Suricata

Bisected it to:

7e725c650d7d73814c1572ac8db48814b1c89333 is the first bad commit
commit 7e725c650d7d73814c1572ac8db48814b1c89333
Author: Philippe Antoine <contact@catenacyber.fr>
Date:   Thu Apr 28 09:49:38 2022 +0200

    flow: optionally use livedev for hash

    So that in a setup with different interfaces capturing different
    networks, flows do not get mixed up

    Ticket: #5270

Confirmed that setting livedev.use-for-tracking to false makes it work again.

Victor Julien wrote in #note-6:

The work to do here is to add support for livedev tracking in IPS mode, where there will generally be 2 livedevs. One per direction.

I don't know exactly how the livedev is obtained in the Suricata code, but when using the host stack interface in netmap mode the connection can "appear" to be using the same physical device for both endpoints. For example, the two netmap interface specs when using a host stack endpoint in FreeBSD are em0 and em0^ . Netmap's code handles interpreting and mapping those endpoints, but those values are not how some direct OS calls will return the endpoints. Those calls may return only the physical layer em0 and omit the "^" suffix that denotes a netmap host stack endpoint.

This may be something to be aware of and take into consideration in netmap mode when using livedev as part of tracking in IPS mode.

https://github.com/OISF/suricata/pull/10869