So you say, you have let’s say one interface from which you want to pass packets to both/multiple applications?
Then I can think of deploying OVS or VPP. It makes deployment of such applications more manageable but it definitely takes some toll on the performance - and my knowledge there is somewhat limited there.
I imagine your topology like this:
[IF] -> DPDK_APP1
-> DPDK_Suricata
virtual devices, handled by Suricata, connected (with tap) to the real interfaces
I do not think there is such a thing as a software TAP in the DPDK natively. That TAP functionality must be provided by some application. And that can be e.g. OVS. OVS most likely will need to do 2 packet copies where each copy will be forwarded to the individual application.
Note the application runs in parallel.
Note2: I’ve found this 55.2. Multi-process sharing in https://doc.dpdk.org/guides/nics/tap.html but I have never tried so cannot really speak much about it.
[IF] -> OVS -> DPDK_APP1
-> DPDK_Suricata
Alternatively, you could do a hardware TAP if possible and use 2 interfaces (if you have access to HW and have a spare port). I believe that can lead to easy software architecture and good performance.
The secondary mode can be useful on topology like where you would use net_ring virtual device to connect two applications together. This in contrast to the OVS solution would make the applications run in a pipeline (where the slowest app would slow down the whole pipeline of applications but on the other hand - no packet copies would happen).
[IF] -> DPDK_APP1 -> DPDK_Suricata
So my suggestion:
- look if a hardware TAP is possible
- look at OVS/similar applications for distributing packets between applications
- try the secondary mode branch from my repo that was suggested earlier