/* Copyright (C) 2011-2021 Open Information Security Foundation

 *

 * You can copy, redistribute or modify this Program under the terms of

 * the GNU General Public License version 2 as published by the Free

 * Software Foundation.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * version 2 along with this program; if not, write to the Free Software

 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

 * 02110-1301, USA.

 */

/**

 *  \defgroup afppacket AF_PACKET running mode

 *

 *  @{

 */

/**

 * \file

 *

 * \author Eric Leblond <eric@regit.org>

 *

 * AF_PACKET socket acquisition support

 *

 */

#define PCAP_DONT_INCLUDE_PCAP_BPF_H 1

#define SC_PCAP_DONT_INCLUDE_PCAP_H 1

#include "suricata-common.h"

#include "suricata.h"

#include "packet.h"

#include "decode.h"

#include "packet-queue.h"

#include "threads.h"

#include "threadvars.h"

#include "tm-queuehandlers.h"

#include "tm-modules.h"

#include "tm-threads.h"

#include "tm-threads-common.h"

#include "conf.h"

#include "util-cpu.h"

#include "util-datalink.h"

#include "util-debug.h"

#include "util-device.h"

#include "util-ebpf.h"

#include "util-error.h"

#include "util-privs.h"

#include "util-optimize.h"

#include "util-checksum.h"

#include "util-ioctl.h"

#include "util-host-info.h"

#include "tmqh-packetpool.h"

#include "source-af-packet.h"

#include "runmodes.h"

#include "flow-storage.h"

#include "util-validate.h"

#include "action-globals.h"

#ifdef HAVE_AF_PACKET

#if HAVE_SYS_IOCTL_H

#include <sys/ioctl.h>

#endif

#if HAVE_LINUX_SOCKIOS_H

#include <linux/sockios.h>

#endif

#ifdef HAVE_PACKET_EBPF

#include <bpf/libbpf.h>

#include <bpf/bpf.h>

#endif

struct bpf_program {

    unsigned int bf_len;

    struct bpf_insn *bf_insns;

};

#ifdef HAVE_PCAP_H

#include <pcap.h>

#endif

#ifdef HAVE_PCAP_PCAP_H

#include <pcap/pcap.h>

#endif

#include "util-bpf.h"

#if HAVE_LINUX_IF_ETHER_H

#include <linux/if_ether.h>

#endif

#if HAVE_LINUX_IF_PACKET_H

#include <linux/if_packet.h>

#endif

#if HAVE_LINUX_IF_ARP_H

#include <linux/if_arp.h>

#endif

#if HAVE_LINUX_FILTER_H

#include <linux/filter.h>

#endif

#if HAVE_SYS_MMAN_H

#include <sys/mman.h>

#endif

#ifdef HAVE_HW_TIMESTAMPING

#include <linux/net_tstamp.h>

#endif

#endif /* HAVE_AF_PACKET */

extern uint16_t max_pending_packets;

#ifndef HAVE_AF_PACKET

TmEcode NoAFPSupportExit(ThreadVars *, const void *, void **);

void TmModuleReceiveAFPRegister (void)

{

    tmm_modules[TMM_RECEIVEAFP].name = "ReceiveAFP";

    tmm_modules[TMM_RECEIVEAFP].ThreadInit = NoAFPSupportExit;

    tmm_modules[TMM_RECEIVEAFP].Func = NULL;

    tmm_modules[TMM_RECEIVEAFP].ThreadExitPrintStats = NULL;

    tmm_modules[TMM_RECEIVEAFP].ThreadDeinit = NULL;

    tmm_modules[TMM_RECEIVEAFP].cap_flags = 0;

    tmm_modules[TMM_RECEIVEAFP].flags = TM_FLAG_RECEIVE_TM;

}

/**

 * \brief Registration Function for DecodeAFP.

 */

void TmModuleDecodeAFPRegister (void)

{

    tmm_modules[TMM_DECODEAFP].name = "DecodeAFP";

    tmm_modules[TMM_DECODEAFP].ThreadInit = NoAFPSupportExit;

    tmm_modules[TMM_DECODEAFP].Func = NULL;

    tmm_modules[TMM_DECODEAFP].ThreadExitPrintStats = NULL;

    tmm_modules[TMM_DECODEAFP].ThreadDeinit = NULL;

    tmm_modules[TMM_DECODEAFP].cap_flags = 0;

    tmm_modules[TMM_DECODEAFP].flags = TM_FLAG_DECODE_TM;

}

/**

 * \brief this function prints an error message and exits.

