output/ipv6: Add configuration option to shorten IPv6 IP addresses by jlucovsky · Pull Request #14458 · OISF/suricata

jlucovsky · 2025-12-10T14:04:46Z

Continuation of #14449

Add a configuration option for outputting shortened IPv6 addresses per RFC-5952

The configuration option:
logging.ipv6-addr-shorten has a default value of no.

When set to yes, IPv6 addresses will be shortened everywhere they are output. E.g., the IPv6 address fe80:0000:0000:0000:020c:29ff:faf2:ab42 will be output as fe80::20c:29ff:faf2:ab42

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7399

Describe changes:

Add a configuration variable for choosing shortened IPv6 IP addresses
Add Rust logic to create a shortened IPv6 address
Document changes and usage.

Updates:

Address Clippy issues
Renamed Rust function to conform to API-naming standard
Eliminated extra copy in Rust function
s-v test updates.
Removed commented-out line from Rust module; added copyright
Misc doc updates.
Rearranged copyright notice
Updated s-v test cases with min-version
Formatted with rustfmt
Added test cases
Changed return for detection of success/failure.
Fixed issue handling return value.

Provide values to any of the below to override the defaults.

To use a Suricata-Verify or Suricata-Update pull request,
link to the pull request in the respective _BRANCH variable.
Leave unused overrides blank or remove.

SV_REPO=
SV_BRANCH=OISF/suricata-verify#2789
SU_REPO=
SU_BRANCH=

Issue: 7399 Use shortened IPv6 addresses in all output when configured. IPv6 addresses are shortened per RFC5952 By default, IPv6 addresses are never shortened; set logging.ipv6-addr-shorten=yes to shorten. Added Rust utility function to create shortened IPv6 address.

Document the configuration variable logging.ipv6-addr-shorten Issue: 7399

codecov · 2025-12-10T14:53:42Z

Codecov Report

❌ Patch coverage is 98.26087% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.17%. Comparing base (354e998) to head (cda88b7).
⚠️ Report is 117 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #14458      +/-   ##
==========================================
- Coverage   84.20%   84.17%   -0.03%     
==========================================
  Files        1013     1014       +1     
  Lines      262383   262498     +115     
==========================================
+ Hits       220936   220959      +23     
- Misses      41447    41539      +92

Flag	Coverage Δ
fuzzcorpus	`63.18% <9.37%> (-0.01%)`	⬇️
livemode	`18.73% <6.25%> (-0.03%)`	⬇️
pcap	`44.62% <9.37%> (+0.01%)`	⬆️
suricata-verify	`64.90% <90.62%> (-0.08%)`	⬇️
unittests	`59.26% <93.91%> (+0.01%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

victorjulien · 2025-12-10T15:07:15Z

rust/src/utils/ip_addr.rs

+        let bytes = std::slice::from_raw_parts(addr, 16);
+
+        // Convert &[u8] → Ipv6Addr
+        let ipv6 = match <&[u8; 16]>::try_from(bytes) {


how might this fail? If we have 16 bytes we have a valid ipv6 address, right?

As reported in #14433 (comment)

I think you should use a from method that is MSRV-compatible

Can we unwrap this somehow then? Now the error check is just dead code AFAICS

jasonish · 2025-12-10T16:35:31Z

suricata.yaml.in

+  # Shorten IPv6 addresses per RFC 5952 before logging. The default is no
+  #ipv6-addr-shorten: no


This section logging typically has no effect on outputs. I wonder if this should be specified per eve logger?

I went down that rabbit hole (per eve logger) but decided on this approach to catch the output of any IPv6 address anywhere.

Perhaps logging isn't the correct section but I feel this is a global Suricata config setting, not per-output.

@jasonish Suggestions on how to specify the global config value?

Unfortunately not. Perhaps at the top level? This is an issue with Eve output currently; there is no way to specify global things. A goal for 9 is to remove globals as well. I feel it more naturally belongs on the eve instance? Maybe the idea of a global section is not a bad idea?

I'll start a global section with the IPv6 option being the first member.

suricata-qa · 2025-12-10T23:30:02Z

Information: QA ran without warnings.

Pipeline = 28672

victorjulien · 2025-12-11T14:43:32Z

doc/userguide/upgrade.rst

  E.g., previously, ``ether_type`` values were logged in host order;  an ethertype value of ``0xfbb7``
  (network order) was logged as `47099`` (``0xb7fb``). This ethertype value will be logged as ``64439``.

+- The output format for IPv6 addresses can be configured. By default, they are presented in their


I don't think this belongs here unless we change the default.

I'll remove mention of this from the upgrade unless you suggest changing the default value to "always shorten"

@victorjulien Should the default be yes (shorten)?

catenacyber

Some changes were requested inline if I understand correctly

jlucovsky · 2026-01-16T15:34:24Z

Continued in #14636

jlucovsky added 2 commits December 10, 2025 08:58

doc/ipv6: Config variable for shortened IPv6 addr

cda88b7

Document the configuration variable logging.ipv6-addr-shorten Issue: 7399

jlucovsky requested review from a team, jasonish, jufajardini and victorjulien as code owners December 10, 2025 14:04

jlucovsky mentioned this pull request Dec 10, 2025

output/ipv6: Add configuration option for shortened IPv6 IP addresses #14449

Closed

victorjulien reviewed Dec 10, 2025

View reviewed changes

jasonish reviewed Dec 10, 2025

View reviewed changes

victorjulien reviewed Dec 11, 2025

View reviewed changes

catenacyber requested changes Jan 8, 2026

View reviewed changes

jlucovsky mentioned this pull request Jan 16, 2026

output/ipv6: Add configuration option to shorten IPv6 IP addresses #14636

Closed

jlucovsky closed this Jan 16, 2026

		# Shorten IPv6 addresses per RFC 5952 before logging. The default is no
		#ipv6-addr-shorten: no

Conversation

jlucovsky commented Dec 10, 2025

Provide values to any of the below to override the defaults.

Uh oh!

codecov bot commented Dec 10, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

suricata-qa commented Dec 10, 2025

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

catenacyber left a comment

Choose a reason for hiding this comment

Uh oh!

jlucovsky commented Jan 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

5 participants

codecov bot commented Dec 10, 2025 •

edited

Loading