af-packet: respect vlan.use-for-tracking in eBPF bypass #15458
Closed
ssam18 wants to merge 4 commits into
AFPBypassCallback and AFPXDPBypassCallback populate the flow_table_v4 and flow_table_v6 eBPF maps using p->vlan_id[N] directly. When the matching xdp_filter.c program is built with VLAN_TRACKING=0 (i.e. vlan.use-for-tracking is false in suricata.yaml), the kernel side writes vlan0 and vlan1 as 0 on every map lookup, so userspace inserts that carry the real VLAN id never match and per-flow bypass counters stay at zero.

Apply g_vlan_mask to each vlan_id assignment, matching the masking pattern already used by flow-hash.c. When vlan.use-for-tracking is true, g_vlan_mask is 0xffff and behaviour is unchanged.

Original patch by John Graat on Redmine ticket 8242. Rebased to current main and dropped the now-removed vlan2 field.

Ticket: 8242
for SV to run tests based on the presence of this feature
This was referenced May 25, 2026
NOTE: This PR may contain new authors.
catenacyber (Contributor) requested changes on May 28, 2026 and left a comment:
I think we need CI to run the test
so as to run ebpf live tests
Ticket: 7674 Allows a compile-time option AFPACKET_TEST_REPLAY, that allows to set a configuration max-packets per afpacket interface, after which the PktAcqLoop stops. This allows suricata-verify tests to run with tcpreplay, and know when to stop
Contributor
Please open a new PR instead of force-pushing
Sure. Will do from next time
Contributor
Please do it this time
Contributor
Author
Closing in favour of #15469 as per @catenacyber's request. Same 4 commits (the vlan-mask fix + EBPF feature + the two SV/CI plumbing picks from #15415), opened as a fresh PR rather than additions on top of this branch.
Make sure these boxes are checked accordingly before submitting your Pull Request. Thank you.
Contribution style:
https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html
Our Contribution agreements:
https://suricata.io/about/contribution-agreement/ (note: this is only required once)
Changes (if applicable):
(including schema descriptions)
https://redmine.openinfosecfoundation.org/projects/suricata/issues
Link to ticket: https://redmine.openinfosecfoundation.org/issues/8242
Supersedes #15430.
`AFPBypassCallback` and `AFPXDPBypassCallback` in `src/source-af-packet.c` now AND `p->vlan_id[N]` with `g_vlan_mask` before writing it into the eBPF `flow_table_v4` / `flow_table_v6` map keys, so the userspace key matches the kernel side when `vlan.use-for-tracking` is false (kernel side writes zero, so userspace must too).

Affects all 8 insert sites across the two callbacks (IPv4 and IPv6, forward and reverse half-flows), matching the masking pattern already used 30+ times in `src/flow-hash.c`.

Original patch by John Graat on Redmine #8242, rebased onto current main. The patch in the ticket targeted a `vlan2` field that has since been removed from the `flowvN_keys` struct in `src/util-ebpf.h`, so only `vlan0` and `vlan1` are masked here.

The `features: add EBPF as a feature` commit is cherry-picked from #15446 so the companion suricata-verify test in OISF/suricata-verify#3113 (which uses `requires: features: EBPF`) can run against this build independently of #15446 merging first.

Provide values to any of the below to override the defaults.

link to the pull request in the respective `_BRANCH` variable.

SV_REPO=
SV_BRANCH=OISF/suricata-verify#3113
SU_REPO=
SU_BRANCH=
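
The key mismatch described in this PR, as an added example in C that is not code from the PR or from Suricata. `demo_key` is a hypothetical, simplified stand-in for the real map key, the flow values are constructed, and a mask of 0 for `vlan.use-for-tracking: false` is an assumption drawn from the description's "kernel side writes zero".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified key: NOT the real flowvN_keys layout from util-ebpf.h. */
struct demo_key {
    uint32_t src, dst;
    uint16_t sport, dport;
    uint16_t vlan0, vlan1;      /* 16 bytes, no padding */
};

#define DEMO_SLOTS 4
static struct demo_key demo_map[DEMO_SLOTS];
static int demo_used;

/* Key for one constructed flow (10.0.0.1:1234 -> 10.0.0.2:80), VLAN ids ANDed with mask. */
static struct demo_key demo_key_for(uint16_t vlan0, uint16_t vlan1, uint16_t mask)
{
    struct demo_key k = { 0x0a000001, 0x0a000002, 1234, 80,
                          (uint16_t)(vlan0 & mask), (uint16_t)(vlan1 & mask) };
    return k;
}

/* Like an eBPF hash map, a lookup hits only on byte-identical keys. */
static int demo_lookup(const struct demo_key *k)
{
    for (int i = 0; i < demo_used; i++)
        if (memcmp(&demo_map[i], k, sizeof(*k)) == 0)
            return i;
    return -1;
}

/* Userspace inserts a bypass entry built with user_mask; the kernel side looks the
 * same packet up with kernel_mask (0 models VLAN_TRACKING=0). Returns 1 on a hit. */
int demo_bypass_hits(uint16_t vlan0, uint16_t vlan1,
                     uint16_t user_mask, uint16_t kernel_mask)
{
    struct demo_key u = demo_key_for(vlan0, vlan1, user_mask);
    struct demo_key q = demo_key_for(vlan0, vlan1, kernel_mask);
    demo_used = 0;
    demo_map[demo_used++] = u;
    return demo_lookup(&q) >= 0;
}

int main(void)
{
    printf("raw vlan_id insert, tracking off: hit=%d\n", demo_bypass_hits(100, 0, 0xffff, 0));
    printf("masked insert, tracking off:      hit=%d\n", demo_bypass_hits(100, 0, 0, 0));
    return 0;
}
```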