Bug #4214

open

Honor vlan: use-for-tracking in ebpf maps

Added by Odin Jenseg almost 2 years ago. Updated 9 months ago.

Status: In Review
Priority: Normal

Description

In XDP and EBPF filters, it is possible to "disable" vlan used for tracking, but Suricata does not honor this config when adding keys to EBPF maps.

Will provide PR.

Actions #2

Updated by Odin Jenseg almost 2 years ago

On second thought, it might make more sense to remove VLAN_TRACKING in https://github.com/OISF/suricata/tree/master/ebpf?

Actions #3

Updated by Eric Leblond almost 2 years ago

Odin Jenseg wrote in #note-2:

On second thought, it might make more sense to remove VLAN_TRACKING in https://github.com/OISF/suricata/tree/master/ebpf?

We may have some cases where vlan could be used to differentiate IP addresses.

IMO, it would make sense to have a version of the eBPF filter that does not contain the fields so we can spare some memory and computation. Problem is that Suricata would need to send two different sets of keys in the eBPF calls. It should be doable but it will increase a bit more the complexity of the code.

Actions #4

Updated by Odin Jenseg over 1 year ago

Agreed, it makes more sense to be able to do this. Would it make sense with my PR to not include VLAN tags in the key if vlan use for tracking is disabled in Suricata?

If I understand the code correctly now, vlan is still used as an ebpf key if vlan use for tracking is disabled in Suricata, which makes the VLAN_TRACKING flag not usable in EBPF/XDP filters.

Actions #5

Updated by Philippe Antoine 9 months ago

  • Status changed from New to In Review

Actions #6

Updated by Philippe Antoine 9 months ago

  • Target version set to 7.0rc1
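
The key mismatch discussed in this thread, as an added example that is not Suricata's code and not part of the original issue: a simplified C model in which a map lookup compares key bytes, so an entry keyed with VLAN ids is never found by a side that leaves those fields zero. The struct layout and the names `toy_map`, `make_key` and `bypass_hits` are hypothetical, and the packet values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flow key: 5-tuple plus two VLAN ids, no implicit padding. */
struct flow_key {
    uint32_t src, dst;
    uint16_t sport, dport, vlan0, vlan1;
    uint8_t proto, pad[3];
};
struct pkt { uint32_t src, dst; uint16_t sport, dport, vlan0, vlan1; uint8_t proto; };

/* Toy stand-in for a hash map: keys match only if every byte is equal. */
struct toy_map { struct flow_key keys[8]; int used; };

static void map_insert(struct toy_map *m, const struct flow_key *k) {
    if (m->used < 8) m->keys[m->used++] = *k;
}
static int map_lookup(const struct toy_map *m, const struct flow_key *k) {
    for (int i = 0; i < m->used; i++)
        if (memcmp(&m->keys[i], k, sizeof(*k)) == 0) return 1;
    return 0;
}

/* Build a key; with VLAN tracking off the VLAN fields stay zero. */
static struct flow_key make_key(const struct pkt *p, int vlan_tracking) {
    struct flow_key k;
    memset(&k, 0, sizeof(k));
    k.src = p->src; k.dst = p->dst;
    k.sport = p->sport; k.dport = p->dport; k.proto = p->proto;
    if (vlan_tracking) { k.vlan0 = p->vlan0; k.vlan1 = p->vlan1; }
    return k;
}

/* 1 if the entry written by the userspace side is found by the filter side. */
static int bypass_hits(int user_tracks_vlan, int filter_tracks_vlan) {
    struct toy_map m;
    memset(&m, 0, sizeof(m));
    struct pkt p = { 0x0a000001, 0x0a000002, 40000, 443, 100, 0, 6 }; /* constructed */
    struct flow_key uk = make_key(&p, user_tracks_vlan);
    map_insert(&m, &uk);
    struct flow_key fk = make_key(&p, filter_tracks_vlan);
    return map_lookup(&m, &fk);
}

int main(void) {
    printf("both track VLAN: %d\n", bypass_hits(1, 1));
    printf("userspace tracks, filter does not: %d\n", bypass_hits(1, 0));
    printf("neither tracks: %d\n", bypass_hits(0, 0));
    return 0;
}
```

The lookup only succeeds when both sides agree on whether the VLAN fields are populated; on untagged traffic (VLAN id 0) the disagreement would not show.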