output/ipv6: Add per-output configuration option to shorten IPv6 IP addresses#14819

Closed

jlucovsky wants to merge 7 commits into OISF:main from jlucovsky:7399/2

Conversation

@jlucovsky (Contributor)

Continuation of #14816

Display IPv6 addresses in long (default) or shortened form per RFC-5952, based on the per-output configuration setting. Each of these outputs will display shortened IPv6 addresses when the per-output config setting ipv6-addr-shorten is yes.

  • EVE output
  • Fast output
  • Alert-debug output
  • Alert syslog output

Here's an example of an IPv6 address with its shortened value:

fe80:0000:0000:0000:020c:29ff:faf2:ab42
fe80::20c:29ff:faf2:ab42
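The shortening rules the PR description refers to (RFC 5952: lowercase hex, no leading zeros, the longest run of two or more zero groups collapsed to `::`, leftmost run on a tie, a single zero group never collapsed) and the bounded copy into a C-style output buffer that the review below discusses, as an added example. This is not the PR's code and not Suricata's `SCIPv6Shorten`; the function names `long_ipv6`, `shorten_ipv6` and `copy_with_nul` and the sample addresses are mine, and the C-buffer convention (NUL terminator counted in the size check) is an assumption about how such a helper is called from C.

```rust
use std::net::Ipv6Addr;

/// Long form: eight zero-padded, lowercase, 4-digit hex groups (the
/// default display kept when ipv6-addr-shorten is "no").
pub fn long_ipv6(addr: &Ipv6Addr) -> String {
    addr.segments()
        .iter()
        .map(|g| format!("{:04x}", g))
        .collect::<Vec<_>>()
        .join(":")
}

/// Shortened form per RFC 5952: leading zeros dropped from every group and
/// the longest run of two or more all-zero groups (the leftmost on a tie)
/// collapsed to "::". A single zero group is never collapsed (section 4.2.2).
pub fn shorten_ipv6(addr: &Ipv6Addr) -> String {
    let groups = addr.segments();

    // Find the longest run of zero groups; strict ">" keeps the leftmost run on ties.
    let (mut best_start, mut best_len) = (0usize, 0usize);
    let mut i = 0;
    while i < groups.len() {
        if groups[i] != 0 {
            i += 1;
            continue;
        }
        let start = i;
        while i < groups.len() && groups[i] == 0 {
            i += 1;
        }
        if i - start > best_len {
            best_start = start;
            best_len = i - start;
        }
    }

    let hex = |gs: &[u16]| {
        gs.iter()
            .map(|g| format!("{:x}", g))
            .collect::<Vec<_>>()
            .join(":")
    };

    // 39 bytes is the longest possible text form (8 * 4 hex digits + 7 colons).
    let mut out = String::with_capacity(39);
    if best_len >= 2 {
        out.push_str(&hex(&groups[..best_start]));
        out.push_str("::");
        out.push_str(&hex(&groups[best_start + best_len..]));
    } else {
        out.push_str(&hex(&groups[..]));
    }
    out
}

/// Copy `text` plus a NUL terminator into a caller-supplied byte buffer, the
/// way a C `char out[]` parameter would receive it (assumed convention).
/// Returns false and leaves the buffer untouched when text and terminator
/// do not both fit: the size check must count the terminator, not just the text.
pub fn copy_with_nul(text: &str, buf: &mut [u8]) -> bool {
    let n = text.len();
    if n + 1 > buf.len() {
        return false;
    }
    buf[..n].copy_from_slice(text.as_bytes());
    buf[n] = 0;
    true
}

fn main() {
    // Constructed sample: the address from the PR description.
    let addr: Ipv6Addr = "fe80:0000:0000:0000:020c:29ff:faf2:ab42".parse().unwrap();
    println!("long:  {}", long_ipv6(&addr));
    println!("short: {}", shorten_ipv6(&addr));
    // 46 bytes is INET6_ADDRSTRLEN, the size the C callers in this PR use.
    let mut out = [0u8; 46];
    println!("fits in 46 bytes: {}", copy_with_nul(&shorten_ipv6(&addr), &mut out));
}
```

Rust's `std` `Display` for `Ipv6Addr` already applies the same zero-run compression, so `addr.to_string()` is a cheap cross-check for plain addresses; the one place the two differ is IPv4-mapped addresses, which `std` renders with a dotted IPv4 tail (`::ffff:192.0.2.1`) while the function above keeps hex groups. The `n + 1 > buf.len()` test is the point a reviewer looks for: a 39-byte buffer holds the longest address text but not its terminator, so the check has to reject it.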

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7399

Describe changes:

  • Document configuration settings affecting IPv6 address display
  • Default settings in suricata.yaml.in
  • Utility function that generates shortened IPv6 addresses per RFC-5952
  • EVE modifications to honor config setting
  • Alert-debug/fast/syslog modifications to honor config setting.

Updates:

  • Formatting fixup
  • s-v: added missing suricata.yaml config file for tests where shortened IPv6 addrs are expected.

Provide values to any of the below to override the defaults.

  • To use a Suricata-Verify or Suricata-Update pull request,
    link to the pull request in the respective _BRANCH variable.
  • Leave unused overrides blank or remove.

SV_REPO=
SV_BRANCH=OISF/suricata-verify#2789
SU_REPO=
SU_BRANCH=

Issue: 7399

Utility function to shorten IPv6 addresses per RFC-5952
Issue: 7399

Add option for EVE and alert output to shorten IPv6 addresses.

The default is to not shorten; set ipv6-addr-shorten to yes
to display shortened IPv6 addresses in output.
Issue: 7399

Add a IPv6 print utility function that accepts a parameter indicating
whether the address should be in long or short form.
Issue: 7399

Determine the EVE IPv6 address display and use that when generating
external display representation.
Issue: 7399

Add shorten ipv6 setting to file context.
When configured, display the short form of the IPv6 address.

Issue: 7399
Issue: 7399

Document the IPv6 display behavior and how to display IPv6 addresses in
their shortened form (per RFC-5952).
@suricata-qa

Information: QA ran without warnings.

Pipeline = 29600

@catenacyber (Contributor) left a comment

Thanks for the work,

CI : ✅
Code : will leave some remarks
Commits segmentation : 🟠 I would have less commits like the first one introducing SCIPv6Shorten should be merged with the first one using it (same for commit output/ipv6: Add output IPv6 shorten option which just adds line in suricata.yaml.in without reading them)
Commit messages : nice
Git ID set : looks fine for me
CLA : you already contributed
Doc update : cool
Redmine ticket : ok
Rustfmt : ok
Tests : README welcome but look ok
Dependencies added: none

let mut ipv6_str = String::with_capacity(39);
let _ = std::fmt::Write::write_fmt(&mut ipv6_str, format_args!("{}", ipv6));

// Sufficient room?
Contributor:

debug validation that this never happens ?

Contributor Author:

The unittests exercise this logic ... suggestions for how to make the tests immune to a debug-validation check?

Contributor:

but... "configure: error: debug_validation can't be enabled with enabled unittests!" isn't that so?

Contributor:

Also, maybe the unit tests should not exercise this if Suricata itself never reaches this code


// Copy string + NULL termination
std::ptr::copy_nonoverlapping(ipv6_str.as_ptr(), out_buf as *mut u8, ipv6_str.len());
std::ptr::write((out_buf as *mut u8).add(ipv6_str.len()), 0u8);
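Review bot: the terminator write at `(out_buf as *mut u8).add(ipv6_str.len())` touches byte index `len` of the caller's buffer, so the "Sufficient room?" check above must require `ipv6_str.len() + 1 <= size`, not `ipv6_str.len() <= size`; the C callers in this PR pass `sizeof(srcip)` for 46-byte arrays, which is fine, but a buffer sized to the 39-byte maximum text length would be overrun by one byte on the longest addresses. Using the existing `crate::ffi::strings::copy_to_c_char` helper, as suggested below, also removes the two raw-pointer calls here.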
Contributor:

Is there a simpler way to do this in rust @jasonish ?

Member:

Yes.. Perhaps use crate::ffi::strings::copy_to_c_char, see SCSha256HashBufferToHex for an example on copying a Rust string to a C output pointer.

Contributor Author:

Thanks; will adjust.


struct ShortenResult {
string: String,
len: usize,
Contributor:

can we not use the string.len() ?

Contributor Author:

This is unittest code -- the callers of this function verify the expected len -- is string.len() preferred over comparison with len?

Contributor:

I would prefer string.len() over len to avoid adding a field, unless there is a reason to do otherwise

Contributor Author:

Will make the change and remove len member.


char srcip[46], dstip[46];
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
Contributor:

Is it expected that there are remaining cases with
git grep PrintInet | grep AF_INET6 ?

Contributor Author:

Yes -- with a caveat. All usages that result in log output should be covered by this change.
Not covered with this PR are:

  • log-httplog.c
  • log-tcp-data.c
  • log-tlsstore.c

Is coverage for those logs necessary?

Contributor:

Adding the "Decision Required" label to highlight this.

Contributor:

> Is coverage for those logs necessary?

That was kind of my question seeing log-httplog.c

Contributor Author:

Http-log is scheduled for removal in 9.

I will add shortening for the tcp-data log and an s-v test.

@jufajardini added the "decision-required" (Waiting on deliberation from the team) label on Feb 17, 2026
filename: alert-debug.log #The name of the file in the default logging directory.
append: yes/no #If this option is set to yes, the last filled fast.log-file will not be
# overwritten while restarting Suricata.
# Shorten IPv6 addresses per RFC5952 as they are added to the fast log. The default is no.
Contributor:

nit: not fast.log ? :P

Contributor Author:

good catch; will update.

if (SCIPv6Shorten(src, dst, size)) {
return dst;
}

Contributor:

very nitty, but: unneeded extra line?

Contributor Author:

will remove.



pub mod base64;
pub mod datalink;
pub mod ip_addr;
Member:

This is a real picky style nit, but maybe rename to ipaddr?

Contributor Author:

makes sense; will do.

@jlucovsky (Contributor Author)

Continued in #14867
