Bug #8242
open
eBPF maps created by Suricata don't take vlan.use-for-tracking into account
Description
Hi,
I was testing with eBPF/XDP on one of my servers (Intel X710). I have VLAN tracking disabled so vlan.use-for-tracking=0 in my suricata.yaml.
In the supplied eBPF code xdp_filter.c, VLAN_TRACKING was set to 0 before compilation into .bpf.
No matter what I tried, all hardware bypass counters remained 0. Then I started dumping the underlying BPF map (bpftool map dump name flow_table_v4) to see what was in there and saw that vlan0 was filled with the VLAN on which the data was captured. This should have been 0 in my opinion as I don't want to track the VLAN id. The loaded BPF code always fills vlan0 and vlan1 with 0 and so there would never be a match in the map filled by Suricata.
I fixed it in source-af-packet.c and now bypass does work for both IPv4 and IPv6. See attachment for a patch.
Could someone please review and apply the patch if agreed upon?
Thanks, John
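The mismatch described in this report, as an added illustration that is not Suricata's code and not the attached patch: an array stands in for the flow_table_v4 map, and a key inserted with the capture VLAN never equals a lookup key whose VLAN fields are zeroed. The struct layout, function names and sample values are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified, hypothetical flow key (16 bytes, no padding); not Suricata's layout. */
struct flow_key {
    uint32_t src, dst;
    uint16_t sport, dport;
    uint16_t vlan0, vlan1;
};

static struct flow_key map[8];   /* stand-in for the flow_table_v4 BPF map */
static int map_used;

/* Userspace side: key inserted when a flow is bypassed.
 * honor_setting=0 reproduces the report (VLAN copied regardless of the setting). */
static void insert_bypass(struct flow_key pkt, int use_for_tracking, int honor_setting)
{
    if (honor_setting && !use_for_tracking)
        pkt.vlan0 = pkt.vlan1 = 0;
    if (map_used < 8)
        map[map_used++] = pkt;
}

/* Filter side: with VLAN tracking compiled out, the lookup key carries 0/0. */
static int xdp_lookup(struct flow_key pkt, int vlan_tracking)
{
    if (!vlan_tracking)
        pkt.vlan0 = pkt.vlan1 = 0;
    for (int i = 0; i < map_used; i++)
        if (memcmp(&map[i], &pkt, sizeof(pkt)) == 0)
            return 1;            /* hit: packet would be bypassed */
    return 0;                    /* miss: bypass counters stay at 0 */
}

/* Returns 1 if a flow captured on VLAN 100 is found again by the filter. */
static int bypass_hits(int use_for_tracking, int vlan_tracking, int honor_setting)
{
    struct flow_key pkt = { 0x0a000001, 0x0a000002, 40000, 443, 100, 0 }; /* constructed */
    map_used = 0;
    insert_bypass(pkt, use_for_tracking, honor_setting);
    return xdp_lookup(pkt, vlan_tracking);
}

int main(void)
{
    printf("setting ignored: hit=%d\n", bypass_hits(0, 0, 0));
    printf("setting honored: hit=%d\n", bypass_hits(0, 0, 1));
    return 0;
}
```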
Updated by Victor Julien 26 days ago
Hi John, any chance you'll be able to contribute this through our regular process?
Please see: https://docs.suricata.io/en/latest/devguide/contributing/index.html
Updated by John Graat 26 days ago
- Label Needs backport added
Victor Julien wrote in #note-1:
Hi John, any chance you'll be able to contribute this through our regular process?
Please see: https://docs.suricata.io/en/latest/devguide/contributing/index.html
Yes, I will do that sometime next week.
John