Bug #2289
closedaf-packet bpf filtering failed to select multiple vlan
Description
Hello,
- intro
This issue is not related to Suricata but common to all tools using BPF (ex: tcpdump).
- problem
- we are receiving 8021q traffic on the interface on which suricata is listening
- we only want to inspect traffic on specific vlan
- using bpf (af-packet), we tried filtering on 'vlan X or vlan Y' and '(vlan X) or (vlan Y)' but neither worked
We are aware that the problem is due to the bpf code generation which writes it so that Y is supposed to be encapsulated in X. This is documented in several places, including [1]
Still writing this issue after discussing it w/ Eric Leblond @suricon, in case some (e)BPF-fu can solve this :)
[1] https://taosecurity.blogspot.ch/2008/12/bpf-for-ip-or-vlan-traffic.html
Updated by Eric Leblond over 6 years ago
My current eBPF branch has a eBPF filter dedicated to VLAN filtering: https://github.com/regit/suricata/blob/ebpf-4.0-v5/src/ebpf/vlan_filter.c
I still need to test it but it should implement what you want. Let me know if you need something more (like additional filtering).
Updated by Julien Bachmann about 6 years ago
Eric Leblond wrote:
My current eBPF branch has a eBPF filter dedicated to VLAN filtering: https://github.com/regit/suricata/blob/ebpf-4.0-v5/src/ebpf/vlan_filter.c
I still need to test it but it should implement what you want. Let me know if you need something more (like additional filtering).
Thanks for the documentation posted today/yesterday! I was actually looking back at this and wasn't sure how to use it :)
Updated by Eric Leblond over 5 years ago
Should we consider it as done as eBPF vlan_filter is in 4.1 and providing the feature ?
Updated by Victor Julien over 5 years ago
Eric can you point to the solution? Preferably a doc link.
Updated by Eric Leblond over 5 years ago
- Status changed from New to Resolved
Documentation can be found here: https://suricata.readthedocs.io/en/suricata-4.1.0/capture-hardware/ebpf-xdp.html#setup-ebpf-filter
Updated by Andreas Herz almost 5 years ago
- Status changed from Resolved to Closed