
Conversation

@catenacyber (Contributor)

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7717

Describe changes:

  • Treat vxlan as its own tunnel in order to be able to log ARP over VXLAN
  • ebpf: check maps compatibility (and realize that our current ebpf does not handle 3 layers of vlan)

SV_BRANCH=OISF/suricata-verify#2521

Let me know if you want to handle the ebpf maps commit separately

These are the first commits of #14290 with a dedicated ticket

#14020 rebased to get attention and green CI

Note: there are other structures that may benefit from such an optimization: git grep "enum " src/*.h | grep ';' | grep -v ');'

For example in struct SSLState_ :

    enum TlsStateClient client_state;
    enum TlsStateServer server_state;

Instead of directly accessing the field

Will allow PacketTunnelType to hold the precise tunnel type like
DECODE_TUNNEL_ERSPANII with a modification of PacketIsTunnelChild,
so that we know for a packet which precise type of tunnel it
is (like erspan2).
ebpf program does not handle 3 layers of vlan
Ticket: 7717

Allows for instance to process/log ARP packets over VXLAN.

That means we need to decode the ethernet layer above vxlan
instead of skipping it as part of the vxlan, even if the vxlan
decoder still checks the ethernet layer to avoid FPs.
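To make the decoding change concrete, here is a small stand-alone decoder, written for this page and not taken from Suricata's code base. It walks a VXLAN header (RFC 7348), then the inner Ethernet header, strips any stacked 802.1Q/802.1ad tags up to a configurable depth, and reports the inner ethertype, so an ARP frame carried over VXLAN is recognised instead of being swallowed as tunnel payload. The enum name `TunnelType`, the struct `DecodeResult`, the `sample_*` helpers and the packet bytes are all constructed for the example; the tunnel type is stored in a `uint8_t` the way the PR description suggests for enum fields. Running the same three-tag frame with `max_vlan = 2` shows the kind of failure the PR notes for the eBPF program.

```c
// Added example (not Suricata code): decode VXLAN -> inner Ethernet ->
// stacked VLAN tags -> inner ethertype. Header layouts follow RFC 7348
// and IEEE 802.1Q/802.1ad; all names and sample bytes are constructed.
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_ARP   0x0806
#define ETHERTYPE_VLAN  0x8100   /* 802.1Q TPID */
#define ETHERTYPE_QINQ  0x88A8   /* 802.1ad TPID */
#define VXLAN_HDR_LEN   8
#define ETH_HDR_LEN     14
#define VLAN_TAG_LEN    4
#define VXLAN_FLAG_I    0x08     /* "VNI valid" bit in the first flags byte */

/* Hypothetical tunnel type enum (assumption, not Suricata's PacketTunnelType). */
enum TunnelType { TUNNEL_NONE = 0, TUNNEL_VXLAN = 1 };

struct DecodeResult {
    uint8_t  tunnel;          /* enum TunnelType kept in one byte */
    uint32_t vni;
    int      vlan_layers;     /* stacked tags found on the inner frame */
    uint16_t inner_ethertype; /* ethertype after all tags, e.g. 0x0806 for ARP */
    int      error;           /* 0 ok, -1 truncated, -2 VNI invalid, -3 too many tags */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode a UDP payload that starts at the VXLAN header. max_vlan caps how
 * many stacked tags we strip; max_vlan = 2 reproduces a "no 3rd VLAN" limit. */
struct DecodeResult decode_vxlan(const uint8_t *pkt, size_t len, int max_vlan)
{
    struct DecodeResult r;
    memset(&r, 0, sizeof(r));

    if (len < VXLAN_HDR_LEN + ETH_HDR_LEN) { r.error = -1; return r; }
    if ((pkt[0] & VXLAN_FLAG_I) == 0)     { r.error = -2; return r; }
    r.tunnel = TUNNEL_VXLAN;
    r.vni = ((uint32_t)pkt[4] << 16) | ((uint32_t)pkt[5] << 8) | pkt[6];

    /* The inner Ethernet header follows the 8-byte VXLAN header. */
    const uint8_t *p = pkt + VXLAN_HDR_LEN;
    size_t rem = len - VXLAN_HDR_LEN;
    uint16_t et = rd16(p + 12);         /* ethertype after dst/src MAC */
    p += ETH_HDR_LEN; rem -= ETH_HDR_LEN;

    /* Strip stacked 802.1Q / 802.1ad tags: 2-byte TCI, then the next ethertype. */
    while (et == ETHERTYPE_VLAN || et == ETHERTYPE_QINQ) {
        if (r.vlan_layers >= max_vlan) { r.error = -3; return r; }
        if (rem < VLAN_TAG_LEN)        { r.error = -1; return r; }
        et = rd16(p + 2);
        p += VLAN_TAG_LEN; rem -= VLAN_TAG_LEN;
        r.vlan_layers++;
    }
    r.inner_ethertype = et;
    return r;
}

/* Constructed sample: VXLAN (VNI 100) carrying an Ethernet frame with three
 * stacked VLAN tags and an ARP ethertype. The ARP body itself is omitted. */
static const uint8_t SAMPLE_ARP_3VLAN[] = {
    0x08, 0x00, 0x00, 0x00,  0x00, 0x00, 0x64, 0x00,            /* VXLAN: I flag, VNI=100 */
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, /* dst MAC, src MAC */
    0x88, 0xa8, 0x00, 0x0a,                                     /* 802.1ad tag, VID 10 */
    0x81, 0x00, 0x00, 0x14,                                     /* 802.1Q tag, VID 20 */
    0x81, 0x00, 0x00, 0x1e,                                     /* 802.1Q tag, VID 30 */
    0x08, 0x06,                                                 /* inner ethertype: ARP */
};

/* Scalar accessors over the sample so results are easy to check. */
uint16_t sample_inner_ethertype(int max_vlan)
{ return decode_vxlan(SAMPLE_ARP_3VLAN, sizeof(SAMPLE_ARP_3VLAN), max_vlan).inner_ethertype; }
int sample_vlan_layers(int max_vlan)
{ return decode_vxlan(SAMPLE_ARP_3VLAN, sizeof(SAMPLE_ARP_3VLAN), max_vlan).vlan_layers; }
int sample_error(int max_vlan)
{ return decode_vxlan(SAMPLE_ARP_3VLAN, sizeof(SAMPLE_ARP_3VLAN), max_vlan).error; }
uint32_t sample_vni(void)
{ return decode_vxlan(SAMPLE_ARP_3VLAN, sizeof(SAMPLE_ARP_3VLAN), 3).vni; }

int main(void)
{
    struct DecodeResult a = decode_vxlan(SAMPLE_ARP_3VLAN, sizeof(SAMPLE_ARP_3VLAN), 3);
    struct DecodeResult b = decode_vxlan(SAMPLE_ARP_3VLAN, sizeof(SAMPLE_ARP_3VLAN), 2);
    printf("max_vlan=3: tunnel=%u vni=%u vlans=%d ethertype=0x%04x err=%d\n",
           a.tunnel, a.vni, a.vlan_layers, a.inner_ethertype, a.error);
    printf("max_vlan=2: err=%d after %d tags\n", b.error, b.vlan_layers);
    return 0;
}
```

With a depth of three the decoder reaches ethertype 0x0806 and the frame can be handed to an ARP logger; with a depth of two it stops with an error after the second tag, which is the observable symptom of a fixed VLAN-layer limit in a fast path such as an eBPF filter.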
@codecov bot commented Nov 24, 2025

Codecov Report

❌ Patch coverage is 88.88889% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.19%. Comparing base (459e259) to head (7db942d).

@@            Coverage Diff             @@
##             main   #14369      +/-   ##
==========================================
- Coverage   84.19%   84.19%   -0.01%     
==========================================
  Files        1012     1012              
  Lines      261796   261800       +4     
==========================================
- Hits       220414   220412       -2     
- Misses      41382    41388       +6     
Flag Coverage Δ
fuzzcorpus 63.28% <61.11%> (+<0.01%) ⬆️
livemode 18.73% <0.00%> (-0.01%) ⬇️
pcap 44.61% <61.11%> (-0.01%) ⬇️
suricata-verify 64.96% <88.88%> (-0.02%) ⬇️
unittests 59.23% <44.44%> (-0.01%) ⬇️


@suricata-qa

Information: QA ran without warnings.

Pipeline = 28509

Review comment on this diff context:

    uint8_t ttype; // enum PacketTunnelType

    /* tunnel protocol */
    uint8_t tproto; // enum DecodeTunnelProto

Member

Is this ever read?

Contributor Author

It is read in #14290 follow up commits

We may also want to log it in a flow event