 */

TmEcode NoAFPSupportExit(ThreadVars *tv, const void *initdata, void **data)

{

    SCLogError("Error creating thread %s: you do not have "

               "support for AF_PACKET enabled, on Linux host please recompile "

               "with --enable-af-packet",

            tv->name);

    exit(EXIT_FAILURE);

}

#else /* We have AF_PACKET support */

#define AFP_IFACE_NAME_LENGTH 48

#define AFP_STATE_DOWN 0

#define AFP_STATE_UP 1

#define AFP_RECONNECT_TIMEOUT 500000

#define AFP_DOWN_COUNTER_INTERVAL 40

#define POLL_TIMEOUT 100

/* kernel flags defined for RX ring tp_status */

#ifndef TP_STATUS_KERNEL

#define TP_STATUS_KERNEL 0

#endif

#ifndef TP_STATUS_USER

#define TP_STATUS_USER BIT_U32(0)

#endif

#ifndef TP_STATUS_COPY

#define TP_STATUS_COPY BIT_U32(1)

#endif

#ifndef TP_STATUS_LOSING

#define TP_STATUS_LOSING BIT_U32(2)

#endif

#ifndef TP_STATUS_CSUMNOTREADY

#define TP_STATUS_CSUMNOTREADY BIT_U32(3)

#endif

#ifndef TP_STATUS_VLAN_VALID

#define TP_STATUS_VLAN_VALID BIT_U32(4)

#endif

#ifndef TP_STATUS_BLK_TMO

#define TP_STATUS_BLK_TMO BIT_U32(5)

#endif

#ifndef TP_STATUS_VLAN_TPID_VALID

#define TP_STATUS_VLAN_TPID_VALID BIT_U32(6)

#endif

#ifndef TP_STATUS_CSUM_VALID

#define TP_STATUS_CSUM_VALID BIT_U32(7)

#endif

#ifndef TP_STATUS_TS_SOFTWARE

#define TP_STATUS_TS_SOFTWARE BIT_U32(29)

#endif

#ifndef TP_STATUS_TS_SYS_HARDWARE

#define TP_STATUS_TS_SYS_HARDWARE BIT_U32(30) /* kernel comment says: "deprecated, never set" */

#endif

#ifndef TP_STATUS_TS_RAW_HARDWARE

#define TP_STATUS_TS_RAW_HARDWARE BIT_U32(31)

#endif

#ifndef TP_STATUS_USER_BUSY

/* HACK special setting in the tp_status field for frames we are

 * still working on. This can happen in autofp mode where the

 * capture thread goes around the ring and finds a frame that still

 * hasn't been released by a worker thread.

 *

 * We use bits 29, 30, 31. 29 and 31 are software and hardware

 * timestamps. 30 should not be set by the kernel at all. Combined

 * they should never be set on the rx-ring together.

 *

 * The excessive casting is for handling the fact that the kernel

 * defines almost all of these as int flags, not unsigned ints. */

#define TP_STATUS_USER_BUSY                                                                        \

    (uint32_t)((uint32_t)TP_STATUS_TS_SOFTWARE | (uint32_t)TP_STATUS_TS_SYS_HARDWARE |             \

               (uint32_t)TP_STATUS_TS_RAW_HARDWARE)

#endif

#define FRAME_BUSY(tp_status)                                                                      \

    (((uint32_t)(tp_status) & (uint32_t)TP_STATUS_USER_BUSY) == (uint32_t)TP_STATUS_USER_BUSY)

enum {

    AFP_READ_OK,

    AFP_READ_FAILURE,

    /** Error during treatment by other functions of Suricata */

    AFP_SURI_FAILURE,

    AFP_KERNEL_DROP,

};

enum {

    AFP_FATAL_ERROR = 1,

    AFP_RECOVERABLE_ERROR,

};

union thdr {

    struct tpacket2_hdr *h2;

#ifdef HAVE_TPACKET_V3

    struct tpacket3_hdr *h3;

#endif

    void *raw;

};

#ifdef HAVE_PACKET_EBPF

static int AFPBypassCallback(Packet *p);

static int AFPXDPBypassCallback(Packet *p);

#endif

#define MAX_MAPS 32

/**

 * \brief Structure to hold thread specific variables.

