Project

General

Profile

Actions
Copy link

Bug #7216

open
JL VJ

stats: drop_reason counters don't support tunneled connections

Bug #7216: stats: drop_reason counters don't support tunneled connections

Added by Jamie Lavigne over 1 year ago. Updated 12 days ago.

Status:
In Review
Priority:
Normal
Assignee:
Victor Julien
Target version:
9.0.0-beta1
Affected Versions:
7.0.3
Effort:
Difficulty:
Label:
Needs Suricata-Verify test

Description

Suricata 7 introduces useful new drop_reason stats counters, but the actual drop reasons aren't reflected in the counters when packets dropped are encapsulated inside a tunnel. In our case, our infrastructure uses a Geneve tunnel layer and Suricata inspects the encapsulated packets inside. However, when Suricata makes a drop decision on one of the inner packets, that decision is not reflected in any of the drop_reason counters except for "tunnel_packet_drop".

We recently investigated a case where packets were being dropped by the app-layer exception policy, but investigating was difficult because drops were only reflected under the opaque "tunnel_packet_drop" counter:

drop_reason:{
    ...
    applayer_error:0,
    applayer_error_delta:0,
    ...
    tunnel_packet_drop:139,
    tunnel_packet_drop_delta:139
}

Replaying similar traffic without the geneve encapsulation layer, the stats are much more useful and directly identify the cause:

drop_reason:{
    ...
    applayer_error:3,
    applayer_error_delta:3,
    ...
    tunnel_packet_drop:0,
    tunnel_packet_drop_delta:0
}

Subtasks 1 (1 open0 closed)

Bug #7525: stats: drop_reason counters don't support tunneled connections (7.0.x backport)AssignedOISF DevActions

JF Updated by Juliana Fajardini Reichow over 1 year ago Actions
Copy link
 #1

  • Target version changed from TBD to 7.0.9

VJ Updated by Victor Julien about 1 year ago Actions
Copy link
 #2

  • Target version changed from 7.0.9 to 8.0.0-beta1

OT Updated by OISF Ticketbot about 1 year ago Actions
Copy link
 #3

  • Subtask #7525 added

OT Updated by OISF Ticketbot about 1 year ago Actions
Copy link
 #4

  • Label deleted (Needs backport to 7.0)

VJ Updated by Victor Julien about 1 year ago Actions
Copy link
 #5

  • Target version changed from 8.0.0-beta1 to 8.0.0-rc1

VJ Updated by Victor Julien 10 months ago Actions
Copy link
 #6

  • Target version changed from 8.0.0-rc1 to 9.0.0-beta1

PA Updated by Philippe Antoine 9 months ago Actions
Copy link
 #7

Jamie, would you have a pcap / SV test to reproduce this ?

PA Updated by Philippe Antoine 9 months ago Actions
Copy link
 #8

  • Label Needs Suricata-Verify test added

PA Updated by Philippe Antoine 9 months ago Actions
Copy link
 #9

  • Status changed from New to Feedback

VJ Updated by Victor Julien 6 months ago Actions
Copy link
 #10

  • Status changed from Feedback to Assigned
  • Assignee changed from OISF Dev to Victor Julien

SB Updated by Shivani Bhardwaj 6 months ago Actions
Copy link
 #11

  • Subject changed from drop_reason counters don't support tunneled connections to stats: drop_reason counters don't support tunneled connections

PA Updated by Philippe Antoine 12 days ago Actions
Copy link
 #12

  • Status changed from Assigned to In Review
Actions
Copy link

Also available in: PDF Atom