decode/vxlan: support envelope header stripping #11472
base: main
Conversation
By default a VXLAN packet is handled by splitting off the encapsulated packet into its own Packet, which remains coupled with the original Packet to allow verdicts to be set in IPS mode. For the original "root" packet, payload inspection is disabled, but detection like IP, ports and other non-payload properties can still be inspected. There are cases where all packets will be VXLAN encapsulated, and the headers before the encapsulation matter little. One example is AWS network mirror, where packets are delivered over VXLAN. This is inefficient, as for each real packet there are 2 packets going through the pipeline. This patch introduces an option to strip the envelope headers, and let the encapsulated packet "take over" the Packet. The `decoder.vxlan.mode=strip` option will strip the headers.
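To make the envelope stripping concrete, here is an added example of the parse-then-strip step in plain C; it is not Suricata's decoder and the names (`vxlan_inner_offset`, `vxlan_strip_once`, `sample_strip`, the sample bytes) are assumptions for this illustration. It only strips an Ethernet/IPv4/UDP 4789/VXLAN envelope whose every header length checks out and whose inner frame is decodable, and it strips at most once per packet, which is the check the review comments below ask for.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define VXLAN_DEFAULT_PORT 4789
#define ETH_HLEN 14
#define UDP_HLEN 8
#define VXLAN_HLEN 8
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Offset of the inner Ethernet frame in an Ethernet/IPv4/UDP(4789)/VXLAN envelope,
 * 0 if buf is not one. Each header length is checked before that header is read,
 * and the inner frame must be decodable, so a truncated envelope is never stripped. */
size_t vxlan_inner_offset(const uint8_t *buf, size_t len, uint32_t *vni)
{
    size_t off = ETH_HLEN;
    if (len < off + 20 || be16(buf + 12) != 0x0800) return 0;
    size_t ihl = (size_t)(buf[off] & 0x0f) * 4;
    if ((buf[off] >> 4) != 4 || ihl < 20 || len < off + ihl || buf[off + 9] != 17) return 0;
    off += ihl;
    if (len < off + UDP_HLEN || be16(buf + off + 2) != VXLAN_DEFAULT_PORT) return 0;
    off += UDP_HLEN;
    if (len < off + VXLAN_HLEN || (buf[off] & 0x08) == 0) return 0; /* I flag (RFC 7348) */
    *vni = ((uint32_t)buf[off + 4] << 16) | ((uint32_t)buf[off + 5] << 8) | buf[off + 6];
    off += VXLAN_HLEN;
    return (len >= off + ETH_HLEN) ? off : 0;
}

/* Strip mode: the encapsulated frame takes over the buffer. The envelope is peeled
 * exactly once per packet, so a VXLAN-in-VXLAN packet keeps its second envelope for
 * the regular decoder path. Returns the new length; unchanged if buf is not VXLAN. */
size_t vxlan_strip_once(uint8_t *buf, size_t len, uint32_t *vni)
{
    size_t off = vxlan_inner_offset(buf, len, vni);
    if (off == 0) return len;
    memmove(buf, buf + off, len - off);
    return len - off;
}

/* Constructed sample, not a capture: outer Ethernet/IPv4/UDP dst 4789/VXLAN with
 * VNI 0x123456, then a 14-byte inner Ethernet header with ethertype 0x0800. */
static const uint8_t sample_pkt[64] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00,        /* outer Ethernet */
    0x45,0,0,50, 0,0,0x40,0, 64,17,0,0, 10,0,0,1, 10,0,0,2, /* outer IPv4, proto UDP */
    0x12,0x34, 0x12,0xb5, 0,30, 0,0,                        /* UDP, dst 4789 */
    0x08,0,0,0, 0x12,0x34,0x56,0,                           /* VXLAN: I flag, VNI */
    0x02,0,0,0,0,0x03, 0x02,0,0,0,0,0x04, 0x08,0x00,        /* inner Ethernet */
};
/* Copies the sample into out (64 bytes) and strips it; returns the new length. */
size_t sample_strip(uint8_t *out, uint32_t *vni)
{
    memcpy(out, sample_pkt, sizeof sample_pkt);
    return vxlan_strip_once(out, sizeof sample_pkt, vni);
}
```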
#define VXLAN_DEFAULT_PORT 4789 | ||
#define VXLAN_DEFAULT_PORT_S "4789" | ||
|
||
enum TunnelPacketMode { |
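Review bot: VXLAN_DEFAULT_PORT and VXLAN_DEFAULT_PORT_S are two hand-written copies of the same value and can drift apart; derive the string form from the numeric define with a stringification macro so the configuration default and the port check cannot disagree. If enum TunnelPacketMode is meant to be reused by other tunnel decoders, decode.h is a better home for it than the VXLAN decoder header.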
would move this into decode.h, but maybe only after adding support for other protocols like geneve, erspan, etc
default: | ||
SCLogDebug("VXLAN found unsupported Ethertype - expected IPv4, IPv6, VLAN, or ARP"); | ||
ENGINE_SET_INVALID_EVENT(p, VXLAN_UNKNOWN_PAYLOAD_TYPE); | ||
/* TODO check further that we strip only once per real packet */ |
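Review bot: the TODO on the last line of this hunk should be an actual check before the strip path is merged. The default branch records VXLAN_UNKNOWN_PAYLOAD_TYPE for an inner Ethertype the decoder cannot handle, and stripping must not proceed once the inner frame has turned out to be undecodable, otherwise the Packet's state no longer matches what was on the wire. Suggest gating the strip on a successful inner decode and recording on the Packet that an envelope has already been removed, so a nested VXLAN envelope is refused rather than peeled a second time.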
concern here is that we may strip things that we don't want to strip, leading to a bypass
PacketClearL2(p); | ||
PacketClearL3(p); | ||
PacketClearL4(p); | ||
// TODO clear things more: tuple, events? |
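Review bot: PacketClearL2, PacketClearL3 and PacketClearL4 reset only the layer pointers; the addresses, ports, IP protocol and any decode events already recorded for the envelope stay on the Packet and would then be reported as belonging to the inner packet. Suggest resolving the TODO with one reset helper that clears the tuple, ip proto, decode events and the relevant flags together with the layers, so every strip path clears the same set of fields.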
need to clear more of the packet: addr, port, ipproto, decode events. Need to review flags too.
Codecov Report: All modified and coverable lines are covered by tests ✅

@@            Coverage Diff            @@
##           master   #11472     +/-   ##
=========================================
+ Coverage   82.52%   82.58%   +0.06%
=========================================
  Files         938      938
  Lines      248297   248317      +20
=========================================
+ Hits       204917   205083     +166
+ Misses      43380    43234     -146
Information: ERROR: QA failed on SURI_TLPW2_autofp_suri_time. Pipeline 21468
Information: QA ran without warnings. Pipeline 21474
Should it be the case for other protocols than vxlan?
@victorjulien should we close this old PR until you plan to work back on this?
999c74d is another alternative: let ebpf XDP do the vxlan stripping so Suricata does not bother with it ;-)
Yet another solution may be routing to a virtual interface and letting the linux kernel do the work like
The `decoder.vxlan.mode=strip` option will strip the headers.
SV_BRANCH=OISF/suricata-verify#1972