Bug for ICMP or UDP traffic if livedev is used for tracking?

In my case, DPDK IPS mode (see the attachment) with livedev used for tracking, traffic is passing between port 0 and port 1. The TCP connection is not established, which is expected, because the hash calculated is the five-tuple plus the livedev id, so the same connection coming from port 0 and port 1 is regarded as a different hash. For the SYN-ACK packet, FlowGetFlowFromHash can't find the flow created by the SYN, so it creates a new flow (another bug?) whose protoctx is NULL. Later, in StreamTcpPacket, this packet is blocked because p->flow->protoctx == NULL.

The calling chain for TCP packet is like this:

→ FlowWorker
→ FlowWorkerStreamTCPUpdate
→ StreamTcp
→ StreamTcpPacket …

While for UDP or TCP, it is obvious that there is no such TCP state checking, so even for a different livedev, the packets are still allowed.

suricata.yaml (83.1 KB)
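
Added example, not part of the original post and not Suricata source code: a simplified C model of the behaviour described above, where the flow key is the five-tuple plus an optional ingress device id. The table, all names, and the rule that only a bare SYN creates TCP session state are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not Suricata code: every name below is hypothetical. */
enum { VERDICT_DROP, VERDICT_ACCEPT };
enum { TH_SYN = 0x02, TH_ACK = 0x10 };
typedef struct { uint32_t a_ip, b_ip, a_port, b_port, proto, dev; } FlowKey; /* no padding */
typedef struct { FlowKey key; int has_tcp_ctx; } ModelFlow;

static ModelFlow table[16];
static int nflows;
static void table_reset(void) { nflows = 0; }
static int flow_count(void) { return nflows; }

/* Direction-independent key; the ingress device is part of it only if use_livedev is set. */
static FlowKey make_key(uint32_t src, uint32_t sp, uint32_t dst, uint32_t dp,
                        uint32_t proto, uint32_t dev, int use_livedev)
{
    int swap = (src > dst) || (src == dst && sp > dp);
    FlowKey k = { swap ? dst : src, swap ? src : dst, swap ? dp : sp,
                  swap ? sp : dp, proto, use_livedev ? dev : 0 };
    return k;
}

/* Verdict for one packet in inline mode; proto 6 = TCP, 17 = UDP, 1 = ICMP. */
static int handle_packet(uint32_t src, uint32_t sp, uint32_t dst, uint32_t dp,
                         uint32_t proto, uint32_t flags, uint32_t dev, int use_livedev)
{
    FlowKey k = make_key(src, sp, dst, dp, proto, dev, use_livedev);
    ModelFlow *f = NULL;
    for (int i = 0; i < nflows; i++)
        if (memcmp(&table[i].key, &k, sizeof k) == 0) f = &table[i];
    if (f == NULL) {                       /* lookup miss: a new flow is created */
        if (nflows == 16) return VERDICT_DROP;
        f = &table[nflows++];
        f->key = k;                        /* assumption: only a bare SYN sets up TCP state */
        f->has_tcp_ctx = (proto == 6 && (flags & (TH_SYN | TH_ACK)) == TH_SYN);
    }
    if (proto == 6 && !f->has_tcp_ctx) return VERDICT_DROP; /* analogue of protoctx == NULL */
    return VERDICT_ACCEPT;                 /* UDP/ICMP: no session state is consulted */
}

int main(void)
{
    uint32_t c = 0x0a000001, s = 0x0a000002;   /* constructed addresses */
    table_reset();
    int syn = handle_packet(c, 40000, s, 80, 6, TH_SYN, 1, 1);
    int synack = handle_packet(s, 80, c, 40000, 6, TH_SYN | TH_ACK, 2, 1);
    int udp = handle_packet(s, 53, c, 5000, 17, 0, 2, 1);
    printf("SYN=%d SYN-ACK=%d UDP=%d flows=%d\n", syn, synack, udp, flow_count());
    return 0;
}
```

In this model the device-aware key splits one conversation into two flow entries: the TCP reply is dropped for lack of session state, while UDP and ICMP replies pass because nothing comparable is checked.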