[Oisf-users] Suricata Inline (NFQ) + bridge interface - any news ?
Breno Silva
breno.silva at gmail.com
Thu Mar 28 16:06:57 UTC 2019
Hi Eric ad Amar,
Defining a specific interface didn't help. Continue to not work.
I tested nftables:
# nft list ruleset
table ip filter {
chain IPS {
type filter hook forward priority 10; policy accept;
queue num 0
}
}
and suricata process the packets (like iptables+nfqueue does):
[32436] 28/3/2019 -- 11:00:03 - (source-nfq.c:989) <Notice>
(ReceiveNFQThreadExitStats) -- (W-Q0) Treated: Pkts 8524, Bytes 860854,
Errors 5546
However it doesn't detect anything, not alerts, no drops. Looks like
suricata cannot see payloads ?
The strange thing is sometimes it works. Looks like a random behavior
Do you have any suggestion ?
Thanks
On Wed, Mar 27, 2019 at 11:26 PM Amar <amar at countersnipe.com> wrote:
> Hello Breno
>
> Sorry if I have missed an earlier communication, but what does “sometimes
> it doesn’t work very well” mean? Could you be more specific please?
>
> Thank you
>
> Amar
> Making sense of Technology
>
>
> On Mar 28, 2019 at 2:32 AM, <Breno Silva <breno.silva at gmail.com>> wrote:
>
> Hello all,
>
> I have an appliance where multiple interfaces are configured in bridge
> (ie. br0) mode. Trying to run suricata inline (nfq) on a bridged applicance
> sometimes doesn't work very well for and looks like it is a known issue for
> years. I cannot use afpacket/netmap or other "true" bridge approached. Must
> continue with nfqueue,
>
> Do we have any update on this topic? some solution?
> I heard Victor saying it is a netfilter issue, do we have any feedback
> from netfilter core team ?
>
> Thinking about the possibility to use ebtables with some nfqueue support.
> Should be possible ?
>
> Thanks
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20190328/6fbbe6c9/attachment.html>
More information about the Oisf-users
mailing list