Suricata bypass: eBPF/XDP/DPDK

Hello,
To prevent, amongst other things, Suricata from choking on elephant streams, I would like to have certain traffic bypass Suricata or drop dead before reaching Suricata. Reading the docs and forums, this seems to be the way to achieve it: 19.4. eBPF and XDP — Suricata 7.0.0-rc2-dev documentation
But before proceeding, is it possible to use this setup with Suricata v7 and DPDK? Or is there an option within DPDK itself (prefilter?)?
Thanks!
Andre

Hi @atbohmer,

Yes, with DPDK you can still bypass flows “locally” (that means Suricata does the internal bypass: Suricata receives the packets but drops them immediately after the decoding stage).

In terms of XDP, on some NICs you can have your eBPF program running in the hardware itself (directly on the card). That would theoretically make it a slightly better alternative than what is supported by Suricata (but I wasn’t able to test it as I didn’t have a chance to try such a card) - I think Netronome makes those cards.
If I remember correctly, in your other post you mentioned you have Intel E810 NICs. Those, I believe, do not have hardware support for eBPF programs. That means the eBPF program runs at the driver level (at best). As this is already on the software side, this makes it architecturally similar to the DPDK solution. However, I believe DPDK is more flexible with packet decoding.

From that perspective and from my point of view - unless you have a HW-supported eBPF card and (if I remember correctly) you have a DPDK setup ready - I think it might be best for you to just enable bypass in Suricata and see how it goes.

Just a note: it would be very interesting to integrate DPDK rte_flow support into Suricata, as that would allow bypass of packets at the hardware level in DPDK mode and on multiple NICs (e.g. even on Nvidia/Intel NICs):
https://doc.dpdk.org/guides/prog_guide/rte_flow.html

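As an added example (my own configuration sketch, not something either poster provided), this is what enabling the "local" bypass described above looks like in suricata.yaml when the capture method is DPDK. The flow is still delivered by the NIC, but once it is marked for bypass its packets are dropped after decoding and never reach the stream, detect or output stages. The PCI address, memcap and reassembly depth are placeholder values to adjust for the host.

```yaml
# Added example: local (software) bypass with the DPDK capture method.
# Bypassed flows are still received from the NIC, but their packets are
# dropped right after the decoder, so stream/detect/output never see them.
# Values marked "placeholder" are assumptions chosen for illustration.

dpdk:
  eal-params:
    proc-type: primary
  interfaces:
    - interface: 0000:3b:00.0     # placeholder: PCI address of the capture port
      threads: auto
      promisc: true
      multicast: true
      checksum-checks: true
      checksum-checks-offload: true
      mempool-size: 65535
      mempool-cache-size: 257
      rx-descriptors: 1024
      tx-descriptors: 1024
      copy-mode: none             # IDS mode: no TX copy to a peer interface
      copy-iface: none

stream:
  # When a flow exceeds the reassembly depth there is nothing left to
  # inspect at the application layer; with bypass enabled Suricata marks the
  # flow as bypassed instead of continuing to decode every packet of it.
  bypass: yes
  reassembly:
    depth: 1mb                    # placeholder: per-direction reassembly limit

app-layer:
  protocols:
    tls:
      enabled: yes
      # After the TLS handshake the payload is opaque; bypass the rest of
      # the flow rather than pushing every encrypted record through detect.
      encryption-handling: bypass

flow:
  # Bypassed flows stay in the flow table until they time out, so size the
  # memcap for the number of elephant flows expected to be alive at once.
  memcap: 256mb                   # placeholder
```

The same mechanism can be driven from a rule with the `bypass` keyword, for example a placeholder rule such as `alert tcp any any -> any 445 (msg:"bypass bulk SMB"; flow:established; bypass; sid:1000001; rev:1;)`: the matching flow is bypassed from that packet onward. Note that bypass applies per flow, so the first packets of an elephant flow are still decoded, and the flow record itself is still written to the flow log when it ends; it is the per-packet stream, detect and app-layer work that is skipped.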

Thanks for the thoughtful insight and suggestions! Continuing the Suricata and DPDK saga :wink: Great work!


Hi, any news on how to achieve this? With pass in local.rules it of course still logs all that traffic, but does not inspect it or such. How do I let it drop completely dead before entering the Suricata data output?
Cheers,
Andre