[tcpdump-workers] Legacy Linux kernel support

Guy Harris gharris at sonic.net
Wed Apr 1 23:48:54 EDT 2020

On Apr 1, 2020, at 4:14 PM, Mario Rugiero via tcpdump-workers <tcpdump-workers at lists.tcpdump.org> wrote:

> I haven't yet been able to test it, which is why I've been delaying
> writing about this,
> but these two commits[0][1], which according to these threads[2][3]
> are the ones fixing
> the timeout issue, have been applied to CentOS 7 default kernel,
> 3.10.0-1062.el7.

So this is about the mmapped PF_PACKET bug where it delivers an empty buffer when it times out, and does *not* wake up the reader when a buffer is delivered, causing empty buffers to pile up unread, and forcing libpcap to periodically poll the mmapped ring buffer to see if anything was delivered without notification?

If so, then this:


i.e. [0] fixes it, by doing wakeups when a buffer is *delivered* (rather than when a packet is *added* to the buffer, which is pointless) and this:


i.e. [1] arranges that empty buffers aren't delivered when a timeout occurs.

has_broken_tpacket_v3() is checking whether the kernel has that fix or not, based on the kernel version number; to quote the comment in front of it:

 * Some versions of TPACKET_V3 have annoying bugs/misfeatures
 * around which we have to work.  Determine if we have those
 * problems or not.
 * 3.19 is the first release with a fixed version of
 * TPACKET_V3.  We treat anything before that as
 * not having a fixed version; that may really mean
 * it has *no* version.

so it checks for versions prior to 3.19.

That routine is used in set_poll_timeout(); if it returns "true" (a non-zero value), meaning TPACKET_V3 has the bug, the poll() done to wait for packets to arrive is given a non-zero timeout, so that the socket is checked for packets even if no wakeup is delivered by the socket, to drain the empty buffers.

> It can also be seen by comparing vanilla 3.10[4] with the CentOS
> sources[5], diffing
> the files located at net/packet/af_packet.c.
> This *should* mean it works without the workaround.

It should work without the workaround...

...on systems with the fix.

*NOT* all versions of the Linux kernel with TPACKET_V3 necessarily have the fix.  Version 3.19 and later have the fix; earlier versions have it *only* if whoever built the kernel (e.g., the distribution developer) backported the fix.

So we can't assume the workaround is unnecessary, and remove it, unless we either 1) require a 3.19 or later kernel if we're going to use TPACKET_V3 or 2) *somehow* can detect kernels to which the fix was backported.
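The version-based decision described in this message, as an added example that is not libpcap's code and not part of the original post: the function names and the 1 ms fallback timeout are assumptions of the example. It shows why the CentOS 7 release string from the thread, 3.10.0-1062.el7, still gets the workaround: the release string alone cannot reveal a backported fix.

```c
#include <stdio.h>
#include <sys/utsname.h>

/* Version-only test in the spirit of the check described above.
 * Returns 1 if the workaround must stay on, 0 if the kernel is 3.19+. */
int release_needs_workaround(const char *release)
{
    int major, minor;

    /* Unparseable release string: fail safe and keep the workaround. */
    if (sscanf(release, "%d.%d", &major, &minor) != 2)
        return 1;
    if (major > 3 || (major == 3 && minor >= 19))
        return 0;
    /* Pre-3.19: may or may not have a backported fix; the release
     * string cannot tell us, so assume the bug is present. */
    return 1;
}

/* Timeout (ms) to hand to poll(): -1 blocks until the socket wakes us,
 * a positive value forces a periodic look at the ring.
 * FALLBACK_MS is an assumed value for this example. */
#define FALLBACK_MS 1
int poll_timeout_for(const char *release, int requested_ms)
{
    if (!release_needs_workaround(release))
        return -1;
    return requested_ms > 0 ? requested_ms : FALLBACK_MS;
}

int main(void)
{
    /* Constructed sample release strings, plus the running kernel. */
    const char *samples[] = { "3.10.0-1062.el7.x86_64", "3.18.140",
                              "3.19.0", "5.4.0-42-generic" };
    struct utsname u;
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s workaround=%d poll_timeout=%d\n", samples[i],
               release_needs_workaround(samples[i]),
               poll_timeout_for(samples[i], 0));
    if (uname(&u) == 0)
        printf("%-26s workaround=%d (running kernel)\n", u.release,
               release_needs_workaround(u.release));
    return 0;
}
```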
