Hi, I have been experimenting with https://elixir.bootlin.com/linux/latest/source/tools/testing/selftests/bpf/progs/xdp_synproxy_kern.c with Suricata in AF_PACKET IPS inline bridge mode. My intention is to attach the XDP syncookie program to the same network interface that Suricata inline mode runs on, so the XDP syncookie could do SYN flood protection. The packet path is like:

client <--> xdp syncookie <--> suricata AF_PACKET bridge <--> server

What I found out is:

1. client sends SYN,
2. XDP syncookie responds with SYN+ACK (with cookie), returns XDP_TX,
3. client sends good ACK, XDP syncookie returns XDP_PASS, ACK to AF_PACKET bridge.

The ACK from the client is verified by the XDP syncookie program and passed on (XDP_PASS) to Suricata's AF_PACKET and bridged to the server, but the initial SYN from the client is not passed on to Suricata's AF_PACKET and not bridged to the server, so the server sends RST to the ACK.

My understanding is that XDP syncookie uses netfilter connection tracking; if the packet is destined to the host, it works fine. But in a layer 2 middle box bridge scenario, the AF_PACKET bridge by Suricata or a Linux bridge does not know about the initial SYN (XDP syncookie returns XDP_TX). I am wondering if there is any solution to get this to work.

If I run a firewall based on netfilter/iptables as a middle box, XDP syncookie attached to the firewall network interface works to protect the server, so my assumption is that since XDP syncookie uses netfilter connection tracking, the layer 2 bridge has no visibility into the connection tracking and the initial SYN.

Thanks!
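To make the mechanics behind the three steps in the post concrete, here is an added Python model (not the poster's code and not the kernel selftest) of a Linux-style SYN cookie: the initial sequence number in the SYN+ACK encodes a keyed hash of the 4-tuple, a time counter and the client's MSS, so the later ACK can be verified without keeping any per-connection state. The secrets, MSS table and 4-tuple are constructed for the example, and HMAC-SHA256 stands in for the kernel's hash. The trace function at the end replays the packet path from the post: only the verified ACK is forwarded, and the server, which never received a SYN for that 4-tuple, has no half-open connection to match it against.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

# Constructed secrets for this example; a real implementation draws them from a CSPRNG at boot.
SECRET1 = b"constructed-secret-one"
SECRET2 = b"constructed-secret-two"

# Only a small MSS table fits into the cookie, so the MSS is stored as an index
# (same idea as the kernel's msstab; these values are constructed for the example).
MSSTAB = [536, 1300, 1440, 1460]
COOKIE_BITS = 24                    # low 24 bits carry the MSS index, high 8 bits the time counter
COOKIE_MASK = (1 << COOKIE_BITS) - 1
MAX_AGE = 4                         # cookies older than this many counter ticks are rejected


def _hash(secret: bytes, saddr: bytes, daddr: bytes, sport: int, dport: int, count: int) -> int:
    """Keyed hash of the 4-tuple and counter, truncated to 32 bits."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, count)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def mss_index(mss: int) -> int:
    """Index of the largest table entry not exceeding the client's advertised MSS."""
    idx = 0
    for i, m in enumerate(MSSTAB):
        if mss >= m:
            idx = i
    return idx


def make_cookie(saddr: bytes, daddr: bytes, sport: int, dport: int,
                sseq: int, mss: int, count: int) -> int:
    """ISN for the SYN+ACK. Nothing is stored: everything needed to verify the ACK
    is recomputed from the packet, the secrets and the time counter."""
    count &= 0xFF
    h1 = _hash(SECRET1, saddr, daddr, sport, dport, 0)
    h2 = _hash(SECRET2, saddr, daddr, sport, dport, count)
    return (h1 + sseq + (count << COOKIE_BITS) + ((h2 + mss_index(mss)) & COOKIE_MASK)) & 0xFFFFFFFF


def check_cookie(saddr: bytes, daddr: bytes, sport: int, dport: int,
                 sseq: int, cookie: int, now: int) -> Optional[int]:
    """Verify the cookie carried in the ACK (ack_seq - 1). Returns the encoded MSS,
    or None if the cookie is stale or does not match this 4-tuple and client ISN."""
    h1 = _hash(SECRET1, saddr, daddr, sport, dport, 0)
    v = (cookie - h1 - sseq) & 0xFFFFFFFF
    age = (now - (v >> COOKIE_BITS)) & 0xFF
    if age >= MAX_AGE:
        return None                             # too old: replayed or forged counter
    count = (now - age) & 0xFF
    h2 = _hash(SECRET2, saddr, daddr, sport, dport, count)
    idx = (v - h2) & COOKIE_MASK
    return MSSTAB[idx] if idx < len(MSSTAB) else None


def middlebox_trace(now: int = 7) -> Tuple[List[str], str]:
    """Replay the path from the post with the cookie logic above:
    client <-> XDP syncookie <-> AF_PACKET bridge <-> server.
    Returns the packets the bridge forwards and the server's answer to the final ACK."""
    tup = (b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 40000, 80)   # constructed 4-tuple
    client_isn = 1000
    forwarded: List[str] = []
    server_half_open = set()   # 4-tuples the server holds a SYN for; it learns them only from forwarded SYNs

    # 1. SYN: the XDP program answers SYN+ACK with the cookie as ISN and returns XDP_TX,
    #    so neither the bridge nor the server ever sees the SYN.
    cookie = make_cookie(*tup, client_isn, 1460, now)

    # 2. ACK (ack_seq = cookie + 1): the cookie verifies, the verdict is XDP_PASS,
    #    and the bridge forwards the ACK.
    ack_seq = (cookie + 1) & 0xFFFFFFFF
    if check_cookie(*tup, client_isn, (ack_seq - 1) & 0xFFFFFFFF, now) is not None:
        forwarded.append("ACK")

    # 3. The server has no half-open connection for this 4-tuple, so a bare ACK is answered with RST.
    server_reply = "ACK" if tup in server_half_open else "RST"
    return forwarded, server_reply


if __name__ == "__main__":
    print(middlebox_trace())   # bridge forwards only the ACK; server answers RST
```

The stateless verification is exactly what makes the cookie robust against a SYN flood and exactly why a downstream bridge or server gains nothing from it: the state the ACK proves was never created anywhere but in the cookie itself. The real XDP program hands cookie generation and checking to kernel BPF helpers and consults conntrack; the arithmetic above only illustrates the encoding, with HMAC-SHA256 in place of the kernel's hash.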