Bug #8699: XDP bypass VLAN byte order

Added by Adam Kiripolsky 3 days ago. Updated about 21 hours ago.

Status: In Review
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The XDP filter xdp_filter.c incorrectly bypasses packets when VLAN_TRACKING is enabled.

The VLAN tag is extracted in the wrong byte order, resulting in the bypass being applied to packets with a different real VLAN tag.

This issue can be reproduced using the attached files by following the steps:

1. Create a pair of virtual interfaces with:

ip link add veth_tx type veth peer name veth_rx && ip link set veth_rx up && ip link set veth_tx up

2. Configure Suricata with ebpf in the Suricata dir and build:

./configure --enable-ebpf --enable-ebpf-build && make

3. Run Suricata with

src/suricata -S ./rules/drop-all.rules -c ./suricata-vlan.yaml -l /tmp -vvvv --af-packet --set af-packet.0.interface=veth_rx --set af-packet.0.xdp-filter-file=ebpf/xdp_filter.bpf

4. Replay included pcap with:

tcpreplay -i veth_tx vlan.pcap

5. Shut down Suricata. Without the fix, Suricata does not bypass any packets, e.g. stats.flow_bypassed.pkts == 0; with the fix, the counter is greater than 0.
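To make the failure mode concrete, here is an added example (not code from Suricata's xdp_filter.c or from the ticket) that parses the 802.1Q tag of a constructed frame two ways: once reading the TCI in network byte order, and once with the bytes in the wrong order. The frame bytes, the function names and the `bypass_applies` helper are all assumptions for this illustration; only the 802.1Q layout (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID) is standard.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_ALEN        6
#define ETH_P_8021Q     0x8100   /* 802.1Q TPID, as it appears on the wire */
#define VLAN_VID_MASK   0x0FFF   /* low 12 bits of the TCI carry the VLAN ID */
#define VLAN_HDR_MIN    (2 * ETH_ALEN + 2 + 2 + 2)  /* dst, src, TPID, TCI, inner type */

/* Constructed sample frame (not taken from the ticket's pcap): dst/src MAC,
 * 802.1Q tag with PCP=0, DEI=0, VID=100 (0x0064), inner EtherType IPv4.
 * Payload omitted because only the tag matters here. */
static const uint8_t sample_frame[] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* dst MAC */
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,   /* src MAC */
    0x81, 0x00,                           /* TPID = 0x8100 */
    0x00, 0x64,                           /* TCI: VID = 100 */
    0x08, 0x00,                           /* inner EtherType = IPv4 */
};

/* Read a 16-bit field in network (big-endian) byte order. In an XDP program
 * the equivalent conversion is bpf_ntohs() from <bpf/bpf_endian.h>. */
static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Correct extraction: VLAN ID of an 802.1Q-tagged frame, or -1 if the frame
 * is too short or carries no tag. */
int vlan_id_correct(const uint8_t *frame, size_t len)
{
    if (len < VLAN_HDR_MIN)
        return -1;
    if (read_be16(frame + 2 * ETH_ALEN) != ETH_P_8021Q)
        return -1;
    uint16_t tci = read_be16(frame + 2 * ETH_ALEN + 2);
    return tci & VLAN_VID_MASK;
}

/* Buggy extraction: uses the TCI bytes in swapped order, which is what reading
 * the field on a little-endian host without ntohs() amounts to. The swap is
 * written out explicitly so the result does not depend on the machine running it. */
int vlan_id_wrong_order(const uint8_t *frame, size_t len)
{
    if (len < VLAN_HDR_MIN)
        return -1;
    if (read_be16(frame + 2 * ETH_ALEN) != ETH_P_8021Q)
        return -1;
    const uint8_t *tci = frame + 2 * ETH_ALEN + 2;
    uint16_t swapped = (uint16_t)((tci[1] << 8) | tci[0]);
    return swapped & VLAN_VID_MASK;
}

/* Hypothetical bypass check keyed on the VLAN ID alone (a real flow-bypass key
 * carries more fields): a bypass entry must only apply to frames whose real
 * VLAN ID matches the entry, so the comparison has to use the correct parser. */
int bypass_applies(int entry_vid, const uint8_t *frame, size_t len)
{
    int vid = vlan_id_correct(frame, len);
    return vid >= 0 && vid == entry_vid;
}

int main(void)
{
    size_t n = sizeof sample_frame;
    printf("correct VID:     %d\n", vlan_id_correct(sample_frame, n));      /* 100 */
    printf("wrong-order VID: %d\n", vlan_id_wrong_order(sample_frame, n));  /* 1024 */
    printf("bypass for VID 100 applies:  %d\n", bypass_applies(100, sample_frame, n));
    printf("bypass for VID 1024 applies: %d\n", bypass_applies(1024, sample_frame, n));
    return 0;
}
```

With the bytes swapped, VLAN 100 is read as VLAN 1024, so a bypass entry created from the flow's real tag never matches the frames the filter later sees (the stats.flow_bypassed.pkts == 0 symptom in step 5), while a bypass keyed on the mis-read value would land on traffic with a different real VLAN tag. A unit test that feeds a hand-built tagged frame through the extraction routine and asserts on the VID catches this class of bug before it reaches a live interface.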


Files

vlan.pcap (11.8 KB), Adam Kiripolsky, 07/01/2026 10:34 AM
drop-all.rules (183 Bytes), Adam Kiripolsky, 07/01/2026 10:36 AM
suricata-vlan.yaml (84.6 KB), Adam Kiripolsky, 07/01/2026 10:36 AM

Subtasks (1 open, 0 closed)

Bug #8700: XDP bypass VLAN byte order (8.0.x backport), Assigned, Adam Kiripolsky

Updated by OISF Ticketbot 3 days ago (#1)

  • Subtask #8700 added

Updated by OISF Ticketbot 3 days ago (#2)

  • Label deleted (Needs backport to 8.0)

Updated by Adam Kiripolsky 2 days ago (#3)

  • Status changed from New to In Review