webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

suricata-xdp: resolve memlock and stack smashing

Browse Source 
suricata XDP support requires xdp-tools with
libbpf 1.4 to resolve stack smash issue.

also workaround memlock operation not permitted
by running suricata as root since load/attach
XDP program requires root privilige anyway.

see: https://github.com/vincentmli/BPFire/issues/54

Usage scenario:

since suricata IPS XDP capture mode works as
layer 2 bridge, BPFire netfilter firewall, NAT
IP route  will be bypassed. no IP address should
be assigned to red0 and green0 interface.

172.16.1.0/24          inline              172.16.1.0/24
red network<-->red0(xdp)<-->green0(xdp)<-->green network

we can run setup command to assign IP/Mask 0.0.0.0/0.0.0.0
to red0 and green0, then reboot BPFire, BPFire DHCP
will stops working after reboot. green network client
can get DHCP IP from upstream dhcp server.

start suricata manually

suricata -c /etc/suricata/suricata-xdp.yaml --af-packet
xdp_filter.bpf program will be attached to red0 and gree0
interface

not sure if we should add GUI for suricata XDP capture mode
since this is not common use case.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
This commit is contained in:
Vincent Li
2024-10-18 17:11:43 +00:00
parent 3e17c7b30b
commit 8b29912521
3 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
config/suricata/suricata-xdp.yaml
View File

@@ -600,9 +600,9 @@ asn1-max-frames: 256
##
# Run suricata as user and group.
run-as:
user: suricata
group: suricata
#run-as:
# user: suricata
# group: suricata
# Suricata core dump configuration. Limits the size of the core dump file to
# approximately max-dump. The actual core dump size will be a multiple of the

2
lfs/suricata
View File

@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_BLAKE2 = 52e2d64a9afe1e231fdc4b0aed8f920a5b80d5f8a0a78b41641069356947b3003902f9117f113b526f499379e1b1f1885461396713a748d4b3fb50571eec2fa3
$(DL_FILE)_BLAKE2 = eef2500a22d581b37dafe496a57e664e6cb3aed879f138df5708ffd350bc985b4af875907c7e6cd0cf746ad6495e60414beaecf6069ba9d68b963831359362fc
install : $(TARGET)

2
make.sh
View File

@@ -1399,7 +1399,6 @@ buildipfire() {
lfsmake2 colm
lfsmake2 ragel
lfsmake2 hyperscan
lfsmake2 suricata
lfsmake2 ids-ruleset-sources
lfsmake2 ipblocklist-sources
lfsmake2 squid
@@ -1686,6 +1685,7 @@ buildipfire() {
lfsmake2 bpftool
lfsmake2 llvm-project
lfsmake2 xdp-tools
lfsmake2 suricata
lfsmake2 knot
lfsmake2 spectre-meltdown-checker
lfsmake2 zabbix_agentd