Open scoolor opened 10 months ago
@scoolor I think the App-Layer protocol errors could be corrected or ignored as long as Suricata can start up OK. The eBPF attach error seems to be your kernel not supporting syncookie_xdp; try a kernel with version 6.2 or above.
@scoolor also, if you ever run into "Can't find eBPF map fd for 'flow_table_v6'", the workaround is to run xdp-loader unload interface-name -a in the suricata container, which removes all previously left-over programs/maps; then stop the suricata container and re-launch the suricata docker. I wish there were a cleaner way :)
First and foremost, I would like to express my heartfelt thanks for your prompt and detailed response. Your guidance has been crucial for my understanding of this issue, and I am very grateful for the time you took out of your busy schedule to assist me.
Following your suggestion, I am going to attempt checking and confirming if the kernel version is the root cause of the issue. I understand that this might be a key factor leading to the problem, so I plan to conduct some necessary checks and adjustments on my system as per your guidance.
Thank you once again for your help and valuable time. Your expertise and willing support mean a lot to me.
@scoolor ah sorry, I missed your kernel version information: "Kernel version: 4.15.0-210-generic". It is not supported; you can upgrade your kernel to 6.2 or above.
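The two root causes named in this thread (a kernel older than 6.2 for the syncookie/synproxy XDP program, and a kernel without a BTF blob for libbpf to load) can be checked before Suricata is started. The following POSIX sh preflight script is an added example and is not from the issue thread or the Suricata project; the 6.2 threshold is taken from the maintainer's comment above, and the BTF path /sys/kernel/btf/vmlinux is the location libbpf reads when the kernel was built with CONFIG_DEBUG_INFO_BTF. The function and variable names are the example's own.

```shell
#!/bin/sh
# xdp_preflight.sh: pre-checks for Suricata's XDP/eBPF filters.
# Added example, not code from the issue thread or from Suricata.
# Assumptions: kernel >= 6.2 is needed for xdp_synproxy_kern.bpf / syncookie_xdp
# (maintainer's statement above), and libbpf reads the kernel's BTF blob from
# /sys/kernel/btf/vmlinux, which only exists when CONFIG_DEBUG_INFO_BTF=y.

# kernel_at_least WANT HAVE: succeed if release string HAVE (uname -r form,
# e.g. 4.15.0-210-generic) is at least WANT (MAJOR.MINOR). Only the first two
# numeric components are compared; patch level and distro suffix are ignored.
kernel_at_least() {
    want=$1
    have=$2
    case $have in *.*) ;; *) have="$have.0" ;; esac   # bare "7" -> "7.0"
    want_major=${want%%.*}
    want_minor=${want#*.}; want_minor=${want_minor%%.*}; want_minor=${want_minor%%-*}
    have_major=${have%%.*}
    have_minor=${have#*.}; have_minor=${have_minor%%.*}; have_minor=${have_minor%%-*}
    if [ "$have_major" -gt "$want_major" ]; then
        return 0
    elif [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; then
        return 0
    fi
    return 1
}

# btf_available [PATH]: succeed if the kernel BTF blob is readable. The
# "failed to find valid kernel BTF" lines in the log above are libbpf
# reporting that this file is missing.
btf_available() {
    [ -r "${1:-/sys/kernel/btf/vmlinux}" ]
}

# xdp_preflight RELEASE BTF_PATH: print one line per problem and fail if
# anything would stop the XDP filters from loading. The exit status is the
# number of problems found, so 0 means "prerequisites satisfied".
xdp_preflight() {
    release=$1
    btf=$2
    problems=0
    if ! kernel_at_least 6.2 "$release"; then
        echo "kernel $release is below 6.2: xdp_synproxy_kern.bpf / syncookie_xdp will not attach"
        problems=$((problems + 1))
    fi
    if ! btf_available "$btf"; then
        echo "no readable kernel BTF at $btf: libbpf will report 'failed to find valid kernel BTF'"
        problems=$((problems + 1))
    fi
    if [ "$problems" -eq 0 ]; then
        echo "kernel $release with BTF at $btf: XDP prerequisites satisfied"
    else
        # Workaround from the thread for maps left behind by a failed earlier run.
        echo "hint: if a previous run left programs attached, run: xdp-loader unload <interface> -a"
    fi
    return "$problems"
}

# Stand-alone use: check the running kernel, or a release string passed as $1
# (for instance one copied from a bug report). The "if" keeps a failing check
# from aborting the script under set -e.
if xdp_preflight "${1:-$(uname -r)}" "${2:-/sys/kernel/btf/vmlinux}"; then :; fi
```

Run it inside the suricata container (or on the host, since the kernel is shared) before starting Suricata; a non-zero exit status tells you which of the two prerequisites from this thread is missing, which is quicker than reading the libbpf fallback chain in the log.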
Description
While running Suricata 6.0.9 in a Docker container, I encountered multiple issues related to eBPF/XDP loading and app-layer protocol configuration. The errors indicate problems with loading XDP programs and missing configurations for app-layer protocols. Additionally, there is an issue with finding eBPF map file descriptors.
Environment
Steps to Reproduce
root@ci:/opt/docker-suricata/6.0# sudo docker run --rm -it --net=host --cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice --privileged suricata:latest -i eth0
17/1/2024 -- 07:44:38 - - This is Suricata version 6.0.9 RELEASE running in SYSTEM mode
17/1/2024 -- 07:44:38 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
17/1/2024 -- 07:44:38 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
17/1/2024 -- 07:44:38 - - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
17/1/2024 -- 07:44:38 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/suricata.rules
libbpf: elf: skipping unrecognized data section(7) .xdp_run_config
libbpf: elf: skipping unrecognized data section(7) xdp_metadata
libbpf: prog 'xdp_dispatcher': BPF program load failed: Invalid argument
libbpf: prog 'xdp_dispatcher': failed to load: -22
libbpf: failed to load object '/usr/lib/x86_64-linux-gnu/bpf/xdp-dispatcher.o'
libbpf: elf: skipping unrecognized data section(7) xdp_metadata
libbpf: prog 'xdp_dispatcher': BPF program load failed: Invalid argument
libbpf: prog 'xdp_dispatcher': failed to load: -22
libbpf: failed to load object '/usr/lib/x86_64-linux-gnu/bpf/xdp-dispatcher.o'
libxdp: Failed to load dispatcher: Invalid argument
libxdp: Falling back to loading single prog without dispatcher
libbpf: prog 'xdp_hashfilter': BPF program load failed: Invalid argument
libbpf: prog 'xdp_hashfilter': failed to load: -22
libbpf: failed to load object '/etc/suricata/ebpf/xdp_filter.bpf'
17/1/2024 -- 07:44:38 - - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Unable to attach multi XDP on 'eth0': Invalid argument (-22)
17/1/2024 -- 07:44:38 - - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when loading XDP filter file
libbpf: elf: skipping unrecognized data section(7) xdp_metadata
libbpf: prog 'xdp_dispatcher': BPF program load failed: Invalid argument
libbpf: prog 'xdp_dispatcher': failed to load: -22
libbpf: failed to load object '/usr/lib/x86_64-linux-gnu/bpf/xdp-dispatcher.o'
libbpf: elf: skipping unrecognized data section(7) xdp_metadata
libbpf: prog 'xdp_dispatcher': BPF program load failed: Invalid argument
libbpf: prog 'xdp_dispatcher': failed to load: -22
libbpf: failed to load object '/usr/lib/x86_64-linux-gnu/bpf/xdp-dispatcher.o'
libxdp: Failed to load dispatcher: Invalid argument
libxdp: Falling back to loading single prog without dispatcher
libbpf: failed to find valid kernel BTF
libbpf: Error loading vmlinux BTF: -3
libbpf: failed to load object '/etc/suricata/ebpf/xdp_synproxy_kern.bpf'
17/1/2024 -- 07:44:38 - - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Unable to attach multi XDP on 'eth0': No such process (-3)
17/1/2024 -- 07:44:38 - - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when loading XDP filter file
17/1/2024 -- 07:44:38 - - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Can't find eBPF map fd for 'flow_table_v6'
17/1/2024 -- 07:44:38 - - all 1 packet processing threads, 4 management threads initialized, engine started.
syncookie_xdp not attached!