首頁 ndpi 正文
PF_RING實現分析
http://bbs.chinaunix.net/thread-1943951-1-1.html 版權所有,轉載請註明出處
獨孤九賤
內核版本:Linux 2.6.30.9
PF_RING版本:4.1.0
最近看了一個PF_RING的實現,看了個大概,發上來大家討論討論,共同學習。
一、什麼是PF_RING
PF_RING是一個第三方的內核數據包捕獲接口,類似於libpcap,它的官方網址是: http://www.ntop.org/PF_RING.html
二、爲什麼需要PF_RING
一切爲了效率,按照其官方網站上的測試數據,在Linux平臺之上,其效率至少高於libpcap 50% - 60%,甚至是一倍。更好的是,PF_RING提供了一個修改版本的libpcap,使之建立在PF_RING接口之上。這樣,原來使用libpcap的程序,就可以自然過渡了。
三、聲明
1、這不是“零拷貝”,研究“零拷貝”的估計要失望,如果繼續看下去的話;
2、這不是包截獲接口,如果需要攔截、修改內核數據包,請轉向Netfilter;
3、本文只分析了PF_RING最基礎的部份。關於DNA、TNAPI,BPF等內容不包含在內。
四、源碼的獲取
svn co https://svn.ntop.org/svn/ntop/trunk/PF_RING/
最近好像全流行svn了。
五、編譯和使用
接口分爲兩部份,一個是內核模塊,一個是用戶態的庫
cd my_pf_ring_goes_here
cd kernel
make
sudo insmod ./pf_ring.ko
cd ../userland
make
在源碼目錄中,關於用戶態的庫有使用的現成的例子,很容易依葫蘆畫瓢。後文也會提到用戶態庫的實現的簡單分析,可以兩相比照,很容易上手。而且源碼目錄中有一個PDF文檔,有詳細的API介紹,建議使用前閱讀。
六、實現分析初步
1、核心思路
A、在內核隊列層註冊Hook,獲取數據幀。
B、在內核創建一個環形隊列(這也是叫RING的原因),用於存儲數據,並使用mmap映射到用戶空間。這樣,避免用戶態的系統調用,也是提高性能的關鍵所在。
C、創建了一個新的套接字類型PF_RING,用戶態通過它與內核通信。
2、模塊初始化
模塊源碼只有一個文件,在目錄樹kernel/pf_ring.c,嗯,還有一個頭文件,在kernel/linux下
static int __init ring_init(void)
{
int i, rc;
printk("[PF_RING] Welcome to PF_RING %s ($Revision: 4012 $)\n"
"(C) 2004-09 L.Deri <[email][email protected] [/email]>\n", RING_VERSION);
//註冊名爲PF_RING的新協議
if((rc = proto_register(&ring_proto, 0)) != 0)
return(rc);
複製代碼
ring_proto的定義爲
#if(LINUX_VERSION_CODE > KERNEL_VERSION(2,6,11))
static struct proto ring_proto = {
.name = "PF_RING",
.owner = THIS_MODULE,
.obj_size = sizeof(struct ring_sock),
};
#endif
複製代碼
初始化四個鏈表,它們的作用,後文會分析到:
//初始化四個鏈表
INIT_LIST_HEAD(&ring_table); /* List of all ring sockets. */
INIT_LIST_HEAD(&ring_cluster_list); /* List of all clusters */
INIT_LIST_HEAD(&ring_aware_device_list); /* List of all devices on which PF_RING has been registered */
INIT_LIST_HEAD(&ring_dna_devices_list); /* List of all dna (direct nic access) devices */
複製代碼
device_ring_list是一個指針數組,它的每一個元素對應一個網絡設備,後文也會分析它的使用:
/*
For each device, pf_ring keeps a list of the number of
available ring socket slots. So that a caller knows in advance whether
there are slots available (for rings bound to such device)
that can potentially host the packet
*/
for (i = 0; i < MAX_NUM_DEVICES; i++)
INIT_LIST_HEAD(&device_ring_list[i]);
複製代碼
//爲新協議註冊sock
sock_register(&ring_family_ops);
複製代碼
ring_family_ops定義爲
static struct net_proto_family ring_family_ops = {
.family = PF_RING,
.create = ring_create,
.owner = THIS_MODULE,
};
複製代碼
這樣,當用戶空間創建PF_RING時,例如,
fd = socket(PF_RING, SOCK_RAW, htons(ETH_P_ALL));
複製代碼
ring_create將會被調用
//註冊通知鏈表
register_netdevice_notifier(&ring_netdev_notifier);
/* 工作模式語法檢查 */
if(transparent_mode > driver2pf_ring_non_transparent)
transparent_mode = standard_linux_path;
複製代碼
PF_RING一共有三種工作模式:
typedef enum {
standard_linux_path = 0, /* Business as usual */
driver2pf_ring_transparent = 1, /* Packets are still delivered to the kernel */
driver2pf_ring_non_transparent = 2 /* Packets not delivered to the kernel */
} direct2pf_ring;
複製代碼
第一種最簡單,這裏僅分析第一種
//輸出工作信息參數
printk("[PF_RING] Ring slots %d\n", num_slots);
printk("[PF_RING] Slot version %d\n",
RING_FLOWSLOT_VERSION);
printk("[PF_RING] Capture TX %s\n",
enable_tx_capture ? "Yes [RX+TX]" : "No [RX only]");
printk("[PF_RING] Transparent Mode %d\n",
transparent_mode);
printk("[PF_RING] IP Defragment %s\n",
enable_ip_defrag ? "Yes" : "No");
printk("[PF_RING] Initialized correctly\n");
複製代碼
num_slots爲槽位總數,系統採用數組來實現雙向環形隊列,它也就代表數組的最大元素。
版本信息:不用多說了。不過我的版本在2.6.18及以下都沒有編譯成功,後來使用2.6.30.9搞定之。
enable_tx_capture:是否啓用發送時的數據捕獲,對於大多數應用而言,都是在接收時處理。
enable_ip_defrag:爲用戶提供一個接口,是否在捕獲最重組IP分片。
