EBPF bypass filter module not loadable on Debian 12 stable for X710 NIC (Operation not Supported)

Hi, unfortunately, my suricata instance does not load the compiled EBPF bypass module. This is what suricata.log says:

...
[352563 - Suricata-Main] 2025-04-07 13:34:05 Error: ebpf: Unable to load eBPF objects in '/usr/lib/suricata/ebpf/bypass_filter.bpf': Operation not supported
[352563 - Suricata-Main] 2025-04-07 13:34:05 Warning: af-packet: ens1f0: failed to load eBPF filter file
[352563 - Suricata-Main] 2025-04-07 13:34:06 Info: runmodes: ens1f0: creating 14 threads
[352669 - W#01-ens1f0] 2025-04-07 13:34:06 Error: af-packet: Can't find eBPF map fd for 'flow_table_v6'
...
This is Suricata version 7.0.10-1 RELEASE
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_JA3 HAVE_JA4 HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST POPCNT64 
SIMD support: SSE_4_2 SSE_4_1 SSE_3 SSE_2 
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 12.2.0, C version 201112
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.50, linked against LibHTP v0.5.50

Suricata Configuration:
  AF_PACKET support:                       yes
  AF_XDP support:                          yes
  DPDK support:                            yes
  eBPF support:                            yes
  XDP support:                             yes

The EBPF modules were compiled on the same system, so there shouldn't be a library incompatibility.

I tried it both with and without changing uid/gid in suricata config.

Please include the following information with your help request:

  • Suricata version

Suricata 7.0.10

  • Operating system and/or Linux distribution

Debian stable 12 w/ Kernel 6.1.0-32-amd64

  • How you installed Suricata (from source, packages, something else)

Built Debian packages from source by myself

Best regards,
maja

Interesting. How did you build the packages and how did you configure the eBPF use? For me, using the Debian packages from bookworm-backports, I was able to enable eBPF on one of the interfaces:

af-packet:
  - interface: wlp3s0 
    threads: 16
    cluster-id: 97
    cluster-type: cluster_flow # choose any type suitable
    defrag: yes
    # eBPF file containing a 'filter' function that will be inserted into the
    # kernel and used as load balancing function
    ebpf-filter-file:  /usr/lib/suricata/ebpf/vlan_filter.bpf
    ring-size: 200000

See:

❯ sudo cat /var/log/suricata/suricata.log
[2717395 - Suricata-Main] 2025-04-11 00:25:19 Notice: suricata: This is Suricata version 7.0.10 RELEASE running in SYSTEM mode
[2717395 - Suricata-Main] 2025-04-11 00:25:19 Info: cpu: CPUs/cores online: 16
[2717395 - Suricata-Main] 2025-04-11 00:25:19 Info: suricata: Setting engine mode to IDS mode by default
[2717395 - Suricata-Main] 2025-04-11 00:25:19 Info: exception-policy: master exception-policy set to: auto
[2717396 - Suricata-Main] 2025-04-11 00:25:19 Info: logopenfile: fast output device (regular) initialized: fast.log
[2717396 - Suricata-Main] 2025-04-11 00:25:19 Warning: logopenfile: Error connecting to socket "/tmp/files.sock": No such file or directory (will keep trying)
[2717396 - Suricata-Main] 2025-04-11 00:25:19 Info: logopenfile: Setting logging socket of non-blocking in live mode.
[2717396 - Suricata-Main] 2025-04-11 00:25:19 Info: logopenfile: eve-log output device (unix_stream) initialized: /tmp/files.sock
[2717396 - Suricata-Main] 2025-04-11 00:25:19 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[2717396 - Suricata-Main] 2025-04-11 00:25:19 Info: logopenfile: stats output device (regular) initialized: stats.log
[2717396 - Suricata-Main] 2025-04-11 00:25:19 Info: detect: 1 rule files processed. 1 rules successfully loaded, 0 rules failed, 0
[2717396 - Suricata-Main] 2025-04-11 00:25:19 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[2717396 - Suricata-Main] 2025-04-11 00:25:19 Info: detect: 1 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only
[2717396 - Suricata-Main] 2025-04-11 00:25:19 Info: ebpf: Successfully loaded eBPF file '/usr/lib/suricata/ebpf/vlan_filter.bpf' on 'wlp3s0'
[2717396 - Suricata-Main] 2025-04-11 00:25:19 Warning: af-packet: wlp3s0: AF_PACKET tpacket-v3 is recommended for non-inline operation
[2717396 - Suricata-Main] 2025-04-11 00:25:19 Info: runmodes: wlp3s0: creating 16 threads
[2717396 - Suricata-Main] 2025-04-11 00:25:19 Info: unix-manager: unix socket '/var/run/suricata-command.socket'
[2717457 - W#01-wlp3s0] 2025-04-11 00:25:21 Info: af-packet: Activated eBPF filter on socket
[2717458 - W#02-wlp3s0] 2025-04-11 00:25:23 Info: af-packet: Activated eBPF filter on socket
[2717459 - W#03-wlp3s0] 2025-04-11 00:25:26 Info: af-packet: Activated eBPF filter on socket
[2717460 - W#04-wlp3s0] 2025-04-11 00:25:30 Info: af-packet: Activated eBPF filter on socket
[2717461 - W#05-wlp3s0] 2025-04-11 00:25:33 Info: af-packet: Activated eBPF filter on socket
[2717462 - W#06-wlp3s0] 2025-04-11 00:25:36 Info: af-packet: Activated eBPF filter on socket
[2717463 - W#07-wlp3s0] 2025-04-11 00:25:53 Info: af-packet: Activated eBPF filter on socket

This is on Debian 12 with kernel 6.12.12.

Are you trying to run Suricata as an unprivileged user? Then you might need some additional capabilities.

The libbpf issue "failed to open BPF object file: Operation not supported (Android Build via xmake)" (libbpf/libbpf issue #720 on GitHub) also suggests it might be a compiler version issue, so maybe it is related to your custom build. Maybe you can try building the packages in a way close to how the versions from the Debian archive are built: see the debian/bookworm-backports branch of the Suricata packaging team's pkg-suricata repository on GitLab.

My config is as follows:

  - interface: ens1f1
    threads: 12
    cluster-id: 21
    cluster-type: cluster_qm
    defrag: no
    rollover: no
    use-mmap: yes
    mmap-locked: yes
    tpacket-v3: yes
    ring-size: 787000
    block-size: 1048576
    use-emergency-flush: yes
    checksum-checks: auto
    bpf-filter: [redacted]
    ebpf-filter-file: /usr/lib/suricata/ebpf/bypass_filter.bpf

I use the helper files from the bookworm backport packages source code to compile my own pkg from a slightly modified current suricata source (only some changes in the c-code).

I compile and run it on Debian 12 with kernel 6.1.0-32-amd64 and the included standard compilers and tools.

I tried running it both with and without changing uid/gid in the run-as section of suricata.yaml, in both cases with the effect described above.

Weird. Very mysterious.

Can you share the invocation of your build run (e.g. gbp or dpkg-buildpackage)?
Did you build in a chroot (if so, which one)?
What does file /usr/lib/suricata/ebpf/bypass_filter.bpf say?

I am building the package with dpkg-buildpackage -b -uc -us -rfakeroot.

The output of the file command is /usr/lib/suricata/ebpf/bypass_filter.bpf: ELF 64-bit LSB relocatable, eBPF, version 1 (SYSV), not stripped.

If you have root privileges, "operation not supported" might mean your kernel is missing some eBPF-related config. You can try to load the bypass_filter.bpf manually with a utility like xdp-loader -vvv, which will give you a verbose log telling you what you might be missing.
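Added example (not from the thread or the Suricata project): a POSIX sh helper that automates the checks the replies above suggest: compare the running kernel's config against a baseline of eBPF options, confirm with file that the object is a relocatable eBPF ELF, and attempt a verbose manual load, using bpftool with libbpf debug output instead of xdp-loader. The option list, the default paths and the pin name under /sys/fs/bpf are assumptions.

```shell
#!/bin/sh
# Added diagnostic helper, not from the thread. Checks the three things the
# replies point at: eBPF kernel options, the object file type, and a verbose
# manual load. Option list, paths and the bpffs pin name are assumptions.

# Kernel options this helper treats as required (assumed baseline).
REQUIRED_OPTS="CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_BPF_JIT CONFIG_NET_CLS_BPF"

# Print the required options that are neither =y nor =m in the given config
# file (space separated); return 0 when nothing is missing, 1 otherwise.
check_kernel_config() {
    cfg="$1"; missing=""
    for opt in $REQUIRED_OPTS; do
        grep -Eq "^${opt}=(y|m)$" "$cfg" || missing="$missing $opt"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Succeed only if 'file' reports a relocatable eBPF ELF object, which is what
# the af-packet ebpf-filter-file option expects.
check_object_type() {
    file -b "$1" | grep -q 'ELF 64-bit LSB relocatable, eBPF'
}

# Load the object manually as a socket filter (the type Suricata attaches to
# its AF_PACKET sockets) with libbpf debug output (bpftool -d), so the kernel's
# reason for refusing it is visible. Needs root and a mounted bpffs.
manual_load() {
    obj="$1"; pin="/sys/fs/bpf/suricata_ebpf_check"
    if ! command -v bpftool >/dev/null 2>&1; then
        echo "bpftool not installed; skipping manual load"; return 0
    fi
    bpftool -d prog loadall "$obj" "$pin" type socket && rm -rf "$pin"
}

main() {
    obj="${1:-/usr/lib/suricata/ebpf/bypass_filter.bpf}"
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then
        missing=$(check_kernel_config "$cfg") || echo "missing kernel options: $missing"
    else
        echo "kernel config $cfg not readable; skipping kernel check"
    fi
    check_object_type "$obj" || echo "$obj is not a relocatable eBPF object"
    manual_load "$obj"
}

# Run the checks only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then main "$2"; fi
```

Run as root with sh ebpf_check.sh --run /usr/lib/suricata/ebpf/bypass_filter.bpf; a pinned program left under /sys/fs/bpf after a failed run can be removed with rm.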