[SSC-395] XDP filter for bypassed traffic #10
+803
−146
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rahim-rani
reviewed
Dec 12, 2024
|
|
||
| # A simple script to speed up build/test/debug iterations for XDP stuff. | ||
|
|
||
| if [ "$#" -lt 1 ]; then |
There was a problem hiding this comment.
not equal to 1 so it breaks if too many args are supplied
ebpf/build-xdp.sh
Outdated
| if [ -z ${RTK_SENSOR_HOSTNAME} ]; then | ||
| echo "RTK_SENSOR_HOSTNAME is not set. Skipping scp." | ||
| exit 0 | ||
| else |
rahim-rani
approved these changes
Dec 19, 2024
Also added a "--debug" flag to build-xdp.sh which will generate a BPF with debug symbols. llvm-objdump can then be used to generate an annotated assembly listing, which can be used in conjunction with syslog messages to determine what happened when the kernel refuses to load a given BPF program.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR includes the initial implementation of the XDP stream filter, which will drop traffic that has been bypassed by Suricata.
Once a flow hits a bypass rule in Suricata, it's added to "flow_table_v4", which is an ebpf table that allows flows to be looked up by tuple. The XDP stream filter checks the table when it gets new traffic; if the flow matches, then the traffic is dropped, which saves CPU cycles.
The XDP stream filter currently only works with mirroring deployments. Support for internal tap will be added later. An HLD is needed for that work.
Related PRs:
Add the stream filter to the build (awn)
Testing has been performed on both virtual and physical sensors.
There are no plans to merge these changes back to the OSIF Suricata repo.
Make sure these boxes are signed before submitting your Pull Request -- thank you.
https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html
https://suricata.io/about/contribution-agreement/ (note: this is only required once)
Link to redmine ticket:
Describe changes:
Provide values to any of the below to override the defaults.
To use a pull request use a branch name like
pr/NwhereNis thepull request number.
Alternatively,
SV_BRANCHmay also be a link to anOISF/suricata-verify pull-request.