Bug #3801
openProblem harware bypassing with Netronome
Description
Suricata version: 5.0.4-dev
Relevant af-packet config:
af-packet: - cluster-type: cluster_qm xdp-filter-file: /etc/suricata/xdp_filter.bpf xdp-mode: hw use-percpu-hash: false
Using the default xdp_filter.c located in ebpf folder with the following settings:
39 /* Set BUILD_CPUMAP to 0 if you want to run XDP bypass on kernel 40 * older than 4.15 */ 41 #define BUILD_CPUMAP 0 42 /* Increase CPUMAP_MAX_CPUS if ever you have more than 64 CPUs */ 43 #define CPUMAP_MAX_CPUS 64 44 45 /* Set to 1 to bypass encrypted packets of TLS sessions. Suricata will 46 * be blind to these packets or forged packets looking alike. */ 47 #define ENCRYPTED_TLS_BYPASS 0 48 49 /* Set it to 0 if for example you plan to use the XDP filter in a 50 * network card that don't support per CPU value (like netronome) */ 51 #define USE_PERCPU_HASH 0 52 /* Set it to 0 if your XDP subsystem don't handle XDP_REDIRECT (like netronome) */ 53 #define GOT_TX_PEER 0 54 55 /* set to non 0 to load balance in hardware mode on RSS_QUEUE_NUMBERS queues 56 * and unset BUILD_CPUMAP (number must be a power of 2 for netronome) */ 57 #define RSS_QUEUE_NUMBERS 16 58 59 /* no vlan tracking: set it to 0 if you don't use VLAN for tracking. Can 60 * also be used as workaround of some hardware offload issue */ 61 #define VLAN_TRACKING 1
Suricata starts running fine, and it is possible to see that the XDP code is offloaded to the NIC.
1. Running bpftool map dump name flow_table_v4:
Is is possible to see that Suricata add keys to the map, but it seems like the xdp_filter fails at bpf_map_lookup_elem, since we are not observing any XDP_DROP or any of the key values is updates with bypassed pkts and bytes.
Trying to debug this, is seems that the struct key added by Suricata in flow_table_v4 is not the same that is generated by xdp_filter.
We were able to get the bypass to work by setting vlan0 and vlan1 to 0 in AFPXDPBypassCallback in source-af-packet.c:
keys[0]->vlan0 = 0; keys[0]->vlan1 = 0;
and set VLAN_TRACKING = 0 in xdp_filter.c.
Updated by Odin Jenseg over 3 years ago
Seems that I found the error. The VLAN id in xdp_filter.c need to be converted to host byte order:
vlan0 = __constant_ntohs(vhdr->h_vlan_TCI) & 0x0fff;
vlan1 = __constant_ntohs(vhdr->h_vlan_TCI) & 0x0fff;
Also, use-for-tracking: false does not work, if VLAN_TRACKING is false in xdp_filter.c since the Packet struct will contain the vlan ID and be used as a part of the key in bpf map.