I'm building a configuration where I'm logging some packets from the beginning of new flows using ulogd2 NFLOG input and PCAP output. This works nicely without offload.
Would it be possible to to defer offloading somehow by a couple of seconds or for a few pakets, so I'd be able to log some more interesting stuff from the beginning of the flow and have good perf for long running flows with the help of offloading?
I'm doing this to get beginning of flows to NFLOG: nft 'insert rule inet fw4 forward ct state new,established ct bytes 0-10000 counter log group 1'
The going to 1000 packets did not help, but doing both
chain handle_offload {
ct bytes le 10000 counter log group 1 accept
}
and
nft 'insert rule inet fw4 forward ct state new,established ct bytes le 10000 counter log group 1'
did help. I'm pretty new to netfilter, fw4 & offload combination details. What would be the best way to add the nft insert rule properly to fw4 config?
Doing what you proposed in chain handle_offload works perfectly for TCP as far as I can tell; I'm able to control how much gets to NFLOG. For UDP however, chain handle_offload logging appears to produce only the reverse direction packets of a bi-directional flow; no packets from the flow initiator end up in the log. This is the likely cause of the failing QUIC SNI decode symptom I noticed earlier.
If I do the chain handle_offload and nft 'insert rule inet fw4 forward ct state new,established ct bytes le 10000 counter log group 1'
I get the data I want, but there are a lot of duplicate packets logged.
If I do the chain handle_offload and nft 'insert rule inet fw4 prerouting ct state new,established ct bytes le 10000 counter log group 1'
I seem to get the data I need and only some duplicates, so pretty OK.
Have not had to time to fully get my head aroung how all of this works as a system.
Yes, 1st udp bears SSL hello, if that is not logged to IDS it cannot re-construct tls connection start.
for TCP it comes 2 packets later so missing syn+synack is no problem.