Draft: Introduce support for DPDK secondary mode for workers runmode #7433
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…DPDK lcore threading
Up to now, DPDK workers run as pthreads. In DPDK terms, this has meant that they've been running as non-registered non-EAL threads. This limits funcionality of certain DPDK libraries (e.g. not using per-lcore cache for rte_mempool or rte_ring limitations). It is possible to register pthreads so they become registered non-EAL threads. This mitigates the aforementioned limitations. https://doc.dpdk.org/guides/prog_guide/env_abstraction_layer.html#non-eal-pthread-support However, running Suricata as a secondary process would defy this approach. According to the DPDK documentation, registered non-EAL pthread behaves like a non-registered non-EAL pthread. Support for running Suricata as a secondary process is a planned extension of work. https://doc.dpdk.org/api/rte__lcore_8h.html#a71e6840cf1fe8950cce8fd88d0859bce
Flag `--libs-only-L` of pkg-config should output a path where libdpdk is stored. This usually happens when DPDK is installed manually (from source) into a custom location. On the other hand, there is no output when installing DPDK with a package manager. For that reason, the linker flag `-Wl,-R,` remain incomplete. The flag `-Wl,-R,` then binds incorrectly with the following output of pkg-config. The output of `pkg-config --libs libdpdk` contains linker flag `--as-need` to remove unnecessary libraries during the linking. It is silently skipped and the binary is linked with all of the DPDK libraries.
Implement secondary mode operation in Suricata. Receive packets over DPDK rings. To each worker assign a separate ring. Provide configuration options specific for the secondary mode along with possibility to specify arbitrary ring name. Add relevant documentation.
Flag introduces a lock to the Flow objects that makes the Flow object unavailable to packet threads but still available to management threads. When a new packet of the flow is received, the packet threads should, instead of using the existing one, create a new flow record. The lock is expected to be used for possibly soon-to-be-evicted flows where touching the existing flow would not be correct.
… as a secondary process Prefitler app receives the traffic and enqueues it to the rings to Suricata. Suricata can do bypass (add/update/delete) operations on flows through a bypass channel that is between Prefilter and Suricata. One Prefilter core can distribute to multiple Suricata workers. Prefilter can be enabled in the configuration process with flags `--enable-dpdk --enable-dpdk-apps`.
Codecov Report
@@ Coverage Diff @@
## master #7433 +/- ##
==========================================
- Coverage 75.91% 75.89% -0.02%
==========================================
Files 656 656
Lines 189943 190004 +61
==========================================
+ Hits 144189 144208 +19
- Misses 45754 45796 +42
Flags with carried forward coverage won't be shown. Click here to find out more. |
3 tasks
|
@lukashino do you need feedback on this ? |
|
This is supposed to be a preview PR. I would like to get feedback on this, however, I believe in a short span I will push a new version with more things so we might just wait for that one. Thanks. |
|
Ok, then waiting for the next :-) |
|
Can you push a rebased version of this? |
Closed
3 tasks
|
Rebased and updated version continues in #7818 |
victorjulien
added a commit
to victorjulien/suricata
that referenced
this pull request
Dec 4, 2024
Default decoder event alert was very sparse, not even logging packet type and pcap_cnt. Expand support for this record type. It will be more useful with the ethernet headers and packet field, but these are still disabled by default. Ticket: OISF#7433.
victorjulien
added a commit
to victorjulien/suricata
that referenced
this pull request
Dec 4, 2024
Default decoder event alert was very sparse, not even logging packet type and pcap_cnt. Expand support for this record type. It will be more useful with the ethernet headers and packet field, but these are still disabled by default. Ticket: OISF#7433.
victorjulien
added a commit
to victorjulien/suricata
that referenced
this pull request
Dec 5, 2024
Default decoder event alert was very sparse, not even logging packet type and pcap_cnt. Expand support for this record type. It will be more useful with the ethernet headers and packet field, but these are still disabled by default. Ticket: OISF#7433.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Link to redmine ticket about Suricata secondary process support.
Link to redmine ticket about prefilter application.
This is a follow-up of #7283 which incorporates two Redmine tickets together, one for Suricata secondary mode support and the other for adding an app that would run as a primary process. The PR extends the work of #7283 by continuing in reaching the prefilter concept. As of now, the prefilter configures the provided NICs according to the YAML configuration and then passes packets to Suricata through DPDK rings. It also uses a message system between Suricata and Prefilter for asynchronous bypass method. Suricata can also load Prefilter configuration by reading Prefilter's shared configuration stored in a memory zone. The prefilter is intended to be architecturally flexible (not depending on any hardcoded module) but as of now, for some use-cases, the prefilter uses Suricata library.
Use flags
--enable-dpdk --enable-dpdk-appsto enable Prefilter in the configuration process.The plan is to have a shared DPDK configuration codebase for prefilter and Suricata. As of result, prior to the compilation of the prefilter app, Suricata needs to be first compiled and installed (together with headers and library). Makefile target
dpdk-apps-prereqshould solve the issue. After the Suricata library is installed, it needs to be added to the list of shared libraries (ldconfig) or at least editLD_LIBRARY_PATHvariable. Makefile targetdpdk-appscompiles the prefitler app. The finalprefilterbinary can be found indpdk/prefilter/buildfolder.Changelog from #7283: