Hi!
I am not familiar with the details of the divert-to functionality in FreeBSD when it is implemented with pf, but when using ipfw there is an option to use reinject mode, where, if Suricata does not drop the packet, it reinjects it back into the network stack at the specified ipfw rule:
https://docs.suricata.io/en/latest/configuration/suricata-yaml.html#ipfw
Is there any plan to implement this somehow?
This would allow much finer-grained control, and the final decision would be made by the packet filter rather than by Suricata.
I am also not aware of whether a fail-open (bypass) mechanism exists for divert-to, similar to Linux NFQUEUE (queue-bypass), which switches to pass instead of drop if Suricata is not listening or crashes...