Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-12 11:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Revert "Move BinPAC, bifcl, af_packet, and gen_zam submodules into main zeek repo"

Browse source
This commit is contained in:
Tim Wojtulewicz 2025-08-15 15:11:22 -07:00 committed by GitHub
parent a10a70994e
commit e64ec54172
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
146 changed files with 50 additions and 20635 deletions
Download patch file Download diff file Expand all files Collapse all files

1
src/iosource/CMakeLists.txt
View file

@ -13,4 +13,3 @@ zeek_add_subdir_library(
PktSrc.cc)
add_subdirectory(pcap)
add_subdirectory(af_packet)

326
src/iosource/af_packet/AF_Packet.cc
View file

@ -1,326 +0,0 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/iosource/af_packet/AF_Packet.h"
#include "zeek/iosource/af_packet/RX_Ring.h"
#include "zeek/iosource/af_packet/af_packet.bif.h"
#ifndef TP_STATUS_CSUM_VALID
#define TP_STATUS_CSUM_VALID (1 << 7)
#endif
using namespace zeek::iosource::pktsrc;
AF_PacketSource::~AF_PacketSource() { Close(); }
AF_PacketSource::AF_PacketSource(const std::string& path, bool is_live) {
if ( ! is_live )
Error("AF_Packet source does not support offline input");
current_filter = -1;
props.path = path;
props.is_live = is_live;
socket_fd = -1;
rx_ring = nullptr;
checksum_mode = zeek::BifConst::AF_Packet::checksum_validation_mode->AsEnum();
}
void AF_PacketSource::Open() {
uint64_t buffer_size = zeek::BifConst::AF_Packet::buffer_size;
uint64_t block_size = zeek::BifConst::AF_Packet::block_size;
int block_timeout_msec = static_cast<int>(zeek::BifConst::AF_Packet::block_timeout * 1000.0);
int link_type = zeek::BifConst::AF_Packet::link_type;
bool enable_hw_timestamping = zeek::BifConst::AF_Packet::enable_hw_timestamping;
bool enable_fanout = zeek::BifConst::AF_Packet::enable_fanout;
bool enable_defrag = zeek::BifConst::AF_Packet::enable_defrag;
socket_fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
if ( socket_fd < 0 ) {
Error(errno ? strerror(errno) : "unable to create socket");
return;
}
auto info = GetInterfaceInfo(props.path);
if ( ! info.Valid() ) {
Error(errno ? strerror(errno) : "unable to get interface information");
close(socket_fd);
socket_fd = -1;
return;
}
if ( ! info.IsUp() ) {
Error("interface is down");
close(socket_fd);
socket_fd = -1;
return;
}
// Create RX-ring
try {
rx_ring = new RX_Ring(socket_fd, buffer_size, block_size, block_timeout_msec);
} catch ( RX_RingException& e ) {
Error(errno ? strerror(errno) : "unable to create RX-ring");
close(socket_fd);
return;
}
// Setup interface
if ( ! BindInterface(info) ) {
Error(errno ? strerror(errno) : "unable to bind to interface");
close(socket_fd);
return;
}
if ( ! EnablePromiscMode(info) ) {
Error(errno ? strerror(errno) : "unable enter promiscuous mode");
close(socket_fd);
return;
}
if ( ! ConfigureFanoutGroup(enable_fanout, enable_defrag) ) {
Error(errno ? strerror(errno) : "failed to join fanout group");
close(socket_fd);
