mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-09 10:35:53 +02:00
suricata XDP support requires xdp-tools with libbpf 1.4 to resolve stack smash issue. also work around memlock operation not permitted by running suricata as root since load/attach XDP program requires root privilege anyway.

see: https://github.com/vincentmli/BPFire/issues/54

Usage scenario:

since suricata IPS XDP capture mode works as layer 2 bridge, BPFire netfilter firewall, NAT IP route will be bypassed. no IP address should be assigned to red0 and green0 interface.

    172.16.1.0/24         inline           172.16.1.0/24
    red network<-->red0(xdp)<-->green0(xdp)<-->green network

we can run setup command to assign IP/Mask 0.0.0.0/0.0.0.0 to red0 and green0, then reboot BPFire. BPFire DHCP will stop working after reboot. green network client can get DHCP IP from upstream dhcp server.

start suricata manually

    suricata -c /etc/suricata/suricata-xdp.yaml --af-packet

xdp_filter.bpf program will be attached to red0 and green0 interface

not sure if we should add GUI for suricata XDP capture mode since this is not common use case.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>