Bug #3801

open

Problem hardware bypassing with Netronome

Added by Odin Jenseg over 4 years ago. Updated 5 months ago.

Status: New
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Suricata version: 5.0.4-dev

Relevant af-packet config:

af-packet:
- cluster-type: cluster_qm
  xdp-filter-file: /etc/suricata/xdp_filter.bpf
  xdp-mode: hw
  use-percpu-hash: false

Using the default xdp_filter.c located in the ebpf folder with the following settings:

/* Set BUILD_CPUMAP to 0 if you want to run XDP bypass on kernel
 * older than 4.15 */
#define BUILD_CPUMAP        0
/* Increase CPUMAP_MAX_CPUS if ever you have more than 64 CPUs */
#define CPUMAP_MAX_CPUS     64

/* Set to 1 to bypass encrypted packets of TLS sessions. Suricata will
 * be blind to these packets or forged packets looking alike. */
#define ENCRYPTED_TLS_BYPASS    0

/* Set it to 0 if for example you plan to use the XDP filter in a
 * network card that don't support per CPU value (like netronome) */
#define USE_PERCPU_HASH     0
/* Set it to 0 if your XDP subsystem don't handle XDP_REDIRECT (like netronome) */
#define GOT_TX_PEER         0

/* set to non 0 to load balance in hardware mode on RSS_QUEUE_NUMBERS queues
 * and unset BUILD_CPUMAP (number must be a power of 2 for netronome) */
#define RSS_QUEUE_NUMBERS   16

/* no vlan tracking: set it to 0 if you don't use VLAN for tracking. Can
 * also be used as workaround of some hardware offload issue */
#define VLAN_TRACKING    1

Suricata starts running fine, and it is possible to see that the XDP code is offloaded to the NIC.

1. Running bpftool map dump name flow_table_v4:
It is possible to see that Suricata adds keys to the map, but it seems like xdp_filter fails at bpf_map_lookup_elem, since we are not observing any XDP_DROP, nor are any of the key values updated with bypassed pkts and bytes.

Trying to debug this, it seems that the struct key added by Suricata to flow_table_v4 is not the same as the one generated by xdp_filter.

We were able to get the bypass to work by setting vlan0 and vlan1 to 0 in AFPXDPBypassCallback in source-af-packet.c:

keys[0]->vlan0 = 0;
keys[0]->vlan1 = 0;

and set VLAN_TRACKING = 0 in xdp_filter.c.

#1

Updated by Odin Jenseg almost 4 years ago

Seems that I found the error. The VLAN id in xdp_filter.c needs to be converted to host byte order:

vlan0 = __constant_ntohs(vhdr->h_vlan_TCI) & 0x0fff;
vlan1 = __constant_ntohs(vhdr->h_vlan_TCI) & 0x0fff;

Also, use-for-tracking: false does not work if VLAN_TRACKING is false in xdp_filter.c, since the Packet struct will contain the VLAN ID and it is used as part of the key in the bpf map.
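The key mismatch described in the ticket and in comment #1 can be reproduced in user space without a NIC. The program below is an added example, not code from this ticket or from Suricata: it builds a constructed 802.1Q frame, derives the 12-bit VLAN ID the two ways xdp_filter.c could (masking the raw big-endian TCI, and ntohs() before masking, as comment #1 proposes), and checks whether the result equals the host-order VLAN ID that user space stores in the flow key. The struct layouts mirror the wire format; the function names (key_matches, xdp_style_vlan_id, build_tagged_frame) and the frame contents are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Wire-format headers, laid out like the kernel's ethhdr/vlan_hdr
 * (copied here so the example builds in user space without kernel headers). */
struct eth_hdr {
    uint8_t  h_dest[6];
    uint8_t  h_source[6];
    uint16_t h_proto;                    /* network byte order */
} __attribute__((packed));

struct vlan_hdr {
    uint16_t h_vlan_TCI;                 /* PCP(3) | DEI(1) | VID(12), network byte order */
    uint16_t h_vlan_encapsulated_proto;
} __attribute__((packed));

#define ETH_P_8021Q 0x8100

/* VLAN ID of the outer 802.1Q tag as an XDP program would compute it.
 * convert_to_host = 1: ntohs() the TCI before masking (the fix from comment #1).
 * convert_to_host = 0: mask the raw field (masks the wrong byte on little-endian hosts).
 * Returns -1 for untagged or truncated frames. */
int xdp_style_vlan_id(const uint8_t *data, size_t len, int convert_to_host)
{
    const struct eth_hdr *eth = (const struct eth_hdr *)data;
    const struct vlan_hdr *vhdr;

    if (len < sizeof(*eth) + sizeof(*vhdr))
        return -1;
    if (ntohs(eth->h_proto) != ETH_P_8021Q)
        return -1;
    vhdr = (const struct vlan_hdr *)(data + sizeof(*eth));
    if (convert_to_host)
        return ntohs(vhdr->h_vlan_TCI) & 0x0fff;
    return vhdr->h_vlan_TCI & 0x0fff;
}

/* Constructed (not captured) single-tagged frame carrying the given VLAN ID,
 * with the TCI stored big-endian exactly as it appears on the wire. */
size_t build_tagged_frame(uint8_t *buf, size_t cap, uint16_t vid)
{
    struct eth_hdr eth = {
        .h_dest   = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55},
        .h_source = {0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb},
        .h_proto  = htons(ETH_P_8021Q),
    };
    struct vlan_hdr vh = {
        .h_vlan_TCI = htons(vid & 0x0fff),          /* PCP 0, DEI 0 */
        .h_vlan_encapsulated_proto = htons(0x0800), /* IPv4 */
    };

    if (cap < sizeof(eth) + sizeof(vh))
        return 0;
    memcpy(buf, &eth, sizeof(eth));
    memcpy(buf + sizeof(eth), &vh, sizeof(vh));
    return sizeof(eth) + sizeof(vh);
}

/* 1 when the XDP-side vlan0 equals the host-order VLAN ID that user space
 * (Suricata's packet structure, per the ticket) writes into the map key. */
int key_matches(uint16_t vid, int convert_to_host)
{
    uint8_t frame[64];
    size_t n = build_tagged_frame(frame, sizeof(frame), vid);
    int userspace_vlan = vid;           /* host byte order */

    if (n == 0)
        return 0;
    return xdp_style_vlan_id(frame, n, convert_to_host) == userspace_vlan;
}

int main(void)
{
    const uint16_t vids[] = {1, 100, 0x123, 4094};

    for (size_t i = 0; i < sizeof(vids) / sizeof(vids[0]); i++)
        printf("vid %4u: raw-mask key match=%d, ntohs key match=%d\n",
               vids[i], key_matches(vids[i], 0), key_matches(vids[i], 1));
    return 0;
}
```

On a little-endian host every VLAN ID other than 0 fails the raw-mask comparison (for VID 100 the raw mask yields 1024), which is why no lookup ever hit and no key's packet and byte counters moved; with ntohs() applied both sides agree, and the same bytes are compared whether the program runs in the driver, in hardware or in this user-space model.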

#2

Updated by Victor Julien over 1 year ago

  • Assignee set to Community Ticket

#3

Updated by Philippe Antoine 5 months ago

  • Target version set to TBD