Actions
Bug #1292
closedDisabling VLAN tracking should affect cluster mode tuple selection
Affected Versions:
Effort:
Difficulty:
Label:
Description
I was testing a case where mismatched VLAN tags caused flow tracking problems so I set vlan: use-for-tracking: false. However, this does not completely solve issue when using pf_ring for RX with more than 1 thread. The cluster_flow mode will still take VLAN tags into account due to using pf_ring's 6-tuple mode. This result in same flow ending on different RX thread which in turn seems to cause issues.
Setting cluster mode to cluster_per_flow_5_tuple in source-pfring.c line 480 fixes the issue. I think suricata should enforce using only cluster-modes which do not use VLAN tags when VLAN tracking is disabled from the configuration.
Actions