next/599/20241012/v1

configure.ac

@@ -1846,60 +1846,77 @@
                 AS_HELP_STRING([--enable-napatech],[Enabled Napatech Devices]),
                 [ enable_napatech=$enableval ],
                 [ enable_napatech=no])
-    AC_ARG_ENABLE(napatech_bypass,
-                AS_HELP_STRING([--disable-napatech-bypass],[Disable Bypass feature on Napatech cards]),
-                [ napatech_bypass=$enableval ],
-                [ napatech_bypass=yes])
-    AC_ARG_WITH(napatech_includes,
-                [  --with-napatech-includes=DIR   napatech include directory],
-                [with_napatech_includes="$withval"],[with_napatech_includes="/opt/napatech3/include"])
-    AC_ARG_WITH(napatech_libraries,
-                [  --with-napatech-libraries=DIR  napatech library directory],
-                [with_napatech_libraries="$withval"],[with_napatech_libraries="/opt/napatech3/lib"])
-
-    if test "$enable_napatech" = "yes"; then
-        CPPFLAGS="${CPPFLAGS} -I${with_napatech_includes}"
-        LDFLAGS="${LDFLAGS} -L${with_napatech_libraries}"
-        LIBS="${LIBS} -lntapi"
-        AC_CHECK_HEADER(nt.h,NAPATECH="yes",NAPATECH="no")
-        if test "$NAPATECH" != "no"; then
-            NAPATECH=""
-            AC_CHECK_LIB(ntapi, NT_Init,NAPATECH="yes",NAPATECH="no")
-        fi
-
-        if test "$NAPATECH" = "no"; then
+    AS_IF([test "x$enable_napatech" = "xyes"], [
+        if test "x$enable_shared" = "xno"; then
             echo
-            echo "  ERROR! libntapi library not found"
+            echo "   ERROR! napatech cannot be enabled with --disable-shared"
             echo
             exit 1
-        else
-            AC_CHECK_LIB(numa, numa_available,, LIBNUMA="no")
-            if test "$LIBNUMA" = "no"; then
+        fi
+        AC_ARG_ENABLE(napatech_bypass,
+                    AS_HELP_STRING([--disable-napatech-bypass],[Disable Bypass feature on Napatech cards]),
+                    [ napatech_bypass=$enableval ],
+                    [ napatech_bypass=yes])
+        AC_ARG_WITH(napatech_includes,
+                    [  --with-napatech-includes=DIR   napatech include directory],
+                    [with_napatech_includes="$withval"],[with_napatech_includes="/opt/napatech3/include"])
+        AC_ARG_WITH(napatech_libraries,
+                    [  --with-napatech-libraries=DIR  napatech library directory],
+                    [with_napatech_libraries="$withval"],[with_napatech_libraries="/opt/napatech3/lib"])
+
+        if test "$enable_napatech" = "yes"; then
+            CPPFLAGS="${CPPFLAGS} -I${with_napatech_includes}"
+            LDFLAGS="${LDFLAGS} -L${with_napatech_libraries}"
+            LIBS="${LIBS} -lntapi"
+            AC_CHECK_HEADER(nt.h,NAPATECH="yes",NAPATECH="no")
+            if test "$NAPATECH" != "no"; then
+                NAPATECH=""
+                AC_CHECK_LIB(ntapi, NT_Init,NAPATECH="yes",NAPATECH="no")
+            fi
+
+            if test "$NAPATECH" = "no"; then
                 echo
-                echo "  WARNING: libnuma is required to use Napatech auto-config"
-                echo "      libnuma is not found.  Go get it"
-                echo "      from http://github.com/numactl/numactl or your distribution:"
-                echo "          Ubuntu: apt-get install libnuma-dev"
-                echo "          Fedora: dnf install numactl-devel"
-                echo "          CentOS/RHEL: yum install numactl-devel"
+                echo "  ERROR! libntapi library not found"
                 echo
                 exit 1
+            else
+                AC_CHECK_LIB(numa, numa_available,, LIBNUMA="no")
+                if test "$LIBNUMA" = "no"; then
+                    echo
+                    echo "  WARNING: libnuma is required to use Napatech auto-config"
+                    echo "      libnuma is not found.  Go get it"
+                    echo "      from http://github.com/numactl/numactl or your distribution:"
+                    echo "          Ubuntu: apt-get install libnuma-dev"
+                    echo "          Fedora: dnf install numactl-devel"
+                    echo "          CentOS/RHEL: yum install numactl-devel"
+                    echo
+                    exit 1
+                fi
             fi
-        fi
 