 */

typedef struct AFPThreadVars_

{

    union AFPRing {

        union thdr **v2;

        struct iovec *v3;

    } ring;

    /* counters */

    uint64_t pkts;

    ThreadVars *tv;

    TmSlot *slot;

    LiveDevice *livedev;

    /* data link type for the thread */

    uint32_t datalink;

#ifdef HAVE_PACKET_EBPF

    /* File descriptor of the IPv4 flow bypass table maps */

    int v4_map_fd;

    /* File descriptor of the IPv6 flow bypass table maps */

    int v6_map_fd;

#endif

    unsigned int frame_offset;

    ChecksumValidationMode checksum_mode;

    /* references to packet and drop counters */

    uint16_t capture_kernel_packets;

    uint16_t capture_kernel_drops;

    uint16_t capture_errors;

    uint16_t afpacket_spin;

    uint16_t capture_afp_poll;

    uint16_t capture_afp_poll_signal;

    uint16_t capture_afp_poll_timeout;

    uint16_t capture_afp_poll_data;

    uint16_t capture_afp_poll_err;

    uint16_t capture_afp_send_err;

    uint64_t send_errors_logged; /**< snapshot of send errors logged. */

    /* handle state */

    uint8_t afp_state;

    uint8_t copy_mode;

    unsigned int flags;

    /* IPS peer */

    AFPPeer *mpeer;

    /*

     *  Init related members

     */

    /* thread specific socket */

    int socket;

    int ring_size;

    int v2_block_size;

    int block_size;

    int block_timeout;

    /* socket buffer size */

    int buffer_size;

    /* Filter */

    const char *bpf_filter;

    int promisc;

    /* bitmask of ignored ssl_pkttypes */

    uint32_t pkttype_filter_mask;

    int down_count;

    uint16_t cluster_id;

    int cluster_type;

    int threads;

    union AFPTpacketReq {

        struct tpacket_req v2;

#ifdef HAVE_TPACKET_V3

        struct tpacket_req3 v3;

#endif

    } req;

    char iface[AFP_IFACE_NAME_LENGTH];

    /* IPS output iface */

    char out_iface[AFP_IFACE_NAME_LENGTH];

    /* mmap'ed ring buffer */

    unsigned int ring_buflen;

    uint8_t *ring_buf;

    int snaplen; /**< snaplen in use for passing on to bpf */

#ifdef HAVE_PACKET_EBPF

    uint8_t xdp_mode;

    int ebpf_lb_fd;

    int ebpf_filter_fd;

    struct ebpf_timeout_config ebpf_t_config;

#endif

} AFPThreadVars;

static TmEcode ReceiveAFPThreadInit(ThreadVars *, const void *, void **);

static void ReceiveAFPThreadExitStats(ThreadVars *, void *);

static TmEcode ReceiveAFPThreadDeinit(ThreadVars *, void *);

static TmEcode ReceiveAFPLoop(ThreadVars *tv, void *data, void *slot);

static TmEcode DecodeAFPThreadInit(ThreadVars *, const void *, void **);

static TmEcode DecodeAFPThreadDeinit(ThreadVars *tv, void *data);

static TmEcode DecodeAFP(ThreadVars *, Packet *, void *);

static TmEcode AFPSetBPFFilter(AFPThreadVars *ptv);

static int AFPGetIfnumByDev(int fd, const char *ifname, int verbose);

static int AFPGetDevFlags(int fd, const char *ifname);

static int AFPDerefSocket(AFPPeer* peer);

static int AFPRefSocket(AFPPeer* peer);

/**

 * \brief Registration Function for RecieveAFP.

 * \todo Unit tests are needed for this module.

 */

void TmModuleReceiveAFPRegister (void)

{

    tmm_modules[TMM_RECEIVEAFP].name = "ReceiveAFP";

    tmm_modules[TMM_RECEIVEAFP].ThreadInit = ReceiveAFPThreadInit;

    tmm_modules[TMM_RECEIVEAFP].Func = NULL;

    tmm_modules[TMM_RECEIVEAFP].PktAcqLoop = ReceiveAFPLoop;

    tmm_modules[TMM_RECEIVEAFP].PktAcqBreakLoop = NULL;

    tmm_modules[TMM_RECEIVEAFP].ThreadExitPrintStats = ReceiveAFPThreadExitStats;

    tmm_modules[TMM_RECEIVEAFP].ThreadDeinit = ReceiveAFPThreadDeinit;

    tmm_modules[TMM_RECEIVEAFP].cap_flags = SC_CAP_NET_RAW;

    tmm_modules[TMM_RECEIVEAFP].flags = TM_FLAG_RECEIVE_TM;

}

/**

 *  \defgroup afppeers AFP peers list

 *

 * AF_PACKET has an IPS mode were interface are peered: packet from

 * on interface are sent the peered interface and the other way. The ::AFPPeer

 * list is maintaining the list of peers. Each ::AFPPeer is storing the needed

 * information to be able to send packet on the interface.

