Push LXC

  • Updated on Apr 22, 2025
  • Published on Apr 22, 2025
  • 7 minute(s) read
  • aA
 Prev Next

Push LXC works in a similar way to the Push PCAP core functionality. The difference is, instead of writing .pcap files it writes data into the LXC Ring only, allowing the LXC Container to process the data how it wants.

https://docs.fmad.io/docs/fmadio-os-internal-fmadio-ring

Creating a push all traffic into the LXC

Step 1) Create the push LXC

Start by creating a push lxc target. In this case we are pushing to a Suricata instance. The command is shown below

fmadiocli "config push lxc add suricata"

Example output shown below

fmadio@fmadio20v4-733-pro:~$ fmadiocli "config push lxc add suricata"
fmad fmadlua Apr 22 2025 (/opt/fmadio/bin/fmadiolua --nocal /opt/fmadio/bin/fmadiocli config push lxc add suricata )
Disable cycle calibration
[Tue Apr 22 15:14:23 2025] CmdLine [config push lxc add suricata]
[Tue Apr 22 15:14:23 2025] Cmd [config push lxc add suricata ]
Failed to load push config
[Tue Apr 22 15:14:23 2025] New Push LXC target [/opt/fmadio/queue/lxc_suricata]
done 0.021184Sec 0.000353Min
fmadio@fmadio20v4-733-pro:~$

This creates a push config file in

/opt/fmadio/etc/push_lxc.lua

Step 2) Enable 24/7 Push

Using the FMADIO GUI on the CONFIG page, create a new entry

push_lxc

As shown below

Enable all days of the week so it runs 24/7

Step 3) Create a BPF filter (Optional)

Optionally add a BPF filter to what data gets sent to the LXC Ring

fmadiocli "config push lxc filter-bpf suricata \"not vlan 4091\""

Example output below

fmadio@fmadio20v4-733-pro:~$  fmadiocli "config push lxc filter-bpf suricata \"not vlan 4091\""
fmad fmadlua Apr 22 2025 (/opt/fmadio/bin/fmadiolua --nocal /opt/fmadio/bin/fmadiocli config push lxc filter-bpf suricata "not vlan 4091" )
Disable cycle calibration
[Tue Apr 22 15:33:09 2025] CmdLine [config push lxc filter-bpf suricata "not vlan 4091"]
[Tue Apr 22 15:33:09 2025] Cmd [config push lxc filter-bpf suricata "not vlan 4091" ]
[Tue Apr 22 15:33:09 2025] Set LXC target [/opt/fmadio/queue/lxc_suricata] filter bpf to (not vlan 4091)
done 0.006556Sec 0.000109Min
fmadio@fmadio20v4-733-pro:~$

Then confirm the filter is valid by checking the status

fmadiocli "show push lxc status"

Example output

fmadio@fmadio20v4-733-pro:~$ fmadiocli "show push lxc status"
fmad fmadlua Apr 22 2025 (/opt/fmadio/bin/fmadiolua --nocal /opt/fmadio/bin/fmadiocli show push lxc status )
Disable cycle calibration
[Tue Apr 22 15:18:24 2025] CmdLine [show push lxc status]
[Tue Apr 22 15:18:24 2025] Cmd [show push lxc status ]
[Tue Apr 22 15:18:24 2025]
[Tue Apr 22 15:18:24 2025] Ring name                                       : Enable :       From : Description                    : Filter Frame         : Filter BPF
[Tue Apr 22 15:18:24 2025] ------------------------------------------------+--------+------------+--------------------------------+----------------------+-----------------------------------------------------------------
[Tue Apr 22 15:33:58 2025] suricata                                        :   true :        now :                                :                      : not vlan 4091
[Tue Apr 22 15:18:24 2025] ------------------------------------------------+--------+------------+--------------------------------+----------------------+-----------------------------------------------------------------
[Tue Apr 22 15:18:24 2025]
fmadio@fmadio20v4-733-pro:~$

Step 4) Enable the Push

By default Push LXC is disabled, to allow time to configure it before sending data downstream. This can be seen using

fmadiocli "show push lxc status"

In this case we see that “Enable” is set to false per below

Enable it by running

fmadiocli "config push lxc enable suricata"

Example output shown below

fmadio@fmadio20v4-733-pro:~$ fmadiocli "config push lxc enable suricata"
fmad fmadlua Apr 22 2025 (/opt/fmadio/bin/fmadiolua --nocal /opt/fmadio/bin/fmadiocli config push lxc enable suricata )
Disable cycle calibration
[Tue Apr 22 15:25:48 2025] CmdLine [config push lxc enable suricata]
[Tue Apr 22 15:25:48 2025] Cmd [config push lxc enable suricata ]
[Tue Apr 22 15:25:48 2025] Set LXC target [/opt/fmadio/queue/lxc_suricata] Enable
done 0.005407Sec 0.000090Min
fmadio@fmadio20v4-733-pro:~$

Step 4) Restart the Push LXC

Restart the push LXC using the following command

fmadiocli "config push lxc restart"

This both restarts the LXC push and also verifies the configuration file is good. It may take up to 120sec for the operation to complete.

