Support #4506
closedPacketBypassCallback
Description
Hello,
The PacketBypassCallback function (void PacketBypassCallback(Packet *p)) called only one time per stream. I check that with debugger. I think is not normal, with the stream bypass enabled, when the stream bypass triggered all packets must be bypassed.
I use suricata 6.0.1 (debian package), with NFQ.
Files
Updated by Victor Julien almost 3 years ago
- Tracker changed from Bug to Support
This works as designed. The purpose of the callback is to enable a bypass in the capture method. After this Suricata expects to no longer see packets for the flow.
Updated by Roger Vulliez almost 3 years ago
Sorry, but how suricata can ignore packets (local or capture mode) if the callback is only call once per flow. It souldn't be called for all packets of flow ?
Updated by Jason Ish almost 3 years ago
Roger Vulliez wrote in #note-2:
Sorry, but how suricata can ignore packets (local or capture mode) if the callback is only call once per flow. It souldn't be called for all packets of flow ?
No, the idea is that the capture method knows the details of the flow and no longer passes packets on that flow to Suricata anymore. One good example is a custom capture card that supports bypass. Suricata notifies the card of the flow it wants bypassed, the card will then track that flow and not send packets on that flow to Suricata, freeing up Suricata for other packets.
Updated by Roger Vulliez almost 3 years ago
OK, I use NFQ, if I understand correctly only the first packet have to be bypassed is marked (bypass-mark), in firawall rules I have to copy this mark to connection and no queueing those pakects to suricata ?
chain output-ips{
type filter hook output priority 1;
ct mark *bypass-mark* accept
queue 0-1
}
chain output-ips-mark{
type filter hook input priority 2;
ct mark set mark
}
Same for input.
Another thing, I tried with iperf and it doesn't trigger a bypass, so I use wget to download a file, but in this article (https://www.stamus-networks.com/blog/2016/09/28/suricata-bypass-feature) it works. Do you have an idea?
Updated by Andreas Herz about 2 years ago
- Status changed from New to Assigned
- Assignee set to Roger Vulliez
Does it work with wget and only the iperf traffic does not work?
Updated by Victor Julien about 2 years ago
- Status changed from Assigned to Feedback
Updated by Philippe Antoine 11 months ago
- Status changed from Feedback to Closed
Closing as waiting for feedback. Feel free to reopen with more info