af_packet: Remove submodule, adapt CMake/code for Zeek build

.gitmodules

@@ -49,9 +49,6 @@
 [submodule "auxil/spicy"]
 	path = auxil/spicy
 	url = https://github.com/zeek/spicy
-[submodule "auxil/zeek-af_packet-plugin"]
-	path = auxil/zeek-af_packet-plugin
-	url = https://github.com/zeek/zeek-af_packet-plugin.git
 [submodule "auxil/libunistd"]
 	path = auxil/libunistd
 	url = https://github.com/zeek/libunistd

CMakeLists.txt

@@ -1189,18 +1189,6 @@ endif ()
 # Tell the plugin code that we're building as part of the main tree.
 set(ZEEK_PLUGIN_INTERNAL_BUILD true CACHE INTERNAL "" FORCE)
 
-set(ZEEK_HAVE_AF_PACKET no)
-if (${CMAKE_SYSTEM_NAME} MATCHES Linux)
-    if (NOT DISABLE_AF_PACKET)
-        if (NOT AF_PACKET_PLUGIN_PATH)
-            set(AF_PACKET_PLUGIN_PATH ${CMAKE_SOURCE_DIR}/auxil/zeek-af_packet-plugin)
-        endif ()
-
-        list(APPEND ZEEK_INCLUDE_PLUGINS ${AF_PACKET_PLUGIN_PATH})
-        set(ZEEK_HAVE_AF_PACKET yes)
-    endif ()
-endif ()
-
 set(ZEEK_HAVE_JAVASCRIPT no)
 if (NOT DISABLE_JAVASCRIPT)
     set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} ${PROJECT_SOURCE_DIR}/auxil/zeekjs/cmake)
@@ -1220,6 +1208,7 @@ if (NOT DISABLE_JAVASCRIPT)
     endif ()
 endif ()
 
+set(ZEEK_HAVE_AF_PACKET no CACHE INTERNAL "Zeek has AF_PACKET support")
 set(ZEEK_HAVE_JAVASCRIPT ${ZEEK_HAVE_JAVASCRIPT} CACHE INTERNAL "Zeek has JavaScript support")
 
 set(DEFAULT_ZEEKPATH_PATHS

auxil/zeek-af_packet-plugin

@@ -1 +0,0 @@
-Subproject commit b89a6f64123f778090d1dd6ec48e6b8e8906ea11

scripts/base/init-bare.zeek

@@ -5691,6 +5691,31 @@ export {
 	};
 }
 
+module AF_Packet;
+
+export {
+	## Size of the ring-buffer.
+	const buffer_size = 128 * 1024 * 1024 &redef;
+	## Size of an individual block. Needs to be a multiple of page size.
+	const block_size = 4096 * 8 &redef;
+	## Retire timeout for a single block.
+	const block_timeout = 10msec &redef;
+	## Toggle whether to use hardware timestamps.
+	const enable_hw_timestamping = F &redef;
+	## Toggle whether to use PACKET_FANOUT.
+	const enable_fanout = T &redef;
+	## Toggle defragmentation of IP packets using PACKET_FANOUT_FLAG_DEFRAG.
+	const enable_defrag = F &redef;
+	## Fanout mode.
+	const fanout_mode = FANOUT_HASH &redef;
+	## Fanout ID.
+	const fanout_id = 23 &redef;
+	## Link type (default Ethernet).
+	const link_type = 1 &redef;
+	## Checksum validation mode.
+	const checksum_validation_mode: ChecksumMode = CHECKSUM_ON &redef;
+}
+
 module DCE_RPC;
 
 export {

src/iosource/CMakeLists.txt

@@ -13,3 +13,4 @@ zeek_add_subdir_library(
     PktSrc.cc)
 
 add_subdirectory(pcap)
+add_subdirectory(af_packet)

src/iosource/af_packet/AF_Packet.cc

@@ -1,25 +1,15 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "zeek/zeek-config.h"
+#include "zeek/iosource/af_packet/AF_Packet.h"
 
-// Starting with Zeek 6.0, zeek-config.h does not provide the
+#include "zeek/iosource/af_packet/RX_Ring.h"
-// ZEEK_VERSION_NUMBER macro anymore when compiling a included
+#include "zeek/iosource/af_packet/af_packet.bif.h"
-// plugin. Use the new zeek/zeek-version.h header if it exists.
-#if __has_include("zeek/zeek-version.h")
-#include "zeek/zeek-version.h"
-#endif
 
