Bug #2422
Status: closed
[4.0.3] af_packet: a leak that (possibly) breaks an inline channel
Description
Some days ago we found an interesting bug with inline mode in Suricata 4.0.3 (probably earlier versions are affected too). The test case is:
1. Start Suricata in inline mode on two interfaces, e.g., on eth3 and eth4.
2. Bring eth3 down with 'ifconfig eth3 down'
3. Suricata detects that the interface is down and tries to reopen it
4. Bring eth3 up with 'ifconfig eth3 up'
5. Suricata detects that the interface is up but... traffic is not received on eth3 anymore. As a result an inline channel is broken until we restart Suricata.
Furthermore, we found that the number of lines in /proc/net/packet increases when we bring the interface down and then up. It looks like a leak that is not detected by valgrind.
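
One way to check the /proc/net/packet growth described in this report, as an added example that is not part of the original report or of Suricata's code: the script diffs two snapshots of that file and lists sockets that appeared on an interface without an old one being closed. The sample snapshots, the inode numbers and the ifindex values 5 and 6 are constructed.

```python
"""Diff two /proc/net/packet snapshots to spot AF_PACKET sockets that pile up."""
import sys
from collections import Counter

# Constructed samples (not from the report): ifindex 5 and 6 stand in for
# eth3 and eth4; AFTER models the table once eth3 went down and came back up.
HEADER = "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
BEFORE = HEADER + (
    "ffff8800a0000000 3      3    0003   5     1 0      0      41001\n"
    "ffff8800a0000800 3      3    0003   6     1 0      0      41002\n")
AFTER = BEFORE + "ffff8800a0001000 3      3    0003   5     1 0      0      41377\n"


def parse_packet_table(text):
    """Return {inode: ifindex} for each socket row of a /proc/net/packet dump."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    if not rows:
        return {}
    header, body = rows[0], rows[1:]
    iface_col, inode_col = header.index("Iface"), header.index("Inode")
    return {int(r[inode_col]): int(r[iface_col])
            for r in body if len(r) == len(header)}  # skip truncated rows


def leaked_sockets(before, after):
    """Sockets new in `after` on an interface whose socket count grew.

    A clean reopen (old socket closed, new one opened) changes the inode but
    not the per-interface count, so it is not reported.
    """
    old, new = parse_packet_table(before), parse_packet_table(after)
    growth = Counter(new.values()) - Counter(old.values())
    return {inode: ifx for inode, ifx in new.items()
            if inode not in old and growth[ifx] > 0}


if __name__ == "__main__":
    # Usage: script.py before.txt after.txt (copies of /proc/net/packet);
    # with no arguments the constructed samples above are compared.
    if len(sys.argv) == 3:
        before, after = (open(p).read() for p in sys.argv[1:3])
    else:
        before, after = BEFORE, AFTER
    for inode, ifx in sorted(leaked_sockets(before, after).items()):
        print(f"extra AF_PACKET socket: inode={inode} ifindex={ifx}")
```

/proc/net/packet lists packet sockets from every process, so take both snapshots with no other capture tools starting or stopping in between.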