[Oisf-users] suricata 4.1 eBpf load balance

mazhuang at 17paipai.cn mazhuang at 17paipai.cn
Wed Sep 19 07:02:11 UTC 2018 

Hi Konstantin
af-packet:
  - interface: ens4f1
    threads: 40
    cluster-id: 99
    cluster-type: cluster_ebpf
    defrag: yes
    ebpf-lb-file:  /etc/suricata/ebpf/lb.bpf
    use-mmap: yes



mazhuang at 17paipai.cn
 
From: Konstantin Klinger
Date: 2018-09-19 12:23
To: Michał Purzyński
CC: mazhuang at 17paipai.cn; Open Information Security Foundation
Subject: Re: [Oisf-users] suricata 4.1 eBpf load balance
Hi,

I would be interested how you have included this bpf filter into your config?

Cheers, 

Konstantin 

-- 
Konstantin Klinger
Security Content Engineer
Threat Detection & Hunting (TDH)

+49 160 95476260
konstantin.klinger at dcso.de

dcso.de
blog.dcso.de

PGP: 180D C5B3 3C68 5C9A FB58 6F33 400E 5A35 3307 8D46
 
DCSO Deutsche Cyber-Sicherheitsorganisation GmbH • EUREF-Campus
22 • 10829 Berlin, Germany
Geschäftsführer: Dr.-Ing. Gunnar Siebert, Sitz der Gesellschaft: Berlin,
Amtsgericht Charlottenburg HRB 172382

Am 18.09.2018 um 20:22 schrieb Michał Purzyński <michalpurzynski1 at gmail.com>:

Can you stop sending screenshoots and just C&P logs instead?

On Tue, Sep 18, 2018 at 7:53 AM mazhuang at 17paipai.cn <mazhuang at 17paipai.cn> wrote:
Hi Eric
    I'sure have vlan in my traccic.



mazhuang at 17paipai.cn
 
From: Eric Leblond
Date: 2018-09-18 22:06
To: mazhuang at 17paipai.cn; Peter Manev
CC: oisf-users
Subject: Re: Re: [Oisf-users] suricata 4.1 eBpf load balance
Hello,
 
On Tue, 2018-09-18 at 21:42 +0800, mazhuang at 17paipai.cn wrote:
> Hi Eric
>     I used the new lb.c error report as shown below
>     No permissions? The figure lb.bpf is readable
 
OK, let me do some tests and tries here.
 
Just to be sure, do you have VLAN in your traffic ?
 
BR,
--
Eric
 
> 
> 
> 
> mazhuang at 17paipai.cn
> >  
> > From: Eric Leblond
> > Date: 2018-09-18 21:24
> > To: mazhuang at 17paipai.cn; Peter Manev
> > CC: oisf-users
> > Subject: Re: [Oisf-users] suricata 4.1 eBpf load balance
> > Hello,
> >  
> > On Tue, 2018-09-18 at 21:14 +0800, mazhuang at 17paipai.cn wrote:
> > > Hi Peter
> > >     I'm using the suricata source code itself:
> > > https://github.com/OISF/suricata/blob/master/ebpf/lb.c
> >  
> > This code do not support VLAN maybe this is your issue.
> >  
> > I've pushed a new version with VLAN support:
> >  
> > https://github.com/regit/suricata/tree/ebpf-update
> >  
> > Can you give it a try ?
> >  
> > You can or use the branch or copy the lb.c to your source tree.
> >  
> > BR,
> > --
> > Eric Leblond
> >  
> > >
> > > mazhuang at 17paipai.cn
> > > > 
> > > > From: Peter Manev
> > > > Date: 2018-09-18 21:12
> > > > To: mazhuang
> > > > CC: Open Information Security Foundation
> > > > Subject: Re: [Oisf-users] suricata 4.1 eBpf load balance
> > > > On Tue, Sep 18, 2018 at 2:48 PM mazhuang at 17paipai.cn
> > > > <mazhuang at 17paipai.cn> wrote:
> > > > >
> > > > > Hi All
> > > > >     I followed
> > > > 
> > https://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html#setup-ebpf-load-balancing
> > > >  this tutorial to configure ebpf load balancing, but the result
> > was
> > > > only one core processing the data
> > > > >
> > > > >
> > > > >     Suricata Version:4.1
> > > > >     OS:Centos 7
> > > > >     Kernel:Linux yg 4.18.8-1.el7.elrepo.x86_64 #1 SMP Sat Sep
> > 15
> > > > 10:10:09 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
> > > > >     CPU:Intel(R) Xeon(R) CPU E5-2640 v4 @ 2.40GHz x2
> > > > >     Memory:128G
> > > > 
> > > > 
> > > > Can you share your balancer (lb.bpf) so i can try to reproduce?
> > > > 
> > > > 
> > > > 
> > > > --
> > > > Regards,
> > > > Peter Manev
> > > > 
> > >
> > > _______________________________________________
> > > Suricata IDS Users mailing list: 
> > oisf-users at openinfosecfoundation.org
> > > Site: http://suricata-ids.org | Support:
> > > http://suricata-ids.org/support/
> > > List:
> > > 
> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > >
> > > Conference: https://suricon.net
> > > Trainings: https://suricata-ids.org/training/
> > --
> > Eric Leblond <eric at regit.org>
> >  
-- 
Eric Leblond <eric at regit.org>
 
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/ 
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180919/c7d1fd98/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Catch(09-19-14-59-24).jpg
Type: image/jpeg
Size: 293295 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180919/c7d1fd98/attachment-0001.jpg>

More information about the Oisf-users mailing list