Due to a rounding calculation in *flow-manager.c*, the variable *rows_per_sec* was set to 0 in the case of flows.hash-size < 10. This caused Flow Manager to not time out any flows during Suricata runtime. The fix proposes to ensure the...Adam Kiripolsky
The flag *g_flowv4_ok* in source-af-packet.c is never set to false, due to how logically structured the adjacent condition is. The bug caused the error message to never be printed by any threadAdam Kiripolsky
The XDP filter *xdp_filter.c* incorrectly bypasses packets when VLAN_TRACKING is enabled. The VLAN tag is extracted in the wrong byte order, resulting in the bypass being applied to packets with a different real VLAN tag. This issu...Adam Kiripolsky
h1. Reproducibility test I used Suricata in **AF_PACKET** runmode with **EBPF** bypass. To see the results more clearly, I have created a test branch: https://github.com/adaki4/suricata/tree/reproduce-wrong-worker-bypass-stats-v1 ...Adam Kiripolsky
In my opinion, it is a bug, as the original behavior does not make sense (using the BypassedCheckFuncInit function and checking only after that whether it exists).Adam Kiripolsky
At the initialization stage, BypassManager should check whether any BypassedCheckFunc has been registered. Instead, BM calls BypassedCheckFuncInit, then checks again whether it has been registered. I propose checking whether any Byp...Adam Kiripolsky
While investigating this issue on Suricata versions 8.0.0 and main-8.0.x, I noticed the following capture-bypass flow behavior. All flows that did not time out before Suricata shut down were injected into the worker's local queues and...Adam Kiripolsky
h1. Problem: When a worker times out a capture-bypassed flow, it does not call the necessary functions to update the flow statistics. Gathering statistics can be a costly operation, as it depends on the @BypassUpdate@ callback imple...Adam Kiripolsky
h1. Problem: Suricata fails to record statistics for capture-bypassed flows (e.g., eBPF) if the engine shuts down before a flow timeout occurs. This happens because the @BypassUpdate@ callback, which gathers stats for capture-bypasse...Adam Kiripolsky