Libbpf 1.x with Suricata 6 doesn't support XDP

Good day.
AlmaLinux 9 contains libbpf 1.x by default, but when I try to start Suricata 6.x with XDP and eBPF support I see the errors below.
With libbpf 0.8.1 it works correctly, but ip-features like ip a or ethtool were removed along with libbpf 1.x.
I can’t reinstall it because it needs libbpf 1.x. Your guide in the docs says to get the URL from git.
What should I do to make this work if I have a “new” Linux with libbpf 1.x and need XDP support with the stable 6 version while waiting for the release of 7?

libbpf: prog ‘xdp_hashfilter’: map relo failed to find map for section ‘maps’, off 112
17/5/2023 – 10:29:16 - - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Unable to load eBPF objects in ‘/usr/libexec/suricata/ebpf/xdp_filter.bpf’: Relocation failed
17/5/2023 – 10:29:16 - - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when loading XDP filter file
17/5/2023 – 10:29:16 - - all 2 packet processing threads, 4 management threads initialized, engine started.

Suricata Configuration:
AF_PACKET support: yes
eBPF support: yes
XDP support: yes
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: no
Netmap support: no using new api: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no

Unix socket enabled: yes
Detection enabled: yes

Libmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: no
hiredis async with libevent: no
Prelude support: no
PCRE jit: yes
LUA support: no
libluajit: no
GeoIP2 support: no
Non-bundled htp: no
Hyperscan support: no
Libnet support: yes
liblz4 support: yes
HTTP2 decompression: no

Rust support: yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.66.1 (90743e729 2023-01-10) (Red Hat 1.66.1-1.el9)
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.66.1
Cargo vendor: yes

Python support: yes
Python path: /usr/bin/python3
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes

Profiling enabled: no
Profiling locks enabled: no

Plugin support (experimental): yes

Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no

Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/

--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share

Host: x86_64-pc-linux-gnu
Compiler: clang (exec name) / g++ (real)
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -g -O2 -std=c11 -march=native -I${srcdir}/…/rust/gen -I${srcdir}/…/rust/dist
PCAP_CFLAGS
SECCFLAGS

Can you share the suricata.yaml file that you use?

I would like to try to reproduce it, because on my Arch Linux system, which also has a newer libbpf, I can’t fully reproduce your case yet. It could be that some of the shipped ebpf files need to be updated.

Can you also try loading vlan_filter.bpf for example?

vlan filter works fine, I can’t see any errors
[root@dts-test-alma9 ebpf]# /usr/bin/suricata -c /etc/suricata/suricata.yaml -i ens192
17/5/2023 – 10:47:05 - - This is Suricata version 6.0.12 RELEASE running in SYSTEM mode
17/5/2023 – 10:47:12 - - all 2 packet processing threads, 4 management threads initialized, engine started.
I’m using AlmaLinux release 9.2.
and my suricata.yaml
suricata.yaml (73.8 KB)

UPD
Although the vlan filter works fine, the bypass filter gives me the same error
[root@dts-test-alma9 ~]# /usr/bin/suricata -c /etc/suricata/suricata.yaml -i ens192
17/5/2023 – 11:05:08 - - This is Suricata version 6.0.12 RELEASE running in SYSTEM mode
libbpf: prog ‘hashfilter’: map relo failed to find map for section ‘maps’, off 0
17/5/2023 – 11:05:15 - - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Unable to load eBPF objects in ‘/usr/libexec/suricata/ebpf/bypass_filter.bpf’: Relocation failed
17/5/2023 – 11:05:15 - - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when loading eBPF filter file
17/5/2023 – 11:05:15 - - all 2 packet processing threads, 4 management threads initialized, engine started.

But I’m using the default XDP programs that were compiled from the .c files in the ebpf directory during “make”. How can I update those files?

Those files might need an update from the development side. This requires more XDP/eBPF knowledge. I can reproduce it with some of the filters now, I just get a slightly different reason in the error message (Operation not supported instead of Relocation failed).

If I run it, I also get a different error message from libbpf:

i: suricata: This is Suricata version 7.0.0-rc1 RELEASE running in SYSTEM mode
libbpf: elf: legacy map definitions in 'maps' section are not supported by libbpf v1.0+
E: ebpf: Unable to load eBPF objects in '/bypass_filter.bpf': Operation not supported

So those need to be updated. I created this ticket to track it: Bug #6088: xpd/ebpf: updated shipped bpf files to be supported by libbpf v1.0 and higher - Suricata - Open Information Security Foundation
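Added example, not part of the original thread and not Suricata or libbpf code: the libbpf message quoted above names a `maps` ELF section as the legacy form, so this script reads the section names of a compiled BPF object and reports whether it still carries one. The function names are hypothetical, the `.maps` name for the BTF-style section is stated from general libbpf knowledge rather than from the thread, and the sample objects are constructed in memory so the block runs offline.

```python
import struct

def section_names(data: bytes) -> list:
    """Section names of a little-endian ELF64 object (the format of compiled BPF files)."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (shoff,) = struct.unpack_from("<Q", data, 0x28)          # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)

    def shdr(i):  # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
        return struct.unpack_from("<IIQQQQ", data, shoff + i * shentsize)

    str_off, str_size = shdr(shstrndx)[4:6]
    strtab = data[str_off:str_off + str_size]
    names = []
    for i in range(shnum):
        start = shdr(i)[0]
        names.append(strtab[start:strtab.index(b"\0", start)].decode())
    return names

def map_style(data: bytes) -> str:
    """'legacy' if a 'maps' section exists (what libbpf v1.0+ reports), else 'btf' or 'none'."""
    names = section_names(data)
    if "maps" in names:
        return "legacy"
    return "btf" if ".maps" in names else "none"

def make_elf(names: list) -> bytes:
    """Constructed sample input: a minimal ELF64 with empty sections of the given names."""
    all_names = [""] + names + [".shstrtab"]
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in all_names[1:])
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 1, 247, 1, 0, 0, 64 + len(strtab), 0, 64, 0, 0,
        64, len(all_names), len(all_names) - 1)
    shdrs = b""
    for i, n in enumerate(all_names):
        name_off = strtab.index(n.encode() + b"\0") if n else 0
        is_strtab = i == len(all_names) - 1
        shdrs += struct.pack("<IIQQQQIIQQ", name_off, 3 if is_strtab else int(bool(n)),
                             0, 0, 64 if is_strtab else 0,
                             len(strtab) if is_strtab else 0, 0, 0, 1, 0)
    return ehdr + strtab + shdrs

if __name__ == "__main__":
    for label, secs in [("old-style object", ["xdp", "maps", "license"]),
                        ("BTF-style object", ["xdp", ".maps", "license", ".BTF"])]:
        print(label, "->", map_style(make_elf(secs)))
```

To check a real object, pass its bytes, for example `map_style(open("/usr/libexec/suricata/ebpf/xdp_filter.bpf", "rb").read())`.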

Thank you so much! I’ll wait for some updates from developers then.