return;
}
if ( ! ConfigureHWTimestamping(enable_hw_timestamping) ) {
Error(errno ? strerror(errno) : "failed to configure hardware timestamping");
close(socket_fd);
return;
}
props.netmask = NETMASK_UNKNOWN;
props.selectable_fd = socket_fd;
props.is_live = true;
props.link_type = link_type;
stats.received = stats.dropped = stats.link = stats.bytes_received = 0;
num_discarded = 0;
Opened(props);
}
AF_PacketSource::InterfaceInfo AF_PacketSource::GetInterfaceInfo(const std::string& path) {
AF_PacketSource::InterfaceInfo info;
struct ifreq ifr;
int ret;
memset(&ifr, 0, sizeof(ifr));
snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", path.c_str());
ret = ioctl(socket_fd, SIOCGIFFLAGS, &ifr);
if ( ret < 0 )
return info;
info.flags = ifr.ifr_flags;
ret = ioctl(socket_fd, SIOCGIFINDEX, &ifr);
if ( ret < 0 )
return info;
info.index = ifr.ifr_ifindex;
return info;
}
bool AF_PacketSource::BindInterface(const AF_PacketSource::InterfaceInfo& info) {
struct sockaddr_ll saddr_ll;
int ret;
memset(&saddr_ll, 0, sizeof(saddr_ll));
saddr_ll.sll_family = AF_PACKET;
saddr_ll.sll_protocol = htons(ETH_P_ALL);
saddr_ll.sll_ifindex = info.index;
ret = bind(socket_fd, (struct sockaddr*)&saddr_ll, sizeof(saddr_ll));
return (ret >= 0);
}
bool AF_PacketSource::EnablePromiscMode(const AF_PacketSource::InterfaceInfo& info) {
struct packet_mreq mreq;
int ret;
memset(&mreq, 0, sizeof(mreq));
mreq.mr_ifindex = info.index;
mreq.mr_type = PACKET_MR_PROMISC;
ret = setsockopt(socket_fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mreq, sizeof(mreq));
return (ret >= 0);
}
bool AF_PacketSource::ConfigureFanoutGroup(bool enabled, bool defrag) {
if ( enabled ) {
uint32_t fanout_id = zeek::BifConst::AF_Packet::fanout_id;
uint32_t fanout_arg = ((fanout_id & 0xffff) | (GetFanoutMode(defrag) << 16));
if ( setsockopt(socket_fd, SOL_PACKET, PACKET_FANOUT, &fanout_arg, sizeof(fanout_arg)) < 0 )
return false;
}
return true;
}
bool AF_PacketSource::ConfigureHWTimestamping(bool enabled) {
if ( enabled ) {
struct ifreq ifr;
struct hwtstamp_config hwts_cfg;
memset(&hwts_cfg, 0, sizeof(hwts_cfg));
hwts_cfg.tx_type = HWTSTAMP_TX_OFF;
hwts_cfg.rx_filter = HWTSTAMP_FILTER_ALL;
memset(&ifr, 0, sizeof(ifr));
snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", props.path.c_str());
ifr.ifr_data = &hwts_cfg;
if ( ioctl(socket_fd, SIOCSHWTSTAMP, &ifr) < 0 )
return false;
int opt = SOF_TIMESTAMPING_RAW_HARDWARE | SOF_TIMESTAMPING_RX_HARDWARE;
if ( setsockopt(socket_fd, SOL_PACKET, PACKET_TIMESTAMP, &opt, sizeof(opt)) < 0 )
return false;
}
return true;
}
uint32_t AF_PacketSource::GetFanoutMode(bool defrag) {
uint32_t fanout_mode;
switch ( zeek::BifConst::AF_Packet::fanout_mode->AsEnum() ) {
case BifEnum::AF_Packet::FANOUT_CPU: fanout_mode = PACKET_FANOUT_CPU; break;
#ifdef PACKET_FANOUT_QM
case BifEnum::AF_Packet::FANOUT_QM: fanout_mode = PACKET_FANOUT_QM; break;
#endif
#ifdef PACKET_FANOUT_CBPF
case BifEnum::AF_Packet::FANOUT_CBPF: fanout_mode = PACKET_FANOUT_CBPF; break;
#endif
#ifdef PACKET_FANOUT_EBPF
