Skip to content

Capture bypass stats gather v3#15219

Closed
adaki4 wants to merge 2 commits into
OISF:mainfrom
adaki4:capture-bypass-stats-gather-v3
Closed

Capture bypass stats gather v3#15219
adaki4 wants to merge 2 commits into
OISF:mainfrom
adaki4:capture-bypass-stats-gather-v3

Conversation

@adaki4

@adaki4 adaki4 commented Apr 16, 2026

Copy link
Copy Markdown
Contributor

Changes

  • Changed based on issues in previous PR
  • Rebased to main
  • Created SV PR, linked below

Links to tickets: 8440, 8442

Previous PR: #15189

SV_BRANCH=OISF/suricata-verify#3027

adaki4 added 2 commits April 16, 2026 19:31
@adaki4
capture-bypass: force check of bypassed flows
20059ec 
This commit forces timeout check of all flows in the flow table at the
shutdown stage of Suricata.

Gathering of capture-bypassed flow statistics was left to the bypass
capture method via BypassUpdate callback. Until now, capture-bypassed
flows that did not timeout had their statistics unchecked in the period
between last check and shutdown. This commit forces gathering of
statistics from these flows.

Ticket: 8440
@adaki4
capture-bypass: fix worker timeout bypassed flows
b81cf1a 
Forbid worker to timeout capture-bypassed flows, as it does not have the
necessary components (BypassUpdate callback) to gather the necessary
statistics from the flows to make this decisions. Leave the
processing of bypass-capture flows only to FlowManager.

Ticket: 8442
@adaki4 adaki4 requested a review from victorjulien as a code owner April 16, 2026 18:15
@adaki4 adaki4 mentioned this pull request Apr 16, 2026
Closed
@codecov

codecov Bot commented Apr 16, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.65%. Comparing base (214e47b) to head (b81cf1a).
⚠️ Report is 29 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #15219      +/-   ##
==========================================
- Coverage   82.68%   82.65%   -0.04%     
==========================================
  Files         993      993              
  Lines      271880   271899      +19     
==========================================
- Hits       224807   224733      -74     
- Misses      47073    47166      +93
Flag Coverage Δ
fuzzcorpus 60.99% <5.88%> (-0.01%) ⬇️
livemode 18.36% <100.00%> (-0.01%) ⬇️
netns 22.63% <100.00%> (-0.01%) ⬇️
pcap 45.26% <94.11%> (-0.04%) ⬇️
suricata-verify 66.25% <100.00%> (-0.08%) ⬇️
unittests 58.84% <13.79%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

lukashino
lukashino approved these changes Apr 19, 2026
View reviewed changes

@lukashino lukashino left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I approve the changes.

SV test is an extra verification -- not required to be merged. Generally, I would be inclined to accept Phillipe's work (OISF/suricata-verify#2969) into SV tests and later on port these SV tests -- it would save some test time (shuts down immediately, after all packets were transmitted and are not waiting, e.g. 5 seconds).

victorjulien
victorjulien reviewed Apr 29, 2026
View reviewed changes
Comment thread src/flow-private.h
* flows for new flows and/or it's memcap limit it reached. In this state the
* flow engine with evaluate flows with lower timeout settings. */
#define FLOW_EMERGENCY 0x01
#define FLOW_SHUTDOWN 0x02

@victorjulien victorjulien Apr 29, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this needs a comment explaining what it is used for.

@adaki4 adaki4 Apr 30, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, I will add a description containing how it affects FlowManager in the shutdown stage.

victorjulien
victorjulien reviewed Apr 29, 2026
View reviewed changes
Comment thread src/flow-hash.c
FLOWLOCK_WRLOCK(f);
const bool timedout = (timeout_check && FlowIsTimedOut(tv_id, f, p->ts, emerg));
bool timedout = (timeout_check && FlowIsTimedOut(tv_id, f, p->ts, emerg));
#ifdef CAPTURE_OFFLOAD

@victorjulien victorjulien Apr 29, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can this move into FlowIsTimedOut?

@adaki4 adaki4 Apr 30, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay.

@adaki4 adaki4 mentioned this pull request Apr 30, 2026
Closed
@adaki4

adaki4 commented Apr 30, 2026

Copy link
Copy Markdown
Contributor Author

Continues in #15289

@adaki4 adaki4 closed this Apr 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@victorjulien victorjulien victorjulien left review comments

@lukashino lukashino lukashino approved these changes

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@adaki4 @lukashino @victorjulien