af-xdp: Add AF_XDP socket support

AF_XDP support is a recent technology introduced that aims at improving capture performance. With this update, Suricata now provides a new capture source 'af-xdp' that attaches an eBPF program to the network interface card. Packets received in the NIC queue are forwarded to a RX ring in user-space, bypassing the Linux network stack. Note, there is a configuration option (force-xdp-mode) that forces the packet through the normal Linux network stack. libxdp and libbpf is required for this feature and is compile time configured. This capture source operates on single and multi-queue NIC's via suricata.yaml. Here, various features can be enabled, disabled or edited as required by the use case. This feature currently only supports receiving packets via AF_XDP, no TX support has been developed. Ticket: https://redmine.openinfosecfoundation.org/issues/3306 Additional reading: https://www.kernel.org/doc/html/latest/networking/af_xdp.html
e-cite · Dec 3, 2022 · 6e128f4 · 6e128f4
1 parent 7d1a8cc
commit 6e128f4
Show file tree

Hide file tree

Showing 18 changed files with 1,687 additions and 2 deletions.
diff --git a/configure.ac b/configure.ac
@@ -1346,6 +1346,31 @@
             [[#include <linux/net_tstamp.h>]])
     ])
 
+  # AF_XDP support
+    AC_ARG_ENABLE(af-xdp,
+           AS_HELP_STRING([--disable-af-xdp], [Disable AF_XDP support [default=enabled]]),
+                        [enable_af_xdp=$enableval],[enable_af_xdp=yes])
+
+    AS_IF([test "x$enable_af_xdp" = "xyes"], [
+        # Check for the availability of elf
+        AC_CHECK_LIB(elf,elf_begin,,[enable_af_xdp=no])
+
+        # Conditionally check headers, only when found will it 'continue'
+        AS_IF([test "x$enable_af_xdp" = "xyes"],
+            # Check for the availability of libxdp
+            AC_CHECK_HEADERS([xdp/xsk.h],,[enable_af_xdp=no])
+            AC_CHECK_LIB([xdp],[xsk_umem__create],,[enable_af_xdp=no]))
+
+        AS_IF([test "x$enable_af_xdp" = "xyes"],
+            # Check for the availability of libbpf
+            AC_CHECK_HEADERS([bpf/libbpf.h],,[enable_af_xdp=no])
+            AC_CHECK_LIB([bpf],[bpf_object__open],,[enable_af_xdp=no]))
+
+        # Are all required libs installed, yes=HAVE_AF_XDP
+        AS_IF([test "x$enable_af_xdp" = "xyes"],
+            AC_DEFINE([HAVE_AF_XDP],[1],[AF_XDP support is available]))
+    ])
+
   # DPDK support
     AC_ARG_ENABLE(dpdk,
             AS_HELP_STRING([--enable-dpdk], [Enable DPDK support [default=no]]),
@@ -2537,6 +2562,7 @@ AC_OUTPUT
 
 SURICATA_BUILD_CONF="Suricata Configuration:
   AF_PACKET support:                       ${enable_af_packet}
+  AF_XDP support:                          ${enable_af_xdp}
   DPDK support:                            ${enable_dpdk}
   eBPF support:                            ${enable_ebpf}
   XDP support:                             ${have_xdp}

diff --git a/src/Makefile.am b/src/Makefile.am
@@ -445,6 +445,7 @@ noinst_HEADERS = \
 	respond-reject.h \
 	respond-reject-libnet11.h \
 	runmode-af-packet.h \
+	runmode-af-xdp.h \
 	runmode-dpdk.h \
 	runmode-erf-dag.h \
 	runmode-erf-file.h \
@@ -463,6 +464,7 @@ noinst_HEADERS = \
 	rust-context.h \
 	rust.h \
 	source-af-packet.h \
+	source-af-xdp.h \
 	source-dpdk.h \
 	source-erf-dag.h \
 	source-erf-file.h \
@@ -609,6 +611,7 @@ noinst_HEADERS = \
 	util-storage.h \
 	util-streaming-buffer.h \
 	util-syslog.h \
+	util-sysfs.h \
 	util-thash.h \
 	util-threshold-config.h \
 	util-time.h \
@@ -1053,6 +1056,7 @@ libsuricata_c_a_SOURCES = \
 	respond-reject.c \
 	respond-reject-libnet11.c \
 	runmode-af-packet.c \
+	runmode-af-xdp.c \
 	runmode-dpdk.c \
 	runmode-erf-dag.c \
 	runmode-erf-file.c \
@@ -1070,6 +1074,7 @@ libsuricata_c_a_SOURCES = \
 	runmode-windivert.c \
 	rust-context.c \
 	source-af-packet.c \
+	source-af-xdp.c \
 	source-dpdk.c \
 	source-erf-dag.c \
 	source-erf-file.c \
@@ -1210,6 +1215,7 @@ libsuricata_c_a_SOURCES = \
 	util-strlcpyu.c \
 	util-strptime.c \
 	util-syslog.c \
+	util-sysfs.c \
 	util-thash.c \
 	util-threshold-config.c \
 	util-time.c \

diff --git a/src/decode.h b/src/decode.h
@@ -78,6 +78,9 @@ enum PktSrcEnum {
 #ifdef HAVE_PF_RING_FLOW_OFFLOAD
 #include "source-pfring.h"
 #endif
+#ifdef HAVE_AF_XDP
+#include "source-af-xdp.h"
+#endif
 
 #include "decode-ethernet.h"
 #include "decode-gre.h"
@@ -497,6 +500,9 @@ typedef struct Packet_
 #endif
 #ifdef HAVE_NAPATECH
         NapatechPacketVars ntpv;
+#endif
+#ifdef HAVE_AF_XDP
+        AFXDPPacketVars afxdp_v;
 #endif
         /* A chunk of memory that a plugin can use for its packet vars. */
         uint8_t plugin_v[PLUGIN_VAR_SIZE];