If I had a software environment that utilized DPDK to read packets directly off a NIC, and this system operated as the DPDK primary, configured the NIC, and retrieved packets, would I be able to pass packets to Suricata (version 7.0) via DPDK as well? Does Suricata support receiving packets from a ring instead of a NIC?
Additionally, Suricata is intended to run as a primary process only.
Since we already have a primary process in control of the packets from the NIC, we don’t want to share access to the NIC with any other processes. To this end, we found the DPDK MemIF driver that has both sides of the connection run as primary and would allow us to send the packets from our main process into Suricata and possibly decide which packets make it to Suricata if we want.
We’ve successfully gotten Suricata to receive from one of these memory interfaces on one thread, but for some reason multiple threads don’t work well with memif in our first attempts. I’m continuing to explore whether I can get multithreaded access to these memory interfaces to work as I want them to.
Separately, why is autofp not available on DPDK? I can start digging into it too, but I’m curious if there’s some terrifying pitfall behind why it’s not supported already. If we need more than one memory interface, it would make sense to make as many memory interfaces as packet acquisition threads.
The work adds support for running Suricata workers as a secondary process and receiving packets from the primary application through DPDK rings. This would also cover your autofp use case, where some cores of the primary process would receive packets from the NIC and forward these packets to Suricata, where the number of primary and secondary can be different.
The PR already contains a README with build and configuration instructions on how to get DPDK Prefilter (autofp mode) up and running.
Let me know if you get stuck at something. Feedback is very much appreciated.