case BifEnum::AF_Packet::FANOUT_EBPF: fanout_mode = PACKET_FANOUT_EBPF; break;
#endif
default: fanout_mode = PACKET_FANOUT_HASH; break;
}
if ( defrag )
fanout_mode |= PACKET_FANOUT_FLAG_DEFRAG;
return fanout_mode;
}
void AF_PacketSource::Close() {
if ( socket_fd < 0 )
return;
delete rx_ring;
rx_ring = nullptr;
close(socket_fd);
socket_fd = -1;
Closed();
}
bool AF_PacketSource::ExtractNextPacket(zeek::Packet* pkt) {
if ( ! socket_fd )
return false;
struct tpacket3_hdr* packet = nullptr;
const u_char* data;
while ( true ) {
if ( ! rx_ring->GetNextPacket(&packet) )
return false;
current_hdr.ts.tv_sec = packet->tp_sec;
current_hdr.ts.tv_usec = packet->tp_nsec / 1000;
current_hdr.caplen = packet->tp_snaplen;
current_hdr.len = packet->tp_len;
data = (u_char*)packet + packet->tp_mac;
if ( ! ApplyBPFFilter(current_filter, &current_hdr, data) ) {
++num_discarded;
DoneWithPacket();
continue;
}
pkt->Init(props.link_type, &current_hdr.ts, current_hdr.caplen, current_hdr.len, data);
if ( packet->tp_status & TP_STATUS_VLAN_VALID )
pkt->vlan = packet->hv1.tp_vlan_tci & 0x0fff;
switch ( checksum_mode ) {
case BifEnum::AF_Packet::CHECKSUM_OFF: {
// If set to off, just accept whatever checksum in the packet is correct and
// skip checking it here and in Zeek.
pkt->l4_checksummed = true;
break;
}
case BifEnum::AF_Packet::CHECKSUM_KERNEL: {
// If set to kernel, check whether the kernel thinks the checksum is valid. If it
// does, tell Zeek to skip checking by itself.
if ( ((packet->tp_status & TP_STATUS_CSUM_VALID) != 0) ||
((packet->tp_status & TP_STATUS_CSUMNOTREADY) != 0) )
pkt->l4_checksummed = true;
else
pkt->l4_checksummed = false;
break;
}
case BifEnum::AF_Packet::CHECKSUM_ON:
default: {
// Let Zeek handle it.
pkt->l4_checksummed = false;
break;
}
}
if ( current_hdr.len == 0 || current_hdr.caplen == 0 ) {
Weird("empty_af_packet_header", pkt);
return false;
}
stats.received++;
stats.bytes_received += current_hdr.len;
return true;
}
return false;
}
void AF_PacketSource::DoneWithPacket() { rx_ring->ReleasePacket(); }
bool AF_PacketSource::PrecompileFilter(int index, const std::string& filter) {
return PktSrc::PrecompileBPFFilter(index, filter);
}
bool AF_PacketSource::SetFilter(int index) {
current_filter = index;
return true;
}
void AF_PacketSource::Statistics(Stats* s) {
if ( ! socket_fd ) {
s->received = s->bytes_received = s->link = s->dropped = 0;
return;
}
struct tpacket_stats_v3 tp_stats;
socklen_t tp_stats_len = sizeof(struct tpacket_stats_v3);
int ret;
ret = getsockopt(socket_fd, SOL_PACKET, PACKET_STATISTICS, &tp_stats, &tp_stats_len);
if ( ret < 0 ) {
Error(errno ? strerror(errno) : "unable to retrieve statistics");
s->received = s->bytes_received = s->link = s->dropped = 0;
return;
}
stats.link += tp_stats.tp_packets;
stats.dropped += tp_stats.tp_drops;
memcpy(s, &stats, sizeof(Stats));
}
zeek::iosource::PktSrc* AF_PacketSource::InstantiateAF_Packet(const std::string& path, bool is_live) {
return new AF_PacketSource(path, is_live);
}

