Bug #7216
opendrop_reason counters don't support tunneled connections
Description
Suricata 7 introduces useful new drop_reason stats counters, but the actual drop reasons aren't reflected in the counters when packets dropped are encapsulated inside a tunnel. In our case, our infrastructure uses a Geneve tunnel layer and Suricata inspects the encapsulated packets inside. However, when Suricata makes a drop decision on one of the inner packets, that decision is not reflected in any of the drop_reason counters except for "tunnel_packet_drop".
We recently investigated a case where packets were being dropped by the app-layer exception policy, but investigating was difficult because drops were only reflected under the opaque "tunnel_packet_drop" counter:
drop_reason:{ ... applayer_error:0, applayer_error_delta:0, ... tunnel_packet_drop:139, tunnel_packet_drop_delta:139 }
Replaying similar traffic without the geneve encapsulation layer, the stats are much more useful and directly identify the cause:
drop_reason:{ ... applayer_error:3, applayer_error_delta:3, ... tunnel_packet_drop:0, tunnel_packet_drop_delta:0 }
Updated by Juliana Fajardini Reichow about 2 months ago
- Target version changed from TBD to 7.0.9