Capture bypass worker flow timeout v2 #15733
Open
adaki4 wants to merge 5 commits into
This commit forces a timeout check of all flows in the flow table at the shutdown stage of Suricata. Gathering of capture-bypassed flow statistics was left to the bypass capture method via the BypassUpdate callback. Until now, capture-bypassed flows that did not time out had their statistics unchecked in the period between the last check and shutdown. This commit forces gathering of statistics from these flows.
Ticket: 8440
This change prevents capture-bypassed flows from being removed from the flow table by a worker thread. If a flow like this is de-initialized in any other way than how FlowManager handles de-initialization of capture-bypassed flows, the underlying bypass method is not aware that it should not filter out the flow anymore (e.g. the EBPF map is not updated). This can lead to a resource leak, such as the EBPF map being completely filled up and bypass being incapable of filtering any new flows. Until now, this issue happened when a capture-bypassed flow had reached its timeout (as in suricata.yaml flow-timeouts.x.bypassed), but a worker thread was the first to pre-emptively de-initialize the flow, before FlowManager could perform proper de-initialization.
Ticket: 8442
for SV to run tests based on the presence of this feature
so as to run ebpf live tests
Ticket: 7674
Allows a compile-time option, AFPACKET_TEST_REPLAY, that allows setting a max-packets configuration per afpacket interface, after which the PktAcqLoop stops. This allows suricata-verify tests to run with tcpreplay and know when to stop.
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #15733 +/- ##
==========================================
- Coverage 82.96% 82.96% -0.01%
==========================================
Files 1003 1003
Lines 275031 275051 +20
==========================================
- Hits 228192 228190 -2
- Misses 46839 46861 +22
This PR resolves an issue where Suricata does not check the statistics of bypassed flows that have been timed out by workers.
Changes:
SV_BRANCH=OISF/suricata-verify#3195
Links to ticket: 8442
Previous PR: #15331
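
The leak described in the commit message for ticket 8442, as an added model that is not Suricata code and not part of this PR: a fixed-size table stands in for the EBPF bypass map, and every type, function name and the capacity of 4 are hypothetical. It compares a worker that frees timed-out bypassed flows itself with a worker that leaves them to the manager path.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAP_CAP 4 /* constructed capacity standing in for the bypass map size */

/* Hypothetical model types; not Suricata's Flow or its eBPF map. */
typedef struct { int id; bool capture_bypassed; bool in_table; } ModelFlow;
typedef struct { int key[MAP_CAP]; bool used[MAP_CAP]; } ModelBypassMap;

static bool map_add(ModelBypassMap *m, int id) {
    for (int i = 0; i < MAP_CAP; i++)
        if (!m->used[i]) { m->used[i] = true; m->key[i] = id; return true; }
    return false; /* map full: this flow cannot be bypassed */
}
static void map_del(ModelBypassMap *m, int id) {
    for (int i = 0; i < MAP_CAP; i++)
        if (m->used[i] && m->key[i] == id) m->used[i] = false;
}
/* Worker path: frees the flow but never touches the bypass map. */
static bool worker_evict(ModelFlow *f, bool guard) {
    if (guard && f->capture_bypassed) return false; /* leave it to the manager */
    f->in_table = false;
    return true;
}
/* Manager path: drops the filter entry before freeing the flow. */
static void manager_evict(ModelFlow *f, ModelBypassMap *m) {
    if (f->capture_bypassed) map_del(m, f->id);
    f->in_table = false;
}
/* Runs `flows` flows to timeout with the worker always arriving first.
 * Returns rejected bypass requests; *stale gets entries left in the map. */
int simulate(int flows, bool guard, int *stale) {
    ModelBypassMap m; int rejected = 0;
    memset(&m, 0, sizeof m);
    for (int id = 1; id <= flows; id++) {
        ModelFlow f = { id, map_add(&m, id), true };
        if (!f.capture_bypassed) rejected++;
        if (!worker_evict(&f, guard)) manager_evict(&f, &m);
    }
    *stale = 0;
    for (int i = 0; i < MAP_CAP; i++) *stale += m.used[i];
    return rejected;
}
int main(void) {
    int stale, r = simulate(10, false, &stale);
    printf("worker evicts bypassed flows: rejected=%d stale=%d\n", r, stale);
    r = simulate(10, true, &stale);
    printf("worker defers to manager:     rejected=%d stale=%d\n", r, stale);
    return 0;
}
```

In a live deployment the same condition would show up as the number of entries in the bypass map staying at capacity while the count of bypassed flows in the flow table falls.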