[Oisf-users] suricata 4.1 eBpf load balance

Eric Leblond eric at regit.org
Tue Oct 2 13:03:52 UTC 2018


Hello,


I've just pushed https://github.com/regit/suricata/tree/ebpf-update-3 

Could you give it a try? It should work better.

BR,
--
Eric Leblond

On Wed, 2018-09-19 at 15:02 +0800, mazhuang at 17paipai.cn wrote:
> Hi Konstantin
> af-packet:
>   - interface: ens4f1
>     threads: 40
>     cluster-id: 99
>     cluster-type: cluster_ebpf
>     defrag: yes
>     ebpf-lb-file:  /etc/suricata/ebpf/lb.bpf
>     use-mmap: yes
> 
> mazhuang at 17paipai.cn
> >  
> > From: Konstantin Klinger
> > Date: 2018-09-19 12:23
> > To: Michał Purzyński
> > CC: mazhuang at 17paipai.cn; Open Information Security Foundation
> > Subject: Re: [Oisf-users] suricata 4.1 eBpf load balance
> > Hi,
> > 
> > I would be interested how you have included this bpf filter into
> > your config?
> > 
> > Cheers,
> > 
> > Konstantin 
> > 
> > -- 
> > Konstantin Klinger
> > Security Content Engineer
> > Threat Detection & Hunting (TDH)
> > 
> > +49 160 95476260
> > konstantin.klinger at dcso.de
> > 
> > dcso.de
> > blog.dcso.de
> > 
> > PGP: 180D C5B3 3C68 5C9A FB58 6F33 400E 5A35 3307 8D46
> >  
> > DCSO Deutsche Cyber-Sicherheitsorganisation GmbH • EUREF-Campus
> > 22 • 10829 Berlin, Germany
> > Managing Director: Dr.-Ing. Gunnar Siebert, Registered office: Berlin,
> > Charlottenburg District Court, HRB 172382
> > 
> > On 18.09.2018 at 20:22, Michał Purzyński <michalpurzynski1 at gmail.com> wrote:
> > 
> > > Can you stop sending screenshots and just C&P logs instead?
> > > 
> > > On Tue, Sep 18, 2018 at 7:53 AM mazhuang at 17paipai.cn <
> > > mazhuang at 17paipai.cn> wrote:
> > > > Hi Eric
> > > > >     I'm sure I have VLAN in my traffic.
> > > > 
> > > > 
> > > > mazhuang at 17paipai.cn
> > > > >  
> > > > > From: Eric Leblond
> > > > > Date: 2018-09-18 22:06
> > > > > To: mazhuang at 17paipai.cn; Peter Manev
> > > > > CC: oisf-users
> > > > > Subject: Re: Re: [Oisf-users] suricata 4.1 eBpf load balance
> > > > > Hello,
> > > > >  
> > > > > On Tue, 2018-09-18 at 21:42 +0800, mazhuang at 17paipai.cn
> > > > > wrote:
> > > > > > Hi Eric
> > > > > >     I used the new lb.c error report as shown below
> > > > > >     No permissions? The figure lb.bpf is readable
> > > > >  
> > > > > OK, let me do some tests and tries here.
> > > > >  
> > > > > Just to be sure, do you have VLAN in your traffic ?
> > > > >  
> > > > > BR,
> > > > > --
> > > > > Eric
> > > > >  
> > > > > >
> > > > > >
> > > > > >
> > > > > > mazhuang at 17paipai.cn
> > > > > > > 
> > > > > > > From: Eric Leblond
> > > > > > > Date: 2018-09-18 21:24
> > > > > > > To: mazhuang at 17paipai.cn; Peter Manev
> > > > > > > CC: oisf-users
> > > > > > > Subject: Re: [Oisf-users] suricata 4.1 eBpf load balance
> > > > > > > Hello,
> > > > > > > 
> > > > > > > > On Tue, 2018-09-18 at 21:14 +0800, mazhuang at 17paipai.cn wrote:
> > > > > > > > Hi Peter
> > > > > > > >     I'm using the suricata source code itself:
> > > > > > > > https://github.com/OISF/suricata/blob/master/ebpf/lb.c
> > > > > > > 
> > > > > > > > This code does not support VLAN; maybe this is your issue.
> > > > > > > 
> > > > > > > I've pushed a new version with VLAN support:
> > > > > > > 
> > > > > > > https://github.com/regit/suricata/tree/ebpf-update
> > > > > > > 
> > > > > > > > Can you give it a try?
> > > > > > > > 
> > > > > > > > You can either use the branch or copy the lb.c to your source tree.
> > > > > > > 
> > > > > > > BR,
> > > > > > > --
> > > > > > > Eric Leblond
> > > > > > > 
> > > > > > > >
> > > > > > > > mazhuang at 17paipai.cn
> > > > > > > > >
> > > > > > > > > From: Peter Manev
> > > > > > > > > Date: 2018-09-18 21:12
> > > > > > > > > To: mazhuang
> > > > > > > > > CC: Open Information Security Foundation
> > > > > > > > > > Subject: Re: [Oisf-users] suricata 4.1 eBpf load balance
> > > > > > > > > On Tue, Sep 18, 2018 at 2:48 PM mazhuang at 17paipai.cn
> > > > > > > > > <mazhuang at 17paipai.cn> wrote:
> > > > > > > > > >
> > > > > > > > > > Hi All
> > > > > > > > > > >     I followed https://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html#setup-ebpf-load-balancing
> > > > > > > > > > > this tutorial to configure ebpf load balancing, but the result was
> > > > > > > > > > > only one core processing the data
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >     Suricata Version:4.1
> > > > > > > > > >     OS:Centos 7
> > > > > > > > > > >     Kernel:Linux yg 4.18.8-1.el7.elrepo.x86_64 #1 SMP Sat Sep 15 10:10:09 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
> > > > > > > > > > >     CPU:Intel(R) Xeon(R) CPU E5-2640 v4 @ 2.40GHz x2
> > > > > > > > > >     Memory:128G
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > Can you share your balancer (lb.bpf) so I can try to reproduce?
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Regards,
> > > > > > > > > Peter Manev
> > > > > > > > >
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > Suricata IDS Users mailing list:
> > > > > > > oisf-users at openinfosecfoundation.org
> > > > > > > > Site: http://suricata-ids.org | Support:
> > > > > > > > http://suricata-ids.org/support/
> > > > > > > > List:
> > > > > > > >
> > > > > > > 
> > > > > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > > > > > >
> > > > > > > > Conference: https://suricon.net
> > > > > > > > Trainings: https://suricata-ids.org/training/
> > > > > > > --
> > > > > > > Eric Leblond <eric at regit.org>
> > > > > > > 
> > > > > --
> > > > > Eric Leblond <eric at regit.org>
> > > > >  
> > > > 
> >  
> 
-- 
Eric Leblond <eric at regit.org>
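
The failure mode raised in the quoted thread (a load-balancing program without VLAN support, and only one core processing traffic), shown as an added userspace C example that is not Suricata's lb.c and not code from this thread. The function names, the src + dst hash, and the fallback value 0 for an unrecognised EtherType are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ETH_HLEN 14
#define ETH_P_IP 0x0800
#define ETH_P_8021Q 0x8100
#define ETH_P_8021AD 0x88A8

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Symmetric IPv4 hash (src + dst) so both directions of a flow match. */
static uint32_t ipv4_hash(const uint8_t *ip, size_t len) {
    return len < 20 ? 0 : rd32(ip + 12) + rd32(ip + 16);
}

/* VLAN-unaware: only checks the outer EtherType. A tagged frame carries
 * 0x8100 there, so every packet gets the assumed fallback value 0. */
uint32_t lb_hash_no_vlan(const uint8_t *f, size_t len) {
    if (len < ETH_HLEN || rd16(f + 12) != ETH_P_IP) return 0;
    return ipv4_hash(f + ETH_HLEN, len - ETH_HLEN);
}

/* VLAN-aware: skip up to two 4-byte tags (802.1Q / QinQ), bounds-checked. */
uint32_t lb_hash_vlan(const uint8_t *f, size_t len) {
    size_t off = ETH_HLEN;
    if (len < ETH_HLEN) return 0;
    uint16_t proto = rd16(f + 12);
    for (int i = 0; i < 2 && (proto == ETH_P_8021Q || proto == ETH_P_8021AD); i++) {
        if (len < off + 4) return 0;
        proto = rd16(f + off + 2); /* inner EtherType follows the TCI */
        off += 4;
    }
    return proto == ETH_P_IP ? ipv4_hash(f + off, len - off) : 0;
}

/* Constructed sample: an 802.1Q-tagged IPv4 frame (VLAN 100), 38 bytes. */
size_t make_tagged_frame(uint8_t *buf, uint32_t src, uint32_t dst) {
    memset(buf, 0, 38);
    buf[12] = 0x81; buf[13] = 0x00; /* TPID: 802.1Q */
    buf[15] = 100;                  /* TCI: VLAN id 100 */
    buf[16] = 0x08; buf[17] = 0x00; /* inner EtherType: IPv4 */
    buf[18] = 0x45;                 /* IPv4, IHL 5 */
    for (int i = 0; i < 4; i++) {
        buf[30 + i] = (uint8_t)(src >> (24 - 8 * i));
        buf[34 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    return 38;
}
```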


