Support #4506

PacketBypassCallback

Added by Roger Vulliez 4 months ago. Updated 4 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

Hello,

The PacketBypassCallback function (void PacketBypassCallback(Packet *p)) is called only once per stream. I checked that with a debugger. I think this is not normal: with stream bypass enabled, when the stream bypass is triggered all packets must be bypassed.

I use Suricata 6.0.1 (Debian package), with NFQ.


Files

suricata.yaml (72.7 KB), Roger Vulliez, 06/02/2021 01:20 PM

#1

Updated by Victor Julien 4 months ago

  • Tracker changed from Bug to Support

This works as designed. The purpose of the callback is to enable a bypass in the capture method. After this Suricata expects to no longer see packets for the flow.

#2

Updated by Roger Vulliez 4 months ago

Sorry, but how can Suricata ignore packets (local or capture mode) if the callback is only called once per flow? Shouldn't it be called for all packets of the flow?

#3

Updated by Jason Ish 4 months ago

Roger Vulliez wrote in #note-2:

Sorry, but how can Suricata ignore packets (local or capture mode) if the callback is only called once per flow? Shouldn't it be called for all packets of the flow?

No, the idea is that the capture method knows the details of the flow and no longer passes packets on that flow to Suricata anymore. One good example is a custom capture card that supports bypass. Suricata notifies the card of the flow it wants bypassed, the card will then track that flow and not send packets on that flow to Suricata, freeing up Suricata for other packets.
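The division of labour described above, as an added illustration that is not Suricata's own code: a toy "capture layer" keeps a table of bypassed 5-tuples, the toy "engine" asks for bypass once (the stand-in for PacketBypassCallback), and every later packet of that flow is dropped at the capture layer without reaching the engine. All names (FlowKey, capture_deliver, run_demo, the decision to bypass at the third packet) are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 5-tuple flow key; a real capture method would use its own. */
typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
} FlowKey;

typedef struct {
    FlowKey key;
    int     seq;   /* packet number within its flow, used for the demo decision */
} Packet;

#define MAX_BYPASS 64
static FlowKey bypass_table[MAX_BYPASS];   /* flows the capture layer owns now */
static int bypass_count = 0;

static int callback_calls = 0;   /* how often the engine requested a bypass */
static int engine_packets = 0;   /* how many packets the engine actually saw */

static bool key_equal(const FlowKey *a, const FlowKey *b) {
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port &&
           a->proto == b->proto;
}

/* A bypass entry covers both directions of the flow. */
static bool capture_is_bypassed(const FlowKey *k) {
    FlowKey rev = { k->dst_ip, k->src_ip, k->dst_port, k->src_port, k->proto };
    for (int i = 0; i < bypass_count; i++)
        if (key_equal(&bypass_table[i], k) || key_equal(&bypass_table[i], &rev))
            return true;
    return false;
}

/* Stand-in for the capture method's bypass hook (the role PacketBypassCallback
   plays in Suricata): the engine calls it once per flow, after which the
   capture layer is expected to stop delivering that flow's packets. */
static void capture_bypass_flow(const Packet *p) {
    callback_calls++;
    if (capture_is_bypassed(&p->key) || bypass_count >= MAX_BYPASS)
        return;
    bypass_table[bypass_count++] = p->key;
}

/* Toy engine: after inspecting the third packet it decides the flow can be bypassed. */
static void engine_process(const Packet *p) {
    engine_packets++;
    if (p->seq == 3)
        capture_bypass_flow(p);
}

/* Capture layer entry point. Returns true if the packet reached the engine,
   false if it was dropped at the capture layer because its flow is bypassed. */
static bool capture_deliver(const Packet *p) {
    if (capture_is_bypassed(&p->key))
        return false;
    engine_process(p);
    return true;
}

/* Number of bypass requests the engine made so far. */
int demo_callback_calls(void) { return callback_calls; }

/* Replays constructed traffic: 10 packets of flow A (direction alternating)
   and 2 packets of flow B. Returns how many packets reached the engine. */
int run_demo(void) {
    bypass_count = callback_calls = engine_packets = 0;
    FlowKey a = { 0x0A000001, 0x0A000002, 40000, 443, 6 };   /* 10.0.0.1 -> 10.0.0.2 */
    FlowKey b = { 0x0A000003, 0x0A000004, 40001, 80, 6 };    /* 10.0.0.3 -> 10.0.0.4 */
    int delivered = 0;
    for (int seq = 1; seq <= 10; seq++) {
        Packet p = { a, seq };
        if (seq % 2 == 0)   /* reverse direction for even-numbered packets */
            p.key = (FlowKey){ a.dst_ip, a.src_ip, a.dst_port, a.src_port, a.proto };
        delivered += capture_deliver(&p) ? 1 : 0;
    }
    for (int seq = 1; seq <= 2; seq++) {
        Packet p = { b, seq };
        delivered += capture_deliver(&p) ? 1 : 0;
    }
    return delivered;
}

int main(void) {
    int seen = run_demo();
    printf("engine saw %d packets, bypass requested %d time(s)\n", seen, demo_callback_calls());
    return 0;
}
```

Running it shows the behaviour the thread describes: the engine sees only the first three packets of flow A plus both packets of flow B, and the bypass hook fires exactly once, because after that the capture layer, not the engine, is the component that stops the flow. With NFQ the "capture layer" is the kernel's netfilter/conntrack, which is why the bypass has to be expressed as firewall rules rather than as further callback invocations.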

#4

Updated by Roger Vulliez 4 months ago

OK, I use NFQ. If I understand correctly only the first packet that has to be bypassed is marked (bypass-mark); in the firewall rules I have to copy this mark to the connection and not queue those packets to Suricata?

        # placeholder value: must match the nfq bypass-mark/bypass-mask in suricata.yaml
        define bypass_mark = 0x1

        chain output-ips {
                type filter hook output priority 1;

                # connections already marked as bypassed skip the queue entirely
                ct mark $bypass_mark accept
                queue num 0-1
        }

        chain output-ips-mark {
                type filter hook input priority 2;

                # copy the packet mark set by Suricata's verdict onto the conntrack entry
                ct mark set mark
        }

Same for input.

Another thing: I tried with iperf and it doesn't trigger a bypass, so I used wget to download a file, but in this article (https://www.stamus-networks.com/blog/2016/09/28/suricata-bypass-feature) it works. Do you have an idea?