Bug #6726
closedstream: stream.drop-invalid drops valid traffic
Description
In AF_PACKET IPS mode, so in bridge mode, traffic for a simple ab test against a simple webserver fails with a timeout.
6.0.x is not affected.
Added by Victor Julien over 1 year ago. Updated over 1 year ago.
Bisected it to:
7e725c650d7d73814c1572ac8db48814b1c89333 is the first bad commit
commit 7e725c650d7d73814c1572ac8db48814b1c89333
Author: Philippe Antoine <contact@catenacyber.fr>
Date:   Thu Apr 28 09:49:38 2022 +0200

    flow: optionally use livedev for hash

    So that in a setup with different interfaces capturing different networks, flows do not get mixed up

    Ticket: #5270
Confirmed that setting livedev.use-for-tracking to false makes it work again.
The work to do here is to add support for livedev tracking in IPS mode, where there will generally be 2 livedevs. One per direction.
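To make the failure mode concrete, here is a small model of the flow-key choice the ticket is about. It is an added illustration, not Suricata's code: a direction-independent TCP 5-tuple key that is optionally extended with the capture device, mirroring what livedev.use-for-tracking toggles. The interface names, addresses and the two traffic samples (a three-way handshake crossing an AF_PACKET bridge, and the same 5-tuple seen on two taps of separate networks) are constructed for the example. Including the livedev keeps the two-network case apart, which is what the bisected commit wanted, but in bridge IPS mode it splits one connection into two flows, one per direction, so the reply side is seen as a flow that never had a SYN and stream.drop-invalid discards it.

```python
"""Toy model of the livedev-in-flow-hash trade-off from ticket #6726.
Added example, not Suricata code; all names and traffic are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    livedev: str   # interface the packet was received on
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # simplified TCP flags: "S", "SA", "A"


def flow_key(pkt: Packet, use_livedev: bool) -> Tuple:
    """Direction-independent 5-tuple key (TCP only in this model), optionally
    extended with the livedev, as livedev.use-for-tracking does in Suricata."""
    ends = tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))
    return ends + (pkt.livedev,) if use_livedev else ends


def track_flows(packets: List[Packet], use_livedev: bool) -> Dict[Tuple, List[Packet]]:
    """Group packets into flows by their key, preserving arrival order."""
    flows: Dict[Tuple, List[Packet]] = {}
    for pkt in packets:
        flows.setdefault(flow_key(pkt, use_livedev), []).append(pkt)
    return flows


def invalid_flows(flows: Dict[Tuple, List[Packet]]) -> int:
    """A flow whose first packet is not a plain SYN was never seen from the
    start; a stream engine configured with stream.drop-invalid drops it."""
    return sum(1 for pkts in flows.values() if pkts[0].flags != "S")


# Bridged AF_PACKET IPS (eth0 <-> eth1): client packets enter on eth0,
# server replies enter on eth1, so each direction has its own livedev.
BRIDGE_HANDSHAKE = [
    Packet("eth0", "10.0.0.2", 40000, "10.0.0.10", 80, "S"),
    Packet("eth1", "10.0.0.10", 80, "10.0.0.2", 40000, "SA"),
    Packet("eth0", "10.0.0.2", 40000, "10.0.0.10", 80, "A"),
]

# IDS with two taps on two separate networks that reuse the same addresses
# (the case the bisected commit addresses): identical 5-tuple, two devices.
OVERLAPPING_NETWORKS = [
    Packet("eth0", "192.168.1.5", 50000, "192.168.1.1", 443, "S"),
    Packet("eth1", "192.168.1.5", 50000, "192.168.1.1", 443, "S"),
]


def summarize(packets: List[Packet], use_livedev: bool) -> Tuple[int, int]:
    """Return (number of flows, number of flows drop-invalid would discard)."""
    flows = track_flows(packets, use_livedev)
    return len(flows), invalid_flows(flows)


if __name__ == "__main__":
    for name, pkts in (("bridge", BRIDGE_HANDSHAKE), ("overlap", OVERLAPPING_NETWORKS)):
        for use in (True, False):
            n, bad = summarize(pkts, use)
            print(f"{name:8} use-for-tracking={use!s:5}: {n} flow(s), {bad} invalid")
```

With the livedev in the key the bridge handshake yields two flows, the eth1 one starting with a SYN-ACK and therefore counted invalid; without it the handshake is one valid flow, but the two overlapping networks collapse into a single flow. That is the conflict a fix for IPS mode has to resolve.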
Victor Julien wrote in #note-6:
The work to do here is to add support for livedev tracking in IPS mode, where there will generally be 2 livedevs. One per direction.
I don't know exactly how the livedev is obtained in the Suricata code, but when using the host stack interface in netmap mode the connection can "appear" to be using the same physical device for both endpoints. For example, the two netmap interface specs when using a host stack endpoint in FreeBSD are em0 and em0^. Netmap's code handles interpreting and mapping those endpoints, but those values are not how some direct OS calls will return the endpoints. Those calls may return only the physical layer em0 and omit the "^" suffix that denotes a netmap host stack endpoint.
This may be something to be aware of and take into consideration in netmap mode when using livedev as part of tracking in IPS mode.