> Is the above design (moving snort_plugin to device-input) considered 
> reasonable? Could there be any missing prerequisites (e.g., L2 header not yet 
> processed, or missing flow information) that prevent Snort from properly 
> inspecting the packets?

I am no expert, but the main difference between device-input and ip4-input 
should be that the current packet offset (b->data + b->current_data) points to 
the L2 header (ethernet) and not L3 (IP). So if you did not change anything 
else, you might consider trying something like b->current_data += 
sizeof(ethernet_header_t) before passing the packet to Snort.

> If this design is not optimal, what alternative solutions would you recommend 
> to achieve both (a) custom processing at an early stage and (b) sending a 
> duplicate copy of the original packets to Snort?

Any reason why ip4-input is not appropriate? You'd get L2 and L3 headers 
validation, and avoid sending ARP etc. to Snort.

Best
ben
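
The offset adjustment suggested in this reply, as an added example that is not part of the original message and is not VPP code. `model_buffer_t`, `advance_to_ip4` and `make_frame` are hypothetical stand-ins for illustration; the sketch goes beyond a fixed `sizeof(ethernet_header_t)` by also skipping VLAN tags and leaving non-IPv4 frames such as ARP untouched.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a VPP buffer: only the fields the reply refers to. */
typedef struct {
    int16_t current_data;     /* offset of the current header inside data[] */
    uint16_t current_length;  /* bytes available from current_data onward */
    uint8_t data[128];
} model_buffer_t;

enum { ETH_HDR_LEN = 14, VLAN_TAG_LEN = 4, IP4_MIN_LEN = 20,
       ETHERTYPE_IP4 = 0x0800, ETHERTYPE_VLAN = 0x8100, ETHERTYPE_QINQ = 0x88A8 };

/* Move current_data from L2 to L3. Returns 1 for IPv4; returns 0 and leaves
 * the buffer unchanged for anything else (ARP, truncated frames, ...). */
static int advance_to_ip4(model_buffer_t *b)
{
    const uint8_t *p = b->data + b->current_data;
    unsigned left = b->current_length, off = ETH_HDR_LEN, type;

    if (left < ETH_HDR_LEN) return 0;
    type = (unsigned)(p[12] << 8 | p[13]);
    while (type == ETHERTYPE_VLAN || type == ETHERTYPE_QINQ) {
        if (left < off + VLAN_TAG_LEN) return 0;
        type = (unsigned)(p[off + 2] << 8 | p[off + 3]); /* inner ethertype */
        off += VLAN_TAG_LEN;
    }
    if (type != ETHERTYPE_IP4 || left < off + IP4_MIN_LEN) return 0;
    if ((p[off] >> 4) != 4) return 0;   /* IP version nibble must be 4 */
    b->current_data += (int16_t)off;
    b->current_length -= (uint16_t)off;
    return 1;
}

/* Constructed sample frame: zeroed MACs, optional 802.1Q tag, stub payload. */
static void make_frame(model_buffer_t *b, unsigned ethertype, int vlan)
{
    unsigned off = 12;
    memset(b, 0, sizeof(*b));
    if (vlan) { b->data[off] = 0x81; off += VLAN_TAG_LEN; } /* TPID 0x8100 */
    b->data[off] = (uint8_t)(ethertype >> 8);
    b->data[off + 1] = (uint8_t)ethertype;
    b->data[off + 2] = 0x45;            /* IPv4 version/IHL byte */
    b->current_length = 64;
}

int main(void)
{
    model_buffer_t b;
    make_frame(&b, ETHERTYPE_IP4, 1);
    int ok = advance_to_ip4(&b);
    printf("ip4=%d l3_offset=%d\n", ok, b.current_data);
    return 0;
}
```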
