Bug #6250

open

libbpf: elf: legacy map definitions in 'maps' section are not supported by libbpf v1.0+

Added by Vincent Li 9 months ago. Updated 9 months ago.

Status: New
Priority: Normal

Description

Hi

I followed https://docs.suricata.io/en/latest/capture-hardware/ebpf-xdp.html to compile the most recent GitHub libbpf and Suricata. When I run:

suricata -c ./suricata-ebpf.yaml --pidfile /var/run/suricata.pid --af-packet -vvv

I got:

libbpf: elf: legacy map definitions in 'maps' section are not supported by libbpf v1.0+
Error: ebpf: Unable to load eBPF objects in '/usr/libexec/suricata/ebpf/xdp_filter.bpf': Operation not supported [EBPFLoadFile:util-ebpf.c:342]
Warning: af-packet: enp4s0f0: failed to load XDP filter file [ParseAFPConfig:runmode-af-packet.c:579]

libbpf: elf: legacy map definitions in 'maps' section are not supported by libbpf v1.0+
Error: ebpf: Unable to load eBPF objects in '/usr/libexec/suricata/ebpf/xdp_filter.bpf': Operation not supported [EBPFLoadFile:util-ebpf.c:342]
Warning: af-packet: enp4s0f1: failed to load XDP filter file [ParseAFPConfig:runmode-af-packet.c:579]

I think the legacy eBPF map definition needs to be updated to a BTF-defined eBPF map. I could send a PR to update the map definition. What do you think?

#1

Updated by Vincent Li 9 months ago

Here is my suricata-ebpf.yaml config:

af-packet:
  - interface: enp4s0f0
    # Number of receive threads. "auto" uses the number of cores
    #threads: auto
    threads: 1
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    cluster-id: 99
    cluster-type: cluster_flow
    # In some fragmentation cases, the hash can not be computed. If "defrag" is set
    # to yes, the kernel will do the needed defragmentation before sending the packets.
    defrag: yes
    copy-mode: tap
    copy-iface: enp4s0f1
    xdp-mode: driver
    pinned-maps: true
    pinned-maps-name: flow_table_v4
    xdp-filter-file:  /usr/libexec/suricata/ebpf/xdp_filter.bpf
    #bypass: yes
    use-mmap: yes
    ring-size: 200000

    #  For eBPF and XDP setup including bypass, filter and load balancing, please
    #  see doc/userguide/capture-hardware/ebpf-xdp.rst for more info.

  # Put default values here. These will be used for an interface that is not
  # in the list above.
  - interface: enp4s0f1
    threads: 1
    cluster-id: 100
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: enp4s0f0
    xdp-mode: driver
    pinned-maps: true
    pinned-maps-name: flow_table_v4
    xdp-filter-file:  /usr/libexec/suricata/ebpf/xdp_filter.bpf
    #bypass: yes
    use-mmap: yes
    ring-size: 200000

#2

Updated by Vincent Li 9 months ago

There is already a report here: https://redmine.openinfosecfoundation.org/issues/6088; https://github.com/OISF/suricata/pull/9334 should be able to address this issue.
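
A pre-deployment check for the failure quoted in this report, added here as an example (it is not part of the report, Suricata or libbpf): it reads an ELF64 object's section names and distinguishes a 'maps' section, the legacy layout the libbpf error names, from '.maps', the section BTF-defined maps use. The function names and the objects produced by build_sample are constructed for illustration.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 little-endian file header
SHDR = struct.Struct("<IIQQQQIIQQ")        # ELF64 section header

def section_names(obj: bytes) -> list:
    """Section names of a little-endian ELF64 object, the layout clang emits for BPF."""
    if len(obj) < EHDR.size or obj[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    hdr = EHDR.unpack_from(obj)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    if shentsize != SHDR.size or shstrndx >= shnum or shoff + shnum * SHDR.size > len(obj):
        raise ValueError("malformed section header table")
    heads = [SHDR.unpack_from(obj, shoff + i * SHDR.size) for i in range(shnum)]
    strtab = obj[heads[shstrndx][4]:heads[shstrndx][4] + heads[shstrndx][5]]
    names = []
    for h in heads:
        end = strtab.find(b"\0", h[0])
        names.append(strtab[h[0]:end if end >= 0 else len(strtab)].decode("ascii", "replace"))
    return names

def map_style(obj: bytes) -> str:
    """'legacy' if the object has a 'maps' section, 'btf' for '.maps', else 'none'."""
    names = section_names(obj)
    if "maps" in names:   # struct bpf_map_def in SEC("maps"); libbpf v1.0+ refuses to load it
        return "legacy"
    return "btf" if ".maps" in names else "none"

def build_sample(names: list) -> bytes:
    """Constructed input: minimal ELF64 relocatable with empty sections of the given names."""
    strtab, offs = b"\0", [0]  # section 0 is the mandatory null section
    for n in names + [".shstrtab"]:
        offs.append(len(strtab))
        strtab += n.encode() + b"\0"
    last = len(offs) - 1       # .shstrtab is the last section
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, 1, 247, 1, 0, 0,
                     EHDR.size + len(strtab), 0, EHDR.size, 0, 0, SHDR.size, len(offs), last)
    shdrs = b""
    for i, off in enumerate(offs):
        if i == last:          # SHT_STRTAB pointing at the string table placed after the header
            shdrs += SHDR.pack(off, 3, 0, 0, EHDR.size, len(strtab), 0, 0, 1, 0)
        else:                  # SHT_NULL for index 0, empty SHT_PROGBITS otherwise
            shdrs += SHDR.pack(off, 1 if i else 0, 0, 0, 0, 0, 0, 0, 1, 0)
    return ehdr + strtab + shdrs

if __name__ == "__main__":
    for label, secs in (("legacy", ["xdp", "maps", "license"]), ("btf", ["xdp", ".maps", ".BTF", "license"])):
        print(label, "->", map_style(build_sample(secs)))
```

To check an installed object, pass its bytes to map_style, for example the contents of the xdp_filter.bpf file named in the log above.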