<div dir="ltr">Hi,<div><br></div><div>I am running Ubuntu 18.04 server with kernel 5.0.0-32-generic, following <a href="https://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html">https://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html</a> to test the xdp_filter global bypass feature. Ideally I want to XDP redirect packets even when Suricata is down. I made the changes in xdp_filter.c and recompiled it as below:</div><div><br></div><div><br></div><div>





<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><b>diff --git a/ebpf/xdp_filter.c b/ebpf/xdp_filter.c</b></span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><b>index 9ef2d92f7..0053f16b1 100644</b></span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><b>--- a/ebpf/xdp_filter.c</b></span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><b>+++ b/ebpf/xdp_filter.c</b></span></p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(51,187,200)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">@@ -58,7 +58,7 @@</span></p>
<p class="gmail-p3" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);min-height:19px"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space"> </span></span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space"> </span>/* no vlan tracking: set it to 0 if you don't use VLAN for tracking. Can</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">  </span>* also be used as workaround of some hardware offload issue */</span></p>
<p class="gmail-p4" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(195,55,32)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">-#define VLAN_TRACKING<span class="gmail-Apple-converted-space">    </span>1</span></p>
<p class="gmail-p5" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(52,188,38)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">+#define VLAN_TRACKING<span class="gmail-Apple-converted-space">    </span>0</span></p>
<p class="gmail-p3" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);min-height:19px"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space"> </span></span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space"> </span>struct vlan_hdr {</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">     </span>__u16<span class="gmail-Apple-converted-space">      </span>h_vlan_TCI;</span></p>
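<p>Review bot: at "#define VLAN_TRACKING 0", this switch is independent of the global bypass being tested and should go in a separate change, so that a load failure can be attributed to a single define. The comment directly above it says 0 is meant for setups that do not use VLAN for tracking (or as a hardware offload workaround), so leave it at 1 unless that matches how Suricata is configured on these interfaces.</p>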
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(51,187,200)">@@ -176,7 +176,7 @@</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> struct bpf_map_def SEC("maps") tx_peer_int = {</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space"> </span>};</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space"> </span>#endif</span></p>
<p class="gmail-p3" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);min-height:19px"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space"> </span></span></p>
<p class="gmail-p4" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(195,55,32)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">-#define USE_GLOBAL_BYPASS <span class="gmail-Apple-converted-space">  </span>0</span></p>
<p class="gmail-p5" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(52,188,38)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">+#define USE_GLOBAL_BYPASS <span class="gmail-Apple-converted-space">  </span>1</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space"> </span>#if USE_GLOBAL_BYPASS</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space"> </span>/* single entry to indicate if global bypass switch is on */</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space"> </span>struct bpf_map_def SEC("maps") global_bypass = {</span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><br></span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><br></span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">then I started the suricata as:</span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><br></span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)">
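Review bot: the global_bypass map that "#define USE_GLOBAL_BYPASS 1" compiles in needs a 4-byte key, and its definition is cut off after the opening brace in this hunk, so the sizes cannot be checked from the diff alone. The strace output further down shows this map being created as BPF_MAP_TYPE_ARRAY with key_size=1, value_size=1 and rejected with EINVAL; the kernel only accepts key_size 4 for array maps. Change the map definition to key_size = sizeof(__u32), and make the lookup key in the program a __u32 as well, before turning this define on.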





</p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">#strace -e trace=bpf<span class="gmail-Apple-converted-space">  </span>suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid<span class="gmail-Apple-converted-space">  </span>--af-packet<span class="gmail-Apple-converted-space">  </span>-vvv</span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">..............CUT.........</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">[</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(175,173,36)">5405</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">] </span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(52,188,38)">13/11/2019 -- 08:13:06</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> - (</span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(82,48,225)">runmode-af-packet.c</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(52,188,38)">272</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">) <</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(175,173,36)">Info</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">> 
(</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(52,188,38)">ParseAFPConfig</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">) -- AF_PACKET IPS mode activated enp4s0f0->enp4s0f1</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">[</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(175,173,36)">5405</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">] </span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(52,188,38)">13/11/2019 -- 08:13:06</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> - (</span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(82,48,225)">runmode-af-packet.c</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(52,188,38)">328</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">) <</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(175,173,36)">Config</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">> (</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(52,188,38)">ParseAFPConfig</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">) -- Using queue based cluster mode for AF_PACKET (iface enp4s0f0)</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">[</span><span class="gmail-s2" 
style="font-variant-ligatures:no-common-ligatures;color:rgb(175,173,36)">5405</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">] </span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(52,188,38)">13/11/2019 -- 08:13:06</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> - (</span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(82,48,225)">runmode-af-packet.c</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">:</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(52,188,38)">391</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">) <</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(175,173,36)">Config</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">> (</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(52,188,38)">ParseAFPConfig</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">) -- Using pinned maps on iface enp4s0f0</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">bpf(BPF_OBJ_GET, {pathname="/sys/fs/bpf/suricata-enp4s0f0-flow_table_v4", bpf_fd=0}, 112) = -1 ENOENT (No such file or directory)</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SOCKET_FILTER, insn_cnt=2, insns=0x7fffb3a31a10, license="GPL", log_level=0, log_size=0, log_buf=0, kern_version=0, prog_flags=0}, 112) = 8</span></p><p class="gmail-p1" style="margin:0px;font:16px 
Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SOCKET_FILTER, insn_cnt=2, insns=0x7fffb3a31a10, license="GPL", log_level=0, log_size=0, log_buf=0, kern_version=0, prog_flags=0, ...}, 112) = 8</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_ARRAY, key_size=4, value_size=32, max_entries=1, map_flags=0, inner_map_fd=0}, 112) = 8</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SOCKET_FILTER, insn_cnt=5, insns=0x7fffb3a319f0, license="GPL", log_level=0, log_size=0, log_buf=0, kern_version=0, prog_flags=0}, 112) = -1 EINVAL (Invalid argument)</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">bpf(0x12 /* BPF_??? */, 0x7fffb3a31980, 112) = 8</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">bpf(0x12 /* BPF_??? 
*/, 0x7fffb3a31980, 112) = -1 EINVAL (Invalid argument)</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERCPU_HASH, key_size=16, value_size=16, max_entries=32768, map_flags=0, inner_map_fd=0, ...}, 112) = 7</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERCPU_HASH, key_size=40, value_size=16, max_entries=32768, map_flags=0, inner_map_fd=0, ...}, 112) = 8</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">bpf(BPF_MAP_CREATE, {map_type=0x10 /* BPF_MAP_TYPE_??? */, key_size=4, value_size=4, max_entries=64, map_flags=0, inner_map_fd=0, ...}, 112) = 9</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_ARRAY, key_size=4, value_size=4, max_entries=64, map_flags=0, inner_map_fd=0, ...}, 112) = 10</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_ARRAY, key_size=4, value_size=4, max_entries=1, map_flags=0, inner_map_fd=0, ...}, 112) = 11</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_DEVMAP, key_size=4, value_size=4, max_entries=1, 
map_flags=0, inner_map_fd=0, ...}, 112) = 12</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_ARRAY, key_size=4, value_size=4, max_entries=1, map_flags=0, inner_map_fd=0, ...}, 112) = 13</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_ARRAY, key_size=1, value_size=1, max_entries=1, map_flags=0, inner_map_fd=0, ...}, 112) = -1 EINVAL (Invalid argument)</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">libbpf: failed to create map (name: 'global_bypass'): Invalid argument(-22)</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">libbpf: failed to load object '/usr/libexec/suricata/ebpf/xdp_filter.bpf'</span></p><p class="gmail-p2" style="margin:0px;font:16px Menlo;color:rgb(195,55,32);background-color:rgb(255,255,255)"><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">[</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(175,173,36)">5405</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">] </span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(52,188,38)">13/11/2019 -- 08:13:06</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"> - (</span><span class="gmail-s4" 
style="font-variant-ligatures:no-common-ligatures;color:rgb(82,48,225)">util-ebpf.c</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">:</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(52,188,38)">400</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">) <</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><b>Error</b></span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">> (</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(52,188,38)">EBPFLoadFile</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">) -- [</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(175,173,36)">ERRCODE</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">: </span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">SC_ERR_INVALID_VALUE</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">(</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(175,173,36)">130</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">)] - </span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">Unable to load eBPF object: Invalid argument (-22)</span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">


























</span></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(195,55,32)"><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">[</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(175,173,36)">5405</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">] </span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(52,188,38)">13/11/2019 -- 08:13:06</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"> - (</span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(82,48,225)">runmode-af-packet.c</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">:</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(52,188,38)">532</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">) <</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">Warning</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">> (</span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(52,188,38)">ParseAFPConfig</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">) -- [</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(175,173,36)">ERRCODE</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">: </span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">SC_ERR_INVALID_VALUE</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">(</span><span 
class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(175,173,36)">130</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">)] - </span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">Error when loading XDP filter file</span></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(195,55,32)"><br></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(195,55,32)">Here is my suricata config:</p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(195,55,32)"><br></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(51,187,200);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">af-packet</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span></p><p class="gmail-p2" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">  </span></span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(205,121,35)">- </span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(51,187,200)">interface</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> enp4s0f0</span></p><p class="gmail-p2" style="margin:0px;font:16px 
Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(51,187,200)">threads</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> auto</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(51,187,200);background-color:rgb(255,255,255)"><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">cluster-id</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"> </span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures;color:rgb(195,55,32)">99</span></p><p class="gmail-p2" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(51,187,200)">cluster-type</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> cluster_qm</span></p><p class="gmail-p2" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s4" 
style="font-variant-ligatures:no-common-ligatures;color:rgb(51,187,200)">defrag</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> yes</span></p><p class="gmail-p2" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(51,187,200)">use-mmap</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> yes</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(51,187,200);background-color:rgb(255,255,255)"><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">ring-size</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"> </span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures;color:rgb(195,55,32)">200000</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(51,187,200);background-color:rgb(255,255,255)"><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">copy-mode</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s5" 
style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"> ips</span></p><p class="gmail-p2" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(51,187,200)">copy-iface</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> enp4s0f1</span></p><p class="gmail-p2" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(51,187,200)">xdp-mode</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> driver</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(51,187,200);background-color:rgb(255,255,255)"><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">pinned-maps</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"> </span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures;color:rgb(195,55,32)">true</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(51,187,200);background-color:rgb(255,255,255)"><span class="gmail-s5" 
style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">pinned-maps-name</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"> ipv4_drop</span></p><p class="gmail-p2" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(51,187,200)">xdp-filter-file</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">  </span>/usr/libexec/suricata/ebpf/xdp_filter.bpf</span></p><p class="gmail-p2" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">  </span></span><span class="gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(205,121,35)">- </span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(51,187,200)">interface</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> enp4s0f1</span></p><p class="gmail-p2" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s4" 
style="font-variant-ligatures:no-common-ligatures;color:rgb(51,187,200)">threads</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> auto</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(51,187,200);background-color:rgb(255,255,255)"><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">cluster-id</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"> </span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures;color:rgb(195,55,32)">100</span></p><p class="gmail-p2" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(51,187,200)">cluster-type</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> cluster_qm</span></p><p class="gmail-p2" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(51,187,200)">defrag</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s1" 
style="font-variant-ligatures:no-common-ligatures"> yes</span></p><p class="gmail-p2" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(51,187,200)">use-mmap</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> yes</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(51,187,200);background-color:rgb(255,255,255)"><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">ring-size</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"> </span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures;color:rgb(195,55,32)">200000</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(51,187,200);background-color:rgb(255,255,255)"><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">copy-mode</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"> ips</span></p><p class="gmail-p2" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" 
style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(51,187,200)">copy-iface</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> enp4s0f0</span></p><p class="gmail-p2" style="margin:0px;font:16px Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(51,187,200)">xdp-mode</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"> driver</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(51,187,200);background-color:rgb(255,255,255)"><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">pinned-maps</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"> </span><span class="gmail-s6" style="font-variant-ligatures:no-common-ligatures;color:rgb(195,55,32)">true</span></p><p class="gmail-p1" style="margin:0px;font:16px Menlo;color:rgb(51,187,200);background-color:rgb(255,255,255)"><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s1" 
style="font-variant-ligatures:no-common-ligatures">pinned-maps-name</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"> ipv4_drop</span></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(195,55,32)">
</p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span></span><span class="gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(51,187,200)">xdp-filter-file</span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(213,59,211)">:</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">  </span>/usr/libexec/suricata/ebpf/xdp_filter.bpf</span></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><br></span></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">any clue?</span></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><br></span></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><br></span></p></div></div>