Bug #6588
open
bridge 'ips' modes don't pass TCP traffic in virtual env
Added by Francis Trudeau almost 2 years ago.
Updated 19 days ago.
Description
Tested using:
Suricata version 8.0.0-dev (d005fff7b 2023-11-24)
Suricata version 7.0.3-dev (aae6beaa5 2023-11-22)
Suricata version 7.0.3-dev (c8a7204b1 2023-11-02)
In a Debian 12 Qemu VM using either e1000 or virtio NICs.
Test sensor has two detection NICs, straddling two virtual networks. Each virtual network has a VM, one acting as a client (10.1.11.1/16) and one acting as a server (10.1.12.1/16). I ran inetsim on the 'server'.
When attempting a TCP connection from client to server using any method it fails. The SYN packets from the server never make it back to the client. See attached pcaps.
Files
Related issues
2 (2 open — 0 closed)
IPS did not pass traffic with or without pass rules:
pass ip any any <> any any (msg:"IP pass"; sid:3031; rev:1;)
pass tcp any any <> any any (msg:"TCP pass"; sid:3032; rev:1;)
Hi @ftrudeau,
have you tested the functionality with other capture modes as well?
Can't it be possible there is a configuration issue?
Sorry, ok, I followed your comments in other tickets and I see there is some underlying issue with the setup/Suricata. Considering it works neither with AFP or with DPDK it seems like the capture modules is not the one to blame.
Lukas Sismis wrote in #note-3:
Hi @ftrudeau,
have you tested the functionality with other capture modes as well?
Can't it be possible there is a configuration issue?
See this related bug:
https://redmine.openinfosecfoundation.org/issues/6587
If I create a bridge and use the same config file, except with '-i br0' instead of '--dpdk', I see detections.
This is also happening with '--af-packet'
- Related to Bug #6587: bridge 'tap' modes don't alert on TCP protocol rules in virtual env added
- Assignee changed from OISF Dev to Lukas Sismis
- Subject changed from DPDK 'ips' mode doesn't pass TCP traffic to bridge 'ips' modes don't pass TCP traffic in virtual env
- Assignee changed from Lukas Sismis to Community Ticket
These modes are generally functioning well on real hw, so it's unclear what is different in VM setups.
- Related to Bug #5871: ips/af-packet: doesn't work between 2 virtio devices added
I have not had issues using the e1000 virtual interfaces, and it's generally the solution others run into as well.
virtio is a known issue, ticket #5871.
An issue, even with e1000, is that offloads need to be disabled on the host as well as the virtual NIC, or at least in my experience, things begin to break.
I wonder if we can close this in favor of #5871?
Also available in: Atom
PDF