-        AC_DEFINE([HAVE_NAPATECH],[1],(Napatech capture card support))
-        if test "$napatech_bypass" = "yes"; then
-            AC_CHECK_LIB(ntapi, NT_FlowOpenAttrInit,NTFLOW="yes",NTFLOW="no")
-            if test "$NTFLOW" = "yes"; then
-                echo "   Napatech Flow Processing is Enabled (--disable-napatech-bypass if not needed)"
-                AC_DEFINE([NAPATECH_ENABLE_BYPASS],[1],(Napatech flowdirector support))
+            AC_DEFINE([HAVE_NAPATECH],[1],(Napatech capture card support))
+            if test "$napatech_bypass" = "yes"; then
+                AC_CHECK_LIB(ntapi, NT_FlowOpenAttrInit,NTFLOW="yes",NTFLOW="no")
+                if test "$NTFLOW" = "yes"; then
+                    echo "   Napatech Flow Processing is Enabled (--disable-napatech-bypass if not needed)"
+                    AC_DEFINE([NAPATECH_ENABLE_BYPASS],[1],(Napatech flowdirector support))
+                else
+                    echo "Napatech Flow Processing is not available"
+                fi
             else
-                echo "Napatech Flow Processing is not available"
+                echo "Napatech Flow Processing is Disabled."
             fi
-        else
-            echo "Napatech Flow Processing is Disabled."
         fi
+        ])
+
+    if test "x$enable_napatech" = "xyes"; then
+        AM_CONDITIONAL([BUILD_NAPATECH], [true])
+        napatech_comment=""
+    else
+        AM_CONDITIONAL([BUILD_NAPATECH], [false])
+        napatech_comment="#"
     fi
+    AC_SUBST([napatech_comment])
 
   # libmaxminddb
     AC_ARG_ENABLE(geoip,
@@ -2513,6 +2530,7 @@ AC_CONFIG_FILES(examples/plugins/ci-capture/Makefile)
 AC_CONFIG_FILES(examples/lib/simple/Makefile examples/lib/simple/Makefile.example)
 AC_CONFIG_FILES(plugins/Makefile)
 AC_CONFIG_FILES(plugins/pfring/Makefile)
+AC_CONFIG_FILES(plugins/napatech/Makefile)
 
 AC_OUTPUT
 

doc/userguide/upgrade.rst

@@ -77,6 +77,8 @@ Major changes
     - sip.to
     - sip.content_type
     - sip.content_length
+- Napatech support has been moved to a capture plugin. See :doc:`Napatech plugin
+  <upgrade/8.0-napatech-plugin>`.
 