82
src/iosource/af_packet/AF_Packet.h
View file

@ -1,82 +0,0 @@
// See the file "COPYING" in the main distribution directory for copyright.
#pragma once
extern "C" {
#include <errno.h> // errorno
#include <linux/if.h> // ifreq
#include <linux/if_packet.h> // AF_PACKET, etc.
#include <linux/net_tstamp.h> // hwtstamp_config
#include <linux/sockios.h> // SIOCSHWTSTAMP
#include <net/ethernet.h> // ETH_P_ALL
#include <pcap.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h> // close()
}
#include "zeek/iosource/PktSrc.h"
#include "zeek/iosource/af_packet/RX_Ring.h"
namespace zeek::iosource::pktsrc {
class AF_PacketSource : public zeek::iosource::PktSrc {
public:
/**
* Constructor.
*
* path: Name of the interface to open (the AF_Packet source doesn't
* support reading from files).
*
* is_live: Must be true (the AF_Packet source doesn't support offline
* operation).
*/
AF_PacketSource(const std::string& path, bool is_live);
/**
* Destructor.
*/
~AF_PacketSource() override;
static PktSrc* InstantiateAF_Packet(const std::string& path, bool is_live);
protected:
// PktSrc interface.
void Open() override;
void Close() override;
bool ExtractNextPacket(zeek::Packet* pkt) override;
void DoneWithPacket() override;
bool PrecompileFilter(int index, const std::string& filter) override;
bool SetFilter(int index) override;
void Statistics(Stats* stats) override;
private:
Properties props;
Stats stats;
int current_filter = 0;
unsigned int num_discarded = 0;
int checksum_mode = 0;
int socket_fd = -1;
RX_Ring* rx_ring = nullptr;
struct pcap_pkthdr current_hdr = {};
struct InterfaceInfo {
int index = -1;
int flags = 0;
bool Valid() { return index >= 0; }
bool IsUp() { return flags & IFF_UP; }
};
InterfaceInfo GetInterfaceInfo(const std::string& path);
bool BindInterface(const InterfaceInfo& info);
bool EnablePromiscMode(const InterfaceInfo& info);
bool ConfigureFanoutGroup(bool enabled, bool defrag);
bool ConfigureHWTimestamping(bool enabled);
uint32_t GetFanoutMode(bool defrag);
};
} // namespace zeek::iosource::pktsrc

5
src/iosource/af_packet/CMakeLists.txt
View file

@ -1,5 +0,0 @@
if (${CMAKE_SYSTEM_NAME} MATCHES Linux)
set(ZEEK_HAVE_AF_PACKET yes CACHE INTERNAL "")
zeek_add_plugin(Zeek AF_Packet SOURCES Plugin.cc AF_Packet.cc RX_Ring.cc BIFS af_packet.bif)
endif ()

27
src/iosource/af_packet/Plugin.cc
View file

@ -1,27 +0,0 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/iosource/Component.h"
#include "zeek/iosource/af_packet/AF_Packet.h"
namespace zeek::plugin::Zeek_AF_Packet {
class Plugin : public plugin::Plugin {
plugin::Configuration Configure() override {
AddComponent(
new ::zeek::iosource::PktSrcComponent("AF_PacketReader", "af_packet",
::zeek::iosource::PktSrcComponent::LIVE,
::zeek::iosource::pktsrc::AF_PacketSource::InstantiateAF_Packet));
zeek::plugin::Configuration config;
config.name = "Zeek::AF_Packet";
config.description = "Packet acquisition via AF_Packet";
config.version.major = 4;
config.version.minor = 0;
config.version.patch = 0;
return config;
}
} plugin;
} // namespace zeek::plugin::Zeek_AF_Packet