-#include "AF_Packet.h"
-#include "RX_Ring.h"
-#include "af_packet.bif.h"
-
-// CentOS 7 if_packet.h does not yet have this define, provide it
-// explicitly if missing.
 #ifndef TP_STATUS_CSUM_VALID
 #define TP_STATUS_CSUM_VALID (1 << 7)
 #endif
 
-using namespace zeek::iosource::pktsrc;
+using namespace zeek::iosource::af_packet;
 
 AF_PacketSource::~AF_PacketSource() { Close(); }
 
@@ -165,15 +155,10 @@ bool AF_PacketSource::EnablePromiscMode(const AF_PacketSource::InterfaceInfo& in
 
 bool AF_PacketSource::ConfigureFanoutGroup(bool enabled, bool defrag) {
     if ( enabled ) {
-        uint32_t fanout_arg, fanout_id;
+        uint32_t fanout_id = zeek::BifConst::AF_Packet::fanout_id;
-        int ret;
+        uint32_t fanout_arg = ((fanout_id & 0xffff) | (GetFanoutMode(defrag) << 16));
 
-        fanout_id = zeek::BifConst::AF_Packet::fanout_id;
+        if ( setsockopt(socket_fd, SOL_PACKET, PACKET_FANOUT, &fanout_arg, sizeof(fanout_arg)) < 0 )
-        fanout_arg = ((fanout_id & 0xffff) | (GetFanoutMode(defrag) << 16));
-
-        ret = setsockopt(socket_fd, SOL_PACKET, PACKET_FANOUT, &fanout_arg, sizeof(fanout_arg));
-
-        if ( ret < 0 )
             return false;
     }
     return true;
@@ -183,7 +168,6 @@ bool AF_PacketSource::ConfigureHWTimestamping(bool enabled) {
     if ( enabled ) {
         struct ifreq ifr;
         struct hwtstamp_config hwts_cfg;
-        int ret, opt;
 
         memset(&hwts_cfg, 0, sizeof(hwts_cfg));
         hwts_cfg.tx_type = HWTSTAMP_TX_OFF;
@@ -192,13 +176,11 @@ bool AF_PacketSource::ConfigureHWTimestamping(bool enabled) {
         snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", props.path.c_str());
         ifr.ifr_data = &hwts_cfg;
 
-        ret = ioctl(socket_fd, SIOCSHWTSTAMP, &ifr);
+        if ( ioctl(socket_fd, SIOCSHWTSTAMP, &ifr) < 0 )
-        if ( ret < 0 )
             return false;
 
-        opt = SOF_TIMESTAMPING_RAW_HARDWARE | SOF_TIMESTAMPING_RX_HARDWARE;
+        int opt = SOF_TIMESTAMPING_RAW_HARDWARE | SOF_TIMESTAMPING_RX_HARDWARE;
-        ret = setsockopt(socket_fd, SOL_PACKET, PACKET_TIMESTAMP, &opt, sizeof(opt));
+        if ( setsockopt(socket_fd, SOL_PACKET, PACKET_TIMESTAMP, &opt, sizeof(opt)) < 0 )
-        if ( ret < 0 )
             return false;
     }
     return true;
@@ -244,7 +226,7 @@ bool AF_PacketSource::ExtractNextPacket(zeek::Packet* pkt) {
     if ( ! socket_fd )
         return false;
 
-    struct tpacket3_hdr* packet = 0;
+    struct tpacket3_hdr* packet = nullptr;
     const u_char* data;
     while ( true ) {
         if ( ! rx_ring->GetNextPacket(&packet) )
@@ -267,7 +249,6 @@ bool AF_PacketSource::ExtractNextPacket(zeek::Packet* pkt) {
         if ( packet->tp_status & TP_STATUS_VLAN_VALID )
             pkt->vlan = packet->hv1.tp_vlan_tci & 0x0fff;
 
-#if ZEEK_VERSION_NUMBER >= 50100
         switch ( checksum_mode ) {
             case BifEnum::AF_Packet::CHECKSUM_OFF: {
                 // If set to off, just accept whatever checksum in the packet is correct and
@@ -292,7 +273,6 @@ bool AF_PacketSource::ExtractNextPacket(zeek::Packet* pkt) {
                 break;
             }
         }
-#endif
 
         if ( current_hdr.len == 0 || current_hdr.caplen == 0 ) {
             Weird("empty_af_packet_header", pkt);

src/iosource/af_packet/AF_Packet.h

@@ -17,10 +17,9 @@ extern "C" {
 }
 
 #include "zeek/iosource/PktSrc.h"
+#include "zeek/iosource/af_packet/RX_Ring.h"
 
