@ -356,6 +356,64 @@ Confirm you have the XDP filter engaged in the output (example)::
...
...
Pinned maps usage
-----------------
Pnned maps stay attached to the system if the creating process disappear and
they can also be accessed by external tools. In Suricata bypass case, this can be
used to keep active bypassed flow tables so Suricata is not hit by previsouly bypassed flows when
restarting. In the socket filter case, this can be used to maintain a map from tools outside
of Suricata.
To used pinned maps, you first have to mount the `bpf` pseudo filesystem ::
sudo mount -t bpf none /sys/fs/bpf
Pinned maps will be accessible as file from the `/sys/fs/bpf` directory. Suricata
will pinned them under the name `suricata-$IFACE_NAME-$MAP_NAME`.
To active pinned maps for a interface, set `pinned-maps` to `true` in the `af-packet`
configuration of this interface ::
- interface: eth3
pinned-maps: true
This option can be used to expose the maps of a socket filter to other processes.
This allows for example, the external handling of a blacklist or white list of
IP addresses. See `scbpf` tool avalable in the `ebpf/scpbf` directory for an example
of external list handling.
In the case of XDP, the eBPF filter is attached to the interface so if you
activate `pinned-maps` the eBPF will remain attached to the interface and
the maps will remain accessible upon Suricata start.
If XDP bypass is activated, Suricata will try at start to open the pinned maps
`flow_v4_table` and `flow_v6_table`. If they are present, this means the XDP filter
is still there and Suricata will just use them instead of attaching the XDP file to
the interface.
So it you want to reload the XDP filter, you need to remove the files from `/sys/fs/bpf/`
before starting Suricata.
In case, you are not using bypass, this means that the uses maps are managed from outside
Suricata. As their names are not known by Suricata, you need to specify a name of map to look
for that will be used to check for the presence of the XDP filter ::
- interface: eth3
pinned-maps: true
pinned-maps-name: ipv4_drop
xdp-filter-file: /etc/suricata/ebpf/xdp_filter.bpf
If XDP bypass is used in IPS mode stopping Suricata will trigger a interruption in the traffic.
To fix that you can use the `pinned-maps-switch` option that will create a direct interface
to interface forwarding if ever the switch is activated. Switch will be activated when Suricata
is exiting but it can also be activated by an external monitoring tool ::
- interface: eth3
pinned-maps: true
pinned-maps-switch: g_switch
xdp-filter-file: /etc/suricata/ebpf/xdp_filter.bpf
bypass: true


Getting live info about bypass
------------------------------
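Review bot: the tool and its directory are spelled differently within one sentence of the "pinned maps" text, `scbpf` tool versus `ebpf/scpbf` directory; one of the two is a typo and a reader following the path will not find it, so make both match the directory name that actually exists in the tree. The same added paragraphs carry several spelling and grammar slips worth fixing before merge: `Pnned maps` (Pinned), `previsouly` (previously), `To used pinned maps` (To use), `will pinned them` (will pin them), `To active pinned maps for a interface` (To activate pinned maps for an interface), `avalable` (available), `So it you want` (So if you want), `In case, you are not using bypass, this means that the uses maps` (In case you are not using bypass, the maps in use), and `a interruption` (an interruption). Two wording points on the behaviour described: "the maps will remain accessible upon Suricata start" reads as if it meant "restart", which is what the paragraph is about, and the reload instruction ("remove the files from `/sys/fs/bpf/`") would be clearer if it named the entries concerned, the `suricata-$IFACE_NAME-$MAP_NAME` files the section introduces a few lines earlier, so readers do not remove pinned objects belonging to other tools on the same filesystem.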