 * A element of the list must not be destroyed during the run of Suricata as it

 * is used by ::Packet and other threads.

 *

 *  @{

 */

typedef struct AFPPeersList_ {

    TAILQ_HEAD(, AFPPeer_) peers; /**< Head of list of fragments. */

    int cnt;

    int peered;

    int turn; /**< Next value for initialisation order */

    SC_ATOMIC_DECLARE(int, reached); /**< Counter used to synchronize start */

} AFPPeersList;

/**

 * \brief Update the peer.

 *

 * Update the AFPPeer of a thread ie set new state, socket number

 * or iface index.

 *

 */

static void AFPPeerUpdate(AFPThreadVars *ptv)

{

    if (ptv->mpeer == NULL) {

        return;

    }

    (void)SC_ATOMIC_SET(ptv->mpeer->if_idx, AFPGetIfnumByDev(ptv->socket, ptv->iface, 0));

    (void)SC_ATOMIC_SET(ptv->mpeer->socket, ptv->socket);

    (void)SC_ATOMIC_SET(ptv->mpeer->state, ptv->afp_state);

}

/**

 * \brief Clean and free ressource used by an ::AFPPeer

 */

static void AFPPeerClean(AFPPeer *peer)

{

    if (peer->flags & AFP_SOCK_PROTECT)

        SCMutexDestroy(&peer->sock_protect);

    SCFree(peer);

}

AFPPeersList peerslist;

/**

 * \brief Init the global list of ::AFPPeer

 */

TmEcode AFPPeersListInit(void)

{

    SCEnter();

    TAILQ_INIT(&peerslist.peers);

    peerslist.peered = 0;

    peerslist.cnt = 0;

    peerslist.turn = 0;

    SC_ATOMIC_INIT(peerslist.reached);

    (void) SC_ATOMIC_SET(peerslist.reached, 0);

    SCReturnInt(TM_ECODE_OK);

}

/**

 * \brief Check that all ::AFPPeer got a peer

 *

 * \retval TM_ECODE_FAILED if some threads are not peered or TM_ECODE_OK else.

 */

TmEcode AFPPeersListCheck(void)

{

#define AFP_PEERS_MAX_TRY 4

#define AFP_PEERS_WAIT 20000

    int try = 0;

    SCEnter();

    while (try < AFP_PEERS_MAX_TRY) {

        if (peerslist.cnt != peerslist.peered) {

            usleep(AFP_PEERS_WAIT);

        } else {

            SCReturnInt(TM_ECODE_OK);

        }

        try++;

    }

    SCLogError("thread number not equal");

    SCReturnInt(TM_ECODE_FAILED);

}

/**

 * \brief Declare a new AFP thread to AFP peers list.

 */

static TmEcode AFPPeersListAdd(AFPThreadVars *ptv)

{

    SCEnter();

    AFPPeer *peer = SCMalloc(sizeof(AFPPeer));

    AFPPeer *pitem;

    if (unlikely(peer == NULL)) {

        SCReturnInt(TM_ECODE_FAILED);

    }

    memset(peer, 0, sizeof(AFPPeer));

    SC_ATOMIC_INIT(peer->socket);

    SC_ATOMIC_INIT(peer->sock_usage);

    SC_ATOMIC_INIT(peer->if_idx);

    SC_ATOMIC_INIT(peer->state);

    peer->flags = ptv->flags;

    peer->turn = peerslist.turn++;

    if (peer->flags & AFP_SOCK_PROTECT) {

        SCMutexInit(&peer->sock_protect, NULL);

    }

    (void)SC_ATOMIC_SET(peer->sock_usage, 0);

    (void)SC_ATOMIC_SET(peer->state, AFP_STATE_DOWN);

    strlcpy(peer->iface, ptv->iface, AFP_IFACE_NAME_LENGTH);

    ptv->mpeer = peer;

    /* add element to iface list */

    TAILQ_INSERT_TAIL(&peerslist.peers, peer, next);

    if (ptv->copy_mode != AFP_COPY_MODE_NONE) {

        peerslist.cnt++;

        /* Iter to find a peer */

        TAILQ_FOREACH(pitem, &peerslist.peers, next) {

            if (pitem->peer)

                continue;

            if (strcmp(pitem->iface, ptv->out_iface))

                continue;

            peer->peer = pitem;

            pitem->peer = peer;

