I’m wondering if it is valid to associate an IPS nfqueue with an nftables ingress hook. IPS works correctly with the input, forward and prerouting hooks, but if I use the ingress hook, the packets are processed but don’t get any further, and I lose the connection to the device assigned to the hook. Suricata version is 6.0.4, with kernel 5.10.63.
Hi,
can you go into a bit more detail on how you configured your setup?
Hi Andreas, thanks for getting back. Here’s the nfq portion of the configuration:
nfq:
  mode: accept
  threads: auto
  repeat-mark: 1
  repeat-mask: 1
  bypass-mark: 1
  bypass-mask: 1
  route-queue: 2
  batchcount: 20
  fail-open: yes
Here’s how I start suricata:
$ sudo suricata -c suricata.yaml -q 0 &
Here are the nft commands for the nftables chain and rule:
add chain inet filter IPS { type filter hook ingress device eth1 priority raw ;}
add rule inet filter IPS counter queue num 0 bypass
A few packets are processed by suricata before the connection to eth1 goes down.
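For reference, here is a complete nftables ruleset for the forward-hook setup that the thread reports as working, written as an added example rather than taken from the posts above or from the Suricata project. It assumes Suricata is bound to queue 0 with the bypass-mark/bypass-mask of 1 from the configuration above, and that conntrack is available so the bypass mark can be carried from the packet Suricata marks to the rest of the flow (a packet mark alone does not survive to the next packet). The table and chain names are arbitrary.

```nft
# Added example: forward-hook IPS ruleset with Suricata bypass marks honoured.
# Assumes: Suricata on queue 0, bypass-mark 1 / bypass-mask 1, conntrack loaded.
table inet ips {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # Flows Suricata has already bypassed carry bit 0 in the conntrack
        # mark; let them through without queueing them again.
        ct mark and 0x1 == 0x1 counter accept

        # Everything else goes to Suricata. "bypass" accepts packets when no
        # userspace program is bound to queue 0, matching fail-open: yes.
        counter queue num 0 bypass

        # When Suricata decides to bypass a flow it returns the verdict with
        # bit 0 set in the packet mark. Rule evaluation resumes here after the
        # verdict, so copy that mark into conntrack for the following packets.
        meta mark and 0x1 == 0x1 ct mark set meta mark
    }
}
```

Load it with `nft -f` and watch the counters: the accept rule should start incrementing only after Suricata has bypassed a flow, while the queue counter should stop growing for that flow. The ordering matters: the rule that saves the mark has to sit after the queue rule, because a packet accepted by Suricata continues with the rule following the one that queued it, not from the top of the chain.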
I’m having this problem too, but with Suricata in a Docker container. I’m using:
nfq:
  mode: accept
I have DHCP nft rules being passed to queue 0, but I don’t think Suricata is passing them back to netfilter. On enp1s0 I see DHCP discovers, but with Suricata they don’t make it to enp1s0.10 (I’m using VLANs).
My Suricata is working correctly because on my forward chains it’s working as intended.