Bug #8014: Timeouts of FLOW_STATE_CAPTURE_BYPASSED is harcoded using constant FLOW_BYPASSED_TIMEOUT and not the yaml configurable value - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #8014

open

Timeouts of FLOW_STATE_CAPTURE_BYPASSED is harcoded using constant FLOW_BYPASSED_TIMEOUT and not the yaml configurable value

Added by Amir Boussejra 3 days ago. Updated 3 days ago.

Status:

In Review

Priority:

Normal

Assignee:

Amir Boussejra

Target version:

9.0.0-beta1

Affected Versions:

7.0.12

Effort:

low

Difficulty:

Label:

Description

On monitoring my bpf map `flow_table_v4`, I realized the timeouts did not follow the yaml configuration I had in the `suricata.yaml` config

```
flow-timeouts:
default:
emergency-established: 100
emergency-new: 10
established: 300
new: 30
bypassed: 5
emergency-bypassed: 5
```

I realised it was because the function used to get the flow timeouts `FlowGetTimeoutPolicy` and `FlowGetFlowTimeoutDirect` were not using the config value but a hardcoded constant (which is FLOW_STATE_CAPTURE_BYPASSED`) in the case of a `FLOW_STATE_CAPTURE_BYPASSED`.

We could apply this diff to use the `flow-timeouts.bypassed` config value:

Not sure if this patch is okey or if we want to add a config field `flow-timeouts.capture-bypassed` to distinguish timeout between `local_bypass` vs `capture_bypass`.

I can push the above patch if you want.

Files

clipboard-202510221433-jdgnd.png (86.6 KB) clipboard-202510221433-jdgnd.png

Amir Boussejra, 10/22/2025 12:33 PM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #8014

Timeouts of FLOW_STATE_CAPTURE_BYPASSED is harcoded using constant FLOW_BYPASSED_TIMEOUT and not the yaml configurable value

Updated by Victor Julien 3 days ago

Updated by Amir Boussejra 3 days ago