//創建/proc目錄
ring_proc_init();
//註冊設備句柄
register_device_handler();
pfring_enabled = 1; //工作標誌
return 0;
}
複製代碼
register_device_handler註冊了一個協議,用於數據包的獲取:
/* Protocol hook */
static struct packet_type prot_hook;
void register_device_handler(void) {
//只有在第一種模式下,才用這種方式接收數據
if(transparent_mode != standard_linux_path) return;
prot_hook.func = packet_rcv;
prot_hook.type = htons(ETH_P_ALL);
dev_add_pack(&prot_hook);
}
void register_device_handler(void) {
if(transparent_mode != standard_linux_path) return;
prot_hook.func = packet_rcv;
prot_hook.type = htons(ETH_P_ALL);
dev_add_pack(&prot_hook);
}
複製代碼
2、創建套接字
Linux的套按字的內核接口,使用了兩個重要的數據結構:
struct socket和struct sock,這本來並沒有什麼,不過令人常常迷惑的是,前者常常被縮寫爲sock,即:
struct socket *sock;
這樣,“sock”就容易造成混淆了。還好,後者常常被縮寫爲sk……
我這裏寫sock指前者,sk指後者,如果不小心寫混了,請參考上下文區分 。
關於這兩個結構的含義,使用等等,可以參考相關資料以獲取詳細信息,如《Linux情景分析》。我的個人網站 www.skynet.org.cn 上也分析了Linux
socket的實現。可以參考。這裏關於socket的進一步信息,就不詳細分析了。
這裏的創建套接字,內核已經在系統調用過程中,準備好了sock,主要就是分析sk,併爲sk指定一系列的操作函數,如bind、mmap、poll等等。
如前所述,套接字的創建,是通過調用ring_create函數來完成的:
static int ring_create(
#if(LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,24))
struct net *net,
#endif
struct socket *sock, int protocol)
{
struct sock *sk;
struct ring_opt *pfr;
int err;
#if defined(RING_DEBUG)
printk("[PF_RING] ring_create()\n");
#endif
/* 權限驗證 ? */
if(!capable(CAP_NET_ADMIN))
return -EPERM;
//協議簇驗證
if(sock->type != SOCK_RAW)
return -ESOCKTNOSUPPORT;
//協議驗證
if(protocol != htons(ETH_P_ALL))
return -EPROTONOSUPPORT;
err = -ENOMEM;
// 分配sk
// options are.
#if(LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,11))
sk = sk_alloc(PF_RING, GFP_KERNEL, 1, NULL);
#else
#if(LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24))
// BD: API changed in 2.6.12, ref:
// [url]http://svn.clkao.org/svnweb/linux/revision/?rev=28201[/url]
sk = sk_alloc(PF_RING, GFP_ATOMIC, &ring_proto, 1);
#else
sk = sk_alloc(net, PF_INET, GFP_KERNEL, &ring_proto);
#endif
#endif
//分配失敗
if(sk == NULL)
goto out;
//這裏很重要,設定sock的ops,即對應用戶態的bind、connect諸如此類操作的動作
sock->ops = &ring_ops;
//初始化sock結構(即sk)各成員,並設定與套接字socket(即sock)的關聯
sock_init_data(sock, sk);
#if(LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,11))
sk_set_owner(sk, THIS_MODULE);
#endif
err = -ENOMEM;
#define ring_sk_datatype(__sk) ((struct ring_opt *)__sk)
#define ring_sk(__sk) ((__sk)->sk_protinfo)
//作者喜歡用小寫的宏
//這裏分配一個struct ring_opt結構,這個結構比較重要,其記錄了ring的選項信息。
在sk中,使用sk_protinfo成員指向之,這樣就建立了sock->sk->ring_opt的關聯。可以通過套接字很容易獲取Ring的信息。
ring_sk(sk) = ring_sk_datatype(kmalloc(sizeof(*pfr), GFP_KERNEL));
//分配失敗
if(!(pfr = ring_sk(sk))) {
sk_free(sk);
goto out;
}
//初始化各成員
memset(pfr, 0, sizeof(*pfr));
//激活標誌
pfr->ring_active = 0; /* We activate as soon as somebody waits for packets */
//通道ID
pfr->channel_id = RING_ANY_CHANNEL;
//RING的每個槽位的桶的大小,其用來存儲捕獲的數據幀,這個值,用戶態也可以使用setsocketopt來調整
pfr->bucket_len = DEFAULT_BUCKET_LEN;
//過濾器hash桶
pfr->handle_hash_rule = handle_filtering_hash_bucket;
//初始化等待隊列
init_waitqueue_head(&pfr->ring_slots_waitqueue);
//初始化RING的鎖
rwlock_init(&pfr->ring_index_lock);
rwlock_init(&pfr->ring_rules_lock);
//初始化使用計數器
atomic_set(&pfr->num_ring_users, 0);
INIT_LIST_HEAD(&pfr->rules);
//設定協議簇
sk->sk_family = PF_RING;
//設定sk的destuct函數
sk->sk_destruct = ring_sock_destruct;
//sk入隊
ring_insert(sk);
#if defined(RING_DEBUG)
printk("[PF_RING] ring_create() - created\n");
#endif
return(0);
out:
return err;
複製代碼
在模塊初始化中,初始化過四個鏈表。其中一個是ring_table,ring_insert將剛剛創建的套接字插入其中。其封裝引進了一個struct ring_element 結構:
/*
* ring_insert()
*
* store the sk in a new element and add it
* to the head of the list.
