<div dir="ltr"><div><p class="gmail-p1" style="margin:0px;font:11px Menlo">Hi Eric and Amar,</p><p class="gmail-p2" style="margin:0px;font:11px Menlo;min-height:13px"><span class="gmail-Apple-converted-space"> </span></p><p class="gmail-p1" style="margin:0px;font:11px Menlo">Defining a specific interface didn't help. It continues not to work.</p><p class="gmail-p1" style="margin:0px;font:11px Menlo">I tested nftables:</p><p class="gmail-p1" style="margin:0px;font:11px Menlo"># nft list ruleset</p><p class="gmail-p2" style="margin:0px;font:11px Menlo;min-height:13px"><span class="gmail-Apple-converted-space"> </span></p><p class="gmail-p1" style="margin:0px;font:11px Menlo">table ip filter {</p><p class="gmail-p2" style="margin:0px;font:11px Menlo;min-height:13px"><span class="gmail-Apple-converted-space"> </span></p><p class="gmail-p1" style="margin:0px;font:11px Menlo"><span class="gmail-Apple-converted-space">        </span>chain IPS {</p><p class="gmail-p2" style="margin:0px;font:11px Menlo;min-height:13px"><span class="gmail-Apple-converted-space"> </span></p><p class="gmail-p1" style="margin:0px;font:11px Menlo"><span class="gmail-Apple-converted-space">                </span>type filter hook forward priority 10; policy accept;</p><p class="gmail-p2" style="margin:0px;font:11px Menlo;min-height:13px"><span class="gmail-Apple-converted-space"> </span></p><p class="gmail-p1" style="margin:0px;font:11px Menlo"><span class="gmail-Apple-converted-space">                </span>queue num 0</p><p class="gmail-p2" style="margin:0px;font:11px Menlo;min-height:13px"><span class="gmail-Apple-converted-space"> </span></p><p class="gmail-p1" style="margin:0px;font:11px Menlo"><span class="gmail-Apple-converted-space">        </span>}</p><p class="gmail-p2" style="margin:0px;font:11px Menlo;min-height:13px"><span class="gmail-Apple-converted-space"> </span></p><p class="gmail-p1" style="margin:0px;font:11px Menlo">}</p><p class="gmail-p2" style="margin:0px;font:11px 
Menlo;min-height:13px"><span class="gmail-Apple-converted-space"> </span></p><p class="gmail-p1" style="margin:0px;font:11px Menlo">and Suricata processes the packets (like iptables+nfqueue does):</p><p class="gmail-p1" style="margin:0px;font:11px Menlo">[32436] 28/3/2019 -- 11:00:03 - (source-nfq.c:989) <Notice> (ReceiveNFQThreadExitStats) -- (W-Q0) Treated: Pkts 8524, Bytes 860854, Errors 5546</p><p class="gmail-p1" style="margin:0px;font:11px Menlo">However, it doesn't detect anything: no alerts, no drops. It looks like Suricata cannot see payloads?</p><p class="gmail-p1" style="margin:0px;font:11px Menlo">The strange thing is that sometimes it works. It looks like random behavior.</p><p class="gmail-p2" style="margin:0px;font:11px Menlo;min-height:13px"><span class="gmail-Apple-converted-space"> </span></p><p class="gmail-p1" style="margin:0px;font:11px Menlo">Do you have any suggestion?</p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(175,173,36)">
</p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo">Thanks</p></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 27, 2019 at 11:26 PM Amar <<a href="mailto:amar@countersnipe.com">amar@countersnipe.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div id="gmail-m_-3133001762439489812edo-message"><div></div>Hello Breno</div><div id="gmail-m_-3133001762439489812edo-message"><br></div><div id="gmail-m_-3133001762439489812edo-message">Sorry if I have missed an earlier communication, but what does “sometimes it doesn’t work very well” mean? Could you be more specific please?</div><div id="gmail-m_-3133001762439489812edo-message"><br></div><div id="gmail-m_-3133001762439489812edo-message">Thank you</div><div id="gmail-m_-3133001762439489812edo-message"><br></div><div id="gmail-m_-3133001762439489812edo-message">Amar</div><div id="gmail-m_-3133001762439489812edo-message">Making sense of Technology</div><div id="gmail-m_-3133001762439489812edo-meta"></div><div id="gmail-m_-3133001762439489812edo-original"><div><br><br><blockquote type="cite" style="margin:1ex 0px 0px;border-left:1px solid rgb(204,204,204);padding-left:0.5ex"><div>On Mar 28, 2019 at 2:32 AM, <<a href="mailto:breno.silva@gmail.com" target="_blank">Breno Silva</a>> wrote:<br><br></div><div><div dir="ltr">Hello all,<div><br></div><div>I have an appliance where multiple interfaces are configured in bridge (ie. br0) mode. Trying to run Suricata inline (nfq) on a bridged appliance sometimes doesn't work very well, and it looks like it has been a known issue for years. I cannot use afpacket/netmap or other "true" bridge approaches. I must continue with nfqueue.</div><div><br></div><div>Do we have any update on this topic? 
Any solution?</div><div>I heard Victor saying it is a netfilter issue; do we have any feedback from the netfilter core team?</div><div><br></div><div>I am thinking about the possibility of using ebtables with some nfqueue support. Should that be possible?</div><div><br></div><div>Thanks</div></div>

</div></blockquote></div></div></div></blockquote></div>
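The ruleset below is an added example for readers of this thread; it is not the configuration posted above and not Suricata's or netfilter's own documentation. It keeps the forward-hook chain that Breno listed but adds the two things a practitioner setting up nfqueue on a bridge would want to see spelled out: the `bypass` queue flag, so that traffic is accepted instead of silently dropped whenever no process is bound to queue 0, and the `br_netfilter` prerequisite, without which bridged frames never reach the `ip filter` forward hook and the queue rule simply never matches. The file path, the `iifname "br0"` restriction and the `counter` statement are assumptions added for illustration.

```nft
# /etc/nftables.d/suricata-ips.nft   (hypothetical path; added example, not from the thread)
#
# Hand forwarded traffic on the bridge to Suricata's NFQUEUE 0.
#
# Assumptions (not stated anywhere in the thread):
#   - br_netfilter is loaded and net.bridge.bridge-nf-call-iptables=1; without that,
#     frames bridged between br0's ports are never seen by the ip filter forward hook,
#     so "nft list ruleset" looks fine but the counter below never moves.
#   - Suricata runs with "-q 0" and is the only consumer of queue 0.
#   - "br0" is the logical bridge device; bridged packets reach this hook with the
#     bridge itself as the input device, not the individual port.

table ip filter {
        chain IPS {
                type filter hook forward priority 10; policy accept;

                # "bypass": if nothing is listening on queue 0 (Suricata stopped or
                # crashed), the kernel accepts the packet instead of dropping it.
                # Omit the flag if you want fail-closed behaviour instead.
                iifname "br0" counter queue num 0 bypass
        }
}
```

Load it with `nft -c -f /etc/nftables.d/suricata-ips.nft` first (syntax check only), then `nft -f` the same file. Before that, `modprobe br_netfilter` and `sysctl -w net.bridge.bridge-nf-call-iptables=1`; the sysctl key only exists once the module is loaded, so order matters. With Suricata started as `suricata -c /etc/suricata/suricata.yaml -q 0`, `nft list ruleset` should show the `counter` packets and bytes climbing in step with the `Treated: Pkts` figure in Suricata's NFQ thread stats; a counter stuck at zero while the bridge carries traffic points at the `br_netfilter` hop rather than at Suricata. Whether to keep `bypass` is a policy choice: it prevents an outage when the IPS dies, at the cost of passing that traffic uninspected.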