-> Any reason why ip4-input is not appropriate? You'd get L2 and L3 headers validation, and avoid sending ARP etc. to Snort. my own vpp plugin will take over the traffic from device-input node, it will not go into ip4-unicast node. we need a copy into snort, and then go back to my plugin. Does that make sense ? ------------------------------------------------------------------ 发件人:Benoit Ganne (bganne) via lists.fd.io <[email protected]> 发送时间:2026年6月9日(周二) 16:07 收件人:"[email protected]"<[email protected]> 主 题:Re: [vpp-dev] Question about integrating custom node and snort_plugin on device-input feature arc > Is the above design (moving snort_plugin to device-input) considered > reasonable? Could there be any missing prerequisites (e.g., L2 header not yet > processed, or missing flow information) that prevent Snort from properly > inspecting the packets? I am no expert, but the main difference between device-input and ip4-input should be that the current packet offset (b->data + b->current_data) points to the L2 header (ethernet) and not L3 (IP). So if you did not change anything else, you might consider trying something like b->current_data += sizeof(ethernet_header_t) before passing the packet to Snort. > If this design is not optimal, what alternative solutions would you recommend > to achieve both (a) custom processing at an early stage and (b) sending a > duplicate copy of the original packets to Snort? Any reason why ip4-input is not appropriate? You'd get L2 and L3 headers validation, and avoid sending ARP etc. to Snort. Best ben
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#27055): https://lists.fd.io/g/vpp-dev/message/27055 Mute This Topic: https://lists.fd.io/mt/119719751/21656 Group Owner: [email protected] Unsubscribe: https://lists.fd.io/g/vpp-dev/leave/14379924/21656/631435203/xyzzy [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