            LiveDevice *iface = ptv->livedev;

            DEBUG_VALIDATE_BUG_ON(iface == NULL);

            DEBUG_VALIDATE_BUG_ON(strcmp(iface->dev, ptv->iface) != 0);

            LiveDevice *out_iface = LiveGetDevice(ptv->out_iface);

            if (out_iface == NULL)

                FatalError("AF_PACKET device %s not found. Aborting..", ptv->out_iface);

            if (iface->mtu != out_iface->mtu) {

                SCLogWarning("MTU on %s (%d) and %s (%d) are not equal, transmission of packets "

                             "bigger than %d will fail.",

                        iface->dev, iface->mtu, out_iface->dev, out_iface->mtu,

                        MIN(out_iface->mtu, iface->mtu));

            }

            peerslist.peered += 2;

            break;

        }

    }

    AFPPeerUpdate(ptv);

    SCReturnInt(TM_ECODE_OK);

}

static int AFPPeersListWaitTurn(AFPPeer *peer)

{

    /* If turn is zero, we already have started threads once */

    if (peerslist.turn == 0)

        return 0;

    if (peer->turn == SC_ATOMIC_GET(peerslist.reached))

        return 0;

    return 1;

}

static void AFPPeersListReachedInc(void)

{

    if (peerslist.turn == 0)

        return;

    if ((SC_ATOMIC_ADD(peerslist.reached, 1) + 1) == peerslist.turn) {

        (void)SC_ATOMIC_SET(peerslist.reached, 0);

        /* Set turn to 0 to skip synchronization when ReceiveAFPLoop is

         * restarted.

         */

        peerslist.turn = 0;

    }

}

static int AFPPeersListStarted(void)

{

    return !peerslist.turn;

}

/**

 * \brief Clean the global peers list.

 */

void AFPPeersListClean(void)

{

    AFPPeer *pitem;

    while ((pitem = TAILQ_FIRST(&peerslist.peers))) {

        TAILQ_REMOVE(&peerslist.peers, pitem, next);

        AFPPeerClean(pitem);

    }

}

/**

 * @}

 */

/**

 * \brief Registration Function for DecodeAFP.

 * \todo Unit tests are needed for this module.

 */

void TmModuleDecodeAFPRegister (void)

{

    tmm_modules[TMM_DECODEAFP].name = "DecodeAFP";

    tmm_modules[TMM_DECODEAFP].ThreadInit = DecodeAFPThreadInit;

    tmm_modules[TMM_DECODEAFP].Func = DecodeAFP;

    tmm_modules[TMM_DECODEAFP].ThreadExitPrintStats = NULL;

    tmm_modules[TMM_DECODEAFP].ThreadDeinit = DecodeAFPThreadDeinit;

    tmm_modules[TMM_DECODEAFP].cap_flags = 0;

    tmm_modules[TMM_DECODEAFP].flags = TM_FLAG_DECODE_TM;

}

static int AFPCreateSocket(AFPThreadVars *ptv, char *devname, int verbose);

static inline void AFPDumpCounters(AFPThreadVars *ptv)

{

#ifdef PACKET_STATISTICS

    struct tpacket_stats kstats;

    socklen_t len = sizeof (struct tpacket_stats);

    if (getsockopt(ptv->socket, SOL_PACKET, PACKET_STATISTICS,

                &kstats, &len) > -1) {

        SCLogDebug("(%s) Kernel: Packets %" PRIu32 ", dropped %" PRIu32 "",

                ptv->tv->name,

                kstats.tp_packets, kstats.tp_drops);

        StatsAddUI64(ptv->tv, ptv->capture_kernel_packets, kstats.tp_packets);

        StatsAddUI64(ptv->tv, ptv->capture_kernel_drops, kstats.tp_drops);

        (void) SC_ATOMIC_ADD(ptv->livedev->drop, (uint64_t) kstats.tp_drops);

        (void) SC_ATOMIC_ADD(ptv->livedev->pkts, (uint64_t) kstats.tp_packets);

        const uint64_t value = SC_ATOMIC_GET(ptv->mpeer->send_errors);

        if (value > ptv->send_errors_logged) {

            StatsAddUI64(ptv->tv, ptv->capture_afp_send_err, value - ptv->send_errors_logged);

            ptv->send_errors_logged = value;

        }

    }

#endif

}

/**

 * \brief AF packet write function.

