Support #3428

closed

fail-open config no effect

Added by John Smith about 3 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Affected Versions:
Label:

Description

The suricata version is 4.1.4.
Run command: suricata -c suricata.yaml -q 0
In suricata.yaml, the nfq config:
mode: accept
fail-open: yes
But when I set the nf_queue size to 1 and send packets to test the "fail-open" function, there is no effect. Packets were dropped when suricata couldn't keep pace.
I have looked at the libnetfilter_queue source code and source_nfq.c. There is no problem in that code.
So I want to know some ways to solve the problem.
Thank you very much!

Actions #1

Updated by John Smith about 3 years ago

And the Linux kernel is 4.4

Actions #2

Updated by John Smith about 3 years ago

The libs have been installed:
libnfnetlink-dev is already the newest version (1.0.1-3).
libnfnetlink0 is already the newest version (1.0.1-3).
libnetfilter-queue-dev is already the newest version (1.0.2-2).
libnetfilter-queue1 is already the newest version (1.0.2-2)

Actions #3

Updated by John Smith about 3 years ago

The rule in iptables is: sudo iptables -A FORWARD -j NFQUEUE --queue-bypass
So when I use "fail-open" and set the nf_queue max-leng to 1, packets will be dropped.
But when I change the rule to: sudo iptables -A FORWARD -j NFQUEUE
the "fail-open" function is OK!
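
One way to check where the kernel is counting the drops reported in this ticket, as an added example that is not part of the original thread or of Suricata: the script compares two snapshots of /proc/net/netfilter/nfnetlink_queue and reports queues whose drop counters grew. The nine-column layout in the comments is the one documented for libnetfilter_queue and is assumed here; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Column layout assumed for /proc/net/netfilter/nfnetlink_queue:
#   1 queue number   2 peer portid   3 packets currently queued
#   4 copy mode      5 copy range
#   6 queue dropped  (queue was full)
#   7 user dropped   (could not be sent to userspace)
#   8 last packet id 9 constant 1

# Print the counters of every queue in a snapshot file ($1).
nfq_counters() {
    awk 'NF >= 8 {
        printf "queue=%s queued=%s queue_dropped=%s user_dropped=%s\n", $1, $3, $6, $7
    }' "$1"
}

# Compare an earlier snapshot ($1) with a later one ($2) and print only the
# queues whose drop counters grew in between.
nfq_drops_delta() {
    awk 'NR == FNR { q[$1] = $6 + 0; u[$1] = $7 + 0; next }
         ($1 in q) && ($6 + 0 > q[$1] || $7 + 0 > u[$1]) {
             printf "queue=%s queue_dropped=+%d user_dropped=+%d\n", $1, $6 - q[$1], $7 - u[$1]
         }' "$1" "$2"
}

# Constructed snapshots (not captured from a real host): queue 0 before and
# after a test burst, with the queue-full counter rising from 0 to 42.
demo_dir=$(mktemp -d)
printf '    0   2345     1 2 65531     0     0       57  1\n' > "$demo_dir/before"
printf '    0   2345     1 2 65531    42     0      180  1\n' > "$demo_dir/after"
nfq_counters "$demo_dir/after"
nfq_drops_delta "$demo_dir/before" "$demo_dir/after"
rm -rf "$demo_dir"
```

On a live host, copy /proc/net/netfilter/nfnetlink_queue to a file before and after the test traffic and pass the two copies to `nfq_drops_delta`.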

Actions #4

Updated by Andreas Herz about 3 years ago

  • Assignee changed from Victor Julien to John Smith

What kernel version are you running?

Actions #5

Updated by Andreas Herz over 2 years ago

  • Status changed from New to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