*/
static inline void ring_insert(struct sock *sk)
{
struct ring_element *next;
struct ring_opt *pfr;
#if defined(RING_DEBUG)
printk("[PF_RING] ring_insert()\n");
#endif
//分配element
next = kmalloc(sizeof(struct ring_element), GFP_ATOMIC);
if(next != NULL) {
//記錄sk
next->sk = sk;
write_lock_bh(&ring_mgmt_lock);
//入隊
list_add(&next->list, &ring_table);
write_unlock_bh(&ring_mgmt_lock);
} else {
if(net_ratelimit())
printk("[PF_RING] net_ratelimit() failure\n");
}
//累計使用計數器
ring_table_size++;
//ring_proc_add(ring_sk(sk));
//記錄進程PID
pfr = (struct ring_opt *)ring_sk(sk);
pfr->ring_pid = current->pid;
}
複製代碼
3 、分配隊列空間
用戶態在創建了套接字後,接下來就調用bind函數,綁定套接字,而PF_RING實際做的就是爲RING分配相應的空間。也就是說,一個套接字,都有一個與之對應的RING。這樣,有多個進程同時使用PF_RING,也沒有問題:
sa.sa_family = PF_RING;
snprintf(sa.sa_data, sizeof(sa.sa_data), "%s", device_name);
rc = bind(ring->fd, (struct sockaddr *)&sa, sizeof(sa));
複製代碼
因爲前一步創建套接字時,爲sk指定了其ops:
static struct proto_ops ring_ops = {
.family = PF_RING,
.owner = THIS_MODULE,
/* Operations that make no sense on ring sockets. */
.connect = sock_no_connect,
.socketpair = sock_no_socketpair,
.accept = sock_no_accept,
.getname = sock_no_getname,
.listen = sock_no_listen,
.shutdown = sock_no_shutdown,
.sendpage = sock_no_sendpage,
.sendmsg = sock_no_sendmsg,
/* Now the operations that really occur. */
.release = ring_release,
.bind = ring_bind,
.mmap = ring_mmap,
.poll = ring_poll,
.setsockopt = ring_setsockopt,
.getsockopt = ring_getsockopt,
.ioctl = ring_ioctl,
.recvmsg = ring_recvmsg,
};
複製代碼
這樣,當bing系統調用觸發時,ring_bind函數將被調用:
* Bind to a device */
static int ring_bind(struct socket *sock, struct sockaddr *sa, int addr_len)
{
struct sock *sk = sock->sk;
struct net_device *dev = NULL;
#if defined(RING_DEBUG)
printk("[PF_RING] ring_bind() called\n");
#endif
/*
* Check legality
*/
if(addr_len != sizeof(struct sockaddr))
return -EINVAL;
if(sa->sa_family != PF_RING)
return -EINVAL;
if(sa->sa_data == NULL)
return -EINVAL;
/* Safety check: add trailing zero if missing */
sa->sa_data[sizeof(sa->sa_data) - 1] = '\0';
#if defined(RING_DEBUG)
printk("[PF_RING] searching device %s\n", sa->sa_data);
#endif
if((dev = __dev_get_by_name(
#if(LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,24))
&init_net,
#endif
sa->sa_data)) == NULL) {
#if defined(RING_DEBUG)
printk("[PF_RING] search failed\n");
#endif
return(-EINVAL);
} else
return(packet_ring_bind(sk, dev));
}
複製代碼
在做了一些必要的語法檢查後,函數轉向packet_ring_bind:
/*
* We create a ring for this socket and bind it to the specified device
*/
static int packet_ring_bind(struct sock *sk, struct net_device *dev)
{
u_int the_slot_len;
u_int32_t tot_mem;
struct ring_opt *pfr = ring_sk(sk);
// struct page *page, *page_end;
if(!dev)
return(-1);
#if defined(RING_DEBUG)
printk("[PF_RING] packet_ring_bind(%s) called\n", dev->name);
#endif
/* **********************************************
* *************************************
* * *
* * FlowSlotInfo *
* * *
* ************************************* <-+
* * FlowSlot * |
* ************************************* |
* * FlowSlot * |
* ************************************* +- num_slots
* * FlowSlot * |
* ************************************* |
* * FlowSlot * |
* ************************************* <-+
*
* ********************************************** */