 *

 * This function has to be called before the memory

 * related to Packet in ring buffer is released.

 *

 * \param pointer to Packet

 * \param version of capture: TPACKET_V2 or TPACKET_V3

 * \retval TM_ECODE_FAILED on failure and TM_ECODE_OK on success

 *

 */

static void AFPWritePacket(Packet *p, int version)

{

    struct sockaddr_ll socket_address;

    int socket;

    if (p->afp_v.copy_mode == AFP_COPY_MODE_IPS) {

        if (PacketCheckAction(p, ACTION_DROP)) {

            return;

        }

    }

    if (p->ethh == NULL) {

        SCLogWarning("packet should have an ethernet header");

        return;

    }

    /* Index of the network device */

    socket_address.sll_ifindex = SC_ATOMIC_GET(p->afp_v.peer->if_idx);

    /* Address length*/

    socket_address.sll_halen = ETH_ALEN;

    /* Destination MAC */

    memcpy(socket_address.sll_addr, p->ethh, 6);

    /* Send packet, locking the socket if necessary */

    if (p->afp_v.peer->flags & AFP_SOCK_PROTECT)

        SCMutexLock(&p->afp_v.peer->sock_protect);

    socket = SC_ATOMIC_GET(p->afp_v.peer->socket);

    if (sendto(socket, GET_PKT_DATA(p), GET_PKT_LEN(p), 0, (struct sockaddr *)&socket_address,

                sizeof(struct sockaddr_ll)) < 0) {

        if (SC_ATOMIC_ADD(p->afp_v.peer->send_errors, 1) == 0) {

            SCLogWarning("%s: sending packet failed on socket %d: %s", p->afp_v.peer->iface, socket,

                    strerror(errno));

        }

    }

    if (p->afp_v.peer->flags & AFP_SOCK_PROTECT)

        SCMutexUnlock(&p->afp_v.peer->sock_protect);

}

static void AFPReleaseDataFromRing(Packet *p)

{

    DEBUG_VALIDATE_BUG_ON(PKT_IS_PSEUDOPKT(p));

    /* Need to be in copy mode and need to detect early release

       where Ethernet header could not be set (and pseudo packet) */

    if (p->afp_v.copy_mode != AFP_COPY_MODE_NONE) {

        AFPWritePacket(p, TPACKET_V2);

    }

    BUG_ON(p->afp_v.relptr == NULL);

    union thdr h;

    h.raw = p->afp_v.relptr;

    h.h2->tp_status = TP_STATUS_KERNEL;

    (void)AFPDerefSocket(p->afp_v.mpeer);

    AFPV_CLEANUP(&p->afp_v);

}

#ifdef HAVE_TPACKET_V3

static void AFPReleasePacketV3(Packet *p)

{

    DEBUG_VALIDATE_BUG_ON(PKT_IS_PSEUDOPKT(p));

    /* Need to be in copy mode and need to detect early release

       where Ethernet header could not be set (and pseudo packet) */

    if (p->afp_v.copy_mode != AFP_COPY_MODE_NONE) {

        AFPWritePacket(p, TPACKET_V3);

    }

    PacketFreeOrRelease(p);

}

#endif

static void AFPReleasePacket(Packet *p)

{

    AFPReleaseDataFromRing(p);

    PacketFreeOrRelease(p);

}

/** \internal

 *  \brief recoverable error - release packet and

 *         return AFP_SURI_FAILURE

 */

static inline int AFPSuriFailure(AFPThreadVars *ptv, union thdr h)

{

    h.h2->tp_status = TP_STATUS_KERNEL;

    if (++ptv->frame_offset >= ptv->req.v2.tp_frame_nr) {

        ptv->frame_offset = 0;

    }

    SCReturnInt(AFP_SURI_FAILURE);

}

static inline void AFPReadApplyBypass(const AFPThreadVars *ptv, Packet *p)

{

#ifdef HAVE_PACKET_EBPF

    if (ptv->flags & AFP_BYPASS) {

        p->BypassPacketsFlow = AFPBypassCallback;

        p->afp_v.v4_map_fd = ptv->v4_map_fd;

        p->afp_v.v6_map_fd = ptv->v6_map_fd;

        p->afp_v.nr_cpus = ptv->ebpf_t_config.cpus_count;

    }

    if (ptv->flags & AFP_XDPBYPASS) {

        p->BypassPacketsFlow = AFPXDPBypassCallback;

        p->afp_v.v4_map_fd = ptv->v4_map_fd;

        p->afp_v.v6_map_fd = ptv->v6_map_fd;

        p->afp_v.nr_cpus = ptv->ebpf_t_config.cpus_count;

