Unable to install eBPF for CentOS7?

When AF_PACKET is enabled on CentOS7, IPS mode cannot drop packets but only alert. So I upgraded the CentOS7 kernel and installed eBPF. Why does Suricata always show the following error?

runmode-af-packet.c:474:16: error: no member named ‘ebpf_t_config’ in
‘struct AFPIfaceConfig_’
aconf->ebpf_t_config.mode = AFP_MODE_XDP_BYPASS;
~~~~~ ^
runmode-af-packet.c:474:37: error: use of undeclared identifier
‘AFP_MODE_XDP_BYPASS’
aconf->ebpf_t_config.mode = AFP_MODE_XDP_BYPASS;
^
runmode-af-packet.c:475:16: error: no member named ‘ebpf_t_config’ in
‘struct AFPIfaceConfig_’
aconf->ebpf_t_config.flags |= EBPF_XDP_CODE;
~~~~~ ^

Can you please share what your kernel and Suricata versions are?
Also how you built it and the IPS section of the config, to cover the basic setup.

Since AF-Packet was started before, IPS mode could not drop packets but only displayed warnings.

CentOS7 kernel version 5.10

Suricata - 6.0.0 version

IPS configuration in AF-PACKET mode

af-packet:
  - interface: eth0
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: eth1
    buffer-size: 64535
    use-mmap: yes
  - interface: eth1
    threads: 1
    cluster-id: 97
    defrag: no
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes

Do you mind sharing suricata --build-info too please?

OK

About eBPF, I can’t compile Suricata on CentOS7, but I can compile it on Ubuntu!


Can you try adding

tpacket-v3: no
to your af-packet config in both sections. Any better?

No effect.

In the Suricata gateway scenario, CentOS7 does not support IPS with AF-PACKET.

I gave up CentOS7 in favor of Ubuntu.

Hi,
Just for clarification -
So everything in terms of Suricata versions and compile line is the same but it does not compile on CentOS7 - correct?
(or it compiles but does not drop packets?)
What was the kernel level on the CentOS you tried running it ?

The correct explanation should be, in the CentOS7 environment:
Suricata did not compile successfully when eBPF was installed.
Without eBPF, although Suricata compiles successfully, IPS mode cannot drop packets and only displays warnings.
I tried the CentOS7 kernel versions 3.10.0-1160 and 5.10.0, without success.

This is in the case of af-packet.

Hi, I’m facing almost the same errors as jydr, but giving up on CentOS7, at least until EOL, is the most unlikely solution.

I’m trying to compile Suricata 6.0.1 with Hyperscan and eBPF & XDP support on CentOS 7 with kernel 4.4

runmode-af-packet.c: In function ‘ParseAFPConfig’:
runmode-af-packet.c:474:14: error: ‘AFPIfaceConfig’ has no member named ‘ebpf_t_config’ 
     aconf->ebpf_t_config.mode = AFP_MODE_XDP_BYPASS;
          ^
runmode-af-packet.c:474:37: error: ‘AFP_MODE_XDP_BYPASS’ undeclared (first use in this function) 
     aconf->ebpf_t_config.mode = AFP_MODE_XDP_BYPASS;
                                 ^
runmode-af-packet.c:474:37: note: each undeclared identifier is reported only once for each function it appears in
runmode-af-packet.c:475:14: error: ‘AFPIfaceConfig’ has no member named ‘ebpf_t_config’ 
     aconf->ebpf_t_config.flags |= EBPF_XDP_CODE;
          ^
runmode-af-packet.c:475:39: error: ‘EBPF_XDP_CODE’ undeclared (first use in this function) 
     aconf->ebpf_t_config.flags |= EBPF_XDP_CODE;
                                   ^
runmode-af-packet.c:483:22: error: ‘AFPIfaceConfig’ has no member named ‘ebpf_t_config’ 
         if (aconf->ebpf_t_config.flags & EBPF_PINNED_MAPS) {
                  ^
runmode-af-packet.c:483:46: error: ‘EBPF_PINNED_MAPS’ undeclared (first use in this function)
         if (aconf->ebpf_t_config.flags & EBPF_PINNED_MAPS) {
                                          ^
In file included from util-debug-filters.h:29:0,
             from util-debug.h:32,
             from suricata-common.h:502,
             from runmode-af-packet.c:33:
runmode-af-packet.c:485:70: error: invalid application of ‘sizeof’ to incomplete type ‘struct ebpf_timeout_config’  
             struct ebpf_timeout_config *ebt = SCCalloc(1, sizeof(struct ebpf_timeout_config));
                                                                  ^
util-mem.h:53:46: note: in definition of macro ‘SCCalloc’
 #define SCCalloc(nm, sz) SCCallocFunc((nm), (sz))
                                          ^
runmode-af-packet.c:489:40: error: ‘AFPIfaceConfig’ has no member named ‘ebpf_t_config’
                 memcpy(ebt, &(aconf->ebpf_t_config), sizeof(struct ebpf_timeout_config));
                                    ^
runmode-af-packet.c:489:65: error: invalid application of ‘sizeof’ to incomplete type ‘struct ebpf_timeout_config’
                 memcpy(ebt, &(aconf->ebpf_t_config), sizeof(struct ebpf_timeout_config));
                                                             ^
runmode-af-packet.c:491:29: error: ‘EBPFCheckBypassedFlowCreate’ undeclared (first use in this function)
                         EBPFCheckBypassedFlowCreate,
                         ^
runmode-af-packet.c:495:51: error: ‘EBPFUpdateFlow’ undeclared (first use in this function)
         BypassedFlowManagerRegisterUpdateFunc(EBPFUpdateFlow, NULL);
                                               ^
runmode-af-packet.c:503:31: error: ‘XDP_FLAGS_SKB_MODE’ undeclared (first use in this function)
         aconf->xdp_mode = XDP_FLAGS_SKB_MODE;
                           ^
runmode-af-packet.c:508:35: error: ‘XDP_FLAGS_DRV_MODE’ undeclared (first use in this function)
             aconf->xdp_mode = XDP_FLAGS_DRV_MODE;
                               ^
runmode-af-packet.c:510:35: error: ‘XDP_FLAGS_HW_MODE’ undeclared (first use in this function)
             aconf->xdp_mode = XDP_FLAGS_HW_MODE;
                               ^
runmode-af-packet.c:511:22: error: ‘AFPIfaceConfig’ has no member named ‘ebpf_t_config’
             aconf->ebpf_t_config.flags |= EBPF_XDP_HW_MODE;
                  ^
runmode-af-packet.c:511:47: error: ‘EBPF_XDP_HW_MODE’ undeclared (first use in this function)
             aconf->ebpf_t_config.flags |= EBPF_XDP_HW_MODE;
                                           ^
runmode-af-packet.c:523:22: error: ‘AFPIfaceConfig’ has no member named ‘ebpf_t_config’
             aconf->ebpf_t_config.cpus_count = 1;
                  ^
runmode-af-packet.c:532:9: error: implicit declaration of function ‘EBPFLoadFile’ [-Werror=implicit-function-declaration]
     int ret = EBPFLoadFile(aconf->iface, aconf->xdp_filter_file, "xdp",
     ^
runmode-af-packet.c:534:38: error: ‘AFPIfaceConfig’ has no member named ‘ebpf_t_config’
                            &aconf->ebpf_t_config);
                                  ^
runmode-af-packet.c:544:17: error: implicit declaration of function ‘EBPFSetupXDP’ [-Werror=implicit-function-declaration]
             ret = EBPFSetupXDP(aconf->iface, aconf->xdp_filter_fd, aconf->xdp_mode);
             ^
runmode-af-packet.c:559:29: error: implicit declaration of function ‘EBPFBuildCPUSet’ [-Werror=implicit-function-declaration]
                         EBPFBuildCPUSet(node, aconf->iface);
                         ^
runmode-af-packet.c:568:21: error: implicit declaration of function ‘EBPFSetPeerIface’ [-Werror=implicit-function-declaration]
      EBPFSetPeerIface(aconf->iface, aconf->out_iface);

Maybe worth trying with a later kernel version.

Sorry for the late answer Peter, but no success with kernel 5.4 and 5.10.

How do you compile libbpf (from git master) ?

Yes, from git master,
but I had to install clang from SCL due to the requirement (clang >= 3.9); now I have 5.1.
I also had to install elfutils-libelf-devel and run ./configure for Suricata with the --with-clang= parameter, because otherwise configure complains that pcap.h is not found.

Maybe it is worth saying that I am trying to compile it on a VM (without a suitable NIC); not sure if that could be the problem.

Hm, not sure if it is a HW issue. I mean, whether a suitable NIC is there or not, the compile is for Suricata/libbpf, not the NIC (then it can complain later, of course).

Here is, from what I remember; sometimes I had to manually update ldconfig:

cd /opt && \
git clone https://github.com/libbpf/libbpf && cd libbpf/src/ && \
make clean && make && \
make install && make install_headers && \
ldconfig

then (and remove any previous ones if they exist)

echo "/usr/local/lib64" > /etc/ld.so.conf.d/local.conf
ldconfig 

or (depending on arch/install paths)

echo "/usr/lib64" > /etc/ld.so.conf.d/local.conf
ldconfig 

I’ve spent almost the whole weekend on it, and it seems that CentOS 7 doesn’t have support for eBPF even after the kernel upgrade, or I haven’t figured out how to get it up and running.

Everything starts at this error:

runmode-af-packet.c:474:14: error: ‘AFPIfaceConfig’ has no member named ‘ebpf_t_config’

I traced this error through the compilation process, and in source-af-packet.h there is this definition guarded by HAVE_PACKET_EBPF:

#ifdef HAVE_PACKET_EBPF
    struct ebpf_timeout_config ebpf_t_config;
#endif

which is defined in configure.ac

AC_CHECK_DECL([PACKET_FANOUT_EBPF],
        AC_DEFINE([HAVE_PACKET_EBPF],[1],[Recent ebpf fanout support is available]),
        [],
        [[#include <linux/if_packet.h>]])

PACKET_FANOUT_EBPF should be defined in linux/if_packet.h, but it’s missing. I tried to write it in myself (just for testing) and it passed, but then I got the following error from sockets. Then I gave it up and tried to install CentOS Stream, where everything seems to work quite well.

Tell me if I’m wrong, but it seems that CentOS 7 is useless when I need eBPF.
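
The post above traces the build failure to configure.ac's AC_CHECK_DECL for PACKET_FANOUT_EBPF in linux/if_packet.h. The script below is an added example, not code from the thread or from the Suricata project: it repeats that probe with grep instead of a compile, and also decodes LINUX_VERSION_CODE from linux/version.h so you can see which kernel the userspace headers under an include directory were generated from, independently of the kernel currently booted (uname -r). The two header trees it builds are constructed for the demonstration; 199168 and 330240 are the LINUX_VERSION_CODE values for 3.10.0 and 5.10.0 (major<<16 | minor<<8 | patch). PACKET_FANOUT_EBPF was added to the kernel's UAPI headers in Linux 4.2, so a headers package older than that will never satisfy the configure check.

```shell
#!/bin/sh
# Added example (not from the thread or the Suricata project): reproduce the
# configure.ac AC_CHECK_DECL probe for PACKET_FANOUT_EBPF with grep, and show
# which kernel version a header tree (e.g. /usr/include) actually describes.
# The header trees built by make_fake_headers are constructed test data.
set -eu

# Decode LINUX_VERSION_CODE from <include_dir>/linux/version.h as "major.minor.patch".
# This is the kernel the headers package was generated from, not the running kernel.
header_kernel_version() {
    code=$(sed -n 's/^#define[[:space:]][[:space:]]*LINUX_VERSION_CODE[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1/linux/version.h")
    [ -n "$code" ] || return 1
    echo "$((code >> 16)).$(((code >> 8) & 255)).$((code & 255))"
}

# Succeed when PACKET_FANOUT_EBPF is declared in <include_dir>/linux/if_packet.h,
# the declaration configure.ac requires before it defines HAVE_PACKET_EBPF.
fanout_ebpf_declared() {
    grep -qE '^#define[[:space:]]+PACKET_FANOUT_EBPF[[:space:]]' "$1/linux/if_packet.h"
}

# Print "ok" when the declaration is present, otherwise "missing <headers-version>".
diagnose() {
    if fanout_ebpf_declared "$1"; then
        echo ok
    else
        v=$(header_kernel_version "$1" || echo unknown)
        echo "missing $v"
    fi
}

# Build a constructed, minimal header tree: <dir>/linux/version.h plus
# <dir>/linux/if_packet.h with or without the PACKET_FANOUT_EBPF declaration.
make_fake_headers() {
    dir=$1; version_code=$2; with_ebpf=$3
    mkdir -p "$dir/linux"
    printf '#define LINUX_VERSION_CODE %s\n' "$version_code" > "$dir/linux/version.h"
    {
        printf '#define PACKET_FANOUT_HASH 0\n'
        printf '#define PACKET_FANOUT_CPU 2\n'
        if [ "$with_ebpf" = yes ]; then
            printf '#define PACKET_FANOUT_EBPF 7\n'
        fi
    } > "$dir/linux/if_packet.h"
}

# Demo on the constructed trees, then on the real /usr/include when it exists.
main() {
    tmp=$(mktemp -d)
    make_fake_headers "$tmp/centos7" 199168 no    # headers from a 3.10.0 kernel, no PACKET_FANOUT_EBPF
    make_fake_headers "$tmp/recent"  330240 yes   # headers from a 5.10.0 kernel
    echo "centos7-style headers: $(diagnose "$tmp/centos7")"
    echo "recent headers:        $(diagnose "$tmp/recent")"
    rm -rf "$tmp"
    if [ -f /usr/include/linux/if_packet.h ]; then
        echo "this host (/usr/include): $(diagnose /usr/include), running kernel $(uname -r)"
    fi
}
main
```

Run it on the CentOS 7 box in question: if the last line reports "missing 3.10.0" next to a 5.x running kernel, configure is probing the headers of the stock kernel-headers package rather than the kernel you booted, and HAVE_PACKET_EBPF will never be defined no matter which kernel is running. Matching headers have to be installed for the upgraded kernel (for example the headers package that ships alongside an ELRepo kernel-ml build) before Suricata's configure can pass this check; grep only approximates AC_CHECK_DECL, so confirm the final verdict in config.log and in suricata --build-info.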

It could very well be some of that and/or some other lib dependencies too.
While troubleshooting different installs I have found out the hard way that the version of libelf1 is of big importance too.