//計算每一個槽位所需的內存空間
the_slot_len = sizeof(u_char) /* flowSlot.slot_state */
#ifdef RING_MAGIC
+ sizeof(u_char)
#endif
+ sizeof(struct pfring_pkthdr)
+ pfr->bucket_len /* flowSlot.bucket */ ;
/*
對於槽位空間的計算,有意思的是
typedef struct flowSlot {
#ifdef RING_MAGIC
u_char magic; /* It must alwasy be zero */
#endif
u_char slot_state; /* 0=empty, 1=full */
u_char bucket; /* bucket[bucketLen] */
} FlowSlot;
對照結構定義和上面的計算公式:
1、作者好像把magic和slog_state的順序給搞反了,不過還好,它們都是u_char,對結果不影響
2、bucket,桶的大小,這個桶就是拿來裝要捕獲的數據包了,雖然它在結構中定義是一個成員,事實上,
它由兩個部份組成,一個是包的首部信息,這個結構的定義同libpcap很接近。另一個纔是包的空間。
*/
//總共的環形隊列內存所需空間,包含一個隊列控制信息FlowSlotInfo和若干個(由變量num_slots決定)槽位空間
tot_mem = sizeof(FlowSlotInfo) + num_slots * the_slot_len;
//確保按整數頁分配,mmap也要求這樣
if(tot_mem % PAGE_SIZE)
tot_mem += PAGE_SIZE - (tot_mem % PAGE_SIZE);
//分配內存空間
pfr->ring_memory = rvmalloc(tot_mem);
if(pfr->ring_memory != NULL) {
printk("[PF_RING] successfully allocated %lu bytes at 0x%08lx\n",
(unsigned long)tot_mem, (unsigned long)pfr->ring_memory);
} else {
printk("[PF_RING] ERROR: not enough memory for ring\n");
return(-1);
}
// memset(pfr->ring_memory, 0, tot_mem); // rvmalloc does the memset already
//初始化各成員
//內存指定,因爲分配的內存開始部份是sizeof(FlowSlotInfo),所以可以做這樣的強制轉換,很容易互相取值
pfr->slots_info = (FlowSlotInfo *) pfr->ring_memory;
//跳過控制信息,指向槽位指針.事實上,它就是一個一維數組了,可以計算出合適的索引值,取到數組(RING)中的任意槽位值
pfr->ring_slots = (char *)(pfr->ring_memory + sizeof(FlowSlotInfo));
//版本信息
pfr->slots_info->version = RING_FLOWSLOT_VERSION;
//登記單個槽的大小
pfr->slots_info->slot_len = the_slot_len;
//登記bucket大小,從前面特別註釋的bucket的分配看,bucket_len這個大小並不代表bucket成員的實際大小——它不包含struct pfring_pkthdr
pfr->slots_info->data_len = pfr->bucket_len;
//登記實際分配到的槽位數量,這裏不用num_slots,難道是怕rvmalloc偷吃?
pfr->slots_info->tot_slots =
(tot_mem - sizeof(FlowSlotInfo)) / the_slot_len;
//登記實際分配的內存總數
pfr->slots_info->tot_mem = tot_mem;
//採樣速率??
pfr->slots_info->sample_rate = 1;
printk("[PF_RING] allocated %d slots [slot_len=%d][tot_mem=%u]\n",
pfr->slots_info->tot_slots, pfr->slots_info->slot_len,
pfr->slots_info->tot_mem);
#ifdef RING_MAGIC
{
int i;
for (i = 0; i < pfr->slots_info->tot_slots; i++) {
unsigned long idx = i * pfr->slots_info->slot_len;
FlowSlot *slot = (FlowSlot *) & pfr->ring_slots[idx];
slot->magic = RING_MAGIC_VALUE;
slot->slot_state = 0;
}
}
#endif
//這些控制變量可以在環的入隊操作中看到它們的作用
pfr->sample_rate = 1; /* No sampling */
pfr->insert_page_id = 1, pfr->insert_slot_id = 0;
pfr->rules_default_accept_policy = 1, pfr->num_filtering_rules = 0;
ring_proc_add(ring_sk(sk), dev);
//記錄與之相應的設備信息,例如,如果在eth0上打開了5 個PF_RING, bind
//被調用5次,分配了5個環形隊列空間。eth0上隨之分配5個elem,它們指向與
//之對應的ring,然後根據設備索引號民全部加入至了device_ring_list
//當有數據報文從指定接口進入時,可以很容易地在device_ring_list中找到相應的設備
//然後再遍歷鏈表,再找到與之相應的ring
if(dev->ifindex < MAX_NUM_DEVICES) {
device_ring_list_element *elem;
/* printk("[PF_RING] Adding ring to device index %d\n", dev->ifindex); */
elem = kmalloc(sizeof(device_ring_list_element), GFP_ATOMIC);
if(elem != NULL) {
elem->the_ring = pfr;
INIT_LIST_HEAD(&elem->list);
write_lock(&ring_list_lock);
list_add(&elem->list, &device_ring_list[dev->ifindex]);
write_unlock(&ring_list_lock);
/* printk("[PF_RING] Added ring to device index %d\n", dev->ifindex); */
}
}
/*
IMPORTANT
Leave this statement here as last one. In fact when
the ring_netdev != NULL the socket is ready to be used.
