Bug #8699
open
XDP bypass VLAN byte order
Description
The XDP filter xdp_filter.c incorrectly bypasses packets when VLAN_TRACKING is enabled.
The VLAN tag is extracted in the wrong byte order, resulting in the bypass being applied to packets with a different real VLAN tag.
This issue can be reproduced using the attached files by following these steps:
1. Create a pair of virtual interfaces with:
ip link add veth_tx type veth peer name veth_rx && ip link set veth_rx up && ip link set veth_tx up
2. Configure Suricata with ebpf in the Suricata dir and build:
./configure --enable-ebpf --enable-ebpf-build && make
3. Run Suricata with
src/suricata -S ./rules/drop-all.rules -c ./suricata-vlan.yaml -l /tmp -vvvv --af-packet --set af-packet.0.interface=veth_rx --set af-packet.0.xdp-filter-file=ebpf/xdp_filter.bpf
4. Replay included pcap with:
tcpreplay -i veth_tx vlan.pcap
5. Shut down Suricata. Without the fix, Suricata does not bypass any packets (stats.flow_bypassed.pkts == 0); with the fix, the counter is greater than 0.
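To illustrate the byte-order mistake described above, here is an added, constructed C example (not code from Suricata's xdp_filter.c). It parses the 802.1Q TCI once correctly (through ntohs) and once in host byte order, and assumes a single bypass entry keyed on VLAN ID 100 that userspace installed from the real tag; on a little-endian host the host-order read yields VID 1024, so the bypass entry never matches.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>   /* ntohs */

#define ETH_ALEN       6
#define ETHERTYPE_VLAN 0x8100
#define VLAN_VID_MASK  0x0FFF

/* Constructed 802.1Q frame: dst MAC, src MAC, TPID 0x8100, TCI (PCP=0, DEI=0, VID=100), inner type IPv4. */
static const uint8_t vlan_frame[] = {
    0x02,0x00,0x00,0x00,0x00,0x01,  0x02,0x00,0x00,0x00,0x00,0x02,
    0x81,0x00,  0x00,0x64,  0x08,0x00,
};

/* Constructed untagged frame for the "no VLAN" path. */
static const uint8_t plain_frame[] = {
    0x02,0x00,0x00,0x00,0x00,0x01,  0x02,0x00,0x00,0x00,0x00,0x02,  0x08,0x00,
};

/* Load the 16-bit field at p exactly as stored in memory (no byte swap). */
static uint16_t load_u16_host(const uint8_t *p) { uint16_t v; memcpy(&v, p, sizeof v); return v; }

/* Correct extraction: TPID and TCI are big-endian on the wire, so both go through ntohs().
   Returns the VID (1..4094), or 0 for an untagged or truncated frame. */
int vlan_id_correct(const uint8_t *frame, size_t len) {
    if (len < 2 * ETH_ALEN + 4) return 0;
    if (ntohs(load_u16_host(frame + 2 * ETH_ALEN)) != ETHERTYPE_VLAN) return 0;
    return ntohs(load_u16_host(frame + 2 * ETH_ALEN + 2)) & VLAN_VID_MASK;
}

/* Buggy variant: the TCI is masked in host byte order. On a little-endian host the two
   TCI bytes are swapped before masking, so a different VID comes out. */
int vlan_id_wrong_order(const uint8_t *frame, size_t len) {
    if (len < 2 * ETH_ALEN + 4) return 0;
    if (ntohs(load_u16_host(frame + 2 * ETH_ALEN)) != ETHERTYPE_VLAN) return 0;
    return load_u16_host(frame + 2 * ETH_ALEN + 2) & VLAN_VID_MASK;
}

int host_is_little_endian(void) { uint16_t x = 1; uint8_t b; memcpy(&b, &x, 1); return b == 1; }

/* Bypass decision keyed on VLAN: the packet is skipped only if the VID the filter extracts
   equals the VID of the entry userspace installed (table_vid, taken from the real tag). */
int bypass_applies(int table_vid, const uint8_t *frame, size_t len,
                   int (*extract)(const uint8_t *, size_t)) {
    return extract(frame, len) == table_vid;
}
```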
Updated by OISF Ticketbot 3 days ago
- Subtask #8700 added
Updated by OISF Ticketbot 3 days ago
- Label deleted (Needs backport to 8.0)
Updated by Adam Kiripolsky 2 days ago
- Status changed from New to In Review
Updated by Lukas Sismis about 21 hours ago