[Oisf-users] Suricata and XDP

Nelson, Cooper cnelson at ucsd.edu
Fri Jun 21 21:20:42 UTC 2019 

Still getting these errors:

[35502] 21/6/2019 -- 14:17:39 - (util-ebpf.c:393) <Error> (EBPFLoadFile) -- [ERRCODE: SC_ERR_SYSCALL(50)] - Permission issue when loading eBPF object (check libbpf error on stdout)
[35502] 21/6/2019 -- 14:17:39 - (runmode-af-packet.c:535) <Warning> (ParseAFPConfig) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when loading XDP filter file
[35502] 21/6/2019 -- 14:17:39 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 20 thread(s)
[35744] 21/6/2019 -- 14:17:39 - (source-af-packet.c:2763) <Error> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6'
[35502] 21/6/2019 -- 14:17:58 - (util-ebpf.c:393) <Error> (EBPFLoadFile) -- [ERRCODE: SC_ERR_SYSCALL(50)] - Permission issue when loading eBPF object (check libbpf error on stdout)
[35502] 21/6/2019 -- 14:17:58 - (runmode-af-packet.c:535) <Warning> (ParseAFPConfig) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when loading XDP filter file

-----Original Message-----
From: Eric Leblond <eric at regit.org> 
Sent: Friday, June 21, 2019 1:43 PM
To: Nelson, Cooper <cnelson at ucsd.edu>; Peter Manev <petermanev at gmail.com>
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata and XDP


As you are using a hipster kernel you should be able to try the CPU_MAP redirect. Here the load balancing is also done by IP pair. Advantage other the lb.bpf approach is that the skb creation will be load balanced on all CPUs defined in the map:

--
Eric
> 
> -Coop
>  
> -----Original Message-----
> From: Peter Manev <petermanev at gmail.com>
> Sent: Friday, June 21, 2019 2:09 AM
> To: Nelson, Cooper <cnelson at ucsd.edu>
> Cc: Eric Leblond <eric at regit.org>;
> oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata and XDP
> 
> 
> Ive seen a similar err like that once before here - 
> https://lists.openinfosecfoundation.org/pipermail/oisf-users/2018-Sept
> ember/016170.html though i dont think it the same case or related 
> necessarily.
> 
> 
> --
> Regards,
> Peter Manev

More information about the Oisf-users mailing list