Bug #6588
openbridge 'ips' modes don't pass TCP traffic in virtual env
Description
Tested using:
Suricata version 8.0.0-dev (d005fff7b 2023-11-24)
Suricata version 7.0.3-dev (aae6beaa5 2023-11-22)
Suricata version 7.0.3-dev (c8a7204b1 2023-11-02)
In a Debian 12 Qemu VM using either e1000 or virtio NICs.
Test sensor has two detection NICs, straddling two virtual networks. Each virtual network has a VM, one acting as a client (10.1.11.1/16) and one acting as a server (10.1.12.1/16). I ran inetsim on the 'server'.
When attempting a TCP connection from client to server using any method it fails. The SYN packets from the server never make it back to the client. See attached pcaps.
Files
FT Updated by Francis Trudeau over 2 years ago
IPS did not pass traffic with or without pass rules:
pass ip any any <> any any (msg:"IP pass"; sid:3031; rev:1;)
pass tcp any any <> any any (msg:"TCP pass"; sid:3032; rev:1;)
FT Updated by Francis Trudeau over 2 years ago
related: https://redmine.openinfosecfoundation.org/issues/6587
As mentioned in the other bug, I am finding the same behavior using af-packet in tap and IPS mode.
LS Updated by Lukas Sismis over 2 years ago
Hi @ftrudeau,
have you tested the functionality with other capture modes as well?
Can't it be possible there is a configuration issue?
Sorry, ok, I followed your comments in other tickets and I see there is some underlying issue with the setup/Suricata. Considering it works neither with AFP or with DPDK it seems like the capture modules is not the one to blame.
FT Updated by Francis Trudeau over 2 years ago
Lukas Sismis wrote in #note-3:
Hi @ftrudeau,
have you tested the functionality with other capture modes as well?
Can't it be possible there is a configuration issue?
See this related bug:
https://redmine.openinfosecfoundation.org/issues/6587
If I create a bridge and use the same config file, except with '-i br0' instead of '--dpdk', I see detections.
This is also happening with '--af-packet'
VJ Updated by Victor Julien over 2 years ago
- Related to Bug #6587: bridge 'tap' modes don't alert on TCP protocol rules in virtual env added
PA Updated by Philippe Antoine 9 months ago
- Assignee changed from OISF Dev to Lukas Sismis
VJ Updated by Victor Julien 5 months ago
- Subject changed from DPDK 'ips' mode doesn't pass TCP traffic to bridge 'ips' modes don't pass TCP traffic in virtual env
- Assignee changed from Lukas Sismis to Community Ticket
These modes are generally functioning well on real hw, so it's unclear what is different in VM setups.
JI Updated by Jason Ish 5 months ago
I have not had issues using the e1000 virtual interfaces, and it's generally the solution others run into as well.
virtio is a known issue, ticket #5871.
An issue, even with e1000, is that offloads need to be disabled on the host as well as the virtual NIC, or at least in my experience, things begin to break.
I wonder if we can close this in favor of #5871?