Support #3428
Closed
fail-open config no effect
Description
Suricata version is 4.1.4.
Run command: suricata -c suricata.yaml -q 0
In suricata.yaml, the nfq config:
mode: accept
fail-open: yes
But when I set the nf_queue size to 1 and send packets to test the "fail-open" function, there is no effect. Packets were dropped when suricata couldn't keep pace.
I have looked at the libnetfilter_queue source code and source_nfq.c. There is no problem in that code.
So I want to know some ways to solve the problem.
Thank you very much!
Updated by John Smith almost 5 years ago
libs had been installed:
libnfnetlink-dev is already the newest version (1.0.1-3).
libnfnetlink0 is already the newest version (1.0.1-3).
libnetfilter-queue-dev is already the newest version (1.0.2-2).
libnetfilter-queue1 is already the newest version (1.0.2-2)
Updated by John Smith almost 5 years ago
The rule in iptables is: sudo iptables -A FORWARD -j NFQUEUE --queue-bypass.
So when I use "fail-open" and set the nf_queue max length to 1, packets will be dropped.
But when I change the rule to: sudo iptables -A FORWARD -j NFQUEUE.
The "fail-open" function is OK!
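Added example (not part of the original ticket or of Suricata's code): when comparing the two iptables rules above, the kernel's per-queue counters in /proc/net/netfilter/nfnetlink_queue show whether packets were dropped because the queue was full (queue_dropped) or because the netlink message could not be sent to userspace (user_dropped). The snapshots and function names below are constructed for illustration.

```python
# Added example: diff the drop counters of one NFQUEUE between two snapshots
# of /proc/net/netfilter/nfnetlink_queue (column order as documented by
# libnetfilter_queue). Sample snapshots below are constructed, not captured.
FIELDS = ("queue_number", "peer_portid", "queue_total", "copy_mode",
          "copy_range", "queue_dropped", "user_dropped", "id_sequence")

BEFORE = "    0   2314     0 2 65531     0     0      120  1\n"
AFTER = "    0   2314     1 2 65531    37     0      158  1\n"


def parse_snapshot(text):
    """Return {queue_number: {field: value}} for every well-formed line."""
    queues = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < len(FIELDS):
            continue  # blank or truncated line
        try:
            row = dict(zip(FIELDS, (int(c) for c in cols)))
        except ValueError:
            continue  # non-numeric debris
        queues[row["queue_number"]] = row
    return queues


def drop_deltas(before, after, queue=0):
    """Counter increases for `queue` between the two snapshots."""
    old = parse_snapshot(before).get(queue)
    new = parse_snapshot(after).get(queue)
    if old is None or new is None:
        raise LookupError(f"queue {queue} is not bound in both snapshots")
    if old["peer_portid"] != new["peer_portid"]:
        # A different listener bound the queue, so the counters restarted.
        raise ValueError("queue was rebound between snapshots")
    return {name: new[name] - old[name]
            for name in ("queue_dropped", "user_dropped")}


if __name__ == "__main__":
    for name, delta in drop_deltas(BEFORE, AFTER).items():
        print(f"{name}: +{delta}")
```

On a live system, read the proc file once before and once after the test traffic and pass both strings to drop_deltas.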
Updated by Andreas Herz almost 5 years ago
- Assignee changed from Victor Julien to John Smith
What kernel version are you running?
Updated by Andreas Herz over 4 years ago
- Status changed from New to Closed
Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs