Bug #4629

Netmap IPS mode in Suricata 6.x ceases to pass traffic after a short, variable period of time on FreeBSD-12

Added by Jeff Lucovsky about 2 months ago. Updated about 1 month ago.

Status:
Closed
Priority:
Normal

Description

Some change between Suricata 5.x and Suricata 6.x in the netmap operation code seems to have introduced an unintended bug. On FreeBSD-12 I am seeing a netmap-enabled interface in Suricata 6.0.2 suddenly stop passing traffic. Nothing is logged to either the console or the system log when this happens, but the interface will not pass any traffic until Suricata is stopped and the netmap-enabled interface is then cycled back to normal operation. The particular mode of operation I am using is a NIC-to-Host Stack arrangement for IPS mode operation.

I am testing in a VMware virtual machine using the e1000 virtual NIC. I am actually testing on the latest editions of pfSense (which is based on FreeBSD-12.2/STABLE), but I strongly suspect the problem can be reproduced on any FreeBSD-12 installation. The exact same Suricata configuration on the exact same virtual machine using Suricata 5.0.6 works just fine, so the problem appears to definitely be in the Suricata 6.x code. I investigated using diff to compare changes in the relevant source files between Suricata 5.0.6 and Suricata 6.0.2. The only change I see that could possibly be related is the change to the thread packet queue logic. I don't fully understand what that change was about, but it really appears to be the only substantial change in the Suricata code for netmap between versions 5.x and 6.x. What appears to happen is that Suricata stops transmitting packets at some point when in IPS mode.

I noticed this bug while working on migrating the Suricata package for the pfSense firewall distro (which I maintain) from the 5.x binary branch to the 6.x binary branch.
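For reference, the NIC-to-Host Stack netmap IPS arrangement described in the report corresponds to a suricata.yaml netmap section of the following shape. This is an added example for readers of the ticket, not configuration taken from the report, from pfSense or from the Suricata project; the interface name em0 (FreeBSD's e1000/em driver, matching the reporter's VMware NIC) is an assumption, and `em0^` is Suricata's documented notation for the host-stack endpoint of a netmap interface.

```yaml
# Added example: netmap IPS, NIC <-> host stack (not from the bug report).
# Assumes the NIC is em0 (FreeBSD e1000/em driver); "em0^" denotes the
# host-stack side of em0 in Suricata's netmap configuration.
netmap:
  # Frames arriving from the wire on em0 are inspected and, unless dropped,
  # copied into the host stack via em0^.
  - interface: em0
    threads: auto
    copy-mode: ips
    copy-iface: em0^
    disable-promisc: false
    checksum-checks: auto
  # Frames the host stack emits on em0^ are inspected and copied out to em0.
  - interface: em0^
    threads: auto
    copy-mode: ips
    copy-iface: em0
    checksum-checks: auto
```

Both halves of the pair are required, or traffic flows in one direction only. Suricata is then started in netmap mode with `suricata -c /etc/suricata/suricata.yaml --netmap`. Because the stall described in the report is silent, the practical check is the one the reporter used: run the identical configuration on the identical machine under 5.0.6 and under 6.0.2 and compare whether traffic keeps passing.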

Files

out.txt (25.2 KB), Martin Rehak, 07/01/2021 08:52 AM
debug.out.gz (24.2 MB), Martin Rehak, 07/01/2021 02:08 PM

Related issues

Copied from Bug #4478: Netmap IPS mode in Suricata 6.x ceases to pass traffic after a short, variable period of time on FreeBSD-12 (Closed, assigned to Victor Julien)

#1

Updated by Jeff Lucovsky about 2 months ago

  • Copied from Bug #4478: Netmap IPS mode in Suricata 6.x ceases to pass traffic after a short, variable period of time on FreeBSD-12 added
#2

Updated by Shivani Bhardwaj about 2 months ago

  • Status changed from Assigned to In Progress
#3

Updated by Shivani Bhardwaj about 2 months ago

  • Status changed from In Progress to In Review
#4

Updated by Shivani Bhardwaj about 1 month ago

  • Status changed from In Review to Closed