127
src/iosource/af_packet/README
View file

@ -1,127 +0,0 @@
# Zeek::AF_Packet
This plugin provides native AF_Packet support for Zeek. For details about AF_Packet, see the corresponding [man page](http://man7.org/linux/man-pages/man7/packet.7.html).
> **Note**:
> Starting with Zeek version 5.2, Zeek ships with a built-in version of this plugin.
## Installation
Before installing the plugin, make sure your kernel supports PACKET_FANOUT[^1] and TPACKET_V3.
### Package Manager
The plugin is available as package for the [Zeek Package Manager](https://github.com/zeek/package-manager) and can be installed using the following command:
zkg install zeek-af_packet-plugin
### Manual Install
The following will compile and install the AF_Packet plugin alongside Zeek:
# ./configure && make && make install
If everything built and installed correctly, you should see this:
# zeek -NN Zeek::AF_Packet
Zeek::AF_Packet - Packet acquisition via AF_Packet (dynamic, version 4.0.0)
[Packet Source] AF_PacketReader (interface prefix "af_packet"; supports live input)
[Type] AF_Packet::FanoutMode
[Type] AF_Packet::ChecksumMode
[Constant] AF_Packet::buffer_size
[Constant] AF_Packet::block_size
[Constant] AF_Packet::block_timeout
[Constant] AF_Packet::enable_hw_timestamping
[Constant] AF_Packet::enable_defrag
[Constant] AF_Packet::enable_fanout
[Constant] AF_Packet::fanout_mode
[Constant] AF_Packet::fanout_id
[Constant] AF_Packet::link_type
[Constant] AF_Packet::checksum_validation_mode
## Usage
Once installed, you can use AF_Packet interfaces/ports by prefixing them with `af_packet::` on the command line. For example, to use AF_Packet to monitor interface `eth0`:
# zeek -i af_packet::eth0
### Permissions
To use AF_Packet, running Zeek without root privileges, the Zeek processes need the CAP_NET_RAW capability. You can set it with the following command (on each sensor, after `zeekctl install`):
# setcap cap_net_raw+eip <path_to_zeek>/bin/zeek
The AF_Packet plugin automatically enables promiscuous mode on the interfaces. As the plugin is using PACKET_ADD_MEMBERSHIP to enter the promiscuous mode without interfering others, the PROMISC flag is not touched. To verify that the interface entered promiscuous mode you can use `dmesg`.
### Offloading
Remember to disable any offloading features provided by the Network Interface Card (NIC) or Linux networking stack that interfere with Zeek. In general, Zeek expects to see network packets as they arrive on the wire. See this [blog post](https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html) for more background. Toggling offloading features can be done with the `ethtool -K` command, for example:
# IFACE=eth0
# for offload in rx tx sg tso ufo gso gro lro; do
# ethtool -K $IFACE $offload off
# done
For more details around the involved offloads consult the [ethtool manpage](https://man7.org/linux/man-pages/man8/ethtool.8.html). In addition, `ethtool -S` can be used to gather statistics at the interface level.
While all offloading should usually be disabled, the plugin supports to outsource certain tasks like checksum validation. See the [configuration section](#advanced-configuration) for further information.
## Usage with `zeekctl`
To use the AF_Packet plugin with `zeekctl`, the `custom` load balance method can be utilized. The following shows an exemplary configuration:
[manager]
type=manager
host=localhost
[proxy-1]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=af_packet::eth0
lb_method=custom
lb_procs=8
pin_cpus=0,1,2,3,4,5,6,7
# Optional parameters for per node configuration:
af_packet_fanout_id=23