-#include "RX_Ring.h"
+namespace zeek::iosource::af_packet {
-
-namespace af_packet::iosource::pktsrc {
 
 class AF_PacketSource : public zeek::iosource::PktSrc {
 public:
@@ -80,4 +79,4 @@ private:
     uint32_t GetFanoutMode(bool defrag);
 };
 
-} // namespace zeek::iosource::pktsrc
+} // namespace zeek::iosource::af_packet

src/iosource/af_packet/CMakeLists.txt

@@ -1,27 +1,5 @@
-cmake_minimum_required(VERSION 3.15 FATAL_ERROR)
+if (${CMAKE_SYSTEM_NAME} MATCHES Linux)
+    set(ZEEK_HAVE_AF_PACKET yes CACHE INTERNAL "")
 
-project(ZeekPluginAF_Packet)
+    zeek_add_plugin(Zeek AF_Packet SOURCES Plugin.cc AF_Packet.cc RX_Ring.cc BIFS af_packet.bif)
-
-include(ZeekPlugin)
-include(CheckSymbolExists)
-
-zeek_plugin_begin(Zeek AF_Packet)
-zeek_plugin_cc(src/Plugin.cc)
-zeek_plugin_cc(src/AF_Packet.cc)
-zeek_plugin_cc(src/RX_Ring.cc)
-zeek_plugin_bif(src/af_packet.bif)
-zeek_plugin_dist_files(zeekctl/af_packet.py README COPYING VERSION)
-zeek_plugin_end()
-
-check_symbol_exists(TP_STATUS_CSUM_VALID linux/if_packet.h HAVE_TP_STATUS_CSUM_VALID)
-if (NOT HAVE_TP_STATUS_CSUM_VALID)
-    message(STATUS "Checksum offloading to the kernel might not be fully supported.")
-endif ()
-
-file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1)
-
-if ("${PROJECT_SOURCE_DIR}" STREQUAL "${CMAKE_SOURCE_DIR}")
-    # Allows building rpm/deb packages via "make package" in build dir.
-    include(ConfigurePackaging)
-    ConfigurePackaging(${VERSION})
 endif ()

src/iosource/af_packet/Plugin.cc

@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/iosource/Component.h"
+#include "zeek/iosource/af_packet/AF_Packet.h"
+
+namespace zeek::plugin::Zeek_AF_Packet {
+
+class Plugin : public plugin::Plugin {
+    plugin::Configuration Configure() override {
+        AddComponent(
+            new ::zeek::iosource::PktSrcComponent("AF_PacketReader", "af_packet",
+                                                  ::zeek::iosource::PktSrcComponent::LIVE,
+                                                  ::zeek::iosource::af_packet::AF_PacketSource::InstantiateAF_Packet));
+
+        zeek::plugin::Configuration config;
+        config.name = "Zeek::AF_Packet";
+        config.description = "Packet acquisition via AF_Packet";
+        config.version.major = 4;
+        config.version.minor = 0;
+        config.version.patch = 0;
+        return config;
+    }
+} plugin;
+
+} // namespace zeek::plugin::Zeek_AF_Packet

src/iosource/af_packet/RX_Ring.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "RX_Ring.h"
+#include "zeek/iosource/af_packet/RX_Ring.h"
 
 #include <cstring>
 #include <utility>
@@ -12,34 +12,33 @@ extern "C" {
 #include <unistd.h>          // sysconf
 }
 
-RX_Ring::RX_Ring(int sock, size_t bufsize, size_t blocksize, int blocktimeout_msec) {
+using namespace zeek::iosource::af_packet;
-    int ret, ver = TPACKET_VERSION;
 
+RX_Ring::RX_Ring(int sock, size_t bufsize, size_t blocksize, int blocktimeout_msec) {
     if ( sock < 0 )
         throw RX_RingException("invalid socket");
 
     // Configure socket
-    ret = setsockopt(sock, SOL_PACKET, PACKET_VERSION, &ver, sizeof(ver));
+    int ver = TPACKET_VERSION;
-    if ( ret )
+    if ( setsockopt(sock, SOL_PACKET, PACKET_VERSION, &ver, sizeof(ver)) != 0 )
         throw RX_RingException("unable to set TPacket version");
 
