I have an appliance with two interfaces, eth0 and eth1. Suricata works in IPS mode, copying packets between the two interfaces.
My goal is to create an eBPF program, loaded through XDP, that bypasses certain types of packets so that they are copied directly to the other interface without Suricata analyzing them.
The problem is that when I use XDP_DROP inside the eBPF program to bypass certain packets, they are dropped without being copied to the other network interface. Reading the Suricata documentation, I understood that the packets should be copied to the other interface without being analyzed, not discarded.
I tried using both version 6.0.14 and version 7.0.2 of Suricata, but neither version works.
I'm using Ubuntu 20.04 and libbpf version 1.2.2 (I also tried version 0.8.1, but the problem persists).
I compiled Suricata from source.
This is the config I used for af-packet:
```yaml
af-packet:
  - interface: eth0
    threads: 4
    cluster-id: 99
    cluster-type: cluster_qm
    defrag: no
    use-mmap: yes
    ring-size: 200000
    bypass: yes
    xdp-mode: driver
    xdp-filter-file: /usr/libexec/suricata/ebpf/xdp_filter.bpf
    copy-mode: ips
    copy-iface: eth1
  - interface: eth1
    threads: 4
    cluster-id: 98
    cluster-type: cluster_qm
    defrag: no
    use-mmap: yes
    ring-size: 200000
    bypass: yes
    xdp-mode: driver
    xdp-filter-file: /usr/libexec/suricata/ebpf/xdp_filter.bpf
    copy-mode: ips
    copy-iface: eth0
```
Any suggestions for achieving my goal?
Thanks
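The post turns on what the XDP verdict codes mean at the driver: XDP_DROP discards the frame, XDP_PASS hands it up to the stack (where the AF_PACKET socket, and so Suricata, receives it), and only XDP_REDIRECT, obtained from bpf_redirect_map() with a devmap, forwards it out of another interface. The following is an added example written for this page, not the original poster's program and not Suricata's own ebpf/xdp_filter.c (the object the config points at, whose map names and layouts Suricata fills itself): a standalone XDP program for a two-NIC inline bridge that redirects flows listed in a bypass map to the peer interface and passes everything else to the stack. The map names (bypass_flows, peer_devmap), the flow-key layout, the header structs and the 54-byte sample frame are all this example's own constructions. The parser is compiled for the BPF target and, under `#else`, natively so it can be unit-tested on the host.

```c
/* xdp_ips_bypass.c: illustrative XDP bypass for a two-NIC inline bridge.
 * Listed flows are forwarded to the peer NIC via XDP_REDIRECT; all other
 * frames get XDP_PASS so the AF_PACKET consumer (Suricata) inspects them.
 * Added example, not Suricata's ebpf/xdp_filter.c. Build for the kernel with:
 *   clang -O2 -g -target bpf -c xdp_ips_bypass.c -o xdp_ips_bypass.o        */
#ifdef __bpf__
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>
#else
/* Native build: stand-ins so the parser can be compiled and tested on the host. */
#include <stdint.h>
typedef uint8_t  __u8;
typedef uint16_t __u16;
typedef uint32_t __u32;
#ifndef __always_inline
#define __always_inline inline __attribute__((always_inline))
#endif
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define bpf_ntohs(x) __builtin_bswap16(x)
#else
#define bpf_ntohs(x) (x)
#endif
#endif

#define ETH_P_IP    0x0800
#define IPPROTO_TCP 6
#define IPPROTO_UDP 17

/* Minimal on-the-wire header layouts (own definitions, to stay header-free). */
struct ethhdr_  { __u8 h_dest[6]; __u8 h_source[6]; __u16 h_proto; } __attribute__((packed));
struct iphdr_   { __u8 ihl_version; __u8 tos; __u16 tot_len; __u16 id; __u16 frag_off;
                  __u8 ttl; __u8 protocol; __u16 check; __u32 saddr; __u32 daddr; } __attribute__((packed));
struct l4ports_ { __u16 source; __u16 dest; } __attribute__((packed));

/* Hash-map key for a bypassed IPv4 flow, fields in network byte order.
 * Explicit padding so the key has no uninitialised holes. */
struct flow_key { __u32 saddr, daddr; __u16 sport, dport; __u8 proto; __u8 pad[3]; };

/* Parse Ethernet/IPv4/{TCP,UDP} into a flow key. Every read is bounds-checked
 * against data_end, as the BPF verifier requires. Returns 0 on success, -1 for
 * anything else (non-IPv4, other protocols, non-first fragments, short frames). */
static __always_inline int parse_v4_flow(const void *data, const void *data_end,
                                         struct flow_key *key)
{
    const struct ethhdr_ *eth = data;
    if ((const void *)(eth + 1) > data_end) return -1;
    if (bpf_ntohs(eth->h_proto) != ETH_P_IP) return -1;

    const struct iphdr_ *ip = (const void *)(eth + 1);
    if ((const void *)(ip + 1) > data_end) return -1;
    if ((ip->ihl_version >> 4) != 4) return -1;
    __u32 ihl = (__u32)(ip->ihl_version & 0x0f) * 4;
    if (ihl < sizeof(*ip)) return -1;
    if (ip->protocol != IPPROTO_TCP && ip->protocol != IPPROTO_UDP) return -1;
    if (bpf_ntohs(ip->frag_off) & 0x1fff) return -1;   /* later fragment: no L4 header */

    const struct l4ports_ *l4 = (const void *)((const __u8 *)ip + ihl);
    if ((const void *)(l4 + 1) > data_end) return -1;

    key->saddr = ip->saddr;  key->daddr = ip->daddr;
    key->sport = l4->source; key->dport = l4->dest;
    key->proto = ip->protocol;
    key->pad[0] = key->pad[1] = key->pad[2] = 0;
    return 0;
}

#ifdef __bpf__
/* Flows to bypass; user space inserts one entry per direction. */
struct {
    __uint(type, BPF_MAP_TYPE_HASH);
    __uint(max_entries, 32768);
    __type(key, struct flow_key);
    __type(value, __u32);
} bypass_flows SEC(".maps");

/* ingress ifindex -> peer ifindex (eth0 -> eth1, eth1 -> eth0), filled by
 * user space. BPF_MAP_TYPE_DEVMAP_HASH needs kernel 5.4 or later. */
struct {
    __uint(type, BPF_MAP_TYPE_DEVMAP_HASH);
    __uint(max_entries, 8);
    __type(key, __u32);
    __type(value, __u32);
} peer_devmap SEC(".maps");

SEC("xdp")
int xdp_ips_bypass(struct xdp_md *ctx)
{
    const void *data     = (const void *)(long)ctx->data;
    const void *data_end = (const void *)(long)ctx->data_end;
    struct flow_key key;

    if (parse_v4_flow(data, data_end, &key) < 0 ||
        !bpf_map_lookup_elem(&bypass_flows, &key))
        return XDP_PASS;   /* not bypassed: up the stack, Suricata inspects it */

    /* Bypassed: forward to the peer NIC. XDP_DROP here would discard the frame.
     * bpf_redirect_map() yields XDP_REDIRECT on a hit; the last argument is the
     * fallback verdict when this ingress ifindex has no peer entry. */
    return bpf_redirect_map(&peer_devmap, ctx->ingress_ifindex, XDP_PASS);
}

char _license[] SEC("license") = "GPL";
#else
/* Constructed sample frame for host-side testing: Ethernet + IPv4 + TCP,
 * 10.0.0.1:40000 -> 10.0.0.2:443, 54 bytes, checksums left at zero. */
static const __u8 sample_tcp_frame[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x9c,0x40, 0x01,0xbb, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0,
};

/* Host-side wrapper: classify `len` bytes of `buf` exactly as the XDP program does. */
int classify_frame(const __u8 *buf, unsigned long len, struct flow_key *key)
{
    return parse_v4_flow(buf, buf + len, key);
}
#endif
```

To try it outside Suricata (ifindex values 2 and 3 are placeholders; take the real ones from `ip link`): load and pin with `bpftool prog load xdp_ips_bypass.o /sys/fs/bpf/xdp_ips_bypass pinmaps /sys/fs/bpf/ipsmaps`, attach in native mode with `bpftool net attach xdpdrv pinned /sys/fs/bpf/xdp_ips_bypass dev eth0` (and likewise for eth1), then fill the peer table with `bpftool map update pinned /sys/fs/bpf/ipsmaps/peer_devmap key 2 0 0 0 value 3 0 0 0` and the reverse entry. Two caveats a practitioner should check first: in driver mode the peer NIC's driver must support transmitting XDP_REDIRECT frames, and the program above does not interoperate with Suricata's own bypass map layout, so it is a model of the verdict logic, not a drop-in replacement for the shipped xdp_filter.bpf.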