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
af_packet_buffer_size=128*1024*1024
If all interfaces using `lb_method=custom` should be configured for AF_Packet, the prefix can be globally defined by adding the following line to `zeekctl.conf`:
lb_custom.InterfacePrefix=af_packet::
## Advanced Configuration
While the plugin aims at providing a "plug and play" user experience, it exposes several configuration options of the underlying API for customization (see [init.zeek](scripts/init.zeek) for the default values):
* `buffer_size`: Set the overall buffer size allocated per socket. As the buffer is divided into blocks, this should be a multiple of the block size.
* `block_size`: Set the size of a block in the buffer. Instead of ingesting packet by packet into the application, packets are aggregated in blocks to improve performance. The block size **must** be a multiple of the system's page size (see `getconf PAGE_SIZE`).
* `block_timeout`: Set the timeout in milliseconds for passing a block to the application. This can be useful to reduce latency on less busy links.
* `enable_hw_timestamping`: Enable support for hardware timestamping. Please note that this is an experimental feature.
* `enable_defrag`: Enable defragmentation of IP packets before packets are load-balanced. This can be useful to prevent different fragments from being sent to different workers.
* `enable_fanout`: Enable packet fanout for load-balancing across multiple workers. The load-balancing strategy is determined by the fanout mode.
* `fanout_mode`: Set the load-balancing strategy. See [af_packet.bif](af_packet.bif) for the supported fanout modes.
* `fanout_id`: Set the fanout ID that identifies a load-balancing group. When monitoring multiple interfaces, a separate ID has to be configured for each interface.
* `link_type`: Set the link layer protocol.
* `checksum_validation_mode`: Set how checksums are calculated and verified. See [af_packet.bif](af_packet.bif) for the supported validation modes.
> **Note**:
> Setting `checksum_validation_mode` will not have any effect when used with Zeek prior version 5.1.
For further details on the above configuration options see the [kernel documentation](https://docs.kernel.org/networking/packet_mmap.html). Actual performance tuning is rather an art. For in-depth guidance, see the following resources, which can be transferred to Zeek:
* [Suricata Extreme Performance Tuning guide](https://github.com/pevma/SEPTun)
* [Suricata Extreme Performance Tuning guide - Mark II](https://github.com/pevma/SEPTun-Mark-II)
## Limitations
* __VLAN tagging is now supported.__ Even using AF_Packet's ``ETH_P_ALL``, the kernel removes VLAN tags from packets.
~~While the tags are provided spereately, there is no efficient way to pass them to Zeek.~~ Applying knowledge about the internal data structures used by Zeek, the plugin now forwards VLAN tag control information to Zeek. Both IEEE 802.1Q and IEEE 802.1ad (QinQ) will be handled as expected.
* Zeek workers crashing or restarting can, for a short period of time, disturb load balancing due to their packet
sockets being removed and later rejoining the fanout group. This may be visible in Zeek logs as gaps and/or duplicated connection entries produced by different Zeek workers.
[^1]: Note that some kernel versions between 3.10 and 4.7 might exhibit a bug that prevents the required symmetric hashing. The script available at https://github.com/JustinAzoff/can-i-use-afpacket-fanout can be used to verify whether PACKET_FANOUT works as expected. This issue should have been fixed in all stable kernels by now.

