Bug #7216 (open)
stats: drop_reason counters don't support tunneled connections
Description
Suricata 7 introduces useful new drop_reason stats counters, but the actual drop reasons aren't reflected in the counters when the dropped packets are encapsulated inside a tunnel. In our case, our infrastructure uses a Geneve tunnel layer and Suricata inspects the encapsulated packets inside. However, when Suricata makes a drop decision on one of the inner packets, that decision is not reflected in any of the drop_reason counters except for "tunnel_packet_drop".
We recently investigated a case where packets were being dropped by the app-layer exception policy, but investigating was difficult because drops were only reflected under the opaque "tunnel_packet_drop" counter:
drop_reason:{
...
applayer_error:0,
applayer_error_delta:0,
...
tunnel_packet_drop:139,
tunnel_packet_drop_delta:139
}
Replaying similar traffic without the Geneve encapsulation layer, the stats are much more useful and directly identify the cause:
drop_reason:{
...
applayer_error:3,
applayer_error_delta:3,
...
tunnel_packet_drop:0,
tunnel_packet_drop_delta:0
}
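The two counter snippets above can be checked mechanically. The following is an added example, not Suricata code and not from the reporter: it reads a stats record from eve.json, pulls out the drop_reason counters and flags the case where every drop in the interval lands on tunnel_packet_drop, which is exactly the situation where the counters tell you nothing about the inner packet. The nesting path stats -> ips -> drop_reason and the two records (built from the numbers in the report) are assumptions, not data captured from the reporter's system; adjust EVE_PATH if your build lays the counters out differently.

```python
"""Summarise Suricata drop_reason counters and flag opaque tunnel drops.

Added example, not part of Suricata. The eve.json nesting below is an
assumption; the counter names match the ones shown in the bug report.
"""
import json

# Assumed location of the counters inside a stats event.
EVE_PATH = ("stats", "ips", "drop_reason")

# Constructed records modelled on the report's two snippets: first the
# Geneve-encapsulated traffic, then the same traffic replayed without the tunnel.
TUNNELED = json.dumps({"event_type": "stats", "stats": {"ips": {"drop_reason": {
    "decode_error": 0, "decode_error_delta": 0,
    "applayer_error": 0, "applayer_error_delta": 0,
    "tunnel_packet_drop": 139, "tunnel_packet_drop_delta": 139}}}})

PLAIN = json.dumps({"event_type": "stats", "stats": {"ips": {"drop_reason": {
    "decode_error": 0, "decode_error_delta": 0,
    "applayer_error": 3, "applayer_error_delta": 3,
    "tunnel_packet_drop": 0, "tunnel_packet_drop_delta": 0}}}})


def drop_reason_counters(event_line, path=EVE_PATH):
    """Return the drop_reason dict from one eve.json stats line."""
    obj = json.loads(event_line)
    for key in path:
        obj = obj[key]
    return obj


def summarise_drops(counters, use_delta=True):
    """Aggregate non-zero drop reasons.

    use_delta=True reads the *_delta counters (drops since the previous stats
    event); use_delta=False reads the cumulative totals. Returns the total,
    the per-reason breakdown and the share attributed to tunnel_packet_drop.
    """
    suffix = "_delta"
    by_reason = {}
    for name, value in counters.items():
        is_delta = name.endswith(suffix)
        if is_delta != use_delta or value == 0:
            continue
        base = name[: -len(suffix)] if is_delta else name
        by_reason[base] = value
    total = sum(by_reason.values())
    opaque = by_reason.get("tunnel_packet_drop", 0)
    share = opaque / total if total else 0.0
    return {"total": total, "by_reason": by_reason, "opaque_share": share}


def explain(summary):
    """One-line verdict a dashboard or triage script could print."""
    if summary["total"] == 0:
        return "no drops in this interval"
    if summary["opaque_share"] == 1.0:
        return ("all drops attributed to tunnel_packet_drop: the inner packet's "
                "drop reason is not recorded; replay without the tunnel layer "
                "to see it")
    return ", ".join(f"{k}={v}" for k, v in sorted(summary["by_reason"].items()))


if __name__ == "__main__":
    for label, line in (("tunneled", TUNNELED), ("plain", PLAIN)):
        print(label + ": " + explain(summarise_drops(drop_reason_counters(line))))
```

Run against the two constructed records, the tunneled one reports only that the inner reason is hidden, while the plain one yields applayer_error=3; in production you would feed it successive stats lines from eve.json and alert when the opaque share stays at 1.0.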
Updated by Juliana Fajardini Reichow about 1 year ago
- Target version changed from TBD to 7.0.9
Updated by Victor Julien 10 months ago
- Target version changed from 7.0.9 to 8.0.0-beta1
Updated by Victor Julien 7 months ago
- Target version changed from 8.0.0-beta1 to 8.0.0-rc1
Updated by Victor Julien 5 months ago
- Target version changed from 8.0.0-rc1 to 9.0.0-beta1
Updated by Philippe Antoine 4 months ago
Jamie, would you have a pcap / SV test to reproduce this?
Updated by Victor Julien 28 days ago
- Status changed from Feedback to Assigned
- Assignee changed from OISF Dev to Victor Julien
Updated by Shivani Bhardwaj 14 days ago
- Subject changed from drop_reason counters don't support tunneled connections to stats: drop_reason counters don't support tunneled connections