Hi Dinesh,
It sounds like commit 102575492 ("snort: support multiple instances per
interface") introduced the ADMIN_UP restriction that didn't exist in 23.02.
This commit added support for multiple Snort instances per interface with load
balancing.
The default behavior `drop-on-disconnect = 1` existed in both versions. When an
interface is attached but Snort hasn't connected yet, packets are dropped.
Possible Workaround:
# Create instance with pass-through mode
snort create-instance name snort0 on-disconnect pass
This may help prevent packet loss during attach/startup when Snort is not yet
connected.
Maybe you can consider discussing with the authors of commit 102575492 to
understand the rationale for this restriction.
Jerome
From: [email protected] <[email protected]> on behalf of Dinesh via
lists.fd.io <[email protected]>
Date: Wednesday, 18 February 2026 at 14:34
To: [email protected] <[email protected]>
Subject: Re: [vpp-dev] Need clarification on snort plugin
Hi,
Reminder.
On 17/02/26 14:58, Dinesh via lists.fd.io wrote:
Hi everyone,
I wanted to check if there have been any updates or if additional
information is required from my side to help move this forward.
I appreciate your time and look forward to your response.
Thanks,
Dinesh
On 16/02/26 15:29, Dinesh wrote:
Hello everyone,
I am migrating an application detection system from VPP 23.02 to 25.02 using
the Snort3 plugin. In the new version, the plugin prevents attaching an
interface to a Snort instance while the interface is 'Up'—a restriction that
didn't exist in 23.02.
Currently, my workaround is to manually bring the interface down, attach it,
and bring it back up. However, the state change is not instantaneous (requiring
multiple retries), and once restored, the interface drops all traffic.
I can see ARP replies are getting dropped in the show errors output. Since we have
a flag in userspace like if application detection is turned on, I need to
create a Snort interface and make it run.
Since this is a production environment, I must ensure uninterrupted
connectivity or zero packet loss. Is there a way to dynamically attach a Snort
instance to an active interface without toggling its state or causing traffic
interruptions? Also, why doesn't the state change to 'down' happen immediately?
Could anyone provide support on this issue?
Thanks,
Dinesh