     InitLayout(bufsize, blocksize, blocktimeout_msec);
-    ret = setsockopt(sock, SOL_PACKET, PACKET_RX_RING, (uint8_t*)&layout, sizeof(layout));
+    if ( setsockopt(sock, SOL_PACKET, PACKET_RX_RING, (uint8_t*)&layout, sizeof(layout)) != 0 )
-    if ( ret )
         throw RX_RingException("unable to set ring layout");
 
     // Map memory
-    size = layout.tp_block_size * layout.tp_block_nr;
+    size = static_cast<size_t>(layout.tp_block_size) * layout.tp_block_nr;
-    ring = (uint8_t*)mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, sock, 0);
+    ring = (uint8_t*)mmap(nullptr, size, PROT_READ | PROT_WRITE, MAP_SHARED, sock, 0);
     if ( ring == MAP_FAILED )
         throw RX_RingException("unable to map ring memory");
 
     block_num = packet_num = 0;
-    packet = NULL;
+    packet = nullptr;
 
     // Init block mapping
     blocks = new tpacket_block_desc*[layout.tp_block_nr];
-    for ( unsigned int i = 0; i < layout.tp_block_nr; i++ )
+    for ( size_t i = 0; i < layout.tp_block_nr; i++ )
         blocks[i] = (struct tpacket_block_desc*)(ring + i * layout.tp_block_size);
 }
 
@@ -49,7 +48,7 @@ RX_Ring::~RX_Ring() {
     delete[] blocks;
     munmap(ring, size);
 
-    blocks = 0;
+    blocks = nullptr;
     size = 0;
 }
 
@@ -59,7 +58,7 @@ bool RX_Ring::GetNextPacket(tpacket3_hdr** hdr) {
     if ( (block_hdr->block_status & TP_STATUS_USER) == 0 )
         return false;
 
-    if ( packet == NULL ) {
+    if ( packet == nullptr ) {
         // New block
         packet_num = block_hdr->num_pkts;
         if ( packet_num == 0 ) {
@@ -96,5 +95,5 @@ void RX_Ring::NextBlock() {
 
     block_hdr->block_status = TP_STATUS_KERNEL;
     block_num = (block_num + 1) % layout.tp_block_nr;
-    packet = NULL;
+    packet = nullptr;
 }

src/iosource/af_packet/RX_Ring.h

@@ -5,14 +5,17 @@
 extern "C" {
 #include <linux/if_packet.h> // AF_PACKET, etc.
 }
+
 #include <cstdint>
 #include <stdexcept>
-#include <string>
 
 #define TPACKET_VERSION TPACKET_V3
 
+namespace zeek::iosource::af_packet {
+
 class RX_RingException : public std::runtime_error {
 public:
+    RX_RingException(const char* what_arg) : std::runtime_error(what_arg) {}
     RX_RingException(const std::string& what_arg) : std::runtime_error(what_arg) {}
 };
 
@@ -42,3 +45,5 @@ private:
     uint8_t* ring;
     size_t size;
 };
+
+} // namespace zeek::iosource::af_packet

src/iosource/af_packet/af_packet.bif

@@ -0,0 +1,16 @@
+# See the file "COPYING" in the main distribution directory for copyright.
+
+# Options for the AF_Packet packet source.
+
+module AF_Packet;
+
+const buffer_size: count;
+const block_size: count;
+const block_timeout: interval;
+const enable_hw_timestamping: bool;
+const enable_defrag: bool;
+const enable_fanout: bool;
+const fanout_mode: FanoutMode;
+const fanout_id: count;
+const link_type: count;
+const checksum_validation_mode: ChecksumMode;

src/iosource/af_packet/scripts/__load__.zeek

@@ -1,5 +0,0 @@
-#
-# This is loaded unconditionally at Zeek startup.
-#
-
-@load ./init.zeek

src/iosource/af_packet/scripts/af_packet/__load__.zeek

@@ -1 +0,0 @@
-# This package currently doesn't have any generic script functionality.

