Suricata 6.0.11 XDP error

Hello team,

I’m experiencing some XDP issues on my new system. It’s the first time I’m trying out an AMD based platform so I’m not sure if it’s a hardware or software problem.

Both kernel + suricata are built with XDP support.

Suri AF-Config:

  - interface: eth0
    cluster-type: cluster_qm
    xdp-mode: driver
    xdp-filter-file: /usr/libexec/suricata/ebpf/xdp_filter.bpf
    bypass: yes

I’m getting the following messages:

- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Unable to load eBPF objects in '/usr/libexec/suricata/ebpf/xdp_filter.bpf': Operation not supported

- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when loading XDP filter file

- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6'

Besides these error messages, Suricata is running fine (just no XDP sup.). I guess there is some kind of fallback implemented?
Any ideas on how to fix this XDP issue?

System info:
CPU: AMD Threadripper Pro 59x
NIC: Intel X710 SFP+
Kernel: 6.1
Driver: i40e
Suricata: 6.0.11
libbpf: 1.1.0

Thanks in advance,
Jiivas

Can you post suricata --build-info and also ethtool eth0 and ethtool -i eth0?

Hello Andreas,

thank you for your reply.

suricata --build-info:

This is Suricata version 6.0.11 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
SIMD support: none
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 12.2.0, C version 201112
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.43, linked against LibHTP v0.5.43
Suricata Configuration:
AF_PACKET support: yes
eBPF support: yes
XDP support: yes
PF_RING support: no
NFQueue support: yes
NFLOG support: yes
IPFW support: no
Netmap support: no using new api: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: yes
hiredis async with libevent: yes
Prelude support: no
PCRE jit: yes
LUA support: yes, through luajit
libluajit: yes
GeoIP2 support: yes
Non-bundled htp: yes
Hyperscan support: yes
Libnet support: yes
liblz4 support: yes
HTTP2 decompression: yes
Rust support: yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.63.0
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.65.0
Cargo vendor: yes
Python support: yes
Python path: /usr/bin/python3
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes
Profiling enabled: no
Profiling locks enabled: no
Plugin support (experimental): yes
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share
Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -g -O2 -std=c11 -I${srcdir}/…/rust/gen -I${srcdir}/…/rust/dist
PCAP_CFLAGS -I/usr/include
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

ethtool eth0

Settings for eth0:
Supported ports: [ FIBRE ]
Supported link modes: 1000baseX/Full
10000baseSR/Full
Supported pause frame use: Symmetric Receive-only
Supports auto-negotiation: Yes
Supported FEC modes: Not reported
Advertised link modes: 1000baseX/Full
10000baseSR/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Advertised FEC modes: Not reported
Speed: 1000Mb/s
Duplex: Full
Auto-negotiation: on
Port: FIBRE
PHYAD: 0
Transceiver: internal
Supports Wake-on: d
Wake-on: d
Current message level: 0x00000007 (7)
drv probe link
Link detected: yes

ethtool -i eth0

driver: i40e
version: 6.1.20-sbox
firmware-version: 6.01 0x800035cf 1.1747.0
expansion-rom-version:
bus-info: 0000:61:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: yes

What distribution is this?
The driver version looks strange: 6.1.20-sbox, with the one in kernels and official being in the 2.xx.yy version range.

The file /usr/libexec/suricata/ebpf/xdp_filter.bpf is present and correct?

Hi Andreas,

It’s a Debian-based distro with a custom 6.1 kernel (6.1.20-sbox). The ebpf files are present and I assume that they are correct.

ls -la /usr/libexec/suricata/ebpf/

-rw-r--r-- 1 root root 2336 Apr 14 12:49 bypass_filter.bpf
-rw-r--r-- 1 root root 1384 Apr 14 12:49 filter.bpf
-rw-r--r-- 1 root root 1880 Apr 14 12:49 lb.bpf
-rw-r--r-- 1 root root 872 Apr 14 12:49 vlan_filter.bpf
-rw-r--r-- 1 root root 4888 Apr 14 12:49 xdp_filter.bpf
-rw-r--r-- 1 root root 4824 Apr 14 12:49 xdp_lb.bpf

Can you retry this with an official Debian kernel? Maybe the custom kernel is missing some crucial parts or the build was not made with that one in mind.
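
One way to check the "custom kernel is missing some crucial parts" hypothesis before swapping kernels, as an added example that is not part of the original thread or of Suricata: a small script that reads a kernel config and lists BPF/XDP-related build options that are not enabled. The option list, the function names and the sample config are assumptions made for this example; the sample is constructed and is not the poster's real config.

```shell
#!/bin/sh
# Added example: list kernel build options relevant to loading an XDP
# program on an i40e NIC that a kernel config leaves disabled.
# ASSUMPTION: this option list is illustrative; it does not come from the
# thread or from Suricata's documentation.
REQUIRED_OPTS="CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_BPF_JIT CONFIG_I40E"

# Read a kernel config on stdin and print, space-separated, every option
# in REQUIRED_OPTS that is neither built in (=y) nor a module (=m).
# Prints an empty line when nothing is missing.
missing_bpf_opts() {
    cfg=$(cat)
    missing=""
    for opt in $REQUIRED_OPTS; do
        # "# CONFIG_X is not set" and absent lines both count as missing.
        if ! printf '%s\n' "$cfg" | grep -Eq "^${opt}=[ym]\$"; then
            missing="${missing:+$missing }$opt"
        fi
    done
    printf '%s\n' "$missing"
}

# Constructed sample input: a custom kernel config with the bpf() syscall
# disabled and no JIT entry at all.
sample_config() {
    cat <<'EOF'
CONFIG_NET=y
CONFIG_BPF=y
# CONFIG_BPF_SYSCALL is not set
CONFIG_I40E=m
EOF
}

# Demo on the constructed sample.
echo "missing in sample: $(sample_config | missing_bpf_opts)"

# On a real host, feed the running kernel's config instead, for example:
#   missing_bpf_opts < "/boot/config-$(uname -r)"
#   zcat /proc/config.gz | missing_bpf_opts   # needs CONFIG_IKCONFIG_PROC
```

An empty result only rules out these particular options; it does not prove the kernel, driver and libbpf combination can load the filter.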