Skip to content

Vxlan tunnel 7717 v2.1 #14018

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 5 commits into from
Closed

Vxlan tunnel 7717 v2.1 #14018

wants to merge 5 commits into from

Conversation

catenacyber
Copy link
Contributor

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7717

Describe changes:

  • Treat vxlan as its own tunnel in order to be able to log ARP over VXLAN
  • ebpf: check maps compatibility (and realize that our current ebpf does not handle 3 layers of vlan)

SV_BRANCH=OISF/suricata-verify#2521

Let me know if you want to handle the ebpf maps commit separately

These are the first commits of #13839 with a dedicated ticket

#14014 with cleaner history and SV rebased on latest

Note: there are other structures that may benefit from such an optimization : git grep "enum " src/*.h | grep ';' | grep -v ');'

For example in struct SSLState_ :

    enum TlsStateClient client_state;
    enum TlsStateServer server_state;

@catenacyber
decode: use PacketIsTunnelChild
820fb60 
Instead of directly accessing the field

Will allow PacketTunnelType to hold the precise tunnel type like
DECODE_TUNNEL_ERSPANII with a modification of PacketIsTunnelChild
@catenacyber catenacyber mentioned this pull request Oct 13, 2025
Closed
@catenacyber
decode: store tunnel protocol in packet structure
2b97caf 
So that we know for a packet which precise type of tunnel it
is (like erspan2).
@catenacyber
ebpf: check maps compatibility
ba6983c 
ebpf program does not handle 3 layers of vlan
@catenacyber
decode/xvlan: treat as its own tunnel
6aa364d 
Ticket: 7717

Allows for instance to process/log ARP packets over VXLAN.

That means we need to decode the ethernet layer above vxlan
instead of skipping it as part of the vxlan, even if the vxlan
decoder still checks the ethernet layer to avoid FPs.
@catenacyber
decode: use compact uint8_t instead of enum in struct
c0f8420 
to save memory
@catenacyber catenacyber force-pushed the vxlan-tunnel-7717-v2.1 branch from 08a9479 to c0f8420 Compare October 13, 2025 10:02
@catenacyber catenacyber mentioned this pull request Oct 13, 2025
Draft
@codecov Codecov
Copy link

codecov bot commented Oct 13, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 88.88889% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 83.84%. Comparing base (16d124c) to head (c0f8420).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #14018      +/-   ##
==========================================
- Coverage   83.87%   83.84%   -0.03%     
==========================================
  Files        1011     1011              
  Lines      275671   275675       +4     
==========================================
- Hits       231207   231132      -75     
- Misses      44464    44543      +79
Flag Coverage Δ
fuzzcorpus 63.41% <61.11%> (-0.10%) ⬇️
livemode 19.33% <0.00%> (-0.12%) ⬇️
pcap 44.78% <61.11%> (+0.02%) ⬆️
suricata-verify 65.16% <88.88%> (+0.01%) ⬆️
unittests 59.14% <44.44%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline = 27969

victorjulien
victorjulien reviewed Oct 13, 2025
View reviewed changes
src/decode.h

struct PacketL2 {
enum PacketL2Types type;
uint8_t type; // enum PacketL2Types
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this will safe anything due to alignment requirements of the pointer that follows

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right.

victorjulien
victorjulien reviewed Oct 13, 2025
View reviewed changes
src/decode.h

struct PacketL3 {
enum PacketL3Types type;
uint8_t type; // enum PacketL3Types
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

alignment of pointers in hdrs will lead to this not saving any space I think

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On 32-bit architecture, it would, right ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we don't optimize for 32 bit anymore, in fact we're considering dropping official support for it

victorjulien
victorjulien reviewed Oct 13, 2025
View reviewed changes
src/decode.h
};

struct PacketL4 {
enum PacketL4Types type;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

again I expect no practical effect here due to alignment

@catenacyber catenacyber mentioned this pull request Oct 13, 2025
Open
@catenacyber
Copy link
Contributor Author

Next in #14020

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@victorjulien victorjulien victorjulien left review comments

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@catenacyber @suricata-qa @victorjulien