Enable eBPF and XDP mode in Suricata

Please include the following information with your help request:

  • Suricata version → 7.0.6
  • Operating system and/or Linux distribution → Ubuntu 22 Server
  • How you installed Suricata (from source, packages, something else) → apt

Here are the problems I encountered:

  1. First I tried to enable XDP by putting "bypass: true" on my interface in the af-packet section, and I got a warning like this: [3301] Warning: af-packet: ens3f0np0: XDP filter set but XDP support is not built-in. Then, after running suricata --build-info, it printed "eBPF support: no, XDP support: no".
  2. Now, I know that I need to enable the mode in Suricata, and after reading the documentation multiple times, it needs to be done at the ./configure level, meaning I have to rebuild/compile Suricata from git. So I did, but I encountered many problems:
  • I used git clone on the OISF/suricata GitHub repository, then I ran everything including make, and I get an error from rust, which says:
    Making install in src
    make[2]: Entering directory '/home/rayyan/download/ebpf_suricata/src'
    CC main.o
    CC alert-debuglog.o
    In file included from output-file.h:29,
    from output.h:40,
    from alert-debuglog.c:47:
    rust.h:24:10: fatal error: rust-bindings.h: No such file or directory
    24 | #include "rust-bindings.h"
    | ^~~~~~~~~~~~~~~~~
    compilation terminated.
    make[2]: *** [Makefile:3380: alert-debuglog.o] Error 1
    make[2]: Leaving directory '/home/rayyan/download/ebpf_suricata/src'
    make[1]: *** [Makefile:500: install-recursive] Error 1
    make[1]: Leaving directory '/home/rayyan/download/ebpf_suricata'
    make: *** [Makefile:925: install-full] Error 2

Any thoughts on how to enable eBPF and XDP mode in Suricata the simple way?

Hello,

I think it is related to the upgraded cbindgen which broke the build.

What is your cbindgen version?
cbindgen --version

If it is 0.27.0 then the problem is likely related.
The problem is fixed in master and will be fixed in 7.0.7

Until then you can build it using the older cbindgen version by uninstalling the current cbindgen and installing the older version by using:
cargo install cbindgen@0.26.0

Otherwise you can also try make clean && make -j to retry the compilation.
Edit: it has been fixed in the main-7.0.x branch (the future 7.0.7 branch).

Can you confirm the cbindgen version?

Confirmed, cbindgen is version 0.27.0, and I downgraded to 0.26.0 after checking.

Still got the same issue with rust-bindings.h.

Should I downgrade to Suricata 6.0.0 to avoid this issue?

You can try make clean and then compile it again.
Alternatively, you can do a compilation from a fresh folder: clone Suricata to a different folder, or remove and reclone to the same one.
Alternatively #2, you can switch to main-7.0.x: git checkout main-7.0.x

Suricata 6.0.x is end of life, so there is no support; I think the issue would be present there anyway.

Edit: can you confirm that your cbindgen is really 0.26.0 after the downgrade?

Apparently it has a different version across users. Trying to recompile right now.

A new error has been produced after compiling. This is using the git branch main-7.0.x and cbindgen 0.26.0.
These were executed without sudo.

Great to hear that!
Btw, just to confirm, can you now build Suricata without the ebpf switches?

Can you verify you installed all the required ebpf dependencies?
I think the only one should be
sudo apt install libbpf-dev
Then use both ebpf switches:
--enable-ebpf --enable-ebpf-build with the configure script.

Confirmed, it successfully makes/compiles without the ebpf flags.

What should I do from here? I can tell that the eBPF source code is having issues.

You can check the dependencies and steps from this build - it is from Debian, but the same/similar instructions should apply for Ubuntu.

I wanted to suggest checking that you have the latest version, but yes, you have the same as me.
On my PC it is:

dpkg -s libbpf-dev | grep Version
Version: 1:0.5.0-1ubuntu22.04.1

This also finds the function on my PC - does it for you?

grep bpf_set_link_xdp_fd /usr/include/bpf/libbpf.h

It's likely some linking issue; I can compile fine on my machine (and it is compiled within Suri CI), so the code should not be the issue.

Yeah, it doesn't show anything. How do I fix this linking issue? Is it with the sudo ldconfig provided within the documentation?

I would try to:

  1. remove and install libbpf-dev again

  2. remove libbpf-dev and install it manually

ldconfig is needed after a manual install of the eBPF library to update the library cache on the system.

Resolved! Thank you. That fixed the linking problem by reinstalling.

For everyone: I can't tell which one is the "only" solution, but you have to go through all of this, as this was written "step-by-step" by me and @lukashino.
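The checks this thread walks through one post at a time (the cbindgen version that breaks the 7.0.6 build, the bpf_set_link_xdp_fd declaration in libbpf.h, the ld cache after a manual libbpf install, and the eBPF/XDP lines in suricata --build-info) collected into a single preflight script to run before ./configure --enable-ebpf --enable-ebpf-build. This is an added example, not code from the thread's participants or from the Suricata project. It assumes cbindgen prints "cbindgen X.Y.Z", that libbpf-dev places its header at /usr/include/bpf/libbpf.h, and that an installed binary is reachable as suricata; the function names are mine.

```shell
#!/bin/sh
# Preflight checks for building Suricata 7.0.x with --enable-ebpf --enable-ebpf-build.
# Added example for this thread; not code from the Suricata project or the posters.
# Assumptions: cbindgen prints "cbindgen X.Y.Z", libbpf.h lives under /usr/include/bpf,
# and the installed binary is on PATH as "suricata". Function names are made up here.

# Extract the version from `cbindgen --version` output ("cbindgen 0.27.0" -> "0.27.0").
cbindgen_version() {
    printf '%s\n' "$1" | awk '/^cbindgen /{print $2; exit}'
}

# cbindgen 0.27.0 is the release the thread identifies as breaking the 7.0.6 build
# (rust-bindings.h never gets generated). Returns 0 when the version is exactly that one.
cbindgen_is_broken() {
    [ "$1" = "0.27.0" ]
}

# Check a libbpf header for the XDP attach function the thread greps for.
# $1 is a path to libbpf.h. Returns 0 when the declaration is present.
libbpf_declares_xdp_fd() {
    grep -q 'bpf_set_link_xdp_fd' "$1" 2>/dev/null
}

# Parse `suricata --build-info` text; return 0 only when both features are compiled in.
build_info_has_ebpf_xdp() {
    printf '%s\n' "$1" | grep -q '^ *eBPF support: *yes' &&
    printf '%s\n' "$1" | grep -q '^ *XDP support: *yes'
}

# Run the live checks against this host. Returns non-zero on the first failed check.
preflight() {
    v=$(cbindgen_version "$(cbindgen --version 2>/dev/null)")
    if [ -z "$v" ]; then
        echo "cbindgen not found; install with: cargo install cbindgen@0.26.0" >&2
        return 1
    fi
    if cbindgen_is_broken "$v"; then
        echo "cbindgen $v breaks the 7.0.6 build; downgrade: cargo install --force cbindgen@0.26.0" >&2
        return 1
    fi
    if ! libbpf_declares_xdp_fd /usr/include/bpf/libbpf.h; then
        echo "bpf_set_link_xdp_fd not declared in /usr/include/bpf/libbpf.h; reinstall libbpf-dev" >&2
        return 1
    fi
    if ! ldconfig -p | grep -q 'libbpf\.so'; then
        echo "libbpf.so is not in the ld cache; run: sudo ldconfig" >&2
        return 1
    fi
    if command -v suricata >/dev/null 2>&1; then
        if build_info_has_ebpf_xdp "$(suricata --build-info)"; then
            echo "suricata reports eBPF support: yes and XDP support: yes"
        else
            echo "installed suricata lacks eBPF/XDP; reconfigure with --enable-ebpf --enable-ebpf-build" >&2
            return 1
        fi
    fi
    echo "preflight OK"
}

# Only run the live checks when invoked as: sh preflight.sh run
case "${1:-}" in
    run) preflight ;;
esac
```

Run it as `sh preflight.sh run` before configuring; each failing check prints the remedy the thread arrived at for that step. The parsing helpers are kept separate from the host checks so they can be exercised on captured output without cbindgen or libbpf installed.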