Version 0.97

configure.ac

@@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.
 
 AC_PREREQ([2.69])
-AC_INIT(extFilter, 0.95, [email protected])
+AC_INIT(extFilter, 0.97, [email protected])
 
 DPDK_HOME=
 DPDK_TARGET=

include/dtypes.h

@@ -26,6 +26,12 @@ enum port_types
 	P_TYPE_SENDER
 };
 
+enum operation_modes
+{
+	OP_MODE_MIRROR,
+	OP_MODE_INLINE
+};
+
 struct rte_mempool;
 
 struct pool_holder_t

include/flow.h

@@ -36,6 +36,7 @@
 
 #include "params.h"
 #include "arr.h"
+#include "dtypes.h"
 
 //#define _SIMPLE_HASH 1
 
@@ -77,6 +78,10 @@ struct flow_base_t
 			free(infos.tracking.ssl_information[0].pkt_buffer);
 		if(infos.tracking.ssl_information[1].pkt_buffer != nullptr)
 			free(infos.tracking.ssl_information[1].pkt_buffer);
+		if(infos.tracking.ssl_information[0].mempool != nullptr)
+			rte_mempool_put(((struct pool_holder_t*)infos.tracking.ssl_information[0].mempool)->mempool, infos.tracking.ssl_information[0].mempool);
+		if(infos.tracking.ssl_information[1].mempool != nullptr)
+			rte_mempool_put(((struct pool_holder_t*)infos.tracking.ssl_information[1].mempool)->mempool, infos.tracking.ssl_information[1].mempool);
 		infos.tracking.flow_specific_user_data = nullptr;
 		infos.tracking.http_informations[0].temp_buffer = nullptr;
 		infos.tracking.http_informations[1].temp_buffer = nullptr;

include/http.h

@@ -20,6 +20,8 @@
 #pragma once
 
 #include <api.h>
+#include <rte_config.h>
+#include <rte_malloc.h>
 #include <rte_mempool.h>
 #include "dtypes.h"
 

include/main.h

@@ -47,6 +47,7 @@ struct lcore_params {
 	uint8_t port_type;
 	uint8_t queue_id;
 	uint8_t lcore_id;
+	uint8_t mapto;
 } __rte_cache_aligned;
 
 struct lcore_rx_queue {
@@ -228,8 +229,6 @@ class extFilter: public Poco::Util::ServerApplication
 
 	static uint64_t _tsc_hz;
 
-	int _num_of_senders;
-
 	int _numa_on;
 	uint32_t _enabled_port_mask;
 
@@ -255,6 +254,7 @@ class extFilter: public Poco::Util::ServerApplication
 	Poco::Net::IPAddress _cmdline_ip;
 	uint8_t _dpdk_send_port;
 	TriesManager _tries;
+	operation_modes _operation_mode;
 };
 
 

include/params.h

@@ -19,6 +19,9 @@
 
 #pragma once
 
+#include <rte_config.h>
+#include <rte_malloc.h>
+
 class FlowStorage;
 struct rte_mempool;
 class NotifyManager;
@@ -45,6 +48,7 @@ struct memory_configs_t
 	memory_config_t ipv4;
 	memory_config_t ipv6;
 	uint32_t http_entries;
+	uint32_t ssl_entries;
 };
 
 

include/sender.h

@@ -321,6 +321,8 @@ class ESender : public BSender
 		struct params params;
 		uint8_t *mac;
 		uint8_t *to_mac;
+		int answer_duplication;
+		struct rte_mempool *clone_pool;
 	};
 	ESender(struct nparams &params, uint8_t port, struct rte_mempool *mp, WorkerThread *wt);
 	~ESender();
@@ -332,8 +334,8 @@ class ESender : public BSender
 		return size;
 	}
 
-	void sendPacketIPv4(const uint8_t *l3_pkt, uint32_t acknum, uint32_t seqnum, const char *dt_buf, size_t dt_len, bool f_reset, bool f_psh);
-	void sendPacketIPv6(const uint8_t *l3_pkt, uint32_t acknum, uint32_t seqnum, const char *dt_buf, size_t dt_len, bool f_reset, bool f_psh);
+	void sendPacketIPv4(const uint8_t *l3_pkt, uint32_t acknum, uint32_t seqnum, const char *dt_buf, size_t dt_len, bool f_reset, bool f_psh, bool to_server = false);
+	void sendPacketIPv6(const uint8_t *l3_pkt, uint32_t acknum, uint32_t seqnum, const char *dt_buf, size_t dt_len, bool f_reset, bool f_psh, bool to_server = false);
 	void HTTPRedirectIPv4(const uint8_t *pkt, uint32_t acknum, uint32_t seqnum, bool f_psh, const char *redir_url, size_t r_len);
 	void HTTPRedirectIPv6(const uint8_t *pkt, uint32_t acknum, uint32_t seqnum, bool f_psh, const char *redir_url, size_t r_len);
 	void SendRSTIPv4(const uint8_t *pkt, uint32_t acknum, uint32_t seqnum);
@@ -345,7 +347,9 @@ class ESender : public BSender
 	uint8_t _port;
 	struct ether_hdr _eth_hdr;
 	struct rte_mempool *_mp;
+	struct rte_mempool *_clone_pool;
 	WorkerThread *_wt;
+	int _answer_duplication;
 };
 
