Why does af-packet autofp runmode not support tpacket v3?

Please include the following information with your help request:

  • Suricata version
    Suricata version 7.0.0 RELEASE
  • Operating system and/or Linux distribution
    CentOS Linux release 7.9
  • How you installed Suricata (from source, packages, something else)
    source

Hello there,

When I set Suricata’s af-packet autofp mode to tpacket v3, the following error is displayed:
“tpacket v3 is only implemented for ‘workers’ runmode. Switching to tpacket v2”.
I would like to know the design reasons why this mode does not support tpacket v3?

Please provide more details: what does your suricata.yaml look like, what kernel is used, what NIC, etc.
What runmode do you run, instead of workers?

  1. suricata.yaml af-packet config:
af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
    checksum-checks: no
  2. kernel version
3.10.0-1160.el7.x86_64

  3. NIC
driver: virtio_net
version: 1.0.0

  4. suricata run command
suricata -c suricata.yaml -i eth0 --runmode autofp

I would like to understand the reasoning behind the logic design in the ParseAFPConfig function within the runmode-af-packet.c file of the Suricata source code. I couldn’t find any related documentation explaining it.

    if (ConfGetChildValueBoolWithDefault(if_root, if_default, "tpacket-v3", (int *)&boolval) == 1) {
        if (boolval) {
            if (strcasecmp(RunmodeGetActive(), "workers") == 0) {
#ifdef HAVE_TPACKET_V3
                SCLogConfig("%s: enabling tpacket v3", aconf->iface);
                aconf->flags |= AFP_TPACKET_V3;
#else
                SCLogWarning("%s: system too old for tpacket v3 switching to v2", iface);
                aconf->flags &= ~AFP_TPACKET_V3;
#endif
            } else {
                SCLogWarning("%s: tpacket v3 is only implemented for 'workers' runmode."
                             " Switching to tpacket v2.",
                        iface);
                aconf->flags &= ~AFP_TPACKET_V3;
            }
        } else {
            aconf->flags &= ~AFP_TPACKET_V3;
        }
    }

I would recommend the workers runmode, which has better performance; autofp is more of a fallback, thus the focus is on the worker runmode.

Also make sure to run a newer kernel; 3.10 is over 10 years old.

Not supporting v3 for autofp allows us to avoid some threading overhead. If you use autofp, performance is clearly not a major concern, so using v2 is fine.

Yes, thank you very much. I just want to confirm whether it is technically feasible for Suricata’s af-packet autofp mode to operate based on tpacket v3.

Support could be added, but it would require code changes. We are not planning to do it.

Thank you for your answer, it solved my question.
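
An added example, not part of the thread or of Suricata's code: a preflight check that reads the af-packet section of a suricata.yaml and reports, per interface, whether tpacket v3 would survive the ParseAFPConfig branch quoted above for a given runmode. The function names, the sample config and the small line-based parser (flat `key: value` entries only) are assumptions of this example; the fallback to an `interface: default` entry follows the if_default argument in the quoted call.

```python
import re

TRUE_VALUES = {"1", "yes", "true", "on"}  # strings Suricata's config code reads as true

# Constructed sample; eth0 mirrors the af-packet section posted in the thread.
SAMPLE = """\
af-packet:
  - interface: eth0
    cluster-id: 99
    tpacket-v3: yes
  - interface: eth1
  - interface: default
    tpacket-v3: no
pcap:
  - interface: eth9
"""

def afpacket_entries(yaml_text):
    """Return the list entries under the top-level 'af-packet:' key as dicts."""
    entries, inside = [], False
    for raw in yaml_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()      # drop inline comments
        if line and line[0] not in " -#%":         # a top-level key opens or closes the section
            inside = line.startswith("af-packet:")
        elif inside and (m := re.match(r"\s*(-\s+)?([\w-]+):\s*(.*)$", line)):
            if m.group(1):                         # "- key: value" starts a new interface entry
                entries.append({})
            if entries:
                entries[-1][m.group(2)] = m.group(3).strip("\"'")
    return entries

def effective_tpacket(yaml_text, runmode, have_tpacket_v3=True):
    """Map interface -> tpacket verdict, following the branch quoted in the thread."""
    entries = afpacket_entries(yaml_text)
    default = next((e for e in entries if e.get("interface") == "default"), {})
    result = {}
    for e in entries:
        value = e.get("tpacket-v3", default.get("tpacket-v3"))
        if value is None:
            verdict = "unset"                      # key absent: the quoted branch is not taken
        elif value.lower() not in TRUE_VALUES:
            verdict = "v2"
        elif runmode.lower() != "workers":         # strcasecmp(RunmodeGetActive(), "workers")
            verdict = "v2 (downgraded: runmode is not workers)"
        else:
            verdict = "v3" if have_tpacket_v3 else "v2 (downgraded: built without tpacket v3)"
        if e.get("interface") not in (None, "default"):
            result[e["interface"]] = verdict
    return result
```

Calling `effective_tpacket(SAMPLE, "autofp")` flags eth0 as downgraded before Suricata is started, which is the same outcome the warning in the original post reports at startup.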