a packet (reinit or free), so that they may take appropriate steps for the packets they have provided to suricata.

One example of this is pulling packets from a ring buffer and being able to mark when when the packet is no longer being used and can be written to again (e.g. write head).

Another example is a packet allocated with a different allocator that will not be cleaned up by a free of ext_pkt, as in a rust packet.

Actions #1

Updated by Danny Browning over 3 years ago

This is how I would expect to use this functionality:

static void IpcPacketReinit(Packet *p) {
    if(p->reinit_data) {
        rs_ipc_release_packet(p->reinit_data);
    }
    p->reinit_data = NULL;
    PacketReinit(p);
}

int32_t ipc_set_packet_data(Packet *p, uint8_t *pktdata, uint32_t pktlen,
                             uint32_t linktype, uint32_t ts_sec, uint32_t ts_usec,
                             uint8_t *userdata) {
    if(unlikely(PacketSetData(p, pktdata, pktlen) != 0)) {
        return -1;
    }
    p->datalink = linktype;
    p->ts.tv_sec = ts_sec;
    p->ts.tv_usec = ts_usec;
    p->reinit_data = userdata;
    p->ReinitPacket = IpcPacketReinit;
    p->flags = p->flags & PKT_ZERO_COPY;

    return 0;
}

This should work similar to ReleasePacket functionality that af_packet and other capture types are using.

Actions #2

Updated by Danny Browning over 2 years ago

Use Case

Packets are being allocated outside of the C allocator (e.g. rust). When suricata is done processing the packet, the plugin needs to be notified that the packet can be reclaimed.

Current Limitations

ReleasePacket function is only called when the packet is released, not when done. ext_pkt serves as actual packet data when present.

Actions

Also available in: Atom PDF