I found a solution to use two VirtIO NICs together with af-packet in Suricata (2). Also I upgraded my suricata to 7 using backports (1)…
Update to Suricata 7 in Debian 12 Bookworm
You can install a much newer Suricata when you use the backports. So just make sure you have something like this in your /etc/apt/sources.list:
deb https://ftp.debian.org/debian/ bookworm-backports contrib main non-free non-free-firmware
# deb-src https://ftp.debian.org/debian/ bookworm-backports contrib main non-free non-free-firmwareThen you can install Suricata using:
apt-get install -t bookworm-backports suricataI’m not sure why but the first time I did this (I’m using Suricata as an IPS) it blocked all my traffic. You may want take a look at all those new policy-rules in your suricata.yaml. The following entry in Suricata FAQ explains it: My traffic gets blocked after upgrading to Suricata 7. Also you can see in the Changelog that this new behaviour came with Suricata 7.
Alternatively make a copy of /etc/suricata and re-install the configuration files (which is what I did). Also I did set the policies to “ignore” for now.
Use two VirtIO NICs with Suricata and af-packet
This one is quiet interesting. Because I did not find a proper reason for it, yet. If I define my VirtIO NIC like this in libvirt:
<interface type='bridge'>
<mac address='..:..:..:..:..:..'/>
<source bridge='ovs-guests'/>
<virtualport type='openvswitch'>
</virtualport>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>then it does not work. If I however define the NIC like this:
<interface type='bridge'>
<mac address='..:..:..:..:..:..'/>
<source bridge='ovs-guests'/>
<virtualport type='openvswitch'>
</virtualport>
<model type='virtio'/>
<driver name='vhost' txmode='iothread' ioeventfd='on' event_idx='off' queues='8' rx_queue_size='1024' tx_queue_size='1024'>
<host csum='off' gso='off' tso4='off' tso6='off' ecn='off' ufo='off' mrg_rxbuf='off'/>
<guest csum='off' tso4='off' tso6='off' ecn='off' ufo='off'/>
</driver>
<address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
</interface>then it does work. Notice that the difference is the part I marked bold. I found this one in the suricata forums in a thread about packetloss using XDP driver in RHEL 8.3… By trying and trying and trying I first noticed it starts working with this part:
<guest csum='off' tso4='off' tso6='off' ecn='off' ufo='off'/>Because if I commented everything within <driver></driver> it still did not work. When I commented the <host/> part and uncommented the <guest/> part it started to work.
It seems to have to do with the parameter csum in <guest/> because as soon as I set csum=’on’ it stops working. I can set all other parameters from above to on – just not csum.