*/
pfr->ring_netdev = dev;
return(0);
}
複製代碼
這個函數中,最重要的三點:
1、整個空間的詳細構成,作者畫了一個簡單的草圖,清晰明瞭。
2、如果取得某個槽位。
3、device_ring_list鏈表的使用。
一些作者有詳細註釋的地方,我就不再重重了。
這一步進行完了後,就有一塊內存了(系統將其看成一個數組),用來存儲捕獲的數據幀。接下來要做的事情。就是把它映射到用戶態。 4、mmap操作
用戶態的接下來調用:
ring->buffer = (char *)mmap(NULL, PAGE_SIZE, PROT_READ|PROT_WRITE,
MAP_SHARED, ring->fd, 0);
複製代碼
進行內存映射。
同樣地,內核調用相應的ring_mmap進行處理。
Ring選項結構通過ring_sk宏與sk 建立關聯
struct ring_opt *pfr = ring_sk(sk);
複製代碼
pfr->ring_memory 即爲分配的環形隊列空間。所以,要mmap操作,實際上就是調用remap_pfn_range函數把pfr->ring_memory 映射到用戶空間即可。這個函數的原型爲:
/**
* remap_pfn_range - remap kernel memory to userspace
* @vma: user vma to map to
* @addr: target user address to start at
* @pfn: physical address of kernel memory
* @size: size of map area
* @prot: page protection flags for this mapping
*
* Note: this is only safe if the mm semaphore is held when called.
*/
int remap_pfn_range(struct vm_area_struct *vma, unsigned long addr,
unsigned long pfn, unsigned long size, pgprot_t prot)
{
複製代碼
關於remap_pfn_range函數的進一步說明,可以參考LDD3,上面有詳細說明和現成的例子。
static int ring_mmap(struct file *file,
struct socket *sock, struct vm_area_struct *vma)
{
struct sock *sk = sock->sk;
struct ring_opt *pfr = ring_sk(sk); //取得pfr指針,也就是相應取得環形隊列的內存空間地址指針
int rc;
unsigned long size = (unsigned long)(vma->vm_end - vma->vm_start);
if(size % PAGE_SIZE) {
#if defined(RING_DEBUG)
printk("[PF_RING] ring_mmap() failed: "
"len is not multiple of PAGE_SIZE\n");
#endif
return(-EINVAL);
}
#if defined(RING_DEBUG)
printk("[PF_RING] ring_mmap() called, size: %ld bytes\n", size);
#endif
if((pfr->dna_device == NULL) && (pfr->ring_memory == NULL)) {
#if defined(RING_DEBUG)
printk("[PF_RING] ring_mmap() failed: "
"mapping area to an unbound socket\n");
#endif
return -EINVAL;
}
//dns設備爲空,即沒有使用dns技術
if(pfr->dna_device == NULL) {
/* if userspace tries to mmap beyond end of our buffer, fail */
//映射空間超限
if(size > pfr->slots_info->tot_mem) {
#if defined(RING_DEBUG)
printk("[PF_RING] ring_mmap() failed: "
"area too large [%ld > %d]\n",
size, pfr->slots_info->tot_mem);
#endif
return(-EINVAL);
}
#if defined(RING_DEBUG)
printk("[PF_RING] mmap [slot_len=%d]"
"[tot_slots=%d] for ring on device %s\n",
pfr->slots_info->slot_len, pfr->slots_info->tot_slots,
pfr->ring_netdev->name);
#endif
//進行內存映射
if((rc =
do_memory_mmap(vma, size, pfr->ring_memory, VM_LOCKED,
0)) < 0)
return(rc);
} else {
/* DNA Device */
if(pfr->dna_device == NULL)
return(-EAGAIN);
switch (pfr->mmap_count) {
case 0:
if((rc = do_memory_mmap(vma, size,
(void *)pfr->dna_device->
packet_memory, VM_LOCKED,
1)) < 0)
return(rc);
break;
case 1:
if((rc = do_memory_mmap(vma, size,
(void *)pfr->dna_device->
descr_packet_memory, VM_LOCKED,
1)) < 0)
return(rc);
break;
case 2:
if((rc = do_memory_mmap(vma, size,
(void *)pfr->dna_device->
phys_card_memory,
(VM_RESERVED | VM_IO), 2)) < 0)
return(rc);
break;
default:
return(-EAGAIN);
}
pfr->mmap_count++;
}
#if defined(RING_DEBUG)
printk("[PF_RING] ring_mmap succeeded\n");
#endif
return 0;
}
複製代碼
實際上的內存映射工作,是由do_memory_mmap來完成的,這個函數實際上基本就是remap_pfn_range的包裹函數。
不過因爲系統支持dna等技術,相應的mode參數有些變化,這裏只分析了最基本的方法:mode == 0
static int do_memory_mmap(struct vm_area_struct *vma,
unsigned long size, char *ptr, u_int flags, int mode)
{
unsigned long start;
unsigned long page;
/* we do not want to have this area swapped out, lock it */
vma->vm_flags |= flags;
start = vma->vm_start;
while (size > 0) {
int rc;
if(mode == 0) {
#if(LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,11))
//根據地址,計算要映射的頁幀
page = vmalloc_to_pfn(ptr);
//進行內存映射
rc = remap_pfn_range(vma, start, page, PAGE_SIZE,
PAGE_SHARED);
#else
page = vmalloc_to_page(ptr);
