vincentmli / docker-suricata

A Suricata Docker image with eBPF XDP SYNPROXY DDOS.
https://hub.docker.com/r/vli39/suricata
MIT License

xdp_synproxy_kern.bpf load failed #1

Closed BurlyLuo closed 9 months ago

BurlyLuo commented 9 months ago

Hello vincentmli, I have tried the Docker image 0f645e7265d3, but the xdp_synproxy_kern load failed there.

docker run -td --privileged --net=host -v $(pwd)/etc/suricata:/etc/suricata --name=suricata -e SURICATA_OPTIONS="--af-packet=eth0" -e SYNPROXY_PORTS="80,443" vli39/suricata:xdp

root@vm22040:/# grep XDP /var/log/suricata/suricata.log 
10/1/2024 -- 13:55:37 - <Info> - XDP program: /etc/suricata/ebpf/xdp_filter.bpf. Run prio: 100. Chain call actions: XDP_PASS
10/1/2024 -- 13:55:37 - <Info> - XDP program: /etc/suricata/ebpf/xdp_synproxy_kern.bpf. Run prio: 50. Chain call actions: XDP_PASS
10/1/2024 -- 13:55:37 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Unable to attach multi XDP on 'eth0': Invalid argument (-22)
10/1/2024 -- 13:55:37 - <Warning> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when loading XDP filter file
root@vm22040:/# 
root@vm22040:/# xdp-loader load eth0 /etc/suricata/ebpf/xdp_synproxy_kern.bpf -v
Setting rlimit to minimum 1048576
Loading 1 files on interface 'eth0'.
XDP program 0: Run prio: 50. Chain call actions: XDP_PASS

host environment details: multipass vm

root@vm22040:~# lsb_release -a 
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.3 LTS
Release:        22.04
Codename:       jammy
root@vm22040:~# uname -a 
Linux vm22040 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
root@vm22040:~# 

vincentmli commented 9 months ago

@BurlyLuo your kernel does not meet the requirement. Try upgrading your Ubuntu kernel to 6.2.0-1018-lowlatency; that is what I use on Ubuntu 22.04.

root@r220:~# apt-cache search linux-image-6.2.0-1018-lowlatency
linux-image-6.2.0-1018-lowlatency - Signed kernel image lowlatency
linux-image-6.2.0-1018-lowlatency-dbgsym - Signed kernel image lowlatency

BurlyLuo commented 9 months ago

Yes, tried with 6.4.0, it worked as expected.

root@vm23040:/# xdp-loader status
CURRENT XDP PROGRAM STATUS:

Interface        Prio  Program name      Mode     ID   Tag               Chain actions
--------------------------------------------------------------------------------------
lo                     <No XDP program loaded!>
eth0                   xdp_dispatcher    skb      80   90f686eb86991928 
 =>              50     syncookie_xdp             83   e8f0b22be24b1a9b  XDP_PASS
 =>              100    xdp_hashfilter            75   d3ee9dcd01d4d8e7  XDP_PASS
docker0                <No XDP program loaded!>

root@vm23040:/# uname -r 
6.4.0-060400-generic
root@vm23040:/# 

Thank you @vincentmli
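
The following is an added example, not part of the thread or of the docker-suricata project: a shell check that parses `xdp-loader status` output in the format shown above and confirms that the expected programs are actually chained on an interface, so a failed synproxy load is caught instead of being noticed only in the Suricata log. The function names `xdp_chain_has` and `sample_status` are hypothetical, and the sample text is constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Added example: verify that expected XDP programs are chained on an interface
# by parsing `xdp-loader status` output. Names here are hypothetical helpers.

# xdp_chain_has IFACE PROG... : reads status text on stdin and returns 0 only
# if every PROG appears in the dispatcher chain listed under IFACE.
xdp_chain_has() {
    iface=$1; shift
    awk -v iface="$iface" -v want="$*" '
        BEGIN { n = split(want, w, " ") }
        # Chain entries: " =>  <prio>  <program name>  <id>  <tag>  <actions>"
        $1 == "=>" { if (cur == iface) seen[$3] = 1; next }
        # Any other non-empty line starts a new interface (or is header text)
        NF > 0 { cur = $1 }
        END {
            for (i = 1; i <= n; i++)
                if (!(w[i] in seen)) { print "missing on " iface ": " w[i]; rc = 1 }
            exit rc + 0
        }'
}

# Constructed sample input, modelled on the status output in the thread.
sample_status() {
    cat <<'EOF'
CURRENT XDP PROGRAM STATUS:

Interface        Prio  Program name      Mode     ID   Tag               Chain actions
--------------------------------------------------------------------------------------
lo                     <No XDP program loaded!>
eth0                   xdp_dispatcher    skb      80   90f686eb86991928
 =>              50     syncookie_xdp             83   e8f0b22be24b1a9b  XDP_PASS
 =>              100    xdp_hashfilter            75   d3ee9dcd01d4d8e7  XDP_PASS
docker0                <No XDP program loaded!>
EOF
}

# Demo on the sample; on a live host pipe the real command instead:
#   xdp-loader status | xdp_chain_has eth0 syncookie_xdp xdp_hashfilter
if sample_status | xdp_chain_has eth0 syncookie_xdp xdp_hashfilter; then
    echo "eth0: syncookie_xdp and xdp_hashfilter are attached"
fi
```

A non-zero exit status means at least one named program is absent from that interface's chain, which is the state the 5.15 host in the first comment would have been in.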