PF_RING as a Plugin
Suricata 8.0 moves PF_RING support to a dynamically loaded plugin. For convenience, this plugin is still bundled with Suricata, but it may be removed from the Suricata source tree into its own repository in a future release.
Upgrading
Suricata 8.0 continues to respect the --enable-pfring
compile time
option, as well as the --pfring*
command line options, and also
the pfring
section of the configuration file.
Note
When the PF_RING plugin is eventually removed from the Suricata source tree these options may be removed and/or changed as this would allow the PF_RING plugin to have its own release cycle and make changes independent of Suricata.
However, the pfring
plugin must be loaded before it can be
used. If doing a fresh build of Suricata with PF_RING support, the
suricata.yaml
configuration file should be configured to load the
plugin already, for example:
plugins:
- /usr/lib/suricata/pfring.so
If you are upgrading, you will need to add the location of
pfring.so
to the plugins
section of your suricata.yaml
manually.
Then your existing PF_RING command line options and configuration should continue to work.
Caveats
Currently builing the PF_RING plugin is not compatible with the
--disable-shared
configure argument.