From 8b29912521946d529abd6e324a37ec40766f60ba Mon Sep 17 00:00:00 2001
From: Vincent Li
Date: Fri, 18 Oct 2024 17:11:43 +0000
Subject: [PATCH] suricata-xdp: resolve memlock and stack smashing
suricata XDP support requires xdp-tools with libbpf 1.4 to resolve stack smash issue. also workaround memlock operation not permitted by running suricata as root since load/attach XDP program requires root privilige anyway. see: https://github.com/vincentmli/BPFire/issues/54 Usage scenario: since suricata IPS XDP capture mode works as layer 2 bridge, BPFire netfilter firewall, NAT IP route will be bypassed. no IP address should be assigned to red0 and green0 interface. 172.16.1.0/24 inline 172.16.1.0/24 red network<-->red0(xdp)<-->green0(xdp)<-->green network we can run setup command to assign IP/Mask 0.0.0.0/0.0.0.0 to red0 and green0, then reboot BPFire, BPFire DHCP will stops working after reboot. green network client can get DHCP IP from upstream dhcp server. start suricata manually suricata -c /etc/suricata/suricata-xdp.yaml --af-packet xdp_filter.bpf program will be attached to red0 and gree0 interface not sure if we should add GUI for suricata XDP capture mode since this is not common use case.
Signed-off-by: Vincent Li
---
 config/suricata/suricata-xdp.yaml | 6 +++---
 lfs/suricata | 2 +-
 make.sh | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/config/suricata/suricata-xdp.yaml b/config/suricata/suricata-xdp.yaml
index 454af358f..de61cb137 100644
--- a/config/suricata/suricata-xdp.yaml
+++ b/config/suricata/suricata-xdp.yaml
@@ -600,9 +600,9 @@ asn1-max-frames: 256
 ##
 # Run suricata as user and group.
-run-as:
- user: suricata
- group: suricata
+#run-as:
+# user: suricata
+# group: suricata
 # Suricata core dump configuration. Limits the size of the core dump file to
 # approximately max-dump. The actual core dump size will be a multiple of the
diff --git a/lfs/suricata b/lfs/suricata
index 1f282321a..39c016f25 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 52e2d64a9afe1e231fdc4b0aed8f920a5b80d5f8a0a78b41641069356947b3003902f9117f113b526f499379e1b1f1885461396713a748d4b3fb50571eec2fa3
+$(DL_FILE)_BLAKE2 = eef2500a22d581b37dafe496a57e664e6cb3aed879f138df5708ffd350bc985b4af875907c7e6cd0cf746ad6495e60414beaecf6069ba9d68b963831359362fc
 install : $(TARGET)
diff --git a/make.sh b/make.sh
index c0ed5fc27..0210e0b39 100755
--- a/make.sh
+++ b/make.sh
@@ -1399,7 +1399,6 @@ buildipfire() {
 lfsmake2 colm
 lfsmake2 ragel
 lfsmake2 hyperscan
- lfsmake2 suricata
 lfsmake2 ids-ruleset-sources
 lfsmake2 ipblocklist-sources
 lfsmake2 squid
@@ -1686,6 +1685,7 @@ buildipfire() {
 lfsmake2 bpftool
 lfsmake2 llvm-project
 lfsmake2 xdp-tools
+ lfsmake2 suricata
 lfsmake2 knot
 lfsmake2 spectre-meltdown-checker
 lfsmake2 zabbix_agentd
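Review bot: Commenting out `run-as` makes the whole Suricata process run as root for its entire lifetime, while the description only needs root for loading and attaching the XDP program and for the memlock limit; the new lines should at least say why the privilege drop is disabled. The "operation not permitted" on memlock is an RLIMIT_MEMLOCK problem and can presumably be addressed by raising that limit for the service (ulimit -l, or LimitMEMLOCK in the unit) without giving up `run-as` — worth confirming before keeping this. If it has to stay, I would replace the bare `#run-as:` with a comment such as `# run-as disabled: XDP load/attach and the memlock limit need root; see BPFire issue 54` so a later maintainer does not treat the root service as accidental or re-enable it without reading the history.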
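Review bot: The `$(DL_FILE)_BLAKE2` value changes while nothing else in the hunk does, so the tarball name stays the same and the commit does not say where the new archive comes from (a fresh upstream release would normally also change the version variable, which is outside this hunk). A checksum swap for an unchanged filename is exactly the case a pinned hash exists to catch, so the commit message or a comment above the line should state the source and how the hash was produced, e.g. `# BLAKE2 refreshed from <placeholder: upstream URL or tag>, checked against the upstream signature`. If the archive was instead rebuilt locally to pick up the libbpf 1.4 change the description mentions, a distinct filename or version suffix would make that visible in the build rather than hidden behind a silent hash change.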
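Review bot: Moving `lfsmake2 suricata` from after `lfsmake2 hyperscan` to after `lfsmake2 xdp-tools` encodes a build-order dependency that is only implied by list position; the -1399 and -1686 hunks are the two halves of that single move. A short comment on the added line, `lfsmake2 suricata   # after xdp-tools: built against its libbpf for XDP capture`, would stop a later reorder from silently reintroducing the stack-smash problem the description attributes to the older libbpf. buildipfire() starts and ends outside both hunks.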