...
...
+Pinned maps usage
+-----------------
+
+Pnned maps stay attached to the system if the creating process disappear and
+they can also be accessed by external tools. In Suricata bypass case, this can be
+used to keep active bypassed flow tables so Suricata is not hit by previsouly bypassed flows when
+restarting. In the socket filter case, this can be used to maintain a map from tools outside
+of Suricata.
+
+To used pinned maps, you first have to mount the `bpf` pseudo filesystem ::
+
+ sudo mount -t bpf none /sys/fs/bpf
+
+Pinned maps will be accessible as file from the `/sys/fs/bpf` directory. Suricata
+will pinned them under the name `suricata-$IFACE_NAME-$MAP_NAME`.
+
+To active pinned maps for a interface, set `pinned-maps` to `true` in the `af-packet`
+configuration of this interface ::
+
+ - interface: eth3
+ pinned-maps: true
+
+This option can be used to expose the maps of a socket filter to other processes.
+This allows for example, the external handling of a blacklist or white list of
+IP addresses. See `scbpf` tool avalable in the `ebpf/scpbf` directory for an example
+of external list handling.
+
+In the case of XDP, the eBPF filter is attached to the interface so if you
+activate `pinned-maps` the eBPF will remain attached to the interface and
+the maps will remain accessible upon Suricata start.
+If XDP bypass is activated, Suricata will try at start to open the pinned maps
+`flow_v4_table` and `flow_v6_table`. If they are present, this means the XDP filter
+is still there and Suricata will just use them instead of attaching the XDP file to
+the interface.
+
+So it you want to reload the XDP filter, you need to remove the files from `/sys/fs/bpf/`
+before starting Suricata.
+
+In case, you are not using bypass, this means that the uses maps are managed from outside
+Suricata. As their names are not known by Suricata, you need to specify a name of map to look
+for that will be used to check for the presence of the XDP filter ::
+
+ - interface: eth3
+ pinned-maps: true
+ pinned-maps-name: ipv4_drop
+ xdp-filter-file: /etc/suricata/ebpf/xdp_filter.bpf
+
+If XDP bypass is used in IPS mode stopping Suricata will trigger a interruption in the traffic.
+To fix that you can use the `pinned-maps-switch` option that will create a direct interface
+to interface forwarding if ever the switch is activated. Switch will be activated when Suricata
+is exiting but it can also be activated by an external monitoring tool ::
+
+ - interface: eth3
+ pinned-maps: true
+ pinned-maps-switch: g_switch
+ xdp-filter-file: /etc/suricata/ebpf/xdp_filter.bpf
+ bypass: true
+
Getting live info about bypass
------------------------------
projects / thirdparty / suricata.git / commitdiff