Example output shown below

fmadio@fmadio20v4-733-pro:~$ fmadiocli "config push lxc restart"
fmad fmadlua Apr 22 2025 (/opt/fmadio/bin/fmadiolua --nocal /opt/fmadio/bin/fmadiocli config push lxc restart )
Disable cycle calibration
[Tue Apr 22 15:19:17 2025] CmdLine [config push lxc restart]
[Tue Apr 22 15:19:17 2025] Cmd [config push lxc restart ]
Killing 65143 {push_lxc.lua}
[Tue Apr 22 15:19:17 2025] Resetting ring /opt/fmadio/queue/lxc_suricata
[Tue Apr 22 15:19:17 2025]     cycle calibration disabled
[Tue Apr 22 15:19:17 2025]     RING reset
[Tue Apr 22 15:19:17 2025]     RING file [/opt/fmadio/queue/lxc_suricata]
[Tue Apr 22 15:19:17 2025]     null  output
[Tue Apr 22 15:19:17 2025]     RING[/opt/fmadio/queue/lxc_suricata                    ] Size   : 12595200 16777216
[Tue Apr 22 15:19:17 2025]     RING[/opt/fmadio/queue/lxc_suricata                    ] Version:      100      100
[Tue Apr 22 15:19:17 2025]     RING[/opt/fmadio/queue/lxc_suricata                    ] Put:0 0 0x7f2291a60000
[Tue Apr 22 15:19:17 2025]     RING[/opt/fmadio/queue/lxc_suricata                    ] Get:0 0 0x7f2291a61000
wait for respawn 0/120
wait for respawn 1/120
wait for respawn 2/120
wait for respawn 3/120
wait for respawn 4/120
wait for respawn 5/120
.
.
.
wait for respawn 42/120
wait for respawn 43/120
wait for respawn 44/120
process respawned
done 45.515430Sec 0.758591Min
fmadio@fmadio20v4-733-pro:~$

At this point packets captured should be flowing into the LXC ring.

Debugging

First thing to check is are packets going into the LXC Ring. Best way to do that is

fmadiocli "show ring status"

Example output shown below

fmadio@fmadio20v4-733-pro:~$ fmadiocli "show ring status"
fmad fmadlua Apr 22 2025 (/opt/fmadio/bin/fmadiolua --nocal /opt/fmadio/bin/fmadiocli show ring status )
Disable cycle calibration
[Tue Apr 22 15:22:22 2025] CmdLine [show ring status]
[Tue Apr 22 15:22:22 2025] Cmd [show ring status ]
[Tue Apr 22 15:22:22 2025] Name                                     : Path                                                         :     Status :          Pkt Put :          Pkt Get : Pkt Queued : Desc
[Tue Apr 22 15:22:22 2025] -----------------------------------------+--------------------------------------------------------------+------------+------------------+------------------+------------+------------------------------------
[Tue Apr 22 15:22:22 2025] lxc_fshark2                              : /opt/fmadio/queue/lxc_fshark2                                :     online :                0 :                0 :          0 :
[Tue Apr 22 15:22:22 2025] lxc_suricata                             : /opt/fmadio/queue/lxc_suricata                               :     online :                0 :                0 :          0 :
[Tue Apr 22 15:22:22 2025] -----------------------------------------+--------------------------------------------------------------+------------+------------------+------------------+------------+------------------------------------
done 0.024045Sec 0.000401Min
fmadio@fmadio20v4-733-pro:~$

In this example we see 0 packets going in(Put) and 0 packets going out (Get) of the suricata ring.

Correct operation looks like below. In this example the Put and Get counters are constantly increasing, showing both Push (Producer) and LXC Application (Consumer) is ingesting the data.

fmadio@fmadio20v4-733-pro:~$ fmadiocli "show ring status"
fmad fmadlua Apr 22 2025 (/opt/fmadio/bin/fmadiolua --nocal /opt/fmadio/bin/fmadiocli show ring status )
Disable cycle calibration
[Tue Apr 22 15:28:05 2025] CmdLine [show ring status]
[Tue Apr 22 15:28:05 2025] Cmd [show ring status ]
[Tue Apr 22 15:28:05 2025] Name                                     : Path                                                         :     Status :          Pkt Put :          Pkt Get : Pkt Queued : Desc
[Tue Apr 22 15:28:05 2025] -----------------------------------------+--------------------------------------------------------------+------------+------------------+------------------+------------+------------------------------------
[Tue Apr 22 15:28:05 2025] lxc_fshark2                              : /opt/fmadio/queue/lxc_fshark2                                :     online :                0 :                0 :          0 :
[Tue Apr 22 15:28:05 2025] lxc_suricata                             : /opt/fmadio/queue/lxc_suricata                               :     online :          286,717 :          286,717 :          0 :
[Tue Apr 22 15:28:05 2025] -----------------------------------------+--------------------------------------------------------------+------------+------------------+------------------+------------+------------------------------------
done 0.025633Sec 0.000427Min

Reference

Basic VLAN filter

Below is an reference configuration for pushing VLAN 2 traffic only into the suricata FMADIO Ring buffer.

local Config = {}

Config.Target = {}

Config.Target["suricata"] =
{
    ["Enable"]     = true,
    ["Mode"]       = "LXC",
    ["Path"]       = "/opt/fmadio/queue/lxc_suricata",
    ["Desc"]       = "",
    ["CPU"]             = nil,
    ["FollowStart"]= false,
    ["FilterBPF"]  = "vlan 2",
    ["FilterFrame"]  = "",
    ["Decap"]  = nil,
}
return Config