af-packet ips: floods packets that should be learned
For testing I configured an IPS test box with 2 interfaces where the external interface had an IP address and the internal address did not. I then used af-packet in ips mode to create the bridge.
Packets seen on the external interface for the host's IP address are copied through to the internal interface. This was somewhat expected given what I knew about Suricata, but is not what is expected by someone more familiar with the Linux (or BSDs) ethernet bridging support.
Typically an ethernet bridge will have arp tables and learn which mac addresses are on each side of the interface, only "flooding" when it doesn't know what to do with a packet. This would prevent packets destined for the IPS host itself from being "flooded" out the other interface. This would be done by basically making an arp table within Suricata that knows on which side of the bridge MAC addresses live.
Of course this is not an issue when the 2 interfaces being bridged do not have IP addresses, as in that case you want it to behave more like a coupler.
I also wonder if STP (spanning tree protocol) should be investigated as well, as it's also supported and enabled by default in the built-in ethernet bridge modes in Linux and the BSDs.
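The learning-bridge behaviour contrasted with the "coupler" behaviour above, as an added example that is not part of the original report or of Suricata: a toy two-port bridge that learns which side each MAC lives on, floods only unknown destinations, and delivers frames addressed to the IPS host's own MAC locally instead of copying them out the other port. The port names, MAC addresses and frame dicts are constructed for the illustration.

```python
# Toy two-port MAC-learning bridge illustrating the forwarding decision the
# report describes. Added example, not Suricata code; the port names, MAC
# addresses and frame dicts below are constructed for the illustration.
BROADCAST = "ff:ff:ff:ff:ff:ff"
FLOOD, LOCAL, DROP = "flood", "local", "drop"


class LearningBridge:
    def __init__(self, ports, local_macs=()):
        self.ports = list(ports)
        self.local_macs = set(local_macs)  # MACs owned by the bridge host itself
        self.table = {}  # learned forwarding table: MAC -> ingress port

    def forward(self, frame, ingress):
        src, dst = frame["src"], frame["dst"]
        self.table[src] = ingress  # learn which side the sender lives on
        if dst in self.local_macs:
            return LOCAL  # for the IPS host itself: never copied out the other port
        if dst == BROADCAST or dst not in self.table:
            return FLOOD  # unknown destination: flood, as a real bridge would
        out = self.table[dst]
        return DROP if out == ingress else out  # same side: nothing to forward


def run(frames, local_macs=()):
    """Return the forwarding decision for each (ingress, frame) pair."""
    bridge = LearningBridge(["ext", "int"], local_macs)
    return [bridge.forward(f, port) for port, f in frames]


# Constructed traffic: host A behind "ext", host B behind "int", and EE is
# the IPS box's own MAC on the external interface.
A, B, EE = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:ee"
TRAFFIC = [
    ("ext", {"src": A, "dst": EE}),   # management traffic to the IPS host
    ("ext", {"src": A, "dst": B}),    # B not learned yet -> flood
    ("int", {"src": B, "dst": A}),    # A already learned on "ext"
    ("ext", {"src": A, "dst": B}),    # B now learned on "int"
]

if __name__ == "__main__":
    # With no local MACs the bridge behaves like a coupler and copies the
    # management frame through; with EE registered it is delivered locally.
    print("coupler (no local MACs):", run(TRAFFIC))
    print("learning bridge:        ", run(TRAFFIC, local_macs={EE}))
```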
Updated by Jason Ish about 1 year ago
Just a thought: with learning and implementing a bridge more feature-complete relative to Linux's bridge, you could group multiple interfaces into the bridge, and do IPS on something that resembles a "switch", such as on a piece of hardware with multiple ports.