DPDK rte_flow traffic drop filter v2 #13891
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -239,3 +239,71 @@ Encapsulation stripping | |
| Suricata supports stripping the hardware-offloaded encapsulation stripping on | ||
| the supported NICs. Currently, VLAN encapsulation stripping is supported. | ||
| VLAN encapsulation stripping can be enabled with `vlan-strip-offload`. | ||
|
|
||
| Drop filter | ||
| ----------------------------- | ||
|
|
||
| Drop filter can improve the performance of Suricata by filtering | ||
| used-predefined flows directly in the Network interface card. The user can | ||
|
Contributor: Also, since NIC is mentioned previously, you could either use the acronym (NIC) or lowercase the "Network".
||
| specify unwanted flows before the start of Suricata. These flows are not going to be | ||
|
Contributor: Generally, I would avoid mentioning "flows" and focus more on the traffic patterns (or a more suitable term).
||
| inspected by Suricata and will be ignored for the whole run of the program. | ||
| On some PMDs, the statistics of the dropped flows are gathered and stored in eve.json. | ||
|
|
||
| The syntax for drop filter in Suricata is similar to the dpdk-testpmd application | ||
| rule syntax, although in Suricata, only the "pattern" section is applicable. | ||
| The user can define multiple rules, either to match specific flow | ||
| or a range of flows (e.g. using ip or port masks). | ||
|
|
||
| Patterns currently supported by this feature are listed in | ||
| "src/util-dpdk-rte-flow-pattern.c" in "enum index next_item[]" | ||
| and their corresponding attributes in "enum index item_<pattern>[]". | ||
|
|
||
| .. literalinclude:: ../../../src/util-dpdk-rte-flow-pattern.c | ||
| :language: c | ||
| :start-at: /* --- start pattern enum --- */ | ||
| :end-at: /* --- end pattern enum --- */ | ||
|
|
||
|
|
||
| This feature is supported and tested only on NICs with mlx5, ice, and i40e drivers. | ||
| Some of the drivers also support collecting statistics about dropped flows | ||
| (visible in dpdk.rte_flow_filtered in eve.json). | ||
| The level of functionality varies between these cards, as specified below: | ||
|
|
||
| * ice: | ||
|
|
||
| The driver does not support broad (wildcard) patterns; some pattern item has to have | ||
| specification, e.g., ``pattern eth / ipv4 / end`` raises an error but | ||
| ``pattern eth / ipv4 src is x / end`` or ``pattern eth / ipv4 / tcp src is x`` works fine. | ||
| It also supports gathering statistics of the filtered packets, but only | ||
| when all of the rules match one specific flow (e.g. mask can not be used). | ||
|
|
||
| * i40e: | ||
|
|
||
| The driver does not support different item sets on the same pattern item type, | ||
| e.g., if the first rule is in the form ``pattern eth / ipv4 src is x / end``, | ||
| then any other rule containing an ipv4 pattern type must exclusively use the src attribute. | ||
| Statistics of the filtered packets are not supported. | ||
|
|
||
| * mlx5: | ||
|
|
||
| The driver is the most versatile PMD, supporting a wide range of patterns. | ||
| It also supports gathering statistics of the filtered packets without any other constraints. | ||
|
|
||
|
|
||
| The configuration for the drop filter can be found and modified in the | ||
| DPDK section of the suricata.yaml file. | ||
|
|
||
| Below is a sample configuration that demonstrates how to filter specific flow and a range of flows: | ||
|
|
||
| :: | ||
|
|
||
| ... | ||
| dpdk: | ||
| eal-params: | ||
| proc-type: primary | ||
|
|
||
| interfaces: | ||
| - interface: 0000:3b:00.0 | ||
| drop-filter: | ||
| - rule: "pattern eth / ipv4 src is 192.11.120.50 / tcp / end" | ||
| - rule: "pattern eth / ipv4 src is 170.22.40.0 src mask 255.255.255.0 / tcp / end" | ||
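Review bot: the ice bullet's third example, `pattern eth / ipv4 / tcp src is x`, is missing the closing `/ end` that every other example in this section carries (and that the sample YAML rules use); either add it or state that `end` is optional. Two smaller points on the same hunk: the sample rules use 192.11.120.50 and 170.22.40.0, which are routable addresses, so consider the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) so readers do not copy a real network into a filter; and since the text says matched traffic "will be ignored for the whole run of the program", one sentence reminding the reader that an overly broad mask silently removes traffic from inspection, and that on i40e (no filtered-packet statistics) that gap is not visible in eve.json, would help operators. Prose nits: "used-predefined flows" should read "user-predefined", "some pattern item has to have specification" reads better as "at least one pattern item must carry a specification", and "mask can not be used" should be "masks cannot be used".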
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -47,6 +47,7 @@ | |
| #include "util-dpdk-ice.h" | ||
| #include "util-dpdk-ixgbe.h" | ||
| #include "util-dpdk-rss.h" | ||
| #include "util-dpdk-rte-flow.h" | ||
| #include "util-time.h" | ||
| #include "util-conf.h" | ||
| #include "suricata.h" | ||
|
|
@@ -142,6 +143,7 @@ DPDKIfaceConfigAttributes dpdk_yaml = { | |
| .tx_descriptors = "tx-descriptors", | ||
| .copy_mode = "copy-mode", | ||
| .copy_iface = "copy-iface", | ||
| .drop_filter = "drop-filter", | ||
| }; | ||
|
|
||
| /** | ||
|
|
@@ -339,6 +341,7 @@ static void DPDKDerefConfig(void *conf) | |
|
|
||
| if (SC_ATOMIC_SUB(iconf->ref, 1) == 1) { | ||
| DPDKDeviceResourcesDeinit(&iconf->pkt_mempools); | ||
| iconf->RteRulesFree(&iconf->drop_filter); | ||
| SCFree(iconf); | ||
| } | ||
| SCReturn; | ||
|
|
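Review bot: `iconf->RteRulesFree(&iconf->drop_filter)` calls through a function pointer with no NULL check; ConfigInit sets it to RteFlowRuleStorageFree in this same patch, but any other path that allocates a DPDKIfaceConfig (unit tests, future callers) would crash here on teardown. Either guard it (`if (iconf->RteRulesFree != NULL)`) or, since util-dpdk-rte-flow.h is now included anyway, call RteFlowRuleStorageFree directly and drop the indirection, unless it exists as a test seam, in which case a one-line comment on the field would explain why.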
@@ -356,6 +359,7 @@ static void ConfigInit(DPDKIfaceConfig **iconf) | |
| SC_ATOMIC_INIT(ptr->ref); | ||
| (void)SC_ATOMIC_ADD(ptr->ref, 1); | ||
| ptr->DerefFunc = DPDKDerefConfig; | ||
| ptr->RteRulesFree = RteFlowRuleStorageFree; | ||
| ptr->flags = 0; | ||
|
|
||
| *iconf = ptr; | ||
|
|
@@ -1027,6 +1031,10 @@ static int ConfigLoad(DPDKIfaceConfig *iconf, const char *iface) | |
| if (retval < 0) | ||
| SCReturnInt(retval); | ||
|
|
||
| retval = ConfigLoadRteFlowRules(if_root, dpdk_yaml.drop_filter, &iconf->drop_filter); | ||
| if (retval < 0) | ||
| SCReturnInt(retval); | ||
|
|
||
| SCReturnInt(0); | ||
| } | ||
|
|
||
|
|
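Review bot: the early return after `ConfigLoadRteFlowRules` relies on DPDKDerefConfig releasing whatever the loader had already placed in `iconf->drop_filter` before it failed, so the loader must leave that storage consistent (count and pointers either fully populated or zeroed) on every error path; a comment at this call site stating that contract would prevent a double free or leak when the loader is next changed. Also confirm that an absent `drop-filter` key yields 0 rather than a negative value, since the feature is optional and this return would otherwise abort device configuration for every existing suricata.yaml.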
@@ -1835,10 +1843,10 @@ static void *ParseDpdkConfigAndConfigureDevice(const char *iface) | |
| if (ldev_instance == NULL) { | ||
| FatalError("Device %s is not registered as a live device", iface); | ||
| } | ||
| for (uint16_t i = 0; i < iconf->threads; i++) { | ||
| ldev_instance->dpdk_vars = iconf->pkt_mempools; | ||
| iconf->pkt_mempools = NULL; | ||
| } | ||
|
|
||
| ldev_instance->dpdk_vars = iconf->pkt_mempools; | ||
|
Contributor: This should have been moved out of this commit.
||
| iconf->pkt_mempools = NULL; | ||
|
|
||
| return iconf; | ||
| } | ||
|
|
||
|
|
||
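Review bot: the removed loop assigned `iconf->pkt_mempools` to `ldev_instance->dpdk_vars` and then NULLed `pkt_mempools` on every iteration, so with `threads > 1` the second iteration overwrote `dpdk_vars` with NULL; the new two-line form is the correct fix, but it is unrelated to the drop filter and belongs in its own commit with that explanation in the message, as the inline comment above also notes.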
/used-predefined flows/user-predefined traffic patterns/