Instead of directly accessing the field
Will allow PacketTunnelType to hold the precise tunnel type like DECODE_TUNNEL_ERSPANII with a modification of PacketIsTunnelChild
So that we know for a packet which precise type of tunnel it is (like erspan2).
ebpf program does not handle 3 layers of vlan
Ticket: 7717
Allows for instance to process/log ARP packets over VXLAN. That means we need to decode the ethernet layer above vxlan instead of skipping it as part of the vxlan, even if the vxlan decoder still checks the ethernet layer to avoid FPs.
to save memory
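How the layering described in the VXLAN commit message above can look, as an added example that is not code from this pull request or from Suricata: the inner Ethernet header is decoded as a layer of its own, and the VXLAN step only checks its ethertype for plausibility, so an ARP frame is accepted instead of skipped. The function names, the accepted ethertype list and the sample bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

enum { ETH_IPV4 = 0x0800, ETH_ARP = 0x0806, ETH_VLAN = 0x8100, ETH_IPV6 = 0x86DD };
enum { VXLAN_HDR_LEN = 8, ETH_HDR_LEN = 14 };
struct inner_frame {        /* hypothetical result type for this example */
    uint32_t vni;           /* 24-bit VXLAN network identifier */
    uint16_t ethertype;     /* ethertype of the inner Ethernet header */
    size_t l3_len;          /* bytes left after the inner Ethernet header */
};

/* The inner Ethernet header, decoded as a layer of its own. */
static int decode_inner_ethernet(const uint8_t *p, size_t len, struct inner_frame *out)
{
    if (len < ETH_HDR_LEN)
        return -1;
    out->ethertype = (uint16_t)((p[12] << 8) | p[13]);
    out->l3_len = len - ETH_HDR_LEN;
    return 0;
}

/* UDP payload in, inner frame out; -1 means "do not treat this as VXLAN". */
int decode_vxlan(const uint8_t *p, size_t len, struct inner_frame *out)
{
    if (len < VXLAN_HDR_LEN || !(p[0] & 0x08))   /* I flag: VNI is valid */
        return -1;
    out->vni = ((uint32_t)p[4] << 16) | ((uint32_t)p[5] << 8) | p[6];
    if (decode_inner_ethernet(p + VXLAN_HDR_LEN, len - VXLAN_HDR_LEN, out) != 0)
        return -1;
    switch (out->ethertype) {   /* plausibility check against false positives */
    case ETH_IPV4: case ETH_IPV6: case ETH_VLAN: case ETH_ARP:
        return 0;               /* ARP is accepted, so it can reach an ARP decoder */
    default:
        return -1;
    }
}

/* Constructed sample: VXLAN (VNI 100), inner broadcast frame, first 8 bytes of an ARP request. */
const uint8_t sample_vxlan_arp[] = {
    0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x00,   /* VXLAN header */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x06,
    0x00, 0x01, 0x08, 0x00, 0x06, 0x04, 0x00, 0x01 }; /* htype, ptype, hlen, plen, oper */

int main(void)
{
    struct inner_frame f = {0};
    return decode_vxlan(sample_vxlan_arp, sizeof sample_vxlan_arp, &f) != 0;
}
```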
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #14369 +/- ##
==========================================
- Coverage 84.19% 84.19% -0.01%
==========================================
Files 1012 1012
Lines 261796 261800 +4
==========================================
- Hits 220414 220412 -2
- Misses 41382 41388 +6
Information: QA ran without warnings. Pipeline = 28509
| uint8_t ttype; // enum PacketTunnelType | ||
|
|
||
| /* tunnel protocol */ | ||
| uint8_t tproto; // enum DecodeTunnelProto |
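Review bot: on `uint8_t ttype; // enum PacketTunnelType` and `uint8_t tproto; // enum DecodeTunnelProto`, the enum type now lives only in a trailing comment, so nothing stops a later enumerator from exceeding 8 bits or an out-of-range value from being stored. Consider a compile-time assertion next to each enum that its largest value fits in a uint8_t, and small accessors that cast back to the enum type so switch statements keep their exhaustiveness warnings.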
There was a problem hiding this comment.
It is read in #14290 follow up commits
We may also want to log it in a flow event
There was a problem hiding this comment.
would like to see the field added in that PR here then
Think we should also squash this commit into the commit introducing the fields
There was a problem hiding this comment.
So, removing this commit for the first PR
Friendly ping @victorjulien ?
| keys[0]->port16[1] = p->dp; | ||
| keys[0]->vlan0 = p->vlan_id[0]; | ||
| keys[0]->vlan1 = p->vlan_id[1]; | ||
| keys[0]->vlan2 = p->vlan_id[2]; |
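Review bot: around `keys[0]->vlan2 = p->vlan_id[2];`, the key fields `vlan0`, `vlan1` and `vlan2` have to be filled the same way on both sides of the map, so whatever this change does with the third VLAN id must match what the eBPF program puts in its own key, otherwise entries for triple-tagged traffic will not match. Please add a comment here stating which VLAN layers the eBPF side fills and what value `vlan2` holds when it is unused.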
There was a problem hiding this comment.
program looks like it could be easily extended to support vlan2, should that be considered instead?
There was a problem hiding this comment.
Not so easy, but I try something
Next version in #14820
Link to ticket: https://redmine.openinfosecfoundation.org/issues/7717
Describe changes:
SV_BRANCH=OISF/suricata-verify#2521
Let me know if you want to handle the ebpf maps commit separately
These are the first commits of #14290 with a dedicated ticket
#14020 rebased to get attention and green CI
Note: there are other structures that may benefit from such an optimization:
git grep "enum " src/*.h | grep ';' | grep -v ');'
For example in
struct SSLState_: