suricata-ebpf: remove rlimit setting

BPFire runs 6.10.11 kernel which does not require rlimit setting. fix error below: strace -s1024 -f -o /tmp/suricata.txt suricata -c /etc/suricata/suricata-xdp.yaml --af-packet -vvv bpf(BPF_OBJ_GET, {pathname="/sys/fs/bpf/suricata-red0-flow_table_v4", bpf_fd=0, file_flags=0, path_fd=0}, 20) = -1 ENOENT (No such file or directory) prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=RLIM64_INFINITY, rlim_max=RLIM64_INFINITY}, NULL) = -1 EPERM (Operation not permitted) sendto(3, "<171>Oct 15 16:54:13 suricata: [ERRCODE: SC_ERR_MEM_ALLOC(1)] - Unable to lock memory: Operation not permitted (1)", 114, MSG_NOSIGNAL, NULL, 0) = 114 sendto(3, "<172>Oct 15 16:54:13 suricata: [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Error when loading XDP filter file", 104, MSG_NOSIGNAL, NULL, 0) = 104 Signed-off-by: Vincent Li <[email protected]>
vincentmli · Oct 15, 2024 · b07ee72 · b07ee72
1 parent a5b0388
commit b07ee72
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 18 deletions.
diff --git a/ebpf/xdp_filter.c b/ebpf/xdp_filter.c
@@ -110,6 +110,7 @@ struct {
     __type(key,   struct flowv4_keys);
     __type(value, struct pair);
     __uint(max_entries, 32768);
+    __uint(map_flags, BPF_F_NO_PREALLOC);
 } flow_table_v4 SEC(".maps");
 
 struct {
@@ -121,6 +122,7 @@ struct {
     __type(key,   struct flowv6_keys);
     __type(value, struct pair);
     __uint(max_entries, 32768);
+    __uint(map_flags, BPF_F_NO_PREALLOC);
 } flow_table_v6 SEC(".maps");
 
 #if ENCRYPTED_TLS_BYPASS

diff --git a/src/util-ebpf.c b/src/util-ebpf.c
@@ -398,15 +398,6 @@ int EBPFLoadMultiXDPFile(AFPIfaceConfig *aconf, const char *path, uint32_t prio,
         return -1;
     }
 
-    /* Sending the eBPF code to the kernel requires a large amount of
-     * locked memory so we set it to unlimited to avoid a ENOPERM error */
-    struct rlimit r = {RLIM_INFINITY, RLIM_INFINITY};
-    if (setrlimit(RLIMIT_MEMLOCK, &r) != 0) {
-        SCLogError(SC_ERR_MEM_ALLOC, "Unable to lock memory: %s (%d)",
-                   strerror(errno), errno);
-        return -1;
-    }
-
     xdp_opts.open_filename = path;
     p = xdp_program__create(&xdp_opts);
     err = libxdp_get_error(p);
@@ -522,15 +513,6 @@ int EBPFLoadFile(const char *iface, const char *path, const char * section,
         return -1;
     }
 
-    /* Sending the eBPF code to the kernel requires a large amount of
-     * locked memory so we set it to unlimited to avoid a ENOPERM error */
-    struct rlimit r = {RLIM_INFINITY, RLIM_INFINITY};
-    if (setrlimit(RLIMIT_MEMLOCK, &r) != 0) {
-        SCLogError(SC_ERR_MEM_ALLOC, "Unable to lock memory: %s (%d)",
-                   strerror(errno), errno);
-        return -1;
-    }
-
     /* Open the eBPF file and parse it */
     bpfobj = bpf_object__open(path);
     long error = libbpf_get_error(bpfobj);