From a4a69c3e713a0170ef660eb60cf7acd9505c0df7 Mon Sep 17 00:00:00 2001 From: Lukas Sismis Date: Thu, 15 Sep 2022 15:21:40 +0200 Subject: [PATCH] doc/dpdk: add IPS setup docs for DPDK mode Ticket: #5511 --- doc/userguide/configuration/suricata-yaml.rst | 4 ++ .../setting-up-ipsinline-for-linux.rst | 71 +++++++++++++++++++ 2 files changed, 75 insertions(+) diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index b7497d1bb9..27d6949b91 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -753,6 +753,8 @@ After 'mpm-algo', you can enter one of the following algorithms: ac, hs and ac-k On `x86_64` hs (Hyperscan) should be used for best performance. +.. _suricata-yaml-threading: + Threading --------- @@ -1905,6 +1907,8 @@ computers etc.) Packet Acquisition ------------------ +.. _dpdk-capture-module: + Data Plane Development Kit (DPDK) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/doc/userguide/setting-up-ipsinline-for-linux.rst b/doc/userguide/setting-up-ipsinline-for-linux.rst index 2656f765cc..b804665c8d 100644 --- a/doc/userguide/setting-up-ipsinline-for-linux.rst +++ b/doc/userguide/setting-up-ipsinline-for-linux.rst @@ -177,6 +177,8 @@ running but this also means that the blocking feature will not be present. Settings up IPS at Layer 2 -------------------------- +.. _afp-ips-l2-mode: + AF_PACKET IPS mode ~~~~~~~~~~~~~~~~~~ 
@@ -276,3 +278,72 @@ and eBPF load balancing looks like the following: :: The eBPF file ``/usr/libexec/suricata/ebpf/lb.bpf`` may not be present on disk. See :ref:`ebpf-xdp` for more information. + +DPDK IPS mode +~~~~~~~~~~~~~~~~~~ + +In the same way as you would configure AF_PACKET IPS mode, you can configure the DPDK capture module. +Prior to starting with IPS (inline) setup, it is recommended to go over :ref:`dpdk-capture-module` manual page +to understand the setup essentials. + +DPDK IPS mode, similarly to AF-Packet, uses two interfaces. Packets received on the first network interface +(``0000:3b:00.1``) are transmitted by the second network interface (``0000:3b:00.0``) and similarly, +packets received on the second interface (``0000:3b:00.0``) are transmitted +by the first interface (``0000:3b:00.1``). Packets are not altered in any way in this mode. + +The following configuration snippet configures Suricata DPDK IPS mode between two NICs: :: + + dpdk: + eal-params: + proc-type: primary + + interfaces: + - interface: 0000:3b:00.1 + threads: 4 + promisc: true + multicast: true + checksum-checks: true + checksum-checks-offload: true + mempool-size: 262143 + mempool-cache-size: 511 + rx-descriptors: 4096 + tx-descriptors: 4096 + copy-mode: ips + copy-iface: 0000:3b:00.0 + mtu: 3000 + + - interface: 0000:3b:00.0 + threads: 4 + promisc: true + multicast: true + checksum-checks: true + checksum-checks-offload: true + mempool-size: 262143 + mempool-cache-size: 511 + rx-descriptors: 4096 + tx-descriptors: 4096 + copy-mode: ips + copy-iface: 0000:3b:00.1 + mtu: 3000 + +The previous DPDK configuration snippet outlines several things to consider: + +- ``copy-mode`` - see Section :ref:`afp-ips-l2-mode` for more details. +- ``copy-iface`` - see Section :ref:`afp-ips-l2-mode` for more details. +- ``threads`` - all interface entries must have their thread count configured + and paired/connected interfaces must be configured with the same amount of threads. 
+- ``mtu`` - MTU must be the same on both paired interfaces. + +DPDK capture module also requires having CPU affinity set in the configuration file. For the best performance, +every Suricata worker should be pinned to a separate CPU core that is not shared with any other Suricata thread +(e.g. management threads). +The following snippet shows a possible :ref:`suricata-yaml-threading` configuration set-up for DPDK IPS mode. :: + + threading: + set-cpu-affinity: yes + cpu-affinity: + - management-cpu-set: + cpu: [ 0 ] + - worker-cpu-set: + cpu: [ 2,4,6,8,10,12,14,16 ] +
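Review bot: In doc/userguide/configuration/suricata-yaml.rst, the two new labels follow different naming schemes. The first hunk adds `suricata-yaml-threading` with the file name as a prefix, while the second adds `dpdk-capture-module` without one. Pick one scheme for labels in this file so later `:ref:` targets are predictable, or note in the commit message why the DPDK label is left unprefixed.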
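Review bot: In the new "DPDK IPS mode" section of doc/userguide/setting-up-ipsinline-for-linux.rst, the threading snippet lists eight cores in `worker-cpu-set` and the two interface entries each set `threads: 4`, but the text never says these numbers are related. The paragraph asks for every worker to be pinned to its own core, so state explicitly how the size of `worker-cpu-set` relates to the sum of `threads` across the paired interfaces. A reader who changes one value then knows to change the other. Smaller points in the same hunk: the `copy-mode` and `copy-iface` bullets only link to `afp-ips-l2-mode`, so a one-line description of what `copy-mode: ips` does here would save the jump. "AF-Packet" should be spelled "AF_PACKET" to match the heading it refers to. "the same amount of threads" reads better as "the same number of threads". "go over :ref:`dpdk-capture-module` manual page" is missing "the". The `~` underline is longer than the "DPDK IPS mode" title. The snippet sets `mtu: 3000` without saying why that value was chosen, which invites copy-paste onto links where it does not fit.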