Bug #8242
open
eBPF maps created by Suricata don't take vlan.use-for-tracking into account
Description
Hi,
I was testing with eBPF/XDP on one of my servers (Intel X710). I have VLAN tracking disabled so vlan.use-for-tracking=0 in my suricata.yaml.
In the supplied eBPF code xdp_filter.c, VLAN_TRACKING was set to 0 before compilation into .bpf.
No matter what I tried, all hardware bypass counters remained 0. Then I started dumping the underlying BPF map (bpftool map dump name flow_table_v4) to see what was in there and saw that vlan0 was filled with the VLAN on which the data was captured. This should have been 0 in my opinion as I don't want to track the VLAN id. The loaded BPF code always fills vlan0 and vlan1 with 0 and so there would never be a match in the map filled by Suricata.
I fixed it in source-af-packet.c and now bypass does work for both IPv4 and IPv6. See attachment for a patch.
Could someone please review and apply the patch if agreed upon?
Thanks, John
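The mismatch described in the report, as an added example that is not part of the original report and is not the attached patch: a BPF hash map lookup only hits when the key bytes are identical, so a userspace key carrying the VLAN id never matches an XDP key built with VLAN_TRACKING 0. The struct layout, the function names and the `honor_setting` switch are assumptions made for illustration, not Suricata's code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a flow_table_v4 key; NOT Suricata's real layout. */
struct flow_key_v4 {
    uint32_t src, dst;
    uint16_t sport, dport;
    uint16_t vlan0, vlan1;   /* 16 bytes total, no padding */
};

/* Constructed sample flow: 10.0.0.1:40000 -> 10.0.0.2:443 */
static struct flow_key_v4 make_key(uint16_t vlan0)
{
    struct flow_key_v4 k = { 0x0a000001, 0x0a000002, 40000, 443, vlan0, 0 };
    return k;
}

/* Userspace side: key written to the map when a flow is bypassed.
 * honor_setting=0 models the reported behaviour (VLAN id always copied);
 * honor_setting=1 zeroes it when use_for_tracking is off (assumed fix). */
static struct flow_key_v4 userspace_key(uint16_t vlan_id, int use_for_tracking,
                                        int honor_setting)
{
    return make_key((honor_setting && !use_for_tracking) ? 0 : vlan_id);
}

/* XDP side built with VLAN_TRACKING 0: vlan0/vlan1 are always 0 in the key. */
static struct flow_key_v4 xdp_key(void) { return make_key(0); }

/* Returns 1 if a packet of the sample flow, captured on vlan_id, hits the
 * bypass entry. The map lookup is modelled as a byte-exact key comparison. */
int bypass_hits(int honor_setting, uint16_t vlan_id)
{
    struct flow_key_v4 stored = userspace_key(vlan_id, 0, honor_setting);
    struct flow_key_v4 seen = xdp_key();
    return memcmp(&stored, &seen, sizeof(stored)) == 0;
}

int main(void)
{
    printf("VLAN 100, reported behaviour: hit=%d\n", bypass_hits(0, 100));
    printf("VLAN 100, setting honoured:   hit=%d\n", bypass_hits(1, 100));
    return 0;
}
```

Untagged traffic (VLAN id 0) matches in both cases, which is why the problem only shows up on tagged links.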
Updated by Victor Julien 4 days ago
Hi John, any chance you'll be able to contribute this through our regular process?
Please see: https://docs.suricata.io/en/latest/devguide/contributing/index.html
Updated by John Graat 4 days ago
- Label Needs backport added
Victor Julien wrote in #note-1:
Hi John, any chance you'll be able to contribute this through our regular process?
Please see: https://docs.suricata.io/en/latest/devguide/contributing/index.html
Yes, I will do that sometime next week.
John