page = kvirt_to_pa(ptr);
rc = remap_page_range(vma, start, page, PAGE_SIZE,
PAGE_SHARED);
#endif
} else if(mode == 1) {
rc = remap_pfn_range(vma, start,
__pa(ptr) >> PAGE_SHIFT,
PAGE_SIZE, PAGE_SHARED);
} else {
rc = remap_pfn_range(vma, start,
((unsigned long)ptr) >> PAGE_SHIFT,
PAGE_SIZE, PAGE_SHARED);
}
if(rc) {
#if defined(RING_DEBUG)
printk("[PF_RING] remap_pfn_range() failed\n");
#endif
return(-EAGAIN);
}
start += PAGE_SIZE;
ptr += PAGE_SIZE;
if(size > PAGE_SIZE) {
size -= PAGE_SIZE;
} else {
size = 0;
}
}
return(0);
}
複製代碼
嗯,跳過了太多的細節,不過其mmap最核心的東東已經呈現出來。
如果要共享內核與用戶空間內存,這倒是個現成的可借鑑的例子。
5、數據包的入隊操作
做到這一步,準備工作基本上就完成了。因爲PF_RING在初始化中,註冊了prot_hook。其func指針指向packet_rcv函數:
當數據報文進入Linux網絡協議棧隊列時,netif_receive_skb會遍歷這些註冊的Hook:
int netif_receive_skb(struct sk_buff *skb)
{
list_for_each_entry_rcu(ptype, &ptype_all, list) {
if (ptype->dev == null_or_orig || ptype->dev == skb->dev ||
ptype->dev == orig_dev) {
if (pt_prev)
ret = deliver_skb(skb, pt_prev, orig_dev);
pt_prev = ptype;
}
}
}
複製代碼
相應的Hook函數得到調用:
static inline int deliver_skb(struct sk_buff *skb,
struct packet_type *pt_prev,
struct net_device *orig_dev)
{
atomic_inc(&skb->users); //注意,這裏引用計數器被增加了
return pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
}
複製代碼
packet_rcv隨之執行環形隊列的入隊操作:
static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
struct packet_type *pt, struct net_device *orig_dev)
{
int rc;
//忽略本地環回報文
if(skb->pkt_type != PACKET_LOOPBACK) {
//進一步轉向,最後一個參數直接使用-1,從上下文來看,寫爲RING_ANY_CHANNEL(其實也是-1)似乎可讀性更強,
//這裏表示,如果從packet_rcv進入隊列,由通道ID是“未指定的”,由skb_ring_handler來處理
rc = skb_ring_handler(skb,
(skb->pkt_type == PACKET_OUTGOING) ? 0 : 1,
1, -1 /* unknown channel */);
} else
rc = 0;
kfree_skb(skb); //所以,這裏要做相應的減少
return(rc);
}
複製代碼
static int skb_ring_handler(struct sk_buff *skb, //要捕獲的數據包
u_char recv_packet, //數據流方向,>0表示是進入(接收)方向
u_char real_skb /* 1=real skb, 0=faked skb */ ,
short channel_id) //通道ID
{
struct sock *skElement;
int rc = 0, is_ip_pkt;
struct list_head *ptr;
struct pfring_pkthdr hdr;
int displ;
struct sk_buff *skk = NULL;
struct sk_buff *orig_skb = skb;
#ifdef PROFILING
uint64_t rdt = _rdtsc(), rdt1, rdt2;
#endif
//skb合法檢查,包括數據流的方向
if((!skb) /* Invalid skb */
||((!enable_tx_capture) && (!recv_packet))) {
/*
An outgoing packet is about to be sent out
but we decided not to handle transmitted
packets.
*/
return(0);
}
#if defined(RING_DEBUG)
if(1) {
struct timeval tv;
skb_get_timestamp(skb, &tv);
printk
("[PF_RING] skb_ring_handler() [skb=%p][%u.%u][len=%d][dev=%s][csum=%u]\n",
skb, (unsigned int)tv.tv_sec, (unsigned int)tv.tv_usec,
skb->len,
skb->dev->name == NULL ? "<NULL>" : skb->dev->name,
skb->csum);
}
#endif
//如果通道ID未指定,根據進入的報文設備索引,設定之
#if(LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21))
if(channel_id == RING_ANY_CHANNEL /* Unknown channel */ )
channel_id = skb->iif; /* Might have been set by the driver */
#endif
#if defined (RING_DEBUG)
/* printk("[PF_RING] channel_id=%d\n", channel_id); */
#endif
#ifdef PROFILING
rdt1 = _rdtsc();
#endif
if(recv_packet) {
/* Hack for identifying a packet received by the e1000 */
if(real_skb)
displ = SKB_DISPLACEMENT;
else
displ = 0; /* Received by the e1000 wrapper */
} else
displ = 0;
//解析數據報文,並判斷是否爲IP報文
is_ip_pkt = parse_pkt(skb, displ, &hdr);
//分片處理,是一個可選的功能項,事實上,對大多數包捕獲工具而言,它們好像都不使用底層庫來完成這一功能
/* (de)Fragmentation < [email protected] >
*/
if(enable_ip_defrag
&& real_skb && is_ip_pkt && recv_packet && (ring_table_size > 0)) {
} else {
#if defined (RING_DEBUG)
printk("[PF_RING] Do not seems to be a fragmented ip_pkt[iphdr=%p]\n",
iphdr);
#endif
}
}
}
//按慣例,在報文的捕獲首部信息中記錄捕獲的時間戳
