[Oisf-users] Suricata Inline (NFQ) + bridge interface - any news ?

Breno Silva breno.silva at gmail.com
Thu Mar 28 16:06:57 UTC 2019


Hi Eric and Amar,



Defining a specific interface didn't help. It continues not to work.

I tested nftables:

# nft list ruleset
table ip filter {
        chain IPS {
                type filter hook forward priority 10; policy accept;
                queue num 0
        }
}



and Suricata processes the packets (like iptables+nfqueue does):

[32436] 28/3/2019 -- 11:00:03 - (source-nfq.c:989) <Notice>
(ReceiveNFQThreadExitStats) -- (W-Q0) Treated: Pkts 8524, Bytes 860854,
Errors 5546

However, it doesn't detect anything: no alerts, no drops. It looks like
Suricata cannot see payloads?

The strange thing is that sometimes it works. It looks like random behavior.

Do you have any suggestions?

Thanks

On Wed, Mar 27, 2019 at 11:26 PM Amar <amar at countersnipe.com> wrote:

> Hello Breno
>
> Sorry if I have missed an earlier communication, but what does “sometimes
> it doesn’t work very well” mean? Could you be more specific please?
>
> Thank you
>
> Amar
> Making sense of Technology
>
>
> On Mar 28, 2019 at 2:32 AM, Breno Silva <breno.silva at gmail.com> wrote:
>
> Hello all,
>
> I have an appliance where multiple interfaces are configured in bridge
> (ie. br0) mode. Trying to run suricata inline (nfq) on a bridged appliance
> sometimes doesn't work very well, and it looks like it has been a known issue
> for years. I cannot use afpacket/netmap or other "true" bridge approaches. I
> must continue with nfqueue.
>
> Do we have any update on this topic? Some solution?
> I heard Victor saying it is a netfilter issue; do we have any feedback
> from the netfilter core team?
>
> Thinking about the possibility to use ebtables with some nfqueue support.
> Should that be possible?
>
> Thanks
>
>
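An added diagnostic for the symptom in this thread (my code, not from the list or the Suricata project): it parses the kernel's nfnetlink_queue status file together with Suricata's NFQ exit-stats line and flags a queue whose copy mode cannot deliver payload, whose kernel drop counters are non-zero, or whose error count is high relative to packets treated. The column order of /proc/net/netfilter/nfnetlink_queue, the sample values and the 10% threshold are assumptions.

```python
import re

NFQNL_COPY_PACKET = 2     # only this copy mode hands the payload to userspace
ERROR_RATIO_LIMIT = 0.10  # constructed threshold: flag queues above this

# Constructed sample of /proc/net/netfilter/nfnetlink_queue, assumed column
# order: queue, peer portid, queue total, copy mode, copy range, dropped, user dropped, id seq, 1
PROC_SAMPLE = "    0  12345   0 2 65531     0     0  8524  1\n"
# The NFQ thread exit-stats line quoted in the thread.
SURI_LINE = ("[32436] 28/3/2019 -- 11:00:03 - (source-nfq.c:989) <Notice> "
             "(ReceiveNFQThreadExitStats) -- (W-Q0) Treated: Pkts 8524, "
             "Bytes 860854, Errors 5546")
FIELDS = ("portid", "queue_total", "copy_mode", "copy_range",
          "dropped", "user_dropped", "id_seq")

def parse_proc_queues(text):
    """Map queue number -> dict of the kernel's per-queue counters."""
    queues = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 9:
            continue  # skip blank or truncated lines
        queues[int(cols[0])] = dict(zip(FIELDS, map(int, cols[1:8])))
    return queues

def parse_suricata_stats(line):
    """Pull queue number and Treated counters out of a ReceiveNFQThreadExitStats line."""
    m = re.search(r"\(W-Q(\d+)\) Treated: Pkts (\d+), Bytes (\d+), Errors (\d+)", line)
    if not m:
        return None
    queue, pkts, nbytes, errors = map(int, m.groups())
    return {"queue": queue, "pkts": pkts, "bytes": nbytes, "errors": errors}

def diagnose(proc_text, suri_line):
    """Return a list of findings; an empty list means nothing looked wrong."""
    stats = parse_suricata_stats(suri_line)
    if stats is None:
        return ["could not parse the Suricata NFQ stats line"]
    findings = []
    q = parse_proc_queues(proc_text).get(stats["queue"])
    if q is None:
        findings.append(f"queue {stats['queue']} is not bound in the kernel")
    else:
        if q["copy_mode"] != NFQNL_COPY_PACKET:
            findings.append(f"queue {stats['queue']}: copy_mode {q['copy_mode']} delivers no payload")
        if q["dropped"] or q["user_dropped"]:
            findings.append(f"queue {stats['queue']}: kernel dropped {q['dropped'] + q['user_dropped']} packets")
    if stats["pkts"] and stats["errors"] / stats["pkts"] > ERROR_RATIO_LIMIT:
        findings.append(f"queue {stats['queue']}: {stats['errors']} of {stats['pkts']} packets reported as errors")
    return findings
```

On a live box, feed it the real file with `diagnose(open("/proc/net/netfilter/nfnetlink_queue").read(), line)`; with the sample above it reports only the high error ratio, since the queue is bound in packet-copy mode with no kernel drops.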