Good morning,
I have installed Suricata 7.0.11 under a RHEL10 host (fully updated) and I am receiving errors regarding to use af-packet with XDP driver.
First, Suricata build info:
This is Suricata version 7.0.11 RELEASE
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_JA3 HAVE_JA4 HAVE_LIBJANSSON PROFILING PROFILE_LOCKING TLS TLS_C11 MAGIC RUST POPCNT64
SIMD support: SSE_2
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version Clang 19.1.7 (Red Hat, Inc. 19.1.7-2.el10), C version 201112
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.51, linked against LibHTP v0.5.51
Suricata Configuration:
AF_PACKET support: yes
AF_XDP support: yes
DPDK support: no
eBPF support: yes
XDP support: yes
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libjansson support: yes
hiredis support: no
hiredis async with libevent: no
PCRE jit: yes
LUA support: yes
libluajit: no
GeoIP2 support: no
JA3 support: yes
JA4 support: yes
Non-bundled htp: no
Hyperscan support: no
Libnet support: yes
liblz4 support: yes
Landlock support: yes
Rust support: yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.84.1 (e71f9a9a9 2025-01-27) (Red Hat 1.84.1-1.el10)
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.84.1 (66221abde 2024-11-19)
Python support: yes
Python path: /usr/bin/python3
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes
Profiling enabled: yes
Profiling locks enabled: yes
Profiling rules enabled: yes
Plugin support (experimental): yes
DPDK Bond PMD: no
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Fuzz targets enabled: no
Generic build parameters:
Installation prefix: /opt/suricata
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
–prefix /opt/suricata
–sysconfdir /etc
–localstatedir /var
–datarootdir /opt/suricata/share
Host: x86_64-pc-linux-gnu
Compiler: clang (exec name) / clang++ (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: yes
CFLAGS -g -O2 -fPIC -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
PCAP_CFLAGS -I/usr/include
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
My config regarding af-packet section:
af-packet:
- interface: enp5s0
threads: auto
cluster-id: 99
cluster-type: cluster_flow
defrag: yes
xdp-mode: driver
xdp-filter-file: /etc/suricata/ebpf/xdp_filter.bpf
bypass: yes
use-mmap: yes
ring-size: 200000
buffer-size: 64535
bpf-filter: ip and not proto 112
tpacket-v3: yes
And error is:
[29137 - Suricata-Main] 2025-07-20 08:38:19 Error: ebpf: Unable to load eBPF objects in ‘/etc/suricata/ebpf/xdp_filter.bpf’: Operation not supported
[29137 - Suricata-Main] 2025-07-20 08:38:19 Warning: af-packet: enp5s0: failed to load XDP filter file
[29137 - Suricata-Main] 2025-07-20 08:38:19 Perf: af-packet: enp5s0: cluster_flow: 4 cores, using 4 threads
[29137 - Suricata-Main] 2025-07-20 08:38:19 Info: runmodes: enp5s0: creating 4 threads
[29138 - W#01-enp5s0] 2025-07-20 08:38:19 Error: af-packet: Can’t find eBPF map fd for ‘flow_table_v6’
Any idea where is the error?? There is no error when I have compiled suricata with ebpf …
type or paste code here