Conversation

catenacyber
Contributor

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7674

Describe changes:

  • on top of Vxlan tunnel 7717 v1 #13302
  • introduces configurable tunnel_id to distinguish same-looking (same 5-tuple) flows encapsulated in different tunnels
  • adds a config option to "skip" the packets that are not part of a tunnel on interfaces receiving tunneled traffic
  • handle xdp bypass of these encapsulated flows
  • use this new tunnel_id as a multi-tenant selector

Provide values to any of the below to override the defaults.

SV_BRANCH=OISF/suricata-verify#2522

#13748 with

  • better option to skip non-tunneled traffic only on interfaces receiving tunneled traffic
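
As an added illustration of the first two description bullets (not code from this PR or from Suricata): two VXLAN-encapsulated packets whose inner 5-tuples are identical but whose VNIs differ. With a plain 5-tuple key they land in the same flow; keying on the tunnel as well keeps them apart. The `FlowKey` layout, the `tunnel_id = VNI + 1` encoding (so that 0 can mean "not tunneled"), and the constructed VXLAN/Ethernet/IPv4/TCP bytes are assumptions of this example, not Suricata's internals or its configuration syntax.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flow key: the classic 5-tuple plus a tunnel_id. 0 means
 * "not in a tunnel"; a VXLAN flow gets VNI + 1 so VNI 0 still differs
 * from plain traffic. This encoding is an assumption of the example. */
typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
    uint32_t tunnel_id;
} FlowKey;

#define VXLAN_HDR_LEN  8
#define VXLAN_FLAG_VNI 0x08   /* "I" flag: VNI field is valid (RFC 7348) */
#define ETHERTYPE_IPV4 0x0800

/* Parse a VXLAN header: 0 and the 24-bit VNI on success, -1 otherwise. */
static int vxlan_parse(const uint8_t *buf, size_t len, uint32_t *vni)
{
    if (len < VXLAN_HDR_LEN || !(buf[0] & VXLAN_FLAG_VNI))
        return -1;
    *vni = ((uint32_t)buf[4] << 16) | ((uint32_t)buf[5] << 8) | buf[6];
    return 0;
}

/* Flow key of the packet carried inside a VXLAN payload (VXLAN header,
 * inner Ethernet, inner IPv4, inner TCP/UDP). Only inner IPv4 is
 * handled here; anything else returns -1. */
static int flow_key_from_vxlan(const uint8_t *pkt, size_t len,
                               int use_tunnel_id, FlowKey *key)
{
    uint32_t vni;
    if (vxlan_parse(pkt, len, &vni) != 0)
        return -1;
    const uint8_t *p = pkt + VXLAN_HDR_LEN;
    size_t rem = len - VXLAN_HDR_LEN;

    if (rem < 14 || (((uint16_t)p[12] << 8) | p[13]) != ETHERTYPE_IPV4)
        return -1;
    p += 14; rem -= 14;

    if (rem < 20 || (p[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    if (ihl < 20 || rem < ihl + 4)
        return -1;

    memset(key, 0, sizeof(*key));
    key->proto = p[9];
    memcpy(&key->src_ip, p + 12, 4);
    memcpy(&key->dst_ip, p + 16, 4);
    const uint8_t *l4 = p + ihl;
    if (key->proto == 6 || key->proto == 17) {  /* TCP or UDP ports */
        key->src_port = (uint16_t)((l4[0] << 8) | l4[1]);
        key->dst_port = (uint16_t)((l4[2] << 8) | l4[3]);
    }
    key->tunnel_id = use_tunnel_id ? vni + 1 : 0;
    return 0;
}

static int flow_key_equal(const FlowKey *a, const FlowKey *b)
{
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port &&
           a->proto == b->proto && a->tunnel_id == b->tunnel_id;
}

/* Constructed packet: VXLAN(vni) / Ethernet / IPv4 10.0.0.1 -> 10.0.0.2 /
 * TCP 40000 -> 80, no options. Returns the bytes written (62). */
static size_t build_vxlan_tcp(uint32_t vni, uint8_t *out)
{
    static const uint8_t eth[14] = { 0x02,0,0,0,0,2, 0x02,0,0,0,0,1, 0x08,0x00 };
    static const uint8_t ip[20]  = { 0x45,0,0,40, 0,0,0x40,0, 64,6,0,0,
                                     10,0,0,1, 10,0,0,2 };
    static const uint8_t tcp[20] = { 0x9c,0x40, 0x00,0x50 };  /* rest zero */
    size_t off = 0;
    memset(out, 0, VXLAN_HDR_LEN);
    out[0] = VXLAN_FLAG_VNI;
    out[4] = (uint8_t)(vni >> 16); out[5] = (uint8_t)(vni >> 8); out[6] = (uint8_t)vni;
    off += VXLAN_HDR_LEN;
    memcpy(out + off, eth, sizeof eth); off += sizeof eth;
    memcpy(out + off, ip,  sizeof ip);  off += sizeof ip;
    memcpy(out + off, tcp, sizeof tcp); off += sizeof tcp;
    return off;
}

/* Same inner 5-tuple, VNI 100 vs 200: 1 if the keys collide, 0 if the
 * tunnel keeps them apart, -1 on parse error. */
static int same_inner_flow_collides(int use_tunnel_id)
{
    uint8_t a[64], b[64];
    FlowKey ka, kb;
    size_t la = build_vxlan_tcp(100, a);
    size_t lb = build_vxlan_tcp(200, b);
    if (flow_key_from_vxlan(a, la, use_tunnel_id, &ka) != 0 ||
        flow_key_from_vxlan(b, lb, use_tunnel_id, &kb) != 0)
        return -1;
    return flow_key_equal(&ka, &kb);
}

int main(void)
{
    printf("5-tuple only  : collide=%d\n", same_inner_flow_collides(0));
    printf("with tunnel_id: collide=%d\n", same_inner_flow_collides(1));
    return 0;
}
```

The same key collision is why the XDP bypass and the multi-tenant selector in the later bullets need the tunnel identity too: a bypass or tenant decision taken on the inner 5-tuple alone would apply to every tunnel carrying that 5-tuple.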

catenacyber and others added 11 commits September 12, 2025 11:14
Instead of directly accessing the field

Will allow PacketTunnelType to hold the precise tunnel type like
DECODE_TUNNEL_ERSPANII with a modification of PacketIsTunnelChild
So that we know for a packet which precise type of tunnel it
is (like erspan2).
ebpf program does not handle 3 layers of vlan
Ticket: 7717

Allows for instance to process/log ARP packets over VXLAN.

That means we need to decode the ethernet layer above vxlan
instead of skipping it as part of the vxlan, even if the vxlan
decoder still checks the ethernet layer to avoid FPs.
Ticket: 7674

To distinguish flows with the same 5-tuple but coming from different
tunnel sources.
Ticket: 7674

On interfaces meant to receive only tunneled traffic

codecov bot commented Sep 12, 2025

Codecov Report

❌ Patch coverage is 56.83230% with 139 lines in your changes missing coverage. Please review.
✅ Project coverage is 83.53%. Comparing base (9ed5ac7) to head (92be36f).
⚠️ Report is 57 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #13839      +/-   ##
==========================================
- Coverage   83.72%   83.53%   -0.19%     
==========================================
  Files        1011     1012       +1     
  Lines      275169   277655    +2486     
==========================================
+ Hits       230383   231939    +1556     
- Misses      44786    45716     +930     
Flag Coverage Δ
fuzzcorpus 63.04% <30.12%> (+0.01%) ⬆️
livemode 18.73% <11.18%> (-0.26%) ⬇️
pcap 44.89% <30.43%> (+0.14%) ⬆️
suricata-verify 65.10% <54.91%> (-0.03%) ⬇️
unittests 58.63% <18.55%> (-0.53%) ⬇️


@suricata-qa

Information: QA ran without warnings.

Pipeline = 27416

@catenacyber catenacyber added this to the 9.0 milestone Sep 14, 2025
@victorjulien
Member

I wonder how we can test this and if it is feasible to add it to a CI/QA pipeline. Is XDP too low level to use in the docker based CI here?

@catenacyber
Contributor Author

> I wonder how we can test this and if it is feasible to add it to a CI/QA pipeline. Is XDP too low level to use in the docker based CI here?

I will give it a try.

Generally speaking, there are many tickets about XDP without a good test framework.
And same goes for unix-socket.

When I am doing that, you can still review the first commits which are in #13302 ;-)

@catenacyber catenacyber marked this pull request as draft September 25, 2025 13:43
@catenacyber
Contributor Author

Draft because needs to deal with #13302 changes requested first
