Optionally ignore MAC address in flow matching in Packetbeat
Proposed commit message
This adds a new configuration field under flows, allow_mismatched_eth, which, if set to true, will not add the MAC address to the flowId. This allows correlating packets that for one reason or another end up with a differing return route. E.g. a DNS response is returned on a different interface or from a different source than the request was sent on/to.
This change is to support the enhancement request
Checklist
- [x] My code follows the style guidelines of this project
- [x] I have commented my code, particularly in hard-to-understand areas
- [x] I have made corresponding changes to the documentation
- [x] I have made corresponding change to the default configuration files
- [ ] I have added tests that prove my fix is effective or that my feature works
- [x] I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.
Disruptive User Impact
There should be none, as this is a default false configuration, so unless the field is added no behaviour in packetbeat changes.
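The effect described in the proposed commit message, as an added Go example that is not Packetbeat's code: a simplified, direction-independent flow key that optionally leaves out the Ethernet layer. The `Packet` type, `FlowKey`, `CountFlows`, `SamplePackets` and all addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Packet is a hypothetical, minimal view of one captured frame.
type Packet struct {
	SrcMAC, DstMAC, SrcIP, DstIP string
	SrcPort, DstPort             uint16
}

// pair orders two endpoints so both directions of a conversation match.
func pair(a, b string) string {
	if a > b {
		a, b = b, a
	}
	return a + "<>" + b
}

// FlowKey builds the key; allowMismatchedEth leaves the Ethernet layer out.
func FlowKey(p Packet, allowMismatchedEth bool) string {
	var layers []string
	if !allowMismatchedEth {
		layers = append(layers, "eth:"+pair(p.SrcMAC, p.DstMAC))
	}
	src := fmt.Sprintf("%s:%d", p.SrcIP, p.SrcPort)
	dst := fmt.Sprintf("%s:%d", p.DstIP, p.DstPort)
	return strings.Join(append(layers, "l3l4:"+pair(src, dst)), "|")
}

// CountFlows returns how many distinct flows the packets are grouped into.
func CountFlows(pkts []Packet, allowMismatchedEth bool) int {
	seen := map[string]struct{}{}
	for _, p := range pkts {
		seen[FlowKey(p, allowMismatchedEth)] = struct{}{}
	}
	return len(seen)
}

// SamplePackets is constructed: a DNS query and its reply from another MAC.
func SamplePackets() []Packet {
	return []Packet{
		{"02:00:00:00:00:01", "02:00:00:00:00:aa", "10.0.0.5", "192.0.2.53", 53000, 53},
		{"02:00:00:00:00:bb", "02:00:00:00:00:01", "192.0.2.53", "10.0.0.5", 53, 53000},
	}
}

func main() { fmt.Println(CountFlows(SamplePackets(), false), CountFlows(SamplePackets(), true)) }
```

In this model, leaving out the Ethernet layer also means frames from any layer-2 source that share the same IP and port endpoints are counted in one flow.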
This pull request does not have a backport label. If this is a bug or security fix, could you label this PR @Tacklebox? 🙏. For such, you'll need to label your PR with:
- The upcoming major version of the Elastic Stack
- The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)
To fixup this pull request, you need to add the backport labels for the needed branches, such as:
- backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
- backport-active-all is the label that automatically backports to all active branches.
- backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
- backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.
Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)
This pull request is now in conflicts. Could you fix it? 🙏 To fixup this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/
git fetch upstream
git checkout -b mborden/AllowMismatchedEth upstream/mborden/AllowMismatchedEth
git merge upstream/main
git push upstream mborden/AllowMismatchedEth
@Tacklebox are you still working on this? The linter is just complaining about the int -> uint conversion, seems like.
Yea, I think that's just an update to gosec linter? It's suspiciously on something to do with flowID but it's not a line I changed and I don't immediately see how my change would have caused anything to behave differently there. I disabled the lint for that line.
@mergifyio backport 8.17 8.18 8.19 9.0 9.1
backport 8.17 8.18 8.19 9.0 9.1
✅ Backports have been created
- #45585 [8.17](backport #44965) Optionally ignore MAC address in flow matching in Packetbeat has been created for branch 8.17
- #45586 [8.18](backport #44965) Optionally ignore MAC address in flow matching in Packetbeat has been created for branch 8.18
- #45587 [8.19](backport #44965) Optionally ignore MAC address in flow matching in Packetbeat has been created for branch 8.19
- #45588 [9.0](backport #44965) Optionally ignore MAC address in flow matching in Packetbeat has been created for branch 9.0
- #45589 [9.1](backport #44965) Optionally ignore MAC address in flow matching in Packetbeat has been created for branch 9.1