[Oisf-users] Suricata and XDP

Eric Leblond eric at regit.org
Fri Jun 21 20:43:26 UTC 2019


Hi,

On Fri, 2019-06-21 at 18:14 +0000, Nelson, Cooper wrote:
> That is the same thing as far as I can tell, so it's probably not my
> system.

I've just used lb.bpf from latest master and it behaves correctly on my
Debian with a 4.19.

> Details of that specific error are here:
> 
> https://lwn.net/Articles/740157/
> 
> > The eBPF in-kernel verifier
> > There are inherent security and stability risks with allowing user-
> > space code to run inside the kernel. So, a number of checks are
> > performed on every eBPF program before it is loaded. The first test
> > ensures that the eBPF program terminates and does not contain any
> > loops that could cause the kernel to lock up. This is checked by
> > doing a depth-first search of the program's control flow graph (CFG).
> > Unreachable instructions are strictly prohibited; any program that
> > contains unreachable instructions will fail to load.
> 
> > The second stage is more involved and requires the verifier to
> > simulate the execution of the eBPF program one instruction at a
> > time. The virtual machine state is checked before and after the
> > execution of every instruction to ensure that register and stack
> > state are valid. Out of bounds jumps are prohibited, as is
> > accessing out-of-range data.
> 
> It would be helpful if there was a way to check the 'lb.bpf' file
> against the kernel verifier using some sort of verbose logging, to
> see exactly why it is failing.  It would be much easier to debug in
> that case (any ideas Eric?).

bpftool seems to be able to do something on inspection. I don't know
the exact syntax.

> I very much want to get this working as I'm fairly certain it will
> resolve the #2725 support ticket.

As you are using a hipster kernel you should be able to try the CPU_MAP
redirect. Here the load balancing is also done by IP pair. Advantage
over the lb.bpf approach is that the skb creation will be load
balanced on all CPUs defined in the map:

https://suricata.readthedocs.io/en/suricata-4.1.4/capture-hardware/ebpf-xdp.html#the-xdp-cpu-redirect-case

Doc is not great on this feature, let me know if you need help.

--
Eric
> 
> -Coop
>  
> -----Original Message-----
> From: Peter Manev <petermanev at gmail.com> 
> Sent: Friday, June 21, 2019 2:09 AM
> To: Nelson, Cooper <cnelson at ucsd.edu>
> Cc: Eric Leblond <eric at regit.org>; 
> oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata and XDP
> 
> 
> I've seen a similar err like that once before here - 
> https://lists.openinfosecfoundation.org/pipermail/oisf-users/2018-September/016170.html
> though I don't think it is the same case or related necessarily.
> 
> 
> --
> Regards,
> Peter Manev
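
The first verifier stage described in the LWN text quoted above (depth-first search of the control flow graph, rejecting loops and unreachable instructions), as an added Python example that is not kernel code and not part of this thread. The function names, messages and sample programs are constructed for illustration, and BPF-to-BPF calls are not modelled.

```python
import struct

# struct bpf_insn is 8 bytes: u8 code, u8 regs, s16 off, s32 imm (little-endian).
BPF_JMP, BPF_JMP32, BPF_LD_IMM64 = 0x05, 0x06, 0x18  # two classes, one wide load
BPF_JA, BPF_CALL, BPF_EXIT = 0x00, 0x80, 0x90         # jump ops (code & 0xf0)

def insn(code, off=0, imm=0, regs=0):  # pack one instruction for the samples
    return struct.pack("<BBhi", code, regs, off, imm)

def successors(prog, i):
    """Indices control can reach directly from instruction i."""
    code, _, off, _ = struct.unpack_from("<BBhi", prog, i * 8)
    op = code & 0xF0
    if code == BPF_LD_IMM64:
        return [i + 2]                  # 64-bit load occupies two slots
    if code & 0x07 not in (BPF_JMP, BPF_JMP32) or op == BPF_CALL:
        return [i + 1]                  # straight-line insn or helper call
    if op == BPF_EXIT:
        return []
    return [i + 1 + off] if op == BPF_JA else [i + 1, i + 1 + off]

def check_cfg(prog):
    """Return None if the CFG is acceptable, else a string naming the problem."""
    n = len(prog) // 8
    if n == 0:
        return "empty program"
    state = [1] + [0] * (n - 1)         # 0 unseen, 1 on DFS path, 2 finished
    stack = [(0, iter(successors(prog, 0)))]
    while stack:
        i, succ = stack[-1]
        nxt = next(succ, None)
        if nxt is None:
            state[stack.pop()[0]] = 2   # all successors explored
        elif not 0 <= nxt < n:
            return f"jump out of range from insn {i} to {nxt}"
        elif state[nxt] == 1:
            return f"back-edge from insn {i} to {nxt}"
        elif state[nxt] == 0:
            state[nxt] = 1
            stack.append((nxt, iter(successors(prog, nxt))))
    for i in range(1, n):
        # Second slot of a reached 64-bit load is data, not an instruction.
        if state[i] == 0 and not (state[i - 1] and prog[(i - 1) * 8] == BPF_LD_IMM64):
            return f"unreachable insn {i}"
    return None

# Constructed samples (0xb7 mov r0,imm; 0x05 ja; 0x95 exit).
LOOP = insn(0xb7) + insn(0x05, off=-2) + insn(0x95)
DEAD = insn(0xb7) + insn(0x95) + insn(0xb7) + insn(0x95)
```

check_cfg(LOOP) reports the back-edge and check_cfg(DEAD) reports the instruction after the first exit as unreachable.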


