Xdp_filter - suricata

ozgur · January 17, 2023, 11:18am

Hi everyone,
I am working xdp_filter with suricata. I added rule about to drop icmp packets. This is af-packet section in suricata.yaml:
af-packet:

interface: wlp0s20f3
#Number of receive threads. “auto” uses the number of cores
#threads: auto
#Default clusterid. AF_PACKET will load balance packets based on flow.
cluster-id: 99
cluster-type: cluster_cpu
defrag: yes
xdp-mode: soft
xdp-filter-file: /home/ozgurkeskin/Projects/suricata/ebpf/xdp_filter.bpf
xdp-cpu-redirect: [“all”]
bypass: yes
use-mmap: yes
ring-size: 200000

When I started ping to 8.8.8.8 suricata can not drop icmp packets. Any help would be great!
Best regards,

pevma · January 17, 2023, 2:00pm

Hi,
Any error during Suricata start? What does the filter bpf do actually?

ozgur · January 18, 2023, 7:19am

Hi Peter,
I didn’t face any error message during Suricata start. I checked logs it seem fine.
xdp_filter aims “XDP bypass allows Suricata to tell the kernel that packets for some flows have to be dropped via the XDP mechanism. This is an early drop that occurs before the datagram reaches the Linux kernel network stack.”

Andreas_Herz · January 18, 2023, 2:28pm

What version are you running?
How does your suricata.yaml look like?
How do you start suricata?

ozgur · January 19, 2023, 7:33am

Hi Andreas,
This is Suricata version 7.0.0-rc1-dev (4c7ca2c36 2022-12-22)
Run command
/usr/bin/suricata -c /home/ozgurkeskin/Projects/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet=wlp0s20f3 -vvv
And I attached suricata.yaml.
suricata.yaml (79.7 KB)

Andreas_Herz · January 24, 2023, 2:51pm

Did you update the xdp_filter.bpf file or did you use a shipped one?

ozgur · January 25, 2023, 6:30am

I used shipped one but I have to update maps declaration.Here is the link about problem.

ozgur · May 31, 2023, 10:38am

Hi Andreas, is there any update about my issue?

Andreas_Herz · May 31, 2023, 11:33am

Yes see Libbpf 1.x with Suricata 6 doesn't support XDP - #6 by Loathe and also Bug #6088: xdp/ebpf: updated shipped bpf files to be supported by libbpf v1.0 and higher - Suricata - Open Information Security Foundation so it needs to be updated to make it work, which is not done yet

ozgur · May 31, 2023, 12:15pm

Hi Andreas

I did this refactor about legacy map definitions and then builded ebpf files again. Start suricata with no error. When I entered drop rule in suritaca.rules file in order to drop all icmp trafic it is not working.

Loathe · June 1, 2023, 7:00am

Hello, it seems you are using Suricata as IPS. In this mode official docs tells you should use 2 interfaces like router or firewall, one for incoming traffic and one for outgoing. To make this work you should also set ipv[4 or 6].ip_forward to 1 in your system (sysctl -a | grep forward can help to find it). And then add symmetric parameters in your af-packet section for both interfaces:
af-packet:

interface: eth0
copy-mode: ips
copy-iface: eth1
interface: eth1
copy-mode: ips
copy-iface: eth0
I have not tested it myself, cause we use Suricata as IDS, but official docs says it (13. Setting up IPS/inline for Linux — Suricata 6.0.12 documentation)

Topic		Replies	Views
Dropping Traffic Using Suricata with XDP Help ips , suricata , xdp	1	88	April 25, 2024
Af-xdp cannot run as normal after build suricata source code with xdp flag Developers suricata , xdp	3	714	January 17, 2023
High Kernel drops count when downloading somethings Help xdp	3	422	May 16, 2022
XDP filter: skipping unrecognized data section Help	4	1075	January 28, 2021
High number of kernel_drops Help	13	3370	March 2, 2021

Xdp_filter - suricata

Related Topics