Skip to content

Xdp tunnel 7674 v16#15603

Closed
catenacyber wants to merge 13 commits into
OISF:mainfrom
catenacyber:xdp-tunnel-7674-v16
Closed

Xdp tunnel 7674 v16#15603
catenacyber wants to merge 13 commits into
OISF:mainfrom
catenacyber:xdp-tunnel-7674-v16

Conversation

@catenacyber

@catenacyber catenacyber commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7674

Describe changes:

  • introduces configurable tunnel_id to distinguish same-looking (same 5-tuple) flows encapsulated in different tunnels
  • adds a config option to "skip" the packets that are not part of a tunnel on interfaces receiving tunneled traffic
  • handle xdp bypass of these encapsulated flows
  • use this new tunnel_id as a multi-tenant selector
  • EBPF is now in suricata --build-info list of features
  • ebpf: remove unused macro
  • test: new afpacket max-packets feature

SV_BRANCH=OISF/suricata-verify#3045

#15415 with needed rebase

On top of first #15446

@catenacyber catenacyber mentioned this pull request Jun 11, 2026
Closed
@codecov

codecov Bot commented Jun 11, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 54.84950% with 135 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.87%. Comparing base (28b10fb) to head (41bcc02).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #15603      +/-   ##
==========================================
- Coverage   82.90%   82.87%   -0.03%     
==========================================
  Files        1006     1007       +1     
  Lines      273648   273876     +228     
==========================================
+ Hits       226869   226987     +118     
- Misses      46779    46889     +110
Flag Coverage Δ
fuzzcorpus 61.31% <21.73%> (-0.05%) ⬇️
livemode 18.40% <13.04%> (-0.02%) ⬇️
netns 22.78% <17.39%> (-0.05%) ⬇️
pcap 45.13% <23.74%> (-0.10%) ⬇️
suricata-verify 66.67% <54.51%> (-0.05%) ⬇️
unittests 58.48% <16.72%> (-0.06%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@suricata-qa

suricata-qa commented Jun 11, 2026

Copy link
Copy Markdown

WARNING:

field baseline test %
SURI_TLPR1_stats_chk
.app_layer.flow.ftp_data 771 740 95.98%

Pipeline = 31954

catenacyber and others added 13 commits June 14, 2026 22:17
@catenacyber
ebpf: factorize duplicated code for key setting
7c76e2c
@catenacyber
features: add EBPF as a feature
b740c9c 
for SV to run tests based on the presence of this feature
@catenacyber
ebpf: remove unused macro
680f7d4
@catenacyber
flow: use livedev for ftp-hash
802cefc 
Completes commit 7e725c6

autofp-scheduler with value ftp-hash ends up using
FlowGetIpPairProtoHash which ignores the ports for ftp-looking
flows so that the ftp and ftp-data flow get processed by the
same thread.

As for the other cases, we want to use every other parameter
to compute the flow hash, inclusing the live device
@catenacyber
flow: factorize duplicated code for hashing
28e7dfb
@catenacyber
decode: store tunnel protocol in packet structure
4d0e856 
So that we know for a packet which precise type of tunnel it
is (like erspan2).
@catenacyber
flow: adds a tunnel identifier
e3e632b 
Ticket: 7674

To distinguish flows with the same 5-tuple but coming from different
configured tunnel sources.

For vxlan, we need to call
1. PacketTunnelPktSetup with vxlan header
2. Call a new DecodeVXLANtunnel which
  - sets the tunnel id
  - call DecodeEthernet on data after vxlan header as before
@catenacyber
xdp: handle erspan2 tunnels
22ae063 
Ticket: 7674
@catenacyber
xdp: handle vxlan tunnels
ebbf175 
Ticket: 7674
@catenacyber
detect: tunnel_id can be a selector for multi-tenants
41be3a4 
Tciket: 7674
@catenacyber
flow: add config option to skip non-tunneled packets
c3e52c7 
Ticket: 7674

On interfaces meant to receive only tunneled traffic
@catenacyber
ci: add new xdp build with live tests
a9b5d21 
so as to run ebpf live tests
@catenacyber
test: new afpacket max-packets feature
41bcc02 
Ticket: 7674

Allows a compile-time option AFPACKET_TEST_REPLAY, that allows
to set a configuration max-packets per afpacket interface,
after which the PktAcqLoop stops.

This allows suricata-verify tests to run with tcpreplay,
and know when to stop
@catenacyber catenacyber force-pushed the xdp-tunnel-7674-v16 branch from 6ec593f to 41bcc02 Compare June 14, 2026 20:17
@suricata-qa

suricata-qa commented Jun 14, 2026

Copy link
Copy Markdown

WARNING:

field baseline test %
SURI_TLPR1_stats_chk
.app_layer.flow.ftp_data 604 624 103.31%

Pipeline = 32034

@catenacyber catenacyber mentioned this pull request Jun 23, 2026
Closed
@catenacyber

catenacyber commented Jun 23, 2026

Copy link
Copy Markdown
Contributor Author

Replaced by #15710

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jasonish jasonish Awaiting requested review from jasonish jasonish will be requested when the pull request is marked ready for review jasonish is a code owner
@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini will be requested when the pull request is marked ready for review jufajardini is a code owner
@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien will be requested when the pull request is marked ready for review victorjulien is a code owner

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@catenacyber @suricata-qa