
suricata: certain offload types should be disabled when interface is used
Open, Low, Public

Description

Suricata can fail to analyze packets correctly when certain offload modes such as TSO, UFO, GRO, and GSO on Ethernet interfaces are enabled.

Because of this, the daemon has a configurable option (which we currently enable) to auto-disable these offload modes at startup on any interface it is configured to use. From my testing, it turns off the modes mentioned in the first paragraph as well as SG (scatter-gather).

The auto-disable behavior is a bit of a half-solution though, as reconfiguring certain settings of the interface in VyOS could easily cause the offload modes to get turned back on while Suricata is running, causing its traffic analysis to silently fail.

Rather than relying on half-measures baked into the daemon we can provide a better solution by leveraging our ability to integrate disparate components using the config system:

  • Turn off the magic behavior in Suricata that disables offload modes on interfaces (capture: disable-offloading: false).
  • As part of the verify() logic for "service suricata", we should either log a warning or fail validation if any of the interfaces configured for use with Suricata have any of the following offload settings enabled: gro, gso, tso, sg.
  • When modifying an interface's settings (after suricata has been configured/started), attempting to add any of the above offload settings should also produce either a warning or configuration error.
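One way the two proposed verify() checks could be expressed, as an added Python sketch that is not VyOS or Suricata code: plain dicts and sets stand in for the config tree, and ConfigError is a hypothetical stand-in for the config system's validation error.

```python
"""Consistency checks between interface offload settings and Suricata.

Constructed example: interface config is a dict of ifname -> set of enabled
offload settings (mirroring 'set interfaces ethernet ethX offload <mode>').
"""

# Offload modes the task identifies as breaking Suricata's packet analysis.
OFFLOADS_INCOMPATIBLE_WITH_SURICATA = frozenset({"gro", "gso", "tso", "sg"})


class ConfigError(Exception):
    """Hypothetical stand-in for the error raised from a verify() step."""


def offending_offloads(interfaces: dict, suricata_interfaces) -> dict:
    """Return {ifname: sorted offloads} for Suricata interfaces with an incompatible offload on."""
    result = {}
    for ifname in suricata_interfaces:
        bad = set(interfaces.get(ifname, ())) & OFFLOADS_INCOMPATIBLE_WITH_SURICATA
        if bad:
            result[ifname] = sorted(bad)
    return result


def verify_suricata(interfaces: dict, suricata_interfaces, strict: bool = True) -> list:
    """verify() step for 'service suricata': fail (strict) or warn on incompatible offloads."""
    bad = offending_offloads(interfaces, suricata_interfaces)
    messages = [
        f"interface {ifn}: offload {', '.join(modes)} enabled but Suricata analyses this interface"
        for ifn, modes in bad.items()
    ]
    if messages and strict:
        raise ConfigError("; ".join(messages))
    return messages  # warnings; empty when the configuration is consistent


def verify_interface_offload(ifname: str, requested_offloads, suricata_interfaces,
                             strict: bool = True) -> list:
    """verify() step for an interface: reject enabling an incompatible offload
    on an interface that Suricata is already configured to use."""
    if ifname not in suricata_interfaces:
        return []
    bad = set(requested_offloads) & OFFLOADS_INCOMPATIBLE_WITH_SURICATA
    if not bad:
        return []
    msg = f"interface {ifname}: cannot enable offload {', '.join(sorted(bad))} while Suricata uses it"
    if strict:
        raise ConfigError(msg)
    return [msg]
```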

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Behavior change
Issue type
Improvement (missing useful functionality)

Event Timeline

lucasec created this object in space S1 VyOS Public.