Xdp tunnel 7674 v15 #15415

Closed
catenacyber wants to merge 12 commits into OISF:main from catenacyber:xdp-tunnel-7674-v15

@catenacyber

Contributor

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7674

Describe changes:

  • introduces configurable tunnel_id to distinguish same-looking (same 5-tuple) flows encapsulated in different tunnels
  • adds a config option to "skip" the packets that are not part of a tunnel on interfaces receiving tunneled traffic
  • handle xdp bypass of these encapsulated flows
  • use this new tunnel_id as a multi-tenant selector
  • EBPF is now in suricata --build-info list of features
  • ebpf: remove unused macro
  • test: new afpacket max-packets feature

SV_BRANCH=OISF/suricata-verify#3045

#15254 with needed rebase

PS: My branch xdp-tunnel-7674-v9.1 has only the 4 easy commits (code refactoring, no new functionality)

catenacyber and others added 12 commits May 19, 2026 22:11
So that we know for a packet which precise type of tunnel it
is (like erspan2).
Ticket: 7674

To distinguish flows with the same 5-tuple but coming from different
configured tunnel sources.

For vxlan, we need to call
1. PacketTunnelPktSetup with vxlan header
2. Call a new DecodeVXLANtunnel which
  - sets the tunnel id
  - call DecodeEthernet on data after vxlan header as before
Ticket: 7674

On interfaces meant to receive only tunneled traffic
for SV to run tests based on the presence of this feature
so as to run ebpf live tests
Ticket: 7674

Allows a compile-time option AFPACKET_TEST_REPLAY, that allows
to set a configuration max-packets per afpacket interface,
after which the PktAcqLoop stops.

This allows suricata-verify tests to run with tcpreplay,
and know when to stop
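
An added example, not code from this pull request or from Suricata: a minimal flow table showing why a key built only from the inner 5-tuple merges flows from different tunnels, and how including a tunnel_id (plus a skip option for untunneled packets) separates them. The struct layout, the function names, the `skip_untunneled` flag and the convention that tunnel_id 0 means "not tunneled" are all assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical flow key: inner 5-tuple plus tunnel_id (assumed: 0 = not tunneled).
 * Names and layout are illustrative assumptions, not Suricata's structures. */
typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
    uint32_t tunnel_id;
} FlowKey;

#define TABLE_SIZE 64
typedef struct {
    FlowKey keys[TABLE_SIZE];
    uint8_t used[TABLE_SIZE];
    int     count;           /* distinct flows tracked */
    int     use_tunnel_id;   /* 0: 5-tuple only, 1: 5-tuple + tunnel_id */
    int     skip_untunneled; /* 1: ignore packets with tunnel_id == 0 */
} FlowTable;

static uint32_t fnv1a(uint32_t h, const void *p, size_t n) {
    const uint8_t *b = p;
    while (n--) { h ^= *b++; h *= 16777619u; }
    return h;
}

static uint32_t key_hash(const FlowKey *k, int use_tid) {
    uint32_t h = 2166136261u;
    h = fnv1a(h, &k->src_ip, 4);   h = fnv1a(h, &k->dst_ip, 4);
    h = fnv1a(h, &k->src_port, 2); h = fnv1a(h, &k->dst_port, 2);
    h = fnv1a(h, &k->proto, 1);
    if (use_tid) h = fnv1a(h, &k->tunnel_id, 4);
    return h;
}

static int key_eq(const FlowKey *a, const FlowKey *b, int use_tid) {
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port &&
           a->proto == b->proto && (!use_tid || a->tunnel_id == b->tunnel_id);
}

/* Returns the flow slot for the packet, or -1 if skipped or the table is full. */
int flow_lookup(FlowTable *t, const FlowKey *k) {
    if (t->skip_untunneled && k->tunnel_id == 0) return -1;
    uint32_t i = key_hash(k, t->use_tunnel_id) % TABLE_SIZE;
    for (int n = 0; n < TABLE_SIZE; n++, i = (i + 1) % TABLE_SIZE) {
        if (!t->used[i]) { t->keys[i] = *k; t->used[i] = 1; t->count++; return (int)i; }
        if (key_eq(&t->keys[i], k, t->use_tunnel_id)) return (int)i;
    }
    return -1;
}
```

With `use_tunnel_id` off, two tenants reusing the same private addresses share one flow entry, so stream and detection state from one tunnel would be attributed to the other.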
@codecov

codecov Bot commented May 19, 2026


Codecov Report

❌ Patch coverage is 54.84950% with 135 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.60%. Comparing base (bf64b52) to head (7e996bb).
⚠️ Report is 172 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #15415      +/-   ##
==========================================
- Coverage   82.62%   82.60%   -0.03%     
==========================================
  Files         996      997       +1     
  Lines      271731   271959     +228     
==========================================
+ Hits       224529   224645     +116     
- Misses      47202    47314     +112     
Flag Coverage Δ
fuzzcorpus 60.84% <21.73%> (-0.07%) ⬇️
livemode 18.32% <13.04%> (-0.01%) ⬇️
netns 22.66% <17.39%> (-0.10%) ⬇️
pcap 45.05% <23.74%> (+<0.01%) ⬆️
suricata-verify 66.39% <54.51%> (-0.01%) ⬇️
unittests 58.40% <16.72%> (-0.05%) ⬇️


@suricata-qa


WARNING:

field baseline test %
SURI_TLPW2_single_stats_chk
.uptime 391 403 103.07%
SURI_TLPR1_stats_chk
.app_layer.flow.ftp_data 601 621 103.33%

Pipeline = 31610

@catenacyber catenacyber marked this pull request as draft May 21, 2026 13:41
@catenacyber

Contributor Author

Draft : first part in #15434

@catenacyber

Contributor Author

Rebased in #15603


Labels

needs rebase Needs rebase to main