97
src/iosource/af_packet/RX_Ring.cc
View file

@ -1,97 +0,0 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/iosource/af_packet/RX_Ring.h"
#include <cstring>
#include <utility>
extern "C" {
#include <linux/if_packet.h> // AF_PACKET, etc.
#include <sys/mman.h> // mmap
#include <sys/socket.h> // socketopt consts
#include <unistd.h> // sysconf
}
RX_Ring::RX_Ring(int sock, size_t bufsize, size_t blocksize, int blocktimeout_msec) {
if ( sock < 0 )
throw RX_RingException("invalid socket");
// Configure socket
int ver = TPACKET_VERSION;
if ( setsockopt(sock, SOL_PACKET, PACKET_VERSION, &ver, sizeof(ver)) != 0 )
throw RX_RingException("unable to set TPacket version");
InitLayout(bufsize, blocksize, blocktimeout_msec);
if ( setsockopt(sock, SOL_PACKET, PACKET_RX_RING, (uint8_t*)&layout, sizeof(layout)) != 0 )
throw RX_RingException("unable to set ring layout");
// Map memory
size = static_cast<size_t>(layout.tp_block_size) * layout.tp_block_nr;
ring = (uint8_t*)mmap(nullptr, size, PROT_READ | PROT_WRITE, MAP_SHARED, sock, 0);
if ( ring == MAP_FAILED )
throw RX_RingException("unable to map ring memory");
block_num = packet_num = 0;
packet = nullptr;
// Init block mapping
blocks = new tpacket_block_desc*[layout.tp_block_nr];
for ( size_t i = 0; i < layout.tp_block_nr; i++ )
blocks[i] = (struct tpacket_block_desc*)(ring + i * layout.tp_block_size);
}
RX_Ring::~RX_Ring() {
ReleasePacket();
delete[] blocks;
munmap(ring, size);
blocks = nullptr;
size = 0;
}
bool RX_Ring::GetNextPacket(tpacket3_hdr** hdr) {
struct tpacket_hdr_v1* block_hdr = &(blocks[block_num]->hdr.bh1);
if ( (block_hdr->block_status & TP_STATUS_USER) == 0 )
return false;
if ( packet == nullptr ) {
// New block
packet_num = block_hdr->num_pkts;
if ( packet_num == 0 ) {
NextBlock();
return false;
}
packet = (struct tpacket3_hdr*)((uint8_t*)blocks[block_num] + block_hdr->offset_to_first_pkt);
}
else
// Continue with block
packet = (struct tpacket3_hdr*)((uint8_t*)packet + packet->tp_next_offset);
*hdr = packet;
packet_num--;
return true;
}
void RX_Ring::ReleasePacket() {
if ( packet_num == 0 )
NextBlock();
}
void RX_Ring::InitLayout(size_t bufsize, size_t blocksize, int blocktimeout_msec) {
memset(&layout, 0, sizeof(layout));
layout.tp_block_size = blocksize;
layout.tp_frame_size = TPACKET_ALIGNMENT << 7; // Seems to be irrelevant for V3
layout.tp_block_nr = bufsize / layout.tp_block_size;
layout.tp_frame_nr = (layout.tp_block_size / layout.tp_frame_size) * layout.tp_block_nr;
layout.tp_retire_blk_tov = blocktimeout_msec;
}
void RX_Ring::NextBlock() {
struct tpacket_hdr_v1* block_hdr = &(blocks[block_num]->hdr.bh1);
block_hdr->block_status = TP_STATUS_KERNEL;
block_num = (block_num + 1) % layout.tp_block_nr;
packet = nullptr;
}

44
src/iosource/af_packet/RX_Ring.h
View file

@ -1,44 +0,0 @@
// See the file "COPYING" in the main distribution directory for copyright.
#pragma once
extern "C" {
#include <linux/if_packet.h> // AF_PACKET, etc.
}
#include <cstdint>
#include <stdexcept>
#define TPACKET_VERSION TPACKET_V3
class RX_RingException : public std::runtime_error {
public:
RX_RingException(const std::string& what_arg) : std::runtime_error(what_arg) {}
};
class RX_Ring {
public:
/**
* Constructor
*/
RX_Ring(int sock, size_t bufsize, size_t blocksize, int blocktimeout_msec);
~RX_Ring();
bool GetNextPacket(tpacket3_hdr** hdr);
void ReleasePacket();
protected:
void InitLayout(size_t bufsize, size_t blocksize, int blocktimeout_msec);
void NextBlock();
private:
struct tpacket_req3 layout;
struct tpacket_block_desc** blocks;
struct tpacket3_hdr* packet;
unsigned int block_num;
unsigned int packet_num;
uint8_t* ring;
size_t size;
};