src/iosource/af_packet/scripts/init.zeek

@@ -1,28 +0,0 @@
-##! Packet source using AF_Packet.
-##!
-##! Note: This module is in testing and is not yet considered stable!
-
-module AF_Packet;
-
-export {
-	## Size of the ring-buffer.
-	const buffer_size = 128 * 1024 * 1024 &redef;
-	## Size of an individual block. Needs to be a multiple of page size.
-	const block_size = 4096 * 8 &redef;
-	## Retire timeout for a single block.
-	const block_timeout = 10msec &redef;
-	## Toggle whether to use hardware timestamps.
-	const enable_hw_timestamping = F &redef;
-	## Toggle whether to use PACKET_FANOUT.
-	const enable_fanout = T &redef;
-	## Toggle defragmentation of IP packets using PACKET_FANOUT_FLAG_DEFRAG.
-	const enable_defrag = F &redef;
-	## Fanout mode.
-	const fanout_mode = FANOUT_HASH &redef;
-	## Fanout ID.
-	const fanout_id = 23 &redef;
-	## Link type (default Ethernet).
-	const link_type = 1 &redef;
-	## Checksum validation mode.
-	const checksum_validation_mode: ChecksumMode = CHECKSUM_ON &redef;
-}

src/iosource/af_packet/src/Plugin.cc

@@ -1,27 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include "Plugin.h"
-
-#include "zeek/iosource/Component.h"
-
-#include "AF_Packet.h"
-
-namespace plugin::Zeek_AF_Packet {
-Plugin plugin;
-}
-
-using namespace af_packet::plugin::Zeek_AF_Packet;
-
-zeek::plugin::Configuration Plugin::Configure() {
-    AddComponent(
-        new ::zeek::iosource::PktSrcComponent("AF_PacketReader", "af_packet", ::zeek::iosource::PktSrcComponent::LIVE,
-                                              ::zeek::iosource::pktsrc::AF_PacketSource::InstantiateAF_Packet));
-
-    zeek::plugin::Configuration config;
-    config.name = "Zeek::AF_Packet";
-    config.description = "Packet acquisition via AF_Packet";
-    config.version.major = 4;
-    config.version.minor = 0;
-    config.version.patch = 0;
-    return config;
-}

src/iosource/af_packet/src/Plugin.h

@@ -1,17 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#pragma once
-
-#include <zeek/plugin/Plugin.h>
-
-namespace af_packet::plugin::Zeek_AF_Packet {
-
-class Plugin : public zeek::plugin::Plugin {
-protected:
-    // Overridden from zeek::plugin::Plugin.
-    zeek::plugin::Configuration Configure() override;
-};
-
-extern Plugin plugin;
-
-} // namespace plugin::Zeek_AF_Packet

src/iosource/af_packet/src/af_packet.bif

@@ -1,35 +0,0 @@
-
-# Options for the AF_Packet packet source.
-
-module AF_Packet;
-
-## Available fanout modes.
-enum FanoutMode %{
-	FANOUT_HASH, # PACKET_FANOUT_HASH
-	FANOUT_CPU,  # PACKET_FANOUT_CPU
-	FANOUT_QM,   # PACKET_FANOUT_QM
-	FANOUT_CBPF, # PACKET_FANOUT_CBPF
-	FANOUT_EBPF, # PACKET_FANOUT_EBPF
-%}
-
-## Available checksum validation modes.
-enum ChecksumMode %{
-	## Ignore checksums, i.e. always assume they are correct.
-	CHECKSUM_OFF,
-	## Let Zeek compute and verify checksums.
-	CHECKSUM_ON,
-	## Let the kernel handle checksum offloading.
-	## Note: Semantics may depend on the kernel and driver version.
-	CHECKSUM_KERNEL,
-%}
-
-const buffer_size: count;
-const block_size: count;
-const block_timeout: interval;
-const enable_hw_timestamping: bool;
-const enable_defrag: bool;
-const enable_fanout: bool;
-const fanout_mode: FanoutMode;
-const fanout_id: count;
-const link_type: count;
-const checksum_validation_mode: ChecksumMode;

src/types.bif

@@ -247,4 +247,26 @@ enum Level %{
 	ERROR = 2,
 %}
 
+module AF_Packet;
+
+## Available fanout modes.
+enum FanoutMode %{
+	FANOUT_HASH, # PACKET_FANOUT_HASH
+	FANOUT_CPU,  # PACKET_FANOUT_CPU
+	FANOUT_QM,   # PACKET_FANOUT_QM
+	FANOUT_CBPF, # PACKET_FANOUT_CBPF
+	FANOUT_EBPF, # PACKET_FANOUT_EBPF
+%}
+
+## Available checksum validation modes.
+enum ChecksumMode %{
+	## Ignore checksums, i.e. always assume they are correct.
+	CHECKSUM_OFF,
+	## Let Zeek compute and verify checksums.
+	CHECKSUM_ON,
+	## Let the kernel handle checksum offloading.
+	## Note: Semantics may depend on the kernel and driver version.
+	CHECKSUM_KERNEL,
+%}
+
 module GLOBAL;