Feature #3310

open

ease suricata configuration with xdp

Added by Peter Manev almost 2 years ago. Updated almost 2 years ago.

Status: Feedback
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

In cases where XDP is used, some configuration changes are made in ebpf/xdp_filter.c - for example flow4/flow6 tables, RSS/CPU queues/maps.
I wonder if this can be part of, or mapped from within, the suricata.yaml config so there is only one place to edit.

/* Set BUILD_CPUMAP to 0 if you want to run XDP bypass on kernel
 * older than 4.15 */
#define BUILD_CPUMAP        0
/* Increase CPUMAP_MAX_CPUS if ever you have more than 64 CPUs */
#define CPUMAP_MAX_CPUS     64

/* Set to 1 to bypass encrypted packets of TLS sessions. Suricata will
 * be blind to these packets or forged packets looking alike. */
#define ENCRYPTED_TLS_BYPASS   0 

/* Set it to 0 if for example you plan to use the XDP filter in a
 * network card that don't support per CPU value (like netronome) */
#define USE_PERCPU_HASH     0
/* Set it to 0 if your XDP subsystem don't handle XDP_REDIRECT (like netronome) */
#define GOT_TX_PEER         0

/* set to non 0 to load balance in hardware mode on RSS_QUEUE_NUMBERS queues
 * and unset BUILD_CPUMAP (number must be a power of 2 for netronome) */
#define RSS_QUEUE_NUMBERS   32

/* no vlan tracking: set it to 0 if you don't use VLAN for tracking. Can
 * also be used as workaround of some hardware offload issue */
#define VLAN_TRACKING    0
...
...
struct bpf_map_def SEC("maps") flow_table_v4 = {
#if USE_PERCPU_HASH
    .type = BPF_MAP_TYPE_PERCPU_HASH,
#else
    .type = BPF_MAP_TYPE_HASH,
#endif
    .key_size = sizeof(struct flowv4_keys),
    .value_size = sizeof(struct pair),
    .max_entries = 627680,
};

struct bpf_map_def SEC("maps") flow_table_v6 = {
#if USE_PERCPU_HASH
    .type = BPF_MAP_TYPE_PERCPU_HASH,
#else
    .type = BPF_MAP_TYPE_HASH,
#endif
    .key_size = sizeof(struct flowv6_keys),
    .value_size = sizeof(struct pair),
    .max_entries = 632768,
};

Actions #1

Updated by Victor Julien almost 2 years ago

  • Status changed from New to Feedback
  • Assignee set to Eric Leblond
  • Target version set to TBD

I suppose some of the settings could be communicated to the bpf program using a config map. Others are compile time things.

Eric, any ideas on how to improve this?
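
Added example (not part of the original issue and not Suricata code): a sketch of the "one place to edit" idea, turning a single settings dictionary into a header of compile-time defines plus the packed value for a one-entry config map. The split between compile-time and runtime settings, the `*_MAX_ENTRIES` names, the three-field little-endian layout and all function names are assumptions made for illustration.

```python
import struct

# Assumed split (not Suricata's): these pick map types, map sizes or kernel
# features, so they stay compile-time. The *_MAX_ENTRIES names are hypothetical.
COMPILE_TIME = ("BUILD_CPUMAP", "CPUMAP_MAX_CPUS", "USE_PERCPU_HASH",
                "GOT_TX_PEER", "FLOW_V4_MAX_ENTRIES", "FLOW_V6_MAX_ENTRIES")
# Assumed to affect only per-packet decisions, so a config map could carry them.
RUNTIME = ("ENCRYPTED_TLS_BYPASS", "VLAN_TRACKING", "RSS_QUEUE_NUMBERS")

# Values copied from the xdp_filter.c excerpt in the description.
SAMPLE = {
    "BUILD_CPUMAP": 0, "CPUMAP_MAX_CPUS": 64, "USE_PERCPU_HASH": 0,
    "GOT_TX_PEER": 0, "FLOW_V4_MAX_ENTRIES": 627680,
    "FLOW_V6_MAX_ENTRIES": 632768,
    "ENCRYPTED_TLS_BYPASS": 0, "VLAN_TRACKING": 0, "RSS_QUEUE_NUMBERS": 32,
}

def validate(cfg):
    """Return a list of problems; an empty list means the settings agree."""
    errors = [f"{name}: missing or not a non-negative integer"
              for name in COMPILE_TIME + RUNTIME
              if not isinstance(cfg.get(name), int) or cfg[name] < 0]
    if errors:
        return errors
    rss = cfg["RSS_QUEUE_NUMBERS"]
    # The source comment says to unset BUILD_CPUMAP when RSS_QUEUE_NUMBERS is set.
    if rss and cfg["BUILD_CPUMAP"]:
        errors.append("RSS_QUEUE_NUMBERS set: BUILD_CPUMAP must be 0")
    # Power of 2 is stated for netronome; enforced for all cards as a simplification.
    if rss & (rss - 1):
        errors.append("RSS_QUEUE_NUMBERS must be a power of 2 (netronome)")
    return errors

def render_defines(cfg):
    """Header text for the settings that must be known when compiling."""
    return "".join(f"#define {name} {cfg[name]}\n" for name in COMPILE_TIME)

def pack_runtime(cfg):
    """Value for key 0 of the config map: three u32, little-endian host assumed."""
    return struct.pack("<3I", *(cfg[name] for name in RUNTIME))

def build(cfg):
    """Validate once, then produce both artifacts from the same settings."""
    errors = validate(cfg)
    if errors:
        raise ValueError("; ".join(errors))
    return render_defines(cfg), pack_runtime(cfg)
```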

Actions #2

Updated by Victor Julien almost 2 years ago

  • Description updated (diff)