15
src/iosource/af_packet/af_packet.bif
View file

@ -1,15 +0,0 @@
# Options for the AF_Packet packet source.
module AF_Packet;
const buffer_size: count;
const block_size: count;
const block_timeout: interval;
const enable_hw_timestamping: bool;
const enable_defrag: bool;
const enable_fanout: bool;
const fanout_mode: FanoutMode;
const fanout_id: count;
const link_type: count;
const checksum_validation_mode: ChecksumMode;

6
src/strings.bif
View file

@ -1251,7 +1251,7 @@ function hexdump%(data_str: string%) : string
function reverse%(str: string%) : string
%{
string s = str->ToStdString();
std::ranges::reverse(s);
reverse(s.begin(), s.end());
return zeek::make_intrusive<zeek::StringVal>(s.length(), (const char*)s.c_str());
%}
@ -1308,8 +1308,8 @@ static int64_t do_find_str(zeek::StringVal* str, zeek::StringVal* sub, int64_t s
if ( ! case_sensitive )
{
std::ranges::transform(s, s.begin(), ::tolower);
std::ranges::transform(sb, sb.begin(), ::tolower);
transform(s.begin(), s.end(), s.begin(), ::tolower);
transform(sb.begin(), sb.end(), sb.begin(), ::tolower);
}
if ( rfind )

2
src/telemetry/telemetry_functions.bif
View file

@ -73,7 +73,7 @@ bool labels_valid(std::span<const zeek::telemetry::LabelView> labels,
return std::find(keys.begin(), keys.end(), x.first) != keys.end();
};
return labels.size() == label_names.size()
&& std::ranges::all_of(labels, key_in_label_names);
&& std::all_of(labels.begin(), labels.end(), key_in_label_names);
}
template <class IntOrDbl>

22
src/types.bif
View file

@ -247,26 +247,4 @@ enum Level %{
ERROR = 2,
%}
module AF_Packet;
## Available fanout modes.
enum FanoutMode %{
FANOUT_HASH, # PACKET_FANOUT_HASH
FANOUT_CPU, # PACKET_FANOUT_CPU
FANOUT_QM, # PACKET_FANOUT_QM
FANOUT_CBPF, # PACKET_FANOUT_CBPF
FANOUT_EBPF, # PACKET_FANOUT_EBPF
%}
## Available checksum validation modes.
enum ChecksumMode %{
## Ignore checksums, i.e. always assume they are correct.
CHECKSUM_OFF,
## Let Zeek compute and verify checksums.
CHECKSUM_ON,
## Let the kernel handle checksum offloading.
## Note: Semantics may depend on the kernel and driver version.
CHECKSUM_KERNEL,
%}
module GLOBAL;

12
src/zeek.bif
View file

@ -17,7 +17,6 @@
#include <cstring>
#include <ctime>
#include <vector>
#include <numbers>
#include "zeek/digest.h"
#include "zeek/Reporter.h"
@ -4223,13 +4222,12 @@ function blocking_lookup_hostname%(host: string%) : addr_set
## .. zeek:see:: haversine_distance_ip
function haversine_distance%(lat1: double, long1: double, lat2: double, long2: double%): double
%{
constexpr double RADIUS = 3958.7615; // Mean radius of the Earth in miles.
constexpr double PI_360 = std::numbers::pi / 360.0;
constexpr double PI_180 = std::numbers::pi / 180.0;
const double PI = 3.14159;
const double RADIUS = 3958.8; // Earth's radius in miles.
double s1 = pow(sin((lat2 - lat1) * PI_360), 2);
double s2 = pow(sin((long2 - long1) * PI_360), 2);
double a = s1 + (cos(lat1 * PI_180) * cos(lat2 * PI_180) * s2);
double s1 = sin((lat2 - lat1) * PI/360);
double s2 = sin((long2 - long1) * PI/360);
double a = s1 * s1 + cos(lat1 * PI/180) * cos(lat2 * PI/180) * s2 * s2;
double distance = 2 * RADIUS * asin(sqrt(a));
return zeek::make_intrusive<zeek::DoubleVal>(distance);