
Xdp tunnel 7674 v10.1#3045

Open
catenacyber wants to merge 4 commits into
OISF:masterfrom
catenacyber:xdp-tunnel-7674-v10.1

Conversation

@catenacyber

Collaborator

Ticket

Redmine ticket: https://redmine.openinfosecfoundation.org/issues/7674

Continuation of #2969:

  • auto-generate a dummy interface if none is provided
  • cleaner commit history
  • tcpreplay with -t top speed
  • AFPACKET_TEST_REPLAY feature tested at init for live tests (instead of for each test)

@catenacyber catenacyber force-pushed the xdp-tunnel-7674-v10.1 branch from 4b40f08 to 7b82bc6 on June 14, 2026 20:16
@adaki4

adaki4 commented Jun 17, 2026


Hey,

I tried out the live test with your Suri branch xdp-tunnel-7674-v16, and I noticed that the live test passes even though there are no capture-bypassed packets logged by Suricata. Is this expected behavior?

I ran it from my Suricata directory like this:
sudo ../suricata-verify/run.py --live

And these were the results:

    Finished `release` profile [optimized] target(s) in 0.12s
Number of concurrent jobs: 8
===> live/decoder-tunnels-02: OK

PASSED:  1
FAILED:  0

This is my eve.json after the test. There is no sign of capture-bypassed packets. I noticed the test passes because in eve.json you check for flow.state == bypassed && flow.bypass == capture, but flow.bypassed.pkts_* can be 0, as in this case:

{"timestamp":"2026-06-17T10:47:58.699681+0000","flow_id":1879210399489037,"in_iface":"sv_53475","event_type":"alert","src_ip":"10.1.2.4","src_port":12345,"dest_ip":"10.1.2.3","dest_port":12345,"proto":"UDP","ip_v":4,"tunnel_id":1,"pkt_src":"vxlan encapsulation","alert":{"action":"allowed","gid":1,"signature_id":1,"rev":0,"signature":"","category":"","severity":3},"tunnel":{"src_ip":"192.168.1.3","src_port":4789,"dest_ip":"192.168.1.2","dest_port":4789,"proto":"UDP","tunnel_id":1,"depth":1,"pkt_src":"wire/pcap"},"app_proto":"failed","direction":"to_server","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":54,"bytes_toclient":0,"bypassed":{"pkts_toserver":0,"pkts_toclient":0,"bytes_toserver":0,"bytes_toclient":0},"start":"2026-06-17T10:47:58.699681+0000","src_ip":"10.1.2.4","dest_ip":"10.1.2.3","src_port":12345,"dest_port":12345}}
{"timestamp":"2026-06-17T10:47:58.699689+0000","flow_id":1879242789606485,"in_iface":"sv_53475","event_type":"alert","src_ip":"10.1.2.40","src_port":12345,"dest_ip":"10.1.2.30","dest_port":12345,"proto":"UDP","ip_v":4,"tunnel_id":1,"pkt_src":"vxlan encapsulation","alert":{"action":"allowed","gid":1,"signature_id":2,"rev":0,"signature":"","category":"","severity":3},"tunnel":{"src_ip":"192.168.1.3","src_port":4789,"dest_ip":"192.168.1.2","dest_port":4789,"proto":"UDP","tunnel_id":1,"depth":1,"pkt_src":"wire/pcap"},"app_proto":"failed","direction":"to_server","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":54,"bytes_toclient":0,"start":"2026-06-17T10:47:58.699689+0000","src_ip":"10.1.2.40","dest_ip":"10.1.2.30","src_port":12345,"dest_port":12345}}
{"timestamp":"2026-06-17T10:47:59.231212+0000","flow_id":1879207991035545,"in_iface":"sv_53475","event_type":"flow","src_ip":"192.168.1.3","src_port":4789,"dest_ip":"192.168.1.2","dest_port":4789,"ip_v":4,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":3,"pkts_toclient":0,"bytes_toserver":288,"bytes_toclient":0,"start":"2026-06-17T10:47:58.699681+0000","end":"2026-06-17T10:47:58.699689+0000","age":0,"state":"new","reason":"shutdown","alerted":false}}
{"timestamp":"2026-06-17T10:47:59.231270+0000","flow_id":1879242789606485,"in_iface":"sv_53475","event_type":"flow","src_ip":"10.1.2.40","src_port":12345,"dest_ip":"10.1.2.30","dest_port":12345,"ip_v":4,"tunnel_id":1,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":54,"bytes_toclient":0,"start":"2026-06-17T10:47:58.699689+0000","end":"2026-06-17T10:47:58.699689+0000","age":0,"state":"new","reason":"shutdown","alerted":true}}
{"timestamp":"2026-06-17T10:47:59.231291+0000","flow_id":1879210399489037,"in_iface":"sv_53475","event_type":"flow","src_ip":"10.1.2.4","src_port":12345,"dest_ip":"10.1.2.3","dest_port":12345,"ip_v":4,"tunnel_id":1,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":108,"bytes_toclient":0,"bypassed":{"pkts_toserver":0,"pkts_toclient":0,"bytes_toserver":0,"bytes_toclient":0},"start":"2026-06-17T10:47:58.699681+0000","end":"2026-06-17T10:47:58.699681+0000","age":0,"state":"bypassed","bypass":"capture","reason":"shutdown","alerted":true}}

I also tried adding stats.log to your test, and it also only has the item flow_bypassed.local_capture_pkts and no flow_bypassed.pkts:


capture.kernel_packets                                       | Total                     | 3
capture.afpacket.polls                                       | Total                     | 58
capture.afpacket.poll_timeout                                | Total                     | 17
capture.afpacket.poll_data                                   | Total                     | 1
decoder.pkts                                                 | Total                     | 3
decoder.bytes                                                | Total                     | 288
decoder.ipv4                                                 | Total                     | 6
decoder.ethernet                                             | Total                     | 6
decoder.udp                                                  | Total                     | 6
decoder.vxlan                                                | Total                     | 3
decoder.avg_pkt_size                                         | Total                     | 96
decoder.max_pkt_size                                         | Total                     | 96
flow.total                                                   | Total                     | 3
flow.udp                                                     | Total                     | 3
flow.wrk.spare_sync_avg                                      | Total                     | 100
flow.wrk.spare_sync                                          | Total                     | 1
flow_bypassed.local_capture_pkts                             | Total                     | 1
flow_bypassed.local_capture_bytes                            | Total                     | 54
detect.alert                                                 | Total                     | 2
app_layer.flow.failed_udp                                    | Total                     | 3
flow.end.state.new                                           | Total                     | 2
flow.end.state.capture_bypassed                              | Total                     | 1
flow.mgr.rows_per_sec                                        | Total                     | 24248
flow.spare                                                   | Total                     | 9900
memcap.pressure                                              | Total                     | 37
memcap.pressure_max                                          | Total                     | 37
defrag.memuse                                                | Total                     | 16777216
flow.recycler.recycled                                       | Total                     | 3
flow.recycler.queue_max                                      | Total                     | 3
tcp.memuse                                                   | Total                     | 24903680
tcp.reassembly_memuse                                        | Total                     | 4587520
http.byterange.memuse                                        | Total                     | 168384
http.byterange.memcap                                        | Total                     | 104857600
ippair.memuse                                                | Total                     | 398144
ippair.memcap                                                | Total                     | 16777216
host.memuse                                                  | Total                     | 382144
host.memcap                                                  | Total                     | 16777216
detect.thresholds.memuse                                     | Total                     | 1216576
detect.thresholds.memcap                                     | Total                     | 16777216
flow.memuse                                                  | Total                     | 7234304

Could this potentially be an issue with the dummy interface and eBPF?

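The following is an added example, not code from this thread, from suricata-verify or from Suricata. It contrasts the lenient eve.json check described in the comment above (flow.state == bypassed and flow.bypass == capture) with a stricter one that also requires the flow.bypassed packet counters to be non-zero, and adds the corresponding stats.log check for the flow_bypassed.pkts counter. The eve.json and stats.log inputs are constructed: they are abridged from the records posted above, keeping only the fields the checks need, and the second eve.json sample (flow_id 42, three bypassed packets) is invented to show the strict check passing.

```python
import json

# Constructed, abridged eve.json records modelled on the three flow events
# posted in the thread: two flows that ended in state "new" and one that ended
# "bypassed"/"capture" but whose flow.bypassed counters are all zero.
SAMPLE_EVE_ZERO_BYPASS = """\
{"event_type":"flow","flow_id":1879207991035545,"src_ip":"192.168.1.3","dest_ip":"192.168.1.2","flow":{"pkts_toserver":3,"pkts_toclient":0,"state":"new","reason":"shutdown"}}
{"event_type":"flow","flow_id":1879242789606485,"src_ip":"10.1.2.40","dest_ip":"10.1.2.30","flow":{"pkts_toserver":1,"pkts_toclient":0,"state":"new","reason":"shutdown"}}
{"event_type":"flow","flow_id":1879210399489037,"src_ip":"10.1.2.4","dest_ip":"10.1.2.3","flow":{"pkts_toserver":2,"pkts_toclient":0,"bypassed":{"pkts_toserver":0,"pkts_toclient":0,"bytes_toserver":0,"bytes_toclient":0},"state":"bypassed","bypass":"capture","reason":"shutdown"}}
"""

# Constructed (hypothetical) record in which the bypass actually saw traffic.
SAMPLE_EVE_EFFECTIVE_BYPASS = """\
{"event_type":"flow","flow_id":42,"src_ip":"10.1.2.4","dest_ip":"10.1.2.3","flow":{"pkts_toserver":5,"pkts_toclient":0,"bypassed":{"pkts_toserver":3,"pkts_toclient":0,"bytes_toserver":162,"bytes_toclient":0},"state":"bypassed","bypass":"capture","reason":"shutdown"}}
"""

# Constructed stats.log excerpt, abridged from the one posted above: the
# local_capture counters are present, flow_bypassed.pkts is not.
SAMPLE_STATS_LOG = """\
capture.kernel_packets                                       | Total                     | 3
flow_bypassed.local_capture_pkts                             | Total                     | 1
flow_bypassed.local_capture_bytes                            | Total                     | 54
flow.end.state.capture_bypassed                              | Total                     | 1
"""


def eve_events(text):
    """Parse newline-delimited JSON (eve.json) into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def capture_bypassed_flows(text):
    """Flow events the lenient check accepts: state == bypassed and bypass == capture."""
    return [
        ev for ev in eve_events(text)
        if ev.get("event_type") == "flow"
        and ev.get("flow", {}).get("state") == "bypassed"
        and ev.get("flow", {}).get("bypass") == "capture"
    ]


def bypassed_pkts(flow_event):
    """Packets the flow record attributes to the bypass, both directions."""
    b = flow_event["flow"].get("bypassed", {})
    return b.get("pkts_toserver", 0) + b.get("pkts_toclient", 0)


def check_eve_bypass(text, min_bypassed_pkts=1):
    """Return (lenient_ok, strict_ok) for an eve.json text.

    lenient_ok: at least one flow is marked capture-bypassed (the condition the
                comment above says the test currently checks).
    strict_ok:  in addition, every such flow reports at least min_bypassed_pkts
                packets under flow.bypassed, so traffic really did get bypassed
                instead of the flow merely being flagged for bypass.
    """
    flows = capture_bypassed_flows(text)
    lenient_ok = bool(flows)
    strict_ok = lenient_ok and all(bypassed_pkts(f) >= min_bypassed_pkts for f in flows)
    return lenient_ok, strict_ok


def stats_counters(text):
    """Parse 'name | Total | value' rows of a stats.log dump into {name: int}."""
    counters = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[2].isdigit():
            counters[parts[0]] = int(parts[2])
    return counters


def check_stats_bypass(text):
    """True only if flow_bypassed.pkts is present and non-zero in stats.log."""
    return stats_counters(text).get("flow_bypassed.pkts", 0) > 0


if __name__ == "__main__":
    print("zero-bypass eve.json  (lenient, strict):", check_eve_bypass(SAMPLE_EVE_ZERO_BYPASS))
    print("effective eve.json    (lenient, strict):", check_eve_bypass(SAMPLE_EVE_EFFECTIVE_BYPASS))
    print("stats.log has flow_bypassed.pkts > 0:   ", check_stats_bypass(SAMPLE_STATS_LOG))
```

On the records from the thread the lenient check passes and the strict check fails, which is exactly the situation the comment describes. The min_bypassed_pkts parameter is there because a bypass that is installed asynchronously can legitimately miss the first packets of a flow, so a live test that wants to assert on bypassed traffic needs to send enough packets per flow, or wait, before expecting the counters to move.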
@catenacyber

Collaborator Author

Not sure there is an issue.

It takes time to install the bypass, while packets for the same flow may already be in the afpacket queue.


Labels

  • framework: Has a suricata-verify framework change
  • requires suricata pr: Depends on a PR in Suricata
