docker-suricata
docker-suricata copied to clipboard
jasonish
Enable eBPF support for Suricata.
Hi,
This PR enables eBPF support for Suricata. https://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html
I'd like to use eBPF to speed up packet processing. Let me know what you think!
Have you tried loading an ebpf program while Suricata is running inside the container?
Have you tried loading an ebpf program while Suricata is running inside the container?
I haven't yet, because I don't have Suricata in IPS mode on my Kubernetes cluster yet. I expect to be working on this in the coming days.
Hi @Jeroen0494, great and thank you for this project!
I guess we need a mechanism to select filters and and (re)load them in kernel (docs) - kind of hot reloader.
With regards to the previous comment and the way how this is operationalised, it seems useful to suggest to add a minimal example to the README, how eBPF support in Suricata can be leveraged in a container.
Maybe due to increased configuration requirements for an eBPF Suricata container, this is better served in a separate Containerfile with a different image name?
While in some places it is rumoured that one needs to run a --privileged container to gain eBPF support in containers, others have shown that distinct configuration can avoid this. This article contains a nice write up on how eBPF can be used on Linux- and Mac-based container hosts.
Maybe the information in that article is useful enough for providing additional hints to a minimally reproducible example of using Suricata with eBPF in a Docker container, documented in the README?
Closing as ebpf is enabled in the 6.0, 7.0 and git master containers already as can be seen with --build-info.
Please open a new PR if more is required, or additional documentation can be added. I do not use ebpf support myself and won't have time to look at it in the near future so won't be getting that done myself.