Support #3428
closed
fail-open config no effect
Added by John Smith almost 5 years ago.
Updated about 4 years ago.
Description
Suricata version is 4.1.4.
Run command: suricata -c suricata.yaml -q 0
In suricata.yaml, the nfq config:
  mode: accept
  fail-open: yes
But when I set the nf_queue size to 1 and send packets to test the "fail-open" function, there is no effect. Packets were dropped when Suricata couldn't keep pace.
I have looked at the libnetfilter_queue source code and source_nfq.c. There is no problem in that code.
So I want to know some ways to solve the problem.
Thank you very much!
And the Linux kernel is 4.4.
Libs have been installed:
libnfnetlink-dev is already the newest version (1.0.1-3).
libnfnetlink0 is already the newest version (1.0.1-3).
libnetfilter-queue-dev is already the newest version (1.0.2-2).
libnetfilter-queue1 is already the newest version (1.0.2-2)
The rule in iptables is: sudo iptables -A FORWARD -j NFQUEUE --queue-bypass
So when I use "fail-open" and set the nf_queue max-len to 1, packets will be dropped.
But when I change the rule to: sudo iptables -A FORWARD -j NFQUEUE
the "fail-open" function is OK!
- Assignee changed from Victor Julien to John Smith
What kernel version are you running?
- Status changed from New to Closed