Feature #4070
open
capture plugins: receive notification when suricata is done with a packet
Added by Danny Browning about 4 years ago.
Updated 4 months ago.
Description
Capture plugins should receive a notification when suricata is done with a packet (reinit or free), so that they may take appropriate steps for the packets they have provided to suricata.
One example of this is pulling packets from a ring buffer and being able to mark when the packet is no longer being used and can be written to again (e.g. write head).
Another example is a packet allocated with a different allocator that will not be cleaned up by a free of ext_pkt, as in a rust packet.
This is how I would expect to use this functionality:
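/* Called when suricata is done with the packet: hand the buffer back to the
 * plugin first, then run the normal reinit. */
static void IpcPacketReinit(Packet *p) {
    if (p->reinit_data) {
        rs_ipc_release_packet(p->reinit_data);
    }
    /* Clear the handle so the buffer is not released a second time. */
    p->reinit_data = NULL;
    PacketReinit(p);
}

int32_t ipc_set_packet_data(Packet *p, uint8_t *pktdata, uint32_t pktlen,
                            uint32_t linktype, uint32_t ts_sec, uint32_t ts_usec,
                            uint8_t *userdata) {
    if (unlikely(PacketSetData(p, pktdata, pktlen) != 0)) {
        return -1;
    }
    p->datalink = linktype;
    p->ts.tv_sec = ts_sec;
    p->ts.tv_usec = ts_usec;
    /* Plugin-owned handle and the hook that returns it. */
    p->reinit_data = userdata;
    p->ReinitPacket = IpcPacketReinit;
    /* Set the zero-copy flag, keeping the flags already present. */
    p->flags |= PKT_ZERO_COPY;
    return 0;
}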
This should work similarly to the ReleasePacket functionality that af_packet and other capture types are using.
Use Case
Packets are being allocated outside of the C allocator (e.g. rust). When suricata is done processing the packet, the plugin needs to be notified that the packet can be reclaimed.
Current Limitations
ReleasePacket function is only called when the packet is released, not when done. ext_pkt serves as actual packet data when present.
- Assignee set to Community Ticket
- Target version set to TBD
- Subject changed from Capture Plugins should receive notification when suricata is done with a packet to capture plugins: receive notification when suricata is done with a packet
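The ring-buffer case from the description, as an added sketch that is not part of the ticket and is not Suricata code: `ToyPacket`, `g_ring`, `ring_lend`, `ring_release` and `engine_done` are hypothetical names, and only `reinit_data` and `ReinitPacket` mirror the fields proposed above. It shows the write head refusing to reuse a slot until the done notification arrives, and a repeated notification being ignored instead of freeing a slot that has since been lent to another packet.

```c
#include <stdint.h>
#include <string.h>
#define SLOTS 4
#define SLOT_SIZE 64

/* Hypothetical stand-in for Suricata's Packet: only the fields this sketch needs. */
typedef struct ToyPacket {
    const uint8_t *ext_pkt;                   /* zero-copy view into the ring */
    void *reinit_data;                        /* plugin-owned handle, as in the ticket */
    void (*ReinitPacket)(struct ToyPacket *); /* "done with packet" notification */
} ToyPacket;

/* Capture-side ring; in_use[i] is 1 while the engine may still read slot i. */
static struct {
    uint8_t data[SLOTS][SLOT_SIZE];
    uint8_t in_use[SLOTS];
    uint32_t head;                            /* next slot to write */
} g_ring;

/* Notification hook: mark the slot writable again. */
static void ring_release(ToyPacket *p) {
    if (p->reinit_data != NULL) {
        *(uint8_t *)p->reinit_data = 0;
    }
    p->reinit_data = NULL; /* a repeated notification must not free a re-lent slot */
    p->ext_pkt = NULL;     /* drop the now-stale pointer */
}

/* Copy a frame to the write head and lend it to p; -1 if that slot is still lent out. */
static int ring_lend(ToyPacket *p, const uint8_t *frame, uint32_t len) {
    uint32_t slot = g_ring.head % SLOTS;
    if (len > SLOT_SIZE || g_ring.in_use[slot]) {
        return -1; /* never overwrite bytes the engine may still be reading */
    }
    memcpy(g_ring.data[slot], frame, len);
    g_ring.in_use[slot] = 1;
    g_ring.head++;
    p->ext_pkt = g_ring.data[slot];
    p->reinit_data = &g_ring.in_use[slot];
    p->ReinitPacket = ring_release;
    return 0;
}

/* Models the engine finishing with a packet (reinit or free). */
static void engine_done(ToyPacket *p) {
    if (p->ReinitPacket != NULL) {
        p->ReinitPacket(p);
    }
}
```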