Bug #5771

open

xdp: Flows with nested VLANs are not bypassed by XDP filter

Added by Lukas Sismis over 2 years ago. Updated 19 days ago.

Status:
Feedback
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Even though the eBPF (XDP) and Suricata structures are ready to handle nested VLANs (VLAN in VLAN), after my testing all packets were passed to Suricata.

I've found this when trying out TLS bypass - bypass TLS flow after TLS handshake. I am attaching a single TLS stream where after adding a VLAN all packets are forwarded to Suricata even though they should be bypassed after the handshake (after ~23 packets).


Files

shmu-tls-vlan-stream.pcap (439 KB) shmu-tls-vlan-stream.pcap Lukas Sismis, 01/02/2023 09:10 AM
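To make concrete what the XDP filter has to get right before a bypass of a tagged flow can work at all, here is an added C example (not Suricata's xdp_filter.c and not code from this ticket) that parses Ethernet frames carrying zero, one or two VLAN tags and extracts the IPv4/TCP key a bypass map would be looked up with. The struct and function names, the two-tag limit, and the choice to carry the VLAN ids alongside the 5-tuple are assumptions made for this example; the sample frames are constructed inline.

```c
#include <assert.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Suricata's xdp_filter.c: walk an Ethernet frame,
 * skip up to MAX_VLAN_DEPTH 802.1Q/802.1ad tags, and build the IPv4/TCP key a
 * bypass map would be looked up with.  All names here are hypothetical. */

#define ETH_P_IP       0x0800
#define ETH_P_8021Q    0x8100
#define ETH_P_8021AD   0x88A8
#define MAX_VLAN_DEPTH 2        /* assumption: two nested tags, as the issue describes */

struct flow_key {
    uint32_t src_ip, dst_ip;            /* host byte order */
    uint16_t src_port, dst_port;
    uint16_t vlan_id[MAX_VLAN_DEPTH];   /* outer first; 0 when absent (assumed layout) */
    uint8_t  proto;
    uint8_t  vlan_depth;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Returns 0 and fills *out, or -1 when the frame is short, not IPv4/TCP, or
 * tagged deeper than the filter handles.  On -1 a filter must pass the packet
 * up unchanged: mis-keying it would make every map lookup miss, which is the
 * "nothing is bypassed" symptom. */
int parse_flow_key(const uint8_t *pkt, size_t len, struct flow_key *out)
{
    size_t off = 14;                         /* dst MAC + src MAC + ethertype */
    if (len < off) return -1;
    memset(out, 0, sizeof *out);
    uint16_t ethtype = rd16(pkt + 12);
    while (ethtype == ETH_P_8021Q || ethtype == ETH_P_8021AD) {
        if (out->vlan_depth == MAX_VLAN_DEPTH || len < off + 4) return -1;
        out->vlan_id[out->vlan_depth++] = rd16(pkt + off) & 0x0fff; /* TCI minus PCP/DEI */
        ethtype = rd16(pkt + off + 2);       /* ethertype following this tag */
        off += 4;
    }
    if (ethtype != ETH_P_IP || len < off + 20) return -1;
    const uint8_t *ip = pkt + off;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6 || len < off + ihl + 4) return -1;
    const uint8_t *tcp = ip + ihl;
    out->src_ip = rd32(ip + 12);  out->dst_ip = rd32(ip + 16);
    out->src_port = rd16(tcp);    out->dst_port = rd16(tcp + 2);
    out->proto = 6;
    return 0;
}

/* Build a constructed frame: Ethernet, nvlan tags (802.1ad outer, 802.1Q
 * inner, VIDs 100, 101, ...), a minimal IPv4 header and a TCP header to 443. */
size_t build_frame(uint8_t *buf, size_t cap, int nvlan)
{
    size_t need = 14 + 4 * (size_t)nvlan + 40;
    if (nvlan < 0 || cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 0x02; buf[5] = 0x01;            /* locally administered dst MAC */
    buf[6] = 0x02; buf[11] = 0x02;           /* locally administered src MAC */
    size_t off = 12;
    for (int i = 0; i < nvlan; i++) {
        wr16(buf + off, (i < nvlan - 1) ? ETH_P_8021AD : ETH_P_8021Q);
        wr16(buf + off + 2, (uint16_t)(100 + i));
        off += 4;
    }
    wr16(buf + off, ETH_P_IP); off += 2;
    uint8_t *ip = buf + off;
    ip[0] = 0x45; wr16(ip + 2, 40); ip[8] = 64; ip[9] = 6;
    wr32(ip + 12, 0x0A000001); wr32(ip + 16, 0x0A000002);   /* 10.0.0.1 -> 10.0.0.2 */
    uint8_t *tcp = ip + 20;
    wr16(tcp, 40000); wr16(tcp + 2, 443); tcp[12] = 0x50;   /* data offset 5 */
    return need;
}

/* Helpers that build a frame with nvlan tags and report what the parser saw. */
int demo_vlan_depth(int nvlan)
{
    uint8_t buf[128]; struct flow_key k;
    size_t n = build_frame(buf, sizeof buf, nvlan);
    return (n && parse_flow_key(buf, n, &k) == 0) ? k.vlan_depth : -1;
}
int demo_dst_port(int nvlan)
{
    uint8_t buf[128]; struct flow_key k;
    size_t n = build_frame(buf, sizeof buf, nvlan);
    return (n && parse_flow_key(buf, n, &k) == 0) ? k.dst_port : -1;
}
int demo_vid(int nvlan, int idx)
{
    uint8_t buf[128]; struct flow_key k;
    size_t n = build_frame(buf, sizeof buf, nvlan);
    return (n && parse_flow_key(buf, n, &k) == 0 && idx < MAX_VLAN_DEPTH) ? k.vlan_id[idx] : -1;
}
/* 1 when the 5-tuple of a tagged frame equals that of the untagged one. */
int demo_key_matches_untagged(int nvlan)
{
    uint8_t a[128], b[128]; struct flow_key ka, kb;
    if (parse_flow_key(a, build_frame(a, sizeof a, 0), &ka) != 0) return 0;
    if (parse_flow_key(b, build_frame(b, sizeof b, nvlan), &kb) != 0) return 0;
    return ka.src_ip == kb.src_ip && ka.dst_ip == kb.dst_ip && ka.proto == kb.proto &&
           ka.src_port == kb.src_port && ka.dst_port == kb.dst_port;
}

int main(void)
{
    for (int n = 0; n <= 3; n++)
        printf("tags=%d depth=%d dst_port=%d\n", n, demo_vlan_depth(n), demo_dst_port(n));
    return 0;
}
```

The three-tag frame is rejected rather than parsed, which is the safe outcome: a filter that instead read the tag bytes as the start of the IP header would compute a key Suricata never inserted, so no packet of the flow would ever match the bypass map and all of them would keep arriving in userspace, which is the symptom this ticket reports.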
Actions #1

Updated by Lukas Sismis over 2 years ago

  • Subject changed from xdp: Flows with nested VLANs are not bypassed to xdp: Flows with nested VLANs are not bypassed by XDP filter
Actions #2

Updated by Lukas Sismis over 2 years ago

  • Description updated (diff)
Actions #3

Updated by Philippe Antoine 20 days ago

Is this still the case in 8 ?

Actions #4

Updated by Philippe Antoine 19 days ago

  • Status changed from New to Feedback

Seems to be working for me:

Using a rule `alert tls any any -> any any (sid: 43; bypass;)` and your pcap I get no tls event and
```
"flow_bypassed": {
"local_pkts": 0,
"local_bytes": 0,
"local_capture_pkts": 65,
"local_capture_bytes": 27835,
```

and without using the rule, I get the tls event and zeroes in stats bypass
