[Oisf-users] Suricata and XDP

Eric Leblond eric at regit.org
Fri Jun 21 21:38:25 UTC 2019 

Hi,

On Fri, 2019-06-21 at 21:20 +0000, Nelson, Cooper wrote:
> Still getting these errors:

You should see libbpf output here if Suricata can access stdout. I
always get that on failure.

> [35502] 21/6/2019 -- 14:17:39 - (util-ebpf.c:393) <Error>
> (EBPFLoadFile) -- [ERRCODE: SC_ERR_SYSCALL(50)] - Permission issue
> when loading eBPF object (check libbpf error on stdout)
> [35502] 21/6/2019 -- 14:17:39 - (runmode-af-packet.c:535) <Warning>
> (ParseAFPConfig) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when
> loading XDP filter file
> [35502] 21/6/2019 -- 14:17:39 - (util-runmodes.c:297) <Info>
> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 20 thread(s)
> [35744] 21/6/2019 -- 14:17:39 - (source-af-packet.c:2763) <Error>
> (ReceiveAFPThreadInit) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] -
> Can't find eBPF map fd for 'flow_table_v6'
> [35502] 21/6/2019 -- 14:17:58 - (util-ebpf.c:393) <Error>
> (EBPFLoadFile) -- [ERRCODE: SC_ERR_SYSCALL(50)] - Permission issue
> when loading eBPF object (check libbpf error on stdout)
> [35502] 21/6/2019 -- 14:17:58 - (runmode-af-packet.c:535) <Warning>
> (ParseAFPConfig) -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when
> loading XDP filter file

This is weird. I don't understand you don't get error from libbpf.

> 
> -----Original Message-----
> From: Eric Leblond <eric at regit.org> 
> Sent: Friday, June 21, 2019 1:43 PM
> To: Nelson, Cooper <cnelson at ucsd.edu>; Peter Manev <
> petermanev at gmail.com>
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata and XDP
> 
> 
> As you are using a hipster kernel you should be able to try the
> CPU_MAP redirect. Here the load balancing is also done by IP pair.
> Advantage other the lb.bpf approach is that the skb creation will be
> load balanced on all CPUs defined in the map:
> 
> --
> Eric
> > -Coop
> >  
> > -----Original Message-----
> > From: Peter Manev <petermanev at gmail.com>
> > Sent: Friday, June 21, 2019 2:09 AM
> > To: Nelson, Cooper <cnelson at ucsd.edu>
> > Cc: Eric Leblond <eric at regit.org>;
> > oisf-users at lists.openinfosecfoundation.org
> > Subject: Re: [Oisf-users] Suricata and XDP
> > 
> > 
> > Ive seen a similar err like that once before here - 
> > https://lists.openinfosecfoundation.org/pipermail/oisf-users/2018-Sept
> > ember/016170.html though i dont think it the same case or related 
> > necessarily.
> > 
> > 
> > --
> > Regards,
> > Peter Manev

More information about the Oisf-users mailing list