 Removals
 ~~~~~~~~

doc/userguide/upgrade/8.0-napatech-plugin.rst

@@ -0,0 +1,42 @@
+:orphan: Document only referenced from upgrade.rst
+
+Napatech as a Plugin
+====================
+
+Suricata 8.0 moves Napatech packet capture support to a dynamically loaded
+plugin. For convenience, this plugin is still bundled with Suricata, but it
+may be removed from the Suricata source tree into its own repository in a
+future release.
+
+Upgrading
+---------
+
+Suricata 8.0 continues to respect the ``--enable-napatech`` compile time
+option, as well as the ``--napatech`` command-line options, and also
+the ``napatech`` section of the configuration file.
+
+.. note:: When the Napatech capture plugin is eventually removed from the
+          Suricata source tree these options may be removed and/or changed
+          as this would allow the Napatech capture plugin to have its own
+          release cycle and make changes independent of Suricata.
+
+However, the ``napatech`` capture plugin must be loaded before it can be
+used. If doing a fresh build of Suricata with Napatech support, the
+``suricata.yaml`` configuration file should be configured to load the
+plugin already, for example::
+
+  plugins:
+    - /usr/lib/suricata/napatech.so
+
+If you are upgrading, you will need to add the location of
+``napatech.so`` to the ``plugins`` section of your ``suricata.yaml``
+manually, as shown above.
+
+Existing Napatech command-line options and configuration should continue to work.
+
+Caveats
+-------
+
+Currently building the Napatech capture plugin is not compatible with the
+``--disable-shared`` configure argument.
+

plugins/Makefile.am

@@ -3,3 +3,7 @@ SUBDIRS =
 if BUILD_PFRING
 SUBDIRS += pfring
 endif
+
+if BUILD_NAPATECH
+SUBDIRS += napatech
+endif

plugins/napatech/Makefile.am

@@ -0,0 +1,13 @@
+pkglib_LTLIBRARIES = napatech.la
+
+napatech_la_SOURCES = runmode-napatech.c source-napatech.c util-napatech.c plugin.c
+napatech_la_LDFLAGS = -module -avoid-version -shared
+napatech_la_LIBADD = -lntapi
+
+noinst_HEADERS = \
+	runmode-napatech.h \
+	source-napatech.h \
+	util-napatech.h
+
+install-exec-hook:
+	cd $(DESTDIR)$(pkglibdir) && $(RM) $(pkglib_LTLIBRARIES)

plugins/napatech/README.md

@@ -0,0 +1,34 @@
+# Napatech Plugin Capture Plugin
+
+## Building
+
+To build this plugin, configure Suricata with the `--enable-napatech` and
+optionally the `--with-napatech-includes` and
+`--with-napatech-libraries` command line options.
+
+## Running
+```
+/usr/local/suricata/bin/suricata \
+    --set plugins.0=/usr/local/lib/suricata/napatech.so \
+    --capture-plugin=napatech
+```
+
+### --set plugins.0=/usr/local/lib/suricata/napatech.so
+
+This command line option tells Suricata about this plugin. This could also
+be done in `suricata.yaml` with the following section:
+```
+plugins:
+  - /usr/local/lib/suricata/napatech.so
+```
+
+### --capture-plugin=napatech
+
+This is the option that tells Suricata to use a plugin for capture, much like
+`--pcap` tells Suricata to use libpcap or `--af-packet` tells Suricata to use
+AF_PACKET. Here we are telling it to look for a loaded plugin of the name
+`napatech` to provide the capture method.
+
+There is another command line option `--capture-plugin-args` to pass arbitrary
+data on the command line to a capture plugin, but this plugin does not yet handle
+data provided through this command line parameter.

plugins/napatech/plugin.c

@@ -0,0 +1,56 @@
+/* Copyright (C) 2020-2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#include "suricata-common.h"
+#include "suricata-plugin.h"
+
+#include "decode.h"
+#include "source-napatech.h"
+#include "runmode-napatech.h"
+#include "util-device.h"
+
+void InitCapturePlugin(const char *args, int plugin_slot, int receive_slot, int decode_slot)
+{
+    LiveBuildDeviceList("plugin");
+    RunModeNapatechRegister(plugin_slot);
+    TmModuleReceiveNapatechRegister(receive_slot);
+    TmModuleDecodeNapatechRegister(decode_slot);
+}
+
+void SCPluginInit(void)
+{
+    SCCapturePlugin *plugin = SCCalloc(1, sizeof(SCCapturePlugin));
+    if (plugin == NULL) {
+        FatalError("Failed to allocate memory for capture plugin");
+    }
+    plugin->name = "napatech";
+    plugin->Init = InitCapturePlugin;
+    plugin->GetDefaultMode = RunModeNapatechGetDefaultMode;
+    SCPluginRegisterCapture(plugin);
+}
+
+const SCPlugin PluginRegistration = {
+    .name = "napatech",
+    .author = "Open Information Security Foundation",
+    .license = "GPLv2",
+    .Init = SCPluginInit,
+};
+
+const SCPlugin *SCPluginRegister()
+{
+    return &PluginRegistration;
+}