
Xdp tunnel 7674 v10 #15102

Closed
catenacyber wants to merge 12 commits into OISF:main from catenacyber:xdp-tunnel-7674-v10

@catenacyber
Contributor

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/7674

Describe changes:

  • introduces configurable tunnel_id to distinguish same-looking (same 5-tuple) flows encapsulated in different tunnels
  • adds a config option to "skip" the packets that are not part of a tunnel on interfaces receiving tunneled traffic
  • handle xdp bypass of these encapsulated flows
  • use this new tunnel_id as a multi-tenant selector
  • EBPF is now in suricata --build-info list of features
  • ebpf: remove unused macro
  • test: new afpacket max-packets feature

SV_BRANCH=OISF/suricata-verify#2969

#15028 needed rebase

PS : My branch xdp-tunnel-7674-v9.1 has only the 4 easy commits (code refactoring, no new functionality)

catenacyber and others added 12 commits March 25, 2026 17:59
So that we know for a packet which precise type of tunnel it
is (like erspan2).
Ticket: 7674

To distinguish flows with the same 5-tuple but coming from different
configured tunnel sources.

For vxlan, we need to call
1. PacketTunnelPktSetup with vxlan header
2. Call a new DecodeVXLANtunnel which
  - sets the tunnel id
  - call DecodeEthernet on data after vxlan header as before
Ticket: 7674

On interfaces meant to receive only tunneled traffic
for SV to run tests based on the presence of this feature
so as to run ebpf live tests
Ticket: 7674

Allows a compile-time option AFPACKET_TEST_REPLAY, that allows
to set a configuration max-packets per afpacket interface,
after which the PktAcqLoop stops.

This allows suricata-verify tests to run with tcpreplay,
and know when to stop
@codecov

codecov Bot commented Mar 25, 2026

Codecov Report

❌ Patch coverage is 54.54545% with 135 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.59%. Comparing base (dce2dee) to head (405d482).
⚠️ Report is 35 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #15102      +/-   ##
==========================================
- Coverage   82.63%   82.59%   -0.05%     
==========================================
  Files         990      991       +1     
  Lines      271599   271825     +226     
==========================================
+ Hits       224429   224501      +72     
- Misses      47170    47324     +154     
Flag Coverage Δ
fuzzcorpus 60.99% <21.21%> (-0.07%) ⬇️
livemode 18.33% <12.79%> (-0.06%) ⬇️
netns 18.36% <17.17%> (-0.04%) ⬇️
pcap 45.22% <23.23%> (-0.07%) ⬇️
suricata-verify 66.13% <54.20%> (-0.05%) ⬇️
unittests 58.80% <16.49%> (-0.05%) ⬇️

@suricata-qa

Information: QA ran without warnings.

Pipeline = 30551

@catenacyber added the "needs rebase" (Needs rebase to main) label Apr 2, 2026
@catenacyber mentioned this pull request Apr 2, 2026
@catenacyber
Contributor Author

Rebased in #15151

@catenacyber catenacyber closed this Apr 2, 2026