Task #5560
opendpdk: Design a test-case for Suricata running as a secondary process
Added by Lukas Sismis about 2 years ago. Updated almost 2 years ago.
Description
Suggest how to test Suricata running as a secondary process (further called secondary mode) while receiving packets through DPDK rings.
The format of DPDK rings is specified in the configuration file.
The main requirement is to only use the built-in, default DPDK application that will enqueue packets to the DPDK rings.
Files
suri-secondary-testcase.png (58.6 KB) | Lukas Sismis, 09/27/2022 02:38 PM
suricata.yaml.2thr.secondarytest.ips (73.9 KB) | IPS Suricata configuration for the secondary mode | Lukas Sismis, 09/27/2022 02:57 PM
suricata.yaml.2thr.secondarytest.ids (74.7 KB) | IDS Suricata configuration for the secondary mode | Lukas Sismis, 09/27/2022 02:57 PM
Updated by Lukas Sismis about 2 years ago
- File suri-secondary-testcase.png added
- File suricata.yaml.2thr.secondarytest.ids added
- File suricata.yaml.2thr.secondarytest.ips added
The proposed architecture for the IPS test case is as shown in the attached picture. The IDS test case would terminate packet processing in Suricata.
DPDK-TESTPMD is the default application that comes with the DPDK package and is used in many DPDK tests. In this test, it would be used together with the NET_RING PMD (https://doc.dpdk.org/guides/nics/pcap_ring.html#rings-based-pmd) for creating DPDK rings and connecting dpdk-testpmd with Suricata.
An instance of the testpmd application - dpdk-testpmd#1 - runs as a primary process and initializes all resources required for the test - meaning it initializes BOTH virtual devices (RX_RING and TX_RING) and afterward it starts transmitting packets to the RX_RING. RX_RING is a ring to which dpdk-testpmd#1 transmits packets and through which Suricata receives packets. TX_RING is a ring to which Suricata transmits packets and through which dpdk-testpmd#2 receives packets.
Suricata, running as a secondary process, dequeues (receives) packets from the RX_RING and, after processing them, enqueues them to the TX_RING. The second instance of the testpmd application - dpdk-testpmd#1 - runs as a secondary process as well. It dequeues packets from the TX_RING and releases the packets (puts mbufs back to the original pktmbuf mempool).
Example configuration for DPDK IDS mode (packet processing ends in Suricata and no transmission is required):
Run dpdk-testpmd#1 with:
sudo dpdk-testpmd -v -l 14,16,18 -n 4 --no-pci --vdev="net_ring_rxring" -- --portmask=0x1 --nb-ports 1 --nb-cores 2 --rxq 2 --txq 2 --forward-mode=txonly
The second instance - dpdk-testpmd#2 - is not run in this test as packets are released by Suricata.
Run Suricata with config suricata.yaml.2thr.secondarytest.ids
and with the command:
sudo /home/local/xsismi01/suricata/usr/bin/suricata -c /home/local/xsismi01/measure-suri/suricata-host/configs/dpdk/testpmd/suricata.yaml.2thr.secondarytest.ids -S /dev/null --dpdk -vvv
Example configuration for DPDK IPS mode (as shown in the picture):
Run dpdk-testpmd#1 with:
sudo dpdk-testpmd -v -l 14,16,18 -n 4 --no-pci --vdev="net_ring_rxring" --vdev="net_ring_txring" -- --portmask=0x1 --nb-ports 1 --nb-cores 2 --rxq 2 --txq 2 --forward-mode=txonly
Run dpdk-testpmd#2 with:
sudo dpdk-testpmd -v -l 8,10,12 -n 4 --no-pci --vdev="net_ring_txring" --proc-type secondary -- --portmask=0x2 --nb-ports 1 --nb-cores 2 --rxq 2 --txq 2 --forward-mode=rxonly
Run Suricata with config suricata.yaml.2thr.secondarytest.ips
and with the command:
sudo /home/local/xsismi01/suricata/usr/bin/suricata -c /home/local/xsismi01/measure-suri/suricata-host/configs/dpdk/testpmd/suricata.yaml.2thr.secondarytest.ips -S /dev/null --dpdk -vvv
Shutdown:
The primary application should always be the last application to shut down since it deinitializes the virtual devices (DPDK rings) which it initialized at the beginning of the test case. The ring devices would otherwise still be in use by the other applications, and that would lead to a segmentation fault.
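The shutdown rule above can be enforced by a small teardown helper. The following is an added example, not part of the original issue or of the Suricata project. The function names, `SECONDARY_TIMEOUT` and `STOPPED_ORDER` are made up for illustration, and it assumes Linux `/proc` and that every process shuts down cleanly on SIGTERM.

```sh
#!/bin/sh
# Added example: ordered teardown for a DPDK multi-process test group.
# Usage: stop_dpdk_group PRIMARY_PID SECONDARY_PID [SECONDARY_PID ...]
# All names below are hypothetical; assumes clean shutdown on SIGTERM.

SECONDARY_TIMEOUT=${SECONDARY_TIMEOUT:-30}   # seconds to wait per process
STOPPED_ORDER=""                              # PIDs in the order they exited

# True while PID exists and is not a zombie (a zombie no longer uses the rings).
alive() {
    kill -0 "$1" 2>/dev/null || return 1
    [ -r "/proc/$1/stat" ] || return 0
    stat=$(cat "/proc/$1/stat" 2>/dev/null) || return 1
    state=${stat##*') '}                      # field after "(comm) " is the state
    case $state in Z*) return 1 ;; esac
    return 0
}

# Send SIGTERM, then poll until the process is gone or the timeout expires.
stop_and_wait() {
    kill -s TERM "$1" 2>/dev/null || true
    waited=0
    while alive "$1"; do
        [ "$waited" -ge "$SECONDARY_TIMEOUT" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    STOPPED_ORDER="${STOPPED_ORDER:+$STOPPED_ORDER }$1"
}

stop_dpdk_group() {
    primary=$1; shift
    STOPPED_ORDER=""
    # Secondaries (Suricata, dpdk-testpmd#2) are stopped first ...
    for pid in "$@"; do
        if ! stop_and_wait "$pid"; then
            # A secondary is still attached: leave the ring vdevs in place.
            echo "secondary $pid still running; primary $primary left up" >&2
            return 1
        fi
    done
    # ... and only then the primary that owns the ring vdevs.
    stop_and_wait "$primary"
}
```

If a secondary does not exit within the timeout, the helper returns non-zero and leaves the primary running, so the rings are never deinitialized while still in use.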
Updated by Lukas Sismis about 2 years ago
So far, the current implementation can be found at:
https://github.com/lukashino/suricata/tree/b8e8b464e435a2797e7c6954d5863ec1bfa262e6
Or in the follow-ups of the branch feat/5203-primary-app-v5 in https://github.com/lukashino/suricata
Updated by Victor Julien about 2 years ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Victor Julien almost 2 years ago
- Target version changed from 7.0.0-rc1 to 8.0.0-beta1