PF_RING as a Plugin

Suricata 8.0 moves PF_RING support to a dynamically loaded plugin. For convenience, this plugin is still bundled with Suricata, but it may be removed from the Suricata source tree into its own repository in a future release.

Upgrading

Suricata 8.0 continues to respect the --enable-pfring compile time option, as well as the --pfring* command line options, and also the pfring section of the configuration file.

Note

When the PF_RING plugin is eventually removed from the Suricata source tree these options may be removed and/or changed as this would allow the PF_RING plugin to have its own release cycle and make changes independent of Suricata.

However, the pfring plugin must be loaded before it can be used. If doing a fresh build of Suricata with PF_RING support, the suricata.yaml configuration file should be configured to load the plugin already, for example:

plugins:
  - /usr/lib/suricata/pfring.so

If you are upgrading, you will need to add the location of pfring.so to the plugins section of your suricata.yaml manually.

Then your existing PF_RING command line options and configuration should continue to work.

Caveats

Currently builing the PF_RING plugin is not compatible with the --disable-shared configure argument.