    }

#endif

}

/** \internal

 *  \brief setup packet for AFPReadFromRing

 */

static void AFPReadFromRingSetupPacket(

        AFPThreadVars *ptv, union thdr h, const unsigned int tp_status, Packet *p)

{

    PKT_SET_SRC(p, PKT_SRC_WIRE);

    /* flag the packet as TP_STATUS_USER_BUSY, which is ignore by the kernel, but

     * acts as an indicator that we've reached a frame that is not yet released by

     * us in autofp mode. It will be cleared when the frame gets released to the kernel. */

    h.h2->tp_status |= TP_STATUS_USER_BUSY;

    p->livedev = ptv->livedev;

    p->datalink = ptv->datalink;

    ptv->pkts++;

    AFPReadApplyBypass(ptv, p);

    if (h.h2->tp_len > h.h2->tp_snaplen) {

        SCLogDebug("Packet length (%d) > snaplen (%d), truncating", h.h2->tp_len, h.h2->tp_snaplen);

        ENGINE_SET_INVALID_EVENT(p, AFP_TRUNC_PKT);

    }

    /* get vlan id from header */

    if ((ptv->flags & AFP_VLAN_IN_HEADER) &&

            (tp_status & TP_STATUS_VLAN_VALID || h.h2->tp_vlan_tci)) {

        p->vlan_id[0] = h.h2->tp_vlan_tci & 0x0fff;

        p->vlan_idx = 1;

        p->afp_v.vlan_tci = h.h2->tp_vlan_tci;

    }

    (void)PacketSetData(p, (unsigned char *)h.raw + h.h2->tp_mac, h.h2->tp_snaplen);

    p->ReleasePacket = AFPReleasePacket;

    p->afp_v.relptr = h.raw;

    if (ptv->flags & AFP_NEED_PEER) {

        p->afp_v.mpeer = ptv->mpeer;

        AFPRefSocket(ptv->mpeer);

    } else {

        p->afp_v.mpeer = NULL;

    }

    p->afp_v.copy_mode = ptv->copy_mode;

    p->afp_v.peer = (p->afp_v.copy_mode == AFP_COPY_MODE_NONE) ? NULL : ptv->mpeer->peer;

    /* Timestamp */

    p->ts = (SCTime_t){ .secs = h.h2->tp_sec, .usecs = h.h2->tp_nsec / 1000 };

    SCLogDebug("pktlen: %" PRIu32 " (pkt %p, pkt data %p)", GET_PKT_LEN(p), p, GET_PKT_DATA(p));

    /* We only check for checksum disable */

    if (ptv->checksum_mode == CHECKSUM_VALIDATION_DISABLE) {

        p->flags |= PKT_IGNORE_CHECKSUM;

    } else if (ptv->checksum_mode == CHECKSUM_VALIDATION_AUTO) {

        if (ChecksumAutoModeCheck(ptv->pkts, SC_ATOMIC_GET(ptv->livedev->pkts),

                    SC_ATOMIC_GET(ptv->livedev->invalid_checksums))) {

            ptv->checksum_mode = CHECKSUM_VALIDATION_DISABLE;

            p->flags |= PKT_IGNORE_CHECKSUM;

        }

    } else {

        if (tp_status & TP_STATUS_CSUMNOTREADY) {

            p->flags |= PKT_IGNORE_CHECKSUM;

        }

    }

}

static inline int AFPReadFromRingWaitForPacket(AFPThreadVars *ptv)

{

    union thdr h;

    struct timeval start_time;

    gettimeofday(&start_time, NULL);

    uint64_t busy_loop_iter = 0;

    /* busy wait loop until we have packets available */

    while (1) {

        if (unlikely(suricata_ctl_flags != 0)) {

            break;

        }

        h.raw = (((union thdr **)ptv->ring.v2)[ptv->frame_offset]);

        if (unlikely(h.raw == NULL)) {

            return AFP_READ_FAILURE;

        }

        const unsigned int tp_status = h.h2->tp_status;

        if (tp_status == TP_STATUS_KERNEL) {

            busy_loop_iter++;

            struct timeval cur_time;

            memset(&cur_time, 0, sizeof(cur_time));

            uint64_t milliseconds =

                    ((cur_time.tv_sec - start_time.tv_sec) * 1000) +

                    (((1000000 + cur_time.tv_usec - start_time.tv_usec) / 1000) - 1000);

            if (milliseconds > 1000) {

                break;

