Hi,
I am testing Suricata 6.0.1 on CentOS 8.1 with AF-PACKET and XDP support, and it looks like it is working: the number of bypassed packets keeps rising in the stats. However, when starting, Suricata prints out 2 lines from libbpf that I am not sure about. Are those lines OK, and can I safely ignore them?
21/1/2021 -- 12:20:42 - <Config> - Enabling tpacket v3 capture on iface ens1f0
21/1/2021 -- 12:20:42 - <Config> - Using queue based cluster mode for AF_PACKET (iface ens1f0)
21/1/2021 -- 12:20:42 - <Config> - Using bypass kernel functionality for AF_PACKET (iface ens1f0)
libbpf: elf: skipping unrecognized data section(8) .eh_frame
libbpf: elf: skipping relo section(9) .rel.eh_frame for section(8) .eh_frame
21/1/2021 -- 12:20:42 - <Info> - Successfully loaded eBPF file '/usr/libexec/suricata/ebpf/xdp_filter.bpf' on 'ens1f0'
21/1/2021 -- 12:20:43 - <Info> - Found 19 RX RSS queues for 'ens1f0'
21/1/2021 -- 12:20:43 - <Perf> - 19 RSS queues, so using 19 threads
The library libbpf was installed as follows:
git clone https://github.com/libbpf/libbpf.git && cd libbpf/src/
make && sudo make install
sudo make install_headers
sudo ldconfig
and I used the standard ebpf/xdp_filter.bpf XDP filter in the suricata.yaml configuration.
The af-packet configuration is as follows:
af-packet:
  - interface: ens1f0
    cluster-id: 99
    cluster-type: cluster_qm # symmetric hashing is a must!
    xdp-mode: driver
    xdp-filter-file: /usr/libexec/suricata/ebpf/xdp_filter.bpf
    bypass: yes
    defrag: no
    use-mmap: yes
    mmap-locked: yes
    tpacket-v3: yes
    ring-size: 200000
    block-size: 65536
My only doubts so far are about:
libbpf: elf: skipping unrecognized data section(8) .eh_frame
libbpf: elf: skipping relo section(9) .rel.eh_frame for section(8) .eh_frame
as I am new to XDP and I couldn’t find a satisfactory answer on Google.
Can I ignore them or is it something I should worry about?
Thanks in advance!
Lukas