-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
config/mt: Add vlan-tuple MT selector #9747
Conversation
Issue: 6237 The VLAN tuple selector uses a tuple of values to select a tenant. - [ vlan-outermost, vlan-innermost] The tuple can contain as many VLAN values as supported by Suricata - currently 3. Each of these can accept a wild-card value (0). The tenant is selected by matching packet VLAN values with the selector values.
Information: QA ran without warnings. Pipeline 16408 |
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #9747 +/- ##
==========================================
- Coverage 82.56% 82.49% -0.07%
==========================================
Files 968 968
Lines 273827 273960 +133
==========================================
- Hits 226074 226013 -61
- Misses 47753 47947 +194
Flags with carried forward coverage won't be shown. Click here to find out more. |
Information: QA ran without warnings. Pipeline 16416 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few things to consider, some related to making reading clearer, some to formatting. Please see inline comments :)
This example uses the VLAN tuple selector for packets encapsulated with two VLAN ids: | ||
|
||
:: | ||
|
||
multi-detect: | ||
enabled: yes | ||
selector: vlan-tuple | ||
loaders: 3 | ||
|
||
tenants: | ||
- id: 1 | ||
yaml: tenant-1.yaml | ||
- id: 2 | ||
yaml: tenant-2.yaml | ||
- id: 3 | ||
yaml: tenant-3.yaml |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This part is a bit confusing to me, maybe because of the example only actually having the id
word for the tenant ids...
Maybe if we add a generic format to the VLAN-tuple [outtermost-id, middle-id, innermost-id] this could help remove ambiguity when reading this example?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree that using id
in the tenants
section and tenant-id
in the mappings
section is a bit confusing.
I can change this but am concerned about support for existing multi-tenant configurations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hm.. Maybe just some addition to the documentation, to highlight /dismiss the confusion?
Continued in #9951 |
Continuation of #9738
Add a new MT selector type to support use cases where a VLAN tuple should be used to determine the MT tenant.
Packets with one VLAN id will never match as
vlan-tuple
requires at least QinQ.The tuple can hold up to 3 values -- this is the max supported by Suricata atm.
Tenants are selected by specifying a VLAN tuple, e.g.,
[1010, 5]
. A packet matches when:1015
5
Wild card values are supported; values of 0 match 'any VLAN' value in the same position as expressed in the tuple:
Tenants are selected by specifying a VLAN tuple, e.g.,
[1010, 0]
. A packet matches when:1015
Link to redmine ticket: 6237
Describe changes:
vlan-tuple
-- for use cases where a VLAN pair should determines the tenant.Updates
Provide values to any of the below to override the defaults.
To use a pull request use a branch name like
pr/N
whereN
is thepull request number.
Alternatively,
SV_BRANCH
may also be a link to anOISF/suricata-verify pull-request.