            }

            continue;

        }

        break;

    }

    if (busy_loop_iter) {

        StatsAddUI64(ptv->tv, ptv->afpacket_spin, busy_loop_iter);

    }

    return AFP_READ_OK;

}

/**

 * \brief AF packet frame ignore logic

 *

 * Given a sockaddr_ll of a frame, use the pkttype_filter_mask to decide if the

 * frame should be ignored. Protect from undefined behavior if there's ever

 * a sll_pkttype that would shift by too much. At this point, only outgoing

 * packets (4) are ignored. The highest value in if_linux.h is PACKET_KERNEL (7),

 * this extra check is being overly cautious.

 *

 * \retval true if the frame should be ignored

 */

static inline bool AFPShouldIgnoreFrame(AFPThreadVars *ptv, const struct sockaddr_ll *sll)

{

    if (unlikely(sll->sll_pkttype > 31))

        return false;

    return (ptv->pkttype_filter_mask & BIT_U32(sll->sll_pkttype)) != 0;

}

/**

 * \brief AF packet read function for ring

 *

 * This function fills

 * From here the packets are picked up by the DecodeAFP thread.

 *

 * \param user pointer to AFPThreadVars

 * \retval TM_ECODE_FAILED on failure and TM_ECODE_OK on success

 */

static int AFPReadFromRing(AFPThreadVars *ptv)

{

    union thdr h;

    bool emergency_flush = false;

    const unsigned int start_pos = ptv->frame_offset;

    /* poll() told us there are frames, so lets wait for at least

     * one frame to become available. */

    if (AFPReadFromRingWaitForPacket(ptv) != AFP_READ_OK)

        return AFP_READ_FAILURE;

    /* process the frames in the ring */

    while (1) {

        if (unlikely(suricata_ctl_flags != 0)) {

            break;

        }

        h.raw = (((union thdr **)ptv->ring.v2)[ptv->frame_offset]);

        if (unlikely(h.raw == NULL)) {

            return AFP_READ_FAILURE;

        }

        const unsigned int tp_status = h.h2->tp_status;

        /* if we find a kernel frame we are done */

        if (unlikely(tp_status == TP_STATUS_KERNEL)) {

            break;

        }

        /* if in autofp mode the frame is still busy, return to poll */

        if (unlikely(FRAME_BUSY(tp_status))) {

            break;

        }

        emergency_flush |= ((tp_status & TP_STATUS_LOSING) != 0);

        if ((ptv->flags & AFP_EMERGENCY_MODE) && emergency_flush) {

            h.h2->tp_status = TP_STATUS_KERNEL;

            goto next_frame;

        }

        const struct sockaddr_ll *sll =

                (const struct sockaddr_ll *)((uint8_t *)h.h2 +

                                             TPACKET_ALIGN(sizeof(struct tpacket2_hdr)));

        if (unlikely(AFPShouldIgnoreFrame(ptv, sll)))

            goto next_frame;

        Packet *p = PacketGetFromQueueOrAlloc();

        if (p == NULL) {

            return AFPSuriFailure(ptv, h);

        }

        AFPReadFromRingSetupPacket(ptv, h, tp_status, p);

        if (TmThreadsSlotProcessPkt(ptv->tv, ptv->slot, p) != TM_ECODE_OK) {

            return AFPSuriFailure(ptv, h);

        }

next_frame:

        if (++ptv->frame_offset >= ptv->req.v2.tp_frame_nr) {

            ptv->frame_offset = 0;

            /* Get out of loop to be sure we will reach maintenance tasks */

            if (ptv->frame_offset == start_pos)

                break;

        }

    }

    if (emergency_flush) {

        AFPDumpCounters(ptv);

    }

    SCReturnInt(AFP_READ_OK);

}

#ifdef HAVE_TPACKET_V3

static inline void AFPFlushBlock(struct tpacket_block_desc *pbd)

{

    pbd->hdr.bh1.block_status = TP_STATUS_KERNEL;

}

static inline int AFPParsePacketV3(AFPThreadVars *ptv, struct tpacket_block_desc *pbd, struct tpacket3_hdr *ppd)

{

    Packet *p = PacketGetFromQueueOrAlloc();

    if (p == NULL) {

        SCReturnInt(AFP_SURI_FAILURE);

    }

    PKT_SET_SRC(p, PKT_SRC_WIRE);

    AFPReadApplyBypass(ptv, p);

    ptv->pkts++;