Bug #1561

closed

Write to ipfw divert socket failed: Permission denied rapidly followed thread restart loop

Added by Olivier Cochard-Labbé over 8 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -

Description

I'm trying to use Suricata in ipfw divert mode under FreeBSD (11-head).
My setup is working in a lab with very little traffic (just ping and a few telnets on port 80).
But once put in production, it only needs one workstation surfing to crash Suricata in less than 5 seconds.

Here is an extract of the log messages:
23/9/2015 -- 20:49:13 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
23/9/2015 -- 20:49:13 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 43, dropped 0
23/9/2015 -- 20:49:13 - <Info> - thread "Verdict0" restarted
23/9/2015 -- 20:49:13 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
23/9/2015 -- 20:49:13 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 12, dropped 0
23/9/2015 -- 20:49:13 - <Info> - thread "Verdict0" restarted
23/9/2015 -- 20:49:13 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
23/9/2015 -- 20:49:13 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 30, dropped 0
23/9/2015 -- 20:49:13 - <Error> - [ERRCODE: SC_ERR_TM_THREADS_ERROR(136)] - thread restarts exceeded threshold limit for thread "Verdict0"

There were some changes regarding SOCK_RAW in FreeBSD since 10.0, and other changes in the future 11: https://wiki.freebsd.org/SOCK_RAW
Because the divert socket is using SOCK_RAW: can these FreeBSD changes generate this problem?

Actions #1

Updated by Andreas Herz over 7 years ago

  • Target version set to TBD

Actions #2

Updated by Victor Julien over 7 years ago

I have removed the thread restart logic, so that part of this issue should be fixed.

Actions #3

Updated by Victor Julien about 7 years ago

  • Assignee changed from Eric Leblond to Anonymous
  • Priority changed from High to Normal

Any FreeBSD folks available to figure out this ipfw issue?

Actions #4

Updated by Olivier Cochard-Labbé about 7 years ago

Victor Julien wrote:

Any FreeBSD folks available to figure out this ipfw issue?

Yes: Should I just try Suricata 3.2 with ipfw in divert mode?

Actions #5

Updated by Victor Julien about 7 years ago

If you can help on the dev side, then please use the git master. Thanks!

Actions #6

Updated by Andreas Herz about 5 years ago

  • Assignee set to Community Ticket

Actions #7

Updated by Andreas Herz over 4 years ago

Did you have a chance to give this a try?

Actions #8

Updated by Victor Julien over 4 years ago

  • Subject changed from Write to ipfw divert socket failed: Permission denied rapidly followed by a fatal "[ERRCODE: SC_ERR_TM_THREADS_ERROR(136)] - thread restarts exceeded threshold limit for thread Verdict0" to Write to ipfw divert socket failed: Permission denied rapidly followed thread restart loop
  • Status changed from New to Closed
  • Assignee deleted (Community Ticket)
  • Target version deleted (TBD)