 #endif

include/stats.h

@@ -19,12 +19,17 @@
 
 #pragma once
 
+#include <rte_config.h>
+#include <rte_malloc.h>
+
 struct LatencyCounters
 {
 	uint64_t total_cycles;
 	uint64_t total_pkts;
 	uint64_t blocked_cycles;
+	uint64_t unblocked_cycles;
 	uint64_t blocked_pkts;
+	uint64_t unblocked_pkts;
 };
 
 struct ThreadStats
@@ -45,6 +50,10 @@ struct ThreadStats
 	uint64_t reassembled_flows;
 	struct LatencyCounters latency_counters;
 	uint64_t dpi_no_mempool_http;
+	uint64_t dpi_no_mempool_ssl;
+	uint64_t dpi_ssl_partial_packets;
+	uint64_t dpi_alloc_ssl;
+	uint64_t dpi_alloc_http;
 
 	uint64_t ssl_packets;
 	uint64_t http_packets;
@@ -91,5 +100,5 @@ struct ThreadStats
 	{
 		memset(this, 0, sizeof(ThreadStats));
 	}
-};
+} __rte_cache_aligned;;
 

include/worker.h

@@ -34,11 +34,7 @@
 #include "dpdk.h"
 #include "sender.h"
 #include "http.h"
-
-//#define EXTF_GC_INTERVAL	1000 // us
-//#define EXTF_ALL_GC_INTERVAL 1 // seconds
-
-//#define EXT_DPI_FLOW_TABLE_MAX_IDLE_TIME 30 /** In seconds. **/
+#include "ssl.h"
 
 #define EXTFILTER_CAPTURE_BURST_SIZE 32
 #define EXTFILTER_WORKER_BURST_SIZE 32
@@ -98,13 +94,15 @@ class WorkerThread : public DpdkWorkerThread
 	struct rte_mbuf* _sender_buf[EXTFILTER_WORKER_BURST_SIZE];
 	ESender *_snd;
 	struct rte_mempool *_dpi_http_mempool;
+	struct rte_mempool *_dpi_ssl_mempool;
 
+	struct rte_mempool *_pkt_info_mempool;
 	uint8_t _worker_id;
 	uint32_t ipv4_flow_mask;
 	uint32_t ipv6_flow_mask;
 public:
 
-	WorkerThread(uint8_t worker_id, const std::string& name, WorkerConfig &workerConfig, dpi_library_state_t* state, int socketid, struct ESender::nparams &sp, struct rte_mempool *mp, struct rte_mempool *dpi_http_mempool);
+	WorkerThread(uint8_t worker_id, const std::string& name, WorkerConfig &workerConfig, dpi_library_state_t* state, int socketid, struct ESender::nparams &sp, struct rte_mempool *mp, struct rte_mempool *dpi_http_mempool, struct rte_mempool *dpi_ssl_mempool);
 	~WorkerThread();
 
 	bool checkURLBlocked(const char *host, size_t host_len, const char *uri, size_t uri_len, dpi_pkt_infos_t* pkt);
@@ -159,9 +157,34 @@ class WorkerThread : public DpdkWorkerThread
 		}
 		res->init();
 		res->mempool = _dpi_http_mempool;
+		m_ThreadStats.dpi_alloc_http++;
+		return res;
+	}
+
+	inline struct rte_mempool *getHTTPMempool()
+	{
+		return _dpi_http_mempool;
+	}
+
+	inline struct ssl_state *allocateSSLState()
+	{
+		struct ssl_state *res;
+		if(rte_mempool_get(_dpi_ssl_mempool, (void **)&res) != 0)
+		{
+			_logger.error("Unable to allocate memory for the ssl buffer");
+			return nullptr;
+		}
+		res->init();
+		res->mempool = _dpi_ssl_mempool;
+		m_ThreadStats.dpi_alloc_ssl++;
 		return res;
 	}
 