/* BD - API changed for time keeping */
#if(LINUX_VERSION_CODE < KERNEL_VERSION(2,6,14))
if(skb->stamp.tv_sec == 0)
do_gettimeofday(&skb->stamp);
hdr.ts.tv_sec = skb->stamp.tv_sec, hdr.ts.tv_usec = skb->stamp.tv_usec;
#elif(LINUX_VERSION_CODE < KERNEL_VERSION(2,6,22))
if(skb->tstamp.off_sec == 0)
__net_timestamp(skb);
hdr.ts.tv_sec = skb->tstamp.off_sec, hdr.ts.tv_usec =
skb->tstamp.off_usec;
#else /* 2.6.22 and above */
if(skb->tstamp.tv64 == 0)
__net_timestamp(skb);
hdr.ts = ktime_to_timeval(skb->tstamp);
#endif
//除了時間,還有長度,熟悉libpcap的話,這些操作應該很眼熟
hdr.len = hdr.caplen = skb->len + displ;
/* Avoid the ring to be manipulated while playing with it */
read_lock_bh(&ring_mgmt_lock);
/* 前面在創建sk時,已經看過ring_insert的入隊操作了,現在要檢查它的成員
* 它們的關係是,通過ring_table的成員,獲取到element,它裏面封裝了sk,
*通過ring_sk宏,就可以得到ring_opt指針
*/
list_for_each(ptr, &ring_table) {
struct ring_opt *pfr;
struct ring_element *entry;
entry = list_entry(ptr, struct ring_element, list);
skElement = entry->sk;
pfr = ring_sk(skElement);
//看來要加入社團,條件還是滿多的,pfr不能爲空,未指定集羣cluster_id,槽位不能爲空,方向要正確,綁定的網絡設備
//得對上號
//另一種可能就是對bonding的支持,如果設備是從屬設備,則應校驗其主設備
if((pfr != NULL)
&& (pfr->cluster_id == 0 /* No cluster */ )
&& (pfr->ring_slots != NULL)
&& is_valid_skb_direction(pfr->direction, recv_packet)
&& ((pfr->ring_netdev == skb->dev)
|| ((skb->dev->flags & IFF_SLAVE)
&& (pfr->ring_netdev == skb->dev->master)))) {
/* We've found the ring where the packet can be stored */
/* 從新計算捕獲幀長度,是因爲可能因爲巨型幀的出現——超過了桶能容納的長度 */
int old_caplen = hdr.caplen; /* Keep old lenght */
hdr.caplen = min(hdr.caplen, pfr->bucket_len);
/* 入隊操作 */
add_skb_to_ring(skb, pfr, &hdr, is_ip_pkt, displ, channel_id);
hdr.caplen = old_caplen;
rc = 1; /* Ring found: we've done our job */
}
}
/* [2] Check socket clusters */
list_for_each(ptr, &ring_cluster_list) {
ring_cluster_element *cluster_ptr;
struct ring_opt *pfr;
cluster_ptr = list_entry(ptr, ring_cluster_element, list);
if(cluster_ptr->cluster.num_cluster_elements > 0) {
u_int skb_hash = hash_pkt_cluster(cluster_ptr, &hdr);
skElement = cluster_ptr->cluster.sk[skb_hash];
if(skElement != NULL) {
pfr = ring_sk(skElement);
if((pfr != NULL)
&& (pfr->ring_slots != NULL)
&& ((pfr->ring_netdev == skb->dev)
|| ((skb->dev->flags & IFF_SLAVE)
&& (pfr->ring_netdev ==
skb->dev->master)))
&& is_valid_skb_direction(pfr->direction, recv_packet)
) {
/* We've found the ring where the packet can be stored */
add_skb_to_ring(skb, pfr, &hdr,
is_ip_pkt, displ,
channel_id);
rc = 1; /* Ring found: we've done our job */
}
}
}
}
read_unlock_bh(&ring_mgmt_lock);
#ifdef PROFILING
rdt1 = _rdtsc() - rdt1;
#endif
#ifdef PROFILING
rdt2 = _rdtsc();
#endif
/* Fragment handling */
if(skk != NULL)
kfree_skb(skk);
if(rc == 1) {
if(transparent_mode != driver2pf_ring_non_transparent) {
rc = 0;
} else {
if(recv_packet && real_skb) {
#if defined(RING_DEBUG)
printk("[PF_RING] kfree_skb()\n");
#endif
kfree_skb(orig_skb);
}
}
}
#ifdef PROFILING
rdt2 = _rdtsc() - rdt2;
rdt = _rdtsc() - rdt;
#if defined(RING_DEBUG)
printk
("[PF_RING] # cycles: %d [lock costed %d %d%%][free costed %d %d%%]\n",
(int)rdt, rdt - rdt1,
(int)((float)((rdt - rdt1) * 100) / (float)rdt), rdt2,
(int)((float)(rdt2 * 100) / (float)rdt));
#endif
#endif
//printk("[PF_RING] Returned %d\n", rc);
return(rc); /* 0 = packet not handled */
}
上面跳過了對cluster(集羣)的分析,PF_RING允許同時對多個接口捕獲報文,而並不是一個。這就是集羣。看一下它用戶態的註釋就一目瞭然了:
/* Syntax
ethX@1,5 channel 1 and 5
ethX@1-5 channel 1,2...5
ethX@1-3,5-7 channel 1,2,3,5,6,7
*/
複製代碼
進一步的入隊操作,是通過add_skb_to_ring來完成的:
static int add_skb_to_ring(struct sk_buff *skb,
struct ring_opt *pfr,
struct pfring_pkthdr *hdr,
