Support #4506
closed
Added by Roger Vulliez almost 3 years ago.
Updated 11 months ago.
Description
Hello,
The PacketBypassCallback function (void PacketBypassCallback(Packet *p)) is called only once per stream. I checked that with a debugger. I think this is not normal; with stream bypass enabled, once the stream bypass is triggered, all packets must be bypassed.
I use Suricata 6.0.1 (Debian package), with NFQ.
- Tracker changed from Bug to Support
This works as designed. The purpose of the callback is to enable a bypass in the capture method. After this Suricata expects to no longer see packets for the flow.
Sorry, but how can Suricata ignore packets (local or capture mode) if the callback is only called once per flow? Shouldn't it be called for all packets of the flow?
Roger Vulliez wrote in #note-2:
Sorry, but how can Suricata ignore packets (local or capture mode) if the callback is only called once per flow? Shouldn't it be called for all packets of the flow?
No, the idea is that the capture method knows the details of the flow and no longer passes packets on that flow to Suricata anymore. One good example is a custom capture card that supports bypass. Suricata notifies the card of the flow it wants bypassed, the card will then track that flow and not send packets on that flow to Suricata, freeing up Suricata for other packets.
OK, I use NFQ. If I understand correctly, only the first packet that has to be bypassed is marked (bypass-mark); in the firewall rules I have to copy this mark to the connection and not queue those packets to Suricata?
table inet filter {
	# must match nfq.bypass-mark / bypass-mask in suricata.yaml
	define bypass_mark = 0x1

	chain output-ips {
		type filter hook output priority 1; policy accept;
		# flows Suricata already asked to bypass skip the queue
		ct mark $bypass_mark accept
		queue num 0-1
	}

	chain output-ips-mark {
		type filter hook output priority 2; policy accept;
		# after the verdict, copy the packet mark Suricata set into the conntrack entry
		ct mark set mark
	}
}
Same for input.
Another thing: I tried with iperf and it doesn't trigger a bypass, so I used wget to download a file, but in this article (https://www.stamus-networks.com/blog/2016/09/28/suricata-bypass-feature) it works. Do you have an idea?
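The mechanism described in the replies above (Suricata marks one packet via the bypass callback, the firewall copies that mark to the connection and stops queueing the flow) as an added toy model. This is not Suricata or nftables code; it assumes a bypass mark of 0x1, a made-up byte threshold standing in for Suricata's own bypass trigger, and a dictionary in place of conntrack. It shows why a callback that fires once per flow is enough: everything after it is the capture side's job.

```python
# Added model of the NFQ bypass flow discussed in this ticket (not Suricata code).
# Assumptions: bypass mark 0x1, a fake engine that requests bypass once a flow has
# carried BYPASS_AFTER_BYTES, and a dict standing in for the conntrack table.
from dataclasses import dataclass, field

BYPASS_MARK = 0x1          # assumed; must equal nfq.bypass-mark in suricata.yaml
BYPASS_AFTER_BYTES = 3000  # toy threshold, not Suricata's real trigger logic


@dataclass
class Packet:
    flow: tuple          # (src, sport, dst, dport, proto)
    size: int
    mark: int = 0        # skb mark; the engine sets it when it wants bypass


@dataclass
class FakeSuricata:
    """Engine side: tracks flows and calls the bypass callback once per flow."""
    seen_bytes: dict = field(default_factory=dict)
    callback_calls: dict = field(default_factory=dict)
    inspected: int = 0

    def packet_bypass_callback(self, p):
        # NFQ capture method: ask for bypass by marking this one packet
        self.callback_calls[p.flow] = self.callback_calls.get(p.flow, 0) + 1
        p.mark = BYPASS_MARK

    def handle(self, p):
        self.inspected += 1
        total = self.seen_bytes.get(p.flow, 0) + p.size
        self.seen_bytes[p.flow] = total
        if total >= BYPASS_AFTER_BYTES and p.flow not in self.callback_calls:
            self.packet_bypass_callback(p)
        return "accept"


@dataclass
class FakeNetfilter:
    """Capture side: the two chains from the ruleset in this ticket."""
    engine: FakeSuricata
    ct_mark: dict = field(default_factory=dict)  # toy conntrack mark table
    queued: int = 0

    def process(self, p):
        # chain at priority 1: "ct mark <bypass> accept" then "queue 0-1"
        if self.ct_mark.get(p.flow, 0) & BYPASS_MARK:
            return "accept-bypassed"
        self.queued += 1
        verdict = self.engine.handle(p)
        # chain at priority 2, after the verdict: "ct mark set mark"
        if p.mark:
            self.ct_mark[p.flow] = p.mark
        return verdict


def run(n_packets, pkt_size):
    """Push n_packets of one constructed flow through the model and summarise."""
    nf = FakeNetfilter(FakeSuricata())
    flow = ("10.0.0.1", 40000, "10.0.0.2", 80, "tcp")  # constructed sample flow
    verdicts = [nf.process(Packet(flow, pkt_size)) for _ in range(n_packets)]
    return {
        "queued": nf.queued,
        "callback_calls": nf.engine.callback_calls.get(flow, 0),
        "bypassed": verdicts.count("accept-bypassed"),
    }


if __name__ == "__main__":
    print(run(10, 1000))
```

With ten 1000-byte packets the engine sees the first three, the callback fires exactly once on the third, and the remaining seven never reach the queue because the connection mark now matches before the queue rule. If the priority-2 chain were missing, every packet would still be queued even though the callback had run, which is the situation the original question describes.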
- Status changed from New to Assigned
- Assignee set to Roger Vulliez
Does it work with wget and only the iperf traffic does not work?
- Status changed from Assigned to Feedback
- Status changed from Feedback to Closed
Closing as waiting for feedback. Feel free to reopen with more info