+	inline struct rte_mempool *getSSLMempool()
+	{
+		return _dpi_ssl_mempool;
+	}
+
 	inline uint8_t getWorkerID()
 	{
 		return _worker_id;

src/cmdlinetask.cpp

@@ -372,10 +372,15 @@ static void display_worker_stats(struct cmdline* cl,const ThreadStats &stats)
 	cmdline_printf(cl, "  Total bytes: %" PRIu64 "\n", stats.total_bytes);
 	cmdline_printf(cl, "  HTTP packets: %" PRIu64 "\n", stats.http_packets);
 	cmdline_printf(cl, "  SSL/TLS packets: %" PRIu64 "\n", stats.ssl_packets);
+	cmdline_printf(cl, "  SSL/TLS partial packets: %" PRIu64 "\n", stats.dpi_ssl_partial_packets);
 
-	cmdline_printf(cl, "  SSL/TLS max packet size: %" PRIu32 "\n", ssl_max_packet_size);
-	cmdline_printf(cl, "  SSL/TLS mallocs: %" PRIu64 "\n", ssl_mallocs);
-	cmdline_printf(cl, "  SSL/TLS reallocs: %" PRIu64 "\n", ssl_reallocs);
+	cmdline_printf(cl, "  Allocs:\n");
+	cmdline_printf(cl, "    HTTP: %" PRIu64 "\n", stats.dpi_alloc_http);
+	cmdline_printf(cl, "    SSL: %" PRIu64 "\n", stats.dpi_alloc_ssl);
+
+//	cmdline_printf(cl, "  SSL/TLS max packet size: %" PRIu32 "\n", ssl_max_packet_size);
+//	cmdline_printf(cl, "  SSL/TLS mallocs: %" PRIu64 "\n", ssl_mallocs);
+//	cmdline_printf(cl, "  SSL/TLS reallocs: %" PRIu64 "\n", ssl_reallocs);
 
 	if(stats.ip_packets && stats.total_bytes)
 	{
@@ -412,6 +417,7 @@ static void display_worker_stats(struct cmdline* cl,const ThreadStats &stats)
 	cmdline_printf(cl, "      SSL  : %" PRIu64 "\n", stats.seen_already_blocked_ssl_ipv6);
 	cmdline_printf(cl, "  DPI errors:\n");
 	cmdline_printf(cl, "    No memory http: %" PRIu64 "\n",stats.dpi_no_mempool_http);
+	cmdline_printf(cl, "    No memory ssl: %" PRIu64 "\n",stats.dpi_no_mempool_ssl);
 	cmdline_printf(cl, "  Flows:\n");
 	cmdline_printf(cl, "    IPv4:\n");
 	cmdline_printf(cl, "      New:       %" PRIu64 "\n", stats.new_flow);

src/http.cpp

@@ -44,14 +44,10 @@ int on_url_ext (http_parser *p, const char* at, size_t length, dpi_pkt_infos_t*
 			length = d->uri.buf_size - d->uri.length;
 		if(likely(length > 0))
 		{
-			if(d->uri.length != 0)
-			{
-				rte_memcpy(d->uri.buf + d->uri.length, at, length);
-				d->uri.length += length;
-			} else {
-				rte_memcpy(d->uri.buf, at, length);
-				d->uri.length = length;
-			}
+			for(size_t i = 0; i < length; i++)
+				d->uri.buf[d->uri.length++] = at[i];
+//			rte_memcpy(d->uri.buf + d->uri.length, at, length);
+//			d->uri.length += length;
 		}
 	}
 	return 0;
@@ -108,17 +104,10 @@ int on_header_value_ext(http_parser *p, const char *at, size_t length, dpi_pkt_i
 			case http::hstate_host:
 				if(d->host_r.length + length > d->host_r.buf_size)
 					length = d->host_r.buf_size - d->host_r.length;
-				if(length > 0)
-				{
-					if(d->host_r.length != 0)
-					{
-						rte_memcpy(d->host_r.buf + d->host_r.length, at, length);
-						d->host_r.length += length;
-					} else {
-						rte_memcpy(d->host_r.buf, at, length);
-						d->host_r.length = length;
-					}
-				}
+				for(size_t i = 0; i < length; i++)
+					d->host_r.buf[d->host_r.length++] = at[i];
+//				rte_memcpy(d->host_r.buf + d->host_r.length, at, length);
+//				d->host_r.length += length;
 				break;
 			default:
 				break;