int is_ip_pkt, int displ, short channel_id)
{
//add_skb_to_ring函數比較複雜,因爲它要處理過濾器方面的問題。
//關於PF_RING的過濾器,可以參考[url]http://luca.ntop.org/Blooms.pdf[/url]
//獲取更多內容。這裏不做詳細討論了。或者留到下回分解吧。
//最終入隊操作,是通過調用dd_pkt_to_ring來實現的。
add_pkt_to_ring(skb, pfr, hdr, displ, channel_id,
offset, mem);
}
複製代碼
static void add_pkt_to_ring(struct sk_buff *skb,
struct ring_opt *pfr,
struct pfring_pkthdr *hdr,
int displ, short channel_id,
int offset, void *plugin_mem)
{
char *ring_bucket;
int idx;
FlowSlot *theSlot;
int32_t the_bit = 1 << channel_id;
#if defined(RING_DEBUG)
printk("[PF_RING] --> add_pkt_to_ring(len=%d) [pfr->channel_id=%d][channel_id=%d]\n",
hdr->len, pfr->channel_id, channel_id);
#endif
//檢查激活標誌
if(!pfr->ring_active)
return;
if((pfr->channel_id != RING_ANY_CHANNEL)
&& (channel_id != RING_ANY_CHANNEL)
&& ((pfr->channel_id & the_bit) != the_bit))
return; /* Wrong channel */
//寫鎖
write_lock_bh(&pfr->ring_index_lock);
//獲取前一次插入的位置索引
idx = pfr->slots_info->insert_idx;
//調用get_insert_slot獲取當前要捕獲數據報文的合適的槽位
//這裏idx++後,指向了下一次插入的位置索引
idx++, theSlot = get_insert_slot(pfr);
//累計計數器
pfr->slots_info->tot_pkts++;
//沒位子了,累計丟包計數器,返回之
if((theSlot == NULL) || (theSlot->slot_state != 0)) {
/* No room left */
pfr->slots_info->tot_lost++;
write_unlock_bh(&pfr->ring_index_lock);
return;
}
//獲取當前槽位的桶
ring_bucket = &theSlot->bucket;
//支持插件??在最開始處記錄插件信息??
if((plugin_mem != NULL) && (offset > 0))
memcpy(&ring_bucket[sizeof(struct pfring_pkthdr)], plugin_mem, offset);
if(skb != NULL) {
//重新計算捕獲幀長度
hdr->caplen = min(pfr->bucket_len - offset, hdr->caplen);
if(hdr->caplen > 0) {
#if defined(RING_DEBUG)
printk("[PF_RING] --> [caplen=%d][len=%d][displ=%d][parsed_header_len=%d][bucket_len=%d][sizeof=%d]\n",
hdr->caplen, hdr->len, displ,
hdr->parsed_header_len, pfr->bucket_len,
sizeof(struct pfring_pkthdr));
#endif
//拷貝捕獲的數據報文,前面空了兩個欄位:一個是pkthdr首部,一個是插件offset長度
//這裏經過了一次數據拷貝,對於完美主義者,這並不是一個好的方法。但是PF_RING定位於一個
//通用的接口庫,似乎只有這麼做了。否則,追求“零拷貝”,爲了避免這一次拷貝,只有逐個修改網卡驅動了。
skb_copy_bits(skb, -displ,
&ring_bucket[sizeof(struct pfring_pkthdr) + offset], hdr->caplen);
} else {
if(hdr->parsed_header_len >= pfr->bucket_len) {
static u_char print_once = 0;
if(!print_once) {
printk("[PF_RING] WARNING: the bucket len is [%d] shorter than the plugin parsed header [%d]\n",
pfr->bucket_len, hdr->parsed_header_len);
print_once = 1;
}
}
}
}
//記錄首部
memcpy(ring_bucket, hdr, sizeof(struct pfring_pkthdr)); /* Copy extended packet header */
//前面idx已經自加過了,判斷是否隊列已滿,若滿,歸零,否則更新插入索引
if(idx == pfr->slots_info->tot_slots)
pfr->slots_info->insert_idx = 0;
else
pfr->slots_info->insert_idx = idx;
#if defined(RING_DEBUG)
printk("[PF_RING] ==> insert_idx=%d\n", pfr->slots_info->insert_idx);
#endif
//累計插入計數器
pfr->slots_info->tot_insert++;
//槽位就緒標記,用戶空間可以來取了
theSlot->slot_state = 1;
write_unlock_bh(&pfr->ring_index_lock);
//有的時候會出現,用戶空間取不到的情況,如隊列爲空。這樣,用戶空間調用poll等待數據。這裏做相應的喚醒處理
/* wakeup in case of poll() */
if(waitqueue_active(&pfr->ring_slots_waitqueue))
wake_up_interruptible(&pfr->ring_slots_waitqueue);
}
複製代碼
槽位的計算:
在ring_bind函數中,分配空間後,使用ring_slots做爲槽位指針。事實上,這裏要計算槽位,就是通過索引號 * 槽位長度來得到:
static inline FlowSlot *get_insert_slot(struct ring_opt *pfr)
{
if(pfr->ring_slots != NULL) {
FlowSlot *slot =
(FlowSlot *) & (pfr->
ring_slots[pfr->slots_info->insert_idx *
pfr->slots_info->slot_len]);
#if defined(RING_DEBUG)
printk
("[PF_RING] get_insert_slot(%d): returned slot [slot_state=%d]\n",
pfr->slots_info->insert_idx, slot->slot_state);
#endif
return(slot);
} else {
#if defined(RING_DEBUG)
printk("[PF_RING] get_insert_slot(%d): NULL slot\n",
pfr->slots_info->insert_idx);
#endif
return(NULL);
}
}
複製代碼
相關文章
一个纸杯
2018-09-04 02:36:13
。