catenacyber
Contributor

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7717

Describe changes:

  • Treat vxlan as its own tunnel in order to be able to log ARP over VXLAN
  • ebpf: check maps compatibility (and realize that our current ebpf does not handle 3 layers of vlan)

SV_BRANCH=OISF/suricata-verify#2521

Let me know if you want to handle the ebpf maps commit separately

These are the first commits of #13839 with a dedicated ticket

#14018 without enum PacketLXTypes changes

Note: there are other structures that may benefit from such an optimization : git grep "enum " src/*.h | grep ';' | grep -v ');'

For example in struct SSLState_ :

    enum TlsStateClient client_state;
    enum TlsStateServer server_state;

Instead of directly accessing the field

Will allow PacketTunnelType to hold the precise tunnel type like
DECODE_TUNNEL_ERSPANII with a modification of PacketIsTunnelChild
So that we know for a packet which precise type of tunnel it
is (like erspan2).
ebpf program does not handle 3 layers of vlan
Ticket: 7717

Allows for instance to process/log ARP packets over VXLAN.

That means we need to decode the ethernet layer above vxlan
instead of skipping it as part of the vxlan, even if the vxlan
decoder still checks the ethernet layer to avoid FPs.
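
The layering the last commit message describes, as an added example that is not part of the PR or of Suricata's code: the VXLAN decoder validates its own 8-byte header and hands the inner frame, Ethernet header included, to an Ethernet decoder, so an inner ARP frame is classified instead of skipped. The names `decode_vxlan`, `decode_ethernet` and `inner_kind`, the strict reserved-bits check and the sample bytes are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VXLAN_HDR_LEN 8   /* RFC 7348: flags, 24 reserved bits, 24-bit VNI, 8 reserved bits */
#define ETH_HDR_LEN 14

enum inner_kind { INNER_INVALID = 0, INNER_IPV4, INNER_IPV6, INNER_ARP, INNER_VLAN };

/* Ethernet decoder for the tunnelled frame: dispatches on EtherType. */
static enum inner_kind decode_ethernet(const uint8_t *eth, size_t len)
{
    if (len < ETH_HDR_LEN)
        return INNER_INVALID;
    switch ((eth[12] << 8) | eth[13]) {
        case 0x0800: return INNER_IPV4;
        case 0x0806: return INNER_ARP;
        case 0x8100: return INNER_VLAN;
        case 0x86DD: return INNER_IPV6;
        default:     return INNER_INVALID; /* unknown EtherType: treat as not VXLAN */
    }
}

/* VXLAN decoder: validates the header, extracts the VNI and passes the inner
 * frame, Ethernet header included, to the Ethernet decoder. */
static enum inner_kind decode_vxlan(const uint8_t *p, size_t len, uint32_t *vni)
{
    if (len < VXLAN_HDR_LEN + ETH_HDR_LEN)
        return INNER_INVALID;
    /* Strict heuristic assumed for this sketch: only the I flag, reserved bits zero. */
    if (p[0] != 0x08 || p[1] || p[2] || p[3] || p[7])
        return INNER_INVALID;
    *vni = ((uint32_t)p[4] << 16) | ((uint32_t)p[5] << 8) | p[6];
    return decode_ethernet(p + VXLAN_HDR_LEN, len - VXLAN_HDR_LEN);
}

/* Constructed sample: VXLAN (VNI 42) + broadcast Ethernet + start of an ARP request. */
static const uint8_t sample_arp_over_vxlan[VXLAN_HDR_LEN + ETH_HDR_LEN + 28] = {
    0x08, 0, 0, 0, 0, 0, 0x2a, 0,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02, 0, 0, 0, 0, 0x01, 0x08, 0x06,
    0x00, 0x01, 0x08, 0x00, 0x06, 0x04, 0x00, 0x01, /* remaining ARP fields zeroed */
};

int main(void)
{
    uint32_t vni = 0;
    enum inner_kind k = decode_vxlan(sample_arp_over_vxlan, sizeof(sample_arp_over_vxlan), &vni);
    printf("vni=%u inner=%d (INNER_ARP=%d)\n", (unsigned)vni, (int)k, (int)INNER_ARP);
    return 0;
}
```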

codecov bot commented Oct 13, 2025

Codecov Report

❌ Patch coverage is 88.88889% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 83.84%. Comparing base (16d124c) to head (b4b9209).

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #14020      +/-   ##
==========================================
- Coverage   83.87%   83.84%   -0.03%     
==========================================
  Files        1011     1011              
  Lines      275671   275675       +4     
==========================================
- Hits       231207   231144      -63     
- Misses      44464    44531      +67     
Flag Coverage Δ
fuzzcorpus 63.41% <61.11%> (-0.10%) ⬇️
livemode 19.37% <0.00%> (-0.08%) ⬇️
pcap 44.79% <61.11%> (+0.03%) ⬆️
suricata-verify 65.17% <88.88%> (+0.02%) ⬆️
unittests 59.14% <44.44%> (+<0.01%) ⬆️


@suricata-qa

WARNING:

field baseline test %
SURI_TLPR1_stats_chk
.uptime 654 630 96.33%

Pipeline = 27974
