How to send traffic from p0 and p1 to a Suricata container on a DPU

Hi team,

I’m integrating Suricata inside a container on a BlueField DPU and I need advice on the best way to deliver all traffic from p0 and p1 to the container for IDS inspection.

Current setup (summary):

  • DPU: BlueField‑2 (ConnectX‑6 Dx) — I can provide firmware and DOCA versions if needed.

  • On the host/DPU, interfaces p0 and p1 appear (and their representors).

  • I want a container with Suricata to see/analyze all traffic from both interfaces (ingress and egress) with good performance.

Things I’ve considered / tried:

  • Creating an additional port P3 and mapping it to Suricata (does this make sense?).

  • Using SF / representors and OVS and connecting the container.

  • Disabling offloads on the interfaces so Suricata doesn’t lose visibility (is this always necessary?).

Specific questions:

  1. To allow Suricata to see all traffic and achieve good performance in a container on a DPU, do you recommend:

    • exposing representors/PFs and using OVS + forward flows to the container, or

    • creating an additional port like P3 / SF and connecting it directly to the container?

  2. If I go with representors + OVS, what is the recommended pattern to connect Suricata in a container considering performance and Suricata compatibility?

  3. Are there special BF/MLX5/DOCA settings I should enable/disable (e.g., PORT_OWNER_*, offloads, XDP, tc offload) to ensure Suricata does not miss packets or metadata?

  4. Any known limitations when running Suricata in a container on a DPU (metadata loss, checksum offload issues, timestamps, hardware steering)?

  5. What logs or outputs would be useful for you to evaluate the situation? (e.g., mlxfwmanager --query, ip link, ovs-vsctl show, dmesg, DOCA/kernel/Suricata versions).

Thanks in advance — any topology examples (commands or diagrams) would be extremely helpful.
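As an added illustration for the offload question (not part of the original post or any reply): before deciding whether to disable offloads, it helps to see which ones are actually on and which ethtool reports as `[fixed]` on the interface the container will capture from. The script below parses the `ethtool -k <iface>` text format and lists the offloads that commonly alter what a packet-capture IDS sees (GRO, LRO, TSO, GSO, VLAN stripping). The feature list is the editor's selection, and the sample output for p0 is constructed, not taken from a real BlueField.

```python
"""Parse `ethtool -k <iface>` output and report offloads that change what a
capture-based IDS such as Suricata sees on that interface.

Added example, not from the original post. The sample text below is
constructed to mimic the `ethtool -k` format; feature values are invented.
"""
import re
from typing import Dict, List, NamedTuple


class Feature(NamedTuple):
    state: str   # "on" or "off"
    fixed: bool  # True when ethtool prints "[fixed]" (driver will not let you change it)


# Offloads that merge, split or strip frames before the capture point.
# Editor's selection; the Suricata documentation gives similar advice.
IDS_SENSITIVE = (
    "generic-receive-offload",
    "large-receive-offload",
    "tcp-segmentation-offload",
    "generic-segmentation-offload",
    "rx-vlan-offload",
    "tx-vlan-offload",
)

# Matches lines such as "generic-receive-offload: on" or
# "\ttx-checksum-ipv4: off [fixed]"; the "Features for p0:" header does not match.
_LINE = re.compile(r"^\s*([a-z0-9-]+):\s*(on|off)(\s*\[fixed\])?\s*$")


def parse_ethtool_features(text: str) -> Dict[str, Feature]:
    """Return {feature_name: Feature} for every 'name: on|off [fixed]' line."""
    features: Dict[str, Feature] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            features[m.group(1)] = Feature(m.group(2), m.group(3) is not None)
    return features


def offloads_to_disable(features: Dict[str, Feature]) -> List[str]:
    """IDS-sensitive offloads that are on and can be switched off with `ethtool -K`."""
    return [n for n in IDS_SENSITIVE
            if n in features and features[n].state == "on" and not features[n].fixed]


def offloads_stuck_on(features: Dict[str, Feature]) -> List[str]:
    """IDS-sensitive offloads that are on but reported [fixed]: a hint that the
    capture point (PF vs representor vs SF) may need to change instead."""
    return [n for n in IDS_SENSITIVE
            if n in features and features[n].state == "on" and features[n].fixed]


# Constructed sample of what `ethtool -k p0` might print (values invented).
SAMPLE_P0 = """\
Features for p0:
rx-checksumming: on
tx-checksumming: on
\ttx-checksum-ipv4: off [fixed]
\ttx-checksum-ip-generic: on
scatter-gather: on
tcp-segmentation-offload: on
\ttx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on [fixed]
tx-vlan-offload: on
"""

if __name__ == "__main__":
    feats = parse_ethtool_features(SAMPLE_P0)
    print("can be disabled (ethtool -K p0 <feature> off):", offloads_to_disable(feats))
    print("on and [fixed] on this interface:", offloads_stuck_on(feats))
```

On a live system, feed it the real output (`ethtool -k p0`, and the same for p1 and the representor the container is attached to), since the offload state on a representor or SF can differ from the physical port; the `[fixed]` list is the part worth including in the diagnostics requested in question 5.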