According to the latest documentation of Suricata version 7.0, it only supports multiple tenants in netmap mode for VLAN or network interface devices.
"""
Note: Not currently supported for IPS.
Note: support depends on a capture method using the 'livedev' API. Currently, these are pcap, AF_PACKET, PF_RING, and Netmap.
"""
I want to know why it doesn’t implement multiple tenants for IPFW mode. Is it difficult? Can it support multiple tenants if I disable IPS?
I'm considering implementing the above feature; if it is really difficult, please let me know.
Thanks.
I don’t think it is difficult. The question is how you map tenants to something ipfw can provide. How would you distinguish your tenants in ipfw?
Can Suricata use the IPFW rule number as the tenant id? We need Suricata to process an IPFW rule using a specific Suricata rule set in our product: one or multiple IPFW rules with one Suricata rule set.
On the man page of FreeBSD,
READING PACKETS
…
Diverted packets may be read unaltered via read(2), recv(2), or recvfrom(2). In the latter case, the address returned will have its port set to some tag supplied by the packet diverter, (usually the ipfw rule number) and the IP address set to the (first) address of the interface on which the packet was received (if the packet was incoming) or INADDR_ANY (if the packet was outgoing). The interface name (if defined for the packet) will be placed in the 8 bytes following the address, if it fits.
…
WRITING PACKETS
…
The port part of the socket address passed to the sendto(2) contains a tag that should be meaningful to the diversion module. In the case of ipfw(8) the tag is interpreted as the rule number after which rule processing should restart.
…
Also, the functions in source_ipfw.c:
TmEcode ReceiveIPFWLoop(ThreadVars *tv, void *data, void *slot)
and
TmEcode IPFWSetVerdict(ThreadVars *tv, IPFWThreadVars *ptv, Packet *p)
in Suricata use recvfrom and sendto to read and write packets. So it should be able to get and put back the IPFW rule number.
I have not verified the above information. Assuming it is true, what steps should be taken to implement the multiple-tenant feature for IPFW? Can you describe them briefly?
Thank you very much.
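The byte-level handling described above, as an added example in C that is not Suricata's own code: the rule-number-to-tenant table, the function names and the tenant ids are constructed assumptions for illustration. The divert socket's recvfrom(2) address carries the ipfw rule number in sin_port, a lookup turns that into a tenant id, and the same address is handed back to sendto(2) so ipfw resumes after the diverting rule.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed mapping for this example: ipfw rule-number ranges -> tenant id.
 * A real implementation would load this from Suricata's multi-tenant config. */
typedef struct { uint16_t rule_lo, rule_hi; uint32_t tenant_id; } RuleTenantMap;
static const RuleTenantMap g_map[] = {
    { 100, 199, 1 },   /* ipfw rules 100-199 -> tenant 1 */
    { 200, 299, 2 },   /* ipfw rules 200-299 -> tenant 2 */
};

/* The divert socket reports the ipfw rule number in sin_port of the address
 * that recvfrom(2) fills in (Suricata keeps it in IPFWQueueVars.ipfw_sin). */
uint16_t ipfw_rule_from_addr(const struct sockaddr_in *from)
{
    return ntohs(from->sin_port);   /* network byte order on the wire */
}

/* Rule number -> tenant id; 0 means no tenant is configured for the rule. */
uint32_t tenant_for_rule(uint16_t rule)
{
    for (size_t i = 0; i < sizeof(g_map) / sizeof(g_map[0]); i++)
        if (rule >= g_map[i].rule_lo && rule <= g_map[i].rule_hi)
            return g_map[i].tenant_id;
    return 0;
}

/* Address for sendto(2) when reinjecting: ipfw resumes after the rule number
 * in sin_port, so handing back the received address avoids re-diverting. */
void ipfw_verdict_addr(struct sockaddr_in *to, const struct sockaddr_in *from)
{
    memset(to, 0, sizeof(*to));
    to->sin_family = AF_INET;
    to->sin_port = from->sin_port;
    to->sin_addr = from->sin_addr;
}

/* Offline self-check: fake the recvfrom() address for `rule` and return the
 * rule number that the matching verdict address would carry back to ipfw. */
uint16_t verdict_rule_roundtrip(uint16_t rule)
{
    struct sockaddr_in from = { .sin_family = AF_INET, .sin_port = htons(rule) };
    struct sockaddr_in to;
    ipfw_verdict_addr(&to, &from);
    return ipfw_rule_from_addr(&to);
}
```

In Suricata the tenant id obtained this way would be written to Packet::tenant_id, as suggested in the reply below.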
I'm not very familiar with the ipfw code in Suricata, as it was contributed and I don't think it has many users. But if the recvfrom returns this info you should be able to use it to set Packet::tenant_id.
Thank you very much.
I will verify whether it has a rule number in the packet from ipfw.
I've verified that the ipfw rule number is parsed and stored in source-ipfw.h in the variable IPFWQueueVars.ipfw_sin.sin_port. So it can be used as the identity of multiple tenants.