[Oisf-users] AF_Packet + Multiple interfaces + BPF oddities
Andreas Herz
andi at geekosphere.org
Tue Aug 30 20:16:29 UTC 2016
On 29/08/16 at 15:13, Andrew Thrift wrote:
> Hi List,
>
> I have Suricata 3.1.1 on Ubuntu Xenial. I have successfully
> configured Suricata to use AF_Packet and to listen on multiple
> interfaces, however when I enable BPF filtering on multiple
> interfaces, it seems to stop reception of packets on enp2s0, enp3s0
> and enp4s0.
>
> e.g. with the following configuration:
>
> #10Gigabit port1
> - interface: enp1s0
>   cluster-id: 98
>   cluster-type: cluster_flow
>   defrag: yes
>   bpf-filter: vlan 12
> #10Gigabit port2
> - interface: enp2s0
>   cluster-id: 99
>   cluster-type: cluster_flow
>   defrag: yes
>   bpf-filter: vlan 12
> #1Gbit port1
> - interface: enp3s0
>   cluster-id: 100
>   cluster-type: cluster_flow
>   defrag: yes
>   bpf-filter: vlan 11
> #1Gbit port2
> - interface: enp4s0
>   cluster-id: 101
>   cluster-type: cluster_flow
>   defrag: yes
>   bpf-filter: vlan 11
>
> Suricata will receive traffic on vlan 12 on enp1s0, but all later
> interfaces will NOT "see" packets.
>
> If I remove the BPF filter from enp3s0 and enp4s0 they will start to
> receive all packets (including on vlan11), but enp2s0 will NOT see
> packets on vlan12.
>
> Is this expected behaviour?
I don't think so. Can you put this as a bug report on our redmine issue
tracker?
Also include which network cards you're using. Looks like we need
someone to reproduce it maybe.
--
Andreas Herz