Enable eBPF support for Suricata.

[Jeroen0494]

Hi,

This PR enables eBPF support for Suricata. https://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html

I'd like to use eBPF to speed up packet processing. Let me know what you think!

[jasonish]

Have you tried loading an ebpf program while Suricata is running inside the container?

[Jeroen0494]

Have you tried loading an ebpf program while Suricata is running inside the container?

I haven't yet, because I don't have Suricata in IPS mode on my Kubernetes cluster yet. I expect to be working on this in the coming days.

[maxgio92]

Hi @Jeroen0494, great and thank you for this project!

I guess we need a mechanism to select filters and and (re)load them in kernel (docs) - kind of hot reloader.

[almereyda]

With regards to the previous comment and the way how this is operationalised, it seems useful to suggest to add a minimal example to the README, how eBPF support in Suricata can be leveraged in a container.

Maybe due to increased configuration requirements for an eBPF Suricata container, this is better served in a separate Containerfile with a different image name?

While in some places it is rumoured that one needs to run a --privileged container to gain eBPF support in containers, others have shown that distinct configuration can avoid this. This article contains a nice write up on how eBPF can be used on Linux- and Mac-based container hosts.

• Run eBPF Programs in Docker using docker-bpf | Hemslo Wang’s Blog

Maybe the information in that article is useful enough for providing additional hints to a minimally reproducible example of using Suricata with eBPF in a Docker container, documented in the README?

[jasonish]

Closing as ebpf is enabled in the 6.0, 7.0 and git master containers already as can be seen with --build-info.

Please open a new PR if more is required, or additional documentation can be added. I do not use ebpf support myself and won't have time to look at it in the near future so won't be getting that done myself.