AF_PACKET in Suricata is a software bridge between interfaces. Can I configure the network in Linux so that the data first comes to the interface that is protected by iptables, then goes to another (maybe empty) interface (which is not protected by iptables) and from it goes to the third interface, which forms the Suricata AF_PACKET bridge with the second and drops traffic by Suricata rules, and move the traffic that was not dropped from the 2nd to the 3rd interface? My current situation is as follows: Suricata only copies the packet to the other interface, but that packet is not dropped from the first interface: it continues to the kernel through iptables. I want iptables not to process dropped traffic (if Suricata is the first in the chain), or Suricata to process only firewall-passed traffic.
If your intention is to filter/drop the packet when it first arrives at the interface in AF_PACKET bridge mode, instead of using iptables you could attach an eBPF XDP program to do the packet filtering/dropping like an iptables firewall, similar to https://youtu.be/U8l-hwL8ko8?si=fVmxRooJqhCMcgKp
An XDP program is not stateful filtering like iptables though, so it depends on what kind of packets you want to filter and drop.
And I can't do that without an XDP firewall? No way? And what can I do if I want to change the order: Suricata first, firewall next, and it works only with the traffic passed by Suricata?
The AF_PACKET bridge bypasses the netfilter iptables firewall, see the diagram at Netfilter - Wikipedia; netfilter is unable to see the packet. XDP happens before AF_PACKET.
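To make the XDP suggestion concrete, here is a minimal stateless XDP filter of the kind the two replies above describe. It is an added example, not code from the thread or from Suricata: it drops inbound IPv4 TCP segments to one destination port (port 23 is a placeholder policy value) at the XDP hook, i.e. before the frame reaches the AF_PACKET socket of the Suricata bridge, and passes everything else on unchanged. The interface name eth0 in the build comment is also a placeholder. The same file compiles on the host with a normal C compiler so the header-parsing logic can be exercised on a constructed frame.

```c
/* Stateless XDP drop filter (added example, not Suricata's code).
 * Kernel build (assumes clang and libbpf headers; include <bpf/bpf_helpers.h>
 * there instead of the local SEC() fallback below):
 *   clang -O2 -g -target bpf -c xdp_filter.c -o xdp_filter.o
 *   ip link set dev eth0 xdpgeneric obj xdp_filter.o sec xdp   # eth0: placeholder
 * Host build: the same file exposes xdp_classify() plus a test helper. */
#include <stdint.h>
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/in.h>
#include <linux/tcp.h>

#ifndef SEC
#define SEC(name) __attribute__((section(name), used))
#endif

#define BLOCKED_TCP_PORT 23   /* placeholder policy: drop inbound TCP to this port */

/* Byte swap for network-order 16-bit fields; it is its own inverse, so it serves
 * as both htons and ntohs. BPF programs follow the host's endianness. */
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define to_be16(x) ((uint16_t)((((uint16_t)(x)) >> 8) | (((uint16_t)(x)) << 8)))
#else
#define to_be16(x) ((uint16_t)(x))
#endif

/* Decide XDP_DROP or XDP_PASS for the frame in [data, data_end).
 * Every header access is bounds-checked first: the BPF verifier rejects the
 * program otherwise, and the same checks keep truncated frames safe on the host.
 * Anything not positively matched is passed, so the rest of the stack
 * (AF_PACKET/Suricata, netfilter) still sees it. */
static inline __attribute__((always_inline))
int xdp_classify(void *data, void *data_end)
{
    struct ethhdr *eth = data;
    if ((void *)(eth + 1) > data_end)
        return XDP_PASS;                     /* too short to judge */
    if (eth->h_proto != to_be16(ETH_P_IP))
        return XDP_PASS;                     /* only IPv4 is handled here */

    struct iphdr *ip = (void *)(eth + 1);
    if ((void *)(ip + 1) > data_end)
        return XDP_PASS;
    if (ip->ihl < 5 || ip->protocol != IPPROTO_TCP)
        return XDP_PASS;

    /* Honour IPv4 options: the TCP header starts at ihl * 4, not at +20. */
    struct tcphdr *tcp = (void *)ip + ip->ihl * 4;
    if ((void *)(tcp + 1) > data_end)
        return XDP_PASS;

    return to_be16(tcp->dest) == BLOCKED_TCP_PORT ? XDP_DROP : XDP_PASS;
}

/* XDP entry point: the kernel hands us the frame bounds in ctx. */
SEC("xdp")
int xdp_filter(struct xdp_md *ctx)
{
    void *data     = (void *)(long)ctx->data;
    void *data_end = (void *)(long)ctx->data_end;
    return xdp_classify(data, data_end);
}

char _license[] SEC("license") = "GPL";

#ifndef __bpf__
#include <string.h>
/* Host-only helper: build a constructed Ethernet/IPv4/TCP frame to dport and
 * classify it. truncate_to > 0 cuts the frame short to exercise the bounds checks. */
int classify_sample_tcp(uint16_t dport, size_t truncate_to)
{
    unsigned char frame[sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct tcphdr)];
    memset(frame, 0, sizeof frame);

    struct ethhdr *eth = (struct ethhdr *)frame;
    eth->h_proto = to_be16(ETH_P_IP);

    struct iphdr *ip = (struct iphdr *)(eth + 1);
    ip->version  = 4;
    ip->ihl      = 5;
    ip->protocol = IPPROTO_TCP;

    struct tcphdr *tcp = (struct tcphdr *)(ip + 1);
    tcp->dest = to_be16(dport);

    size_t len = (truncate_to && truncate_to < sizeof frame) ? truncate_to : sizeof frame;
    return xdp_classify(frame, frame + len);
}
#endif
```

Because this runs at the XDP hook, a frame it drops is never copied to the peer interface by the AF_PACKET bridge and never reaches netfilter, which is exactly the ordering the question asks for; the trade-off, as noted above, is that the program has no connection state, so anything needing stateful decisions still has to be expressed as Suricata rules or left to iptables on the path after the bridge.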