PF_RING support

[jmartini89]

Hello! Would be great to have PF_RING support in Suricata's image.

As of jasonish/suricata:7.0.0:

`Error: suricata: PF_RING not enabled. Make sure to pass --enable-pfring to configure when building.

[jasonish]

The main issue here is that the host still needs to have PF_RING installed itself for the kernel module. Then I'm not sure how in-sync the library version that Suricata is compiled with needs to be with the kernel module, at which point you might need to be building your own Suricata anyways.

Typically I keep these inline with RPM compile time features, which means everything needs to be available by the distro itself.

[jmartini89]

AFAIK user-land and kernel-land PF_RING libraries are (usually) compatible on different versions.

A possible solution would be to build a specifically tagged Suricata image, including PF_RING version on the image tag.

I'm not sure about Red Hat Linux based distributions, but on Debian PF_RING is not an available package.

EDIT: about PF_RING compatibility: we're using PF_RING 8.2.0 userland in a containerized application, while host machine runs 8.4.0 or newer. For tests on local machine I'm actually using dev branch (> 8.4.0) compiled kernel module.

[jmartini89]

Upon further testing, PF_RING backward compatibility is not assured. As @jasonish suggested, custom Suricata image building is needed.

Closing the issue, thanks anyway :)