Project

General

Profile

Actions
Copy link

Feature #507

closed
EL EL

Implement/test "fail-open" option

Feature #507: Implement/test "fail-open" option

Added by Eric Leblond over 13 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Eric Leblond
Target version:
1.4beta1
Effort:
Difficulty:
Label:

Description

A new feature has recently been introduced in NFQUEUE. It is possible to accept packets when the queue is full. This could be useful in Suricata when admin wants to privilege network behavior over security.

More information and patch: http://www.digipedia.pl/usenet/thread/16261/26536/

Files

0001-nfq-implement-fail-open-support.patch (3.99 KB) 0001-nfq-implement-fail-open-support.patch Eric Leblond, 08/08/2012 08:53 AM

VJ Updated by Victor Julien over 13 years ago Actions
Copy link
 #1

  • Status changed from New to Assigned
  • Assignee set to Eric Leblond
  • Target version set to 1.4beta1

EL Updated by Eric Leblond over 13 years ago Actions
Copy link
 #2

The associated patch is in 3.6-rc1, I don't think this will be in an official kernel before the release of 1.4beta1.
No problem on my side to work on a git Linux but this will be more difficult for testers.

Maybe we could postpone this to a beta2 ?

VJ Updated by Victor Julien over 13 years ago Actions
Copy link
 #3

If the API is likely to remain the same I have no problem with already supporting it now.

EL Updated by Eric Leblond over 13 years ago Actions
Copy link
 #4

OK, working on it ASAP.

EL Updated by Eric Leblond over 13 years ago Actions
Copy link
 #5

I've implemented this and tested it using latest Linux git and latest libnetfilter_queue git. And it works:

# scp on lo with MTU at 100
# With fail-open
root@test-squeeze:~# scp linux-image-3.*deb localhost:/tmp
linux-image-3.3.0-rc3noct+_3.3.0-rc3noct+-10.00.Custom_amd64.deb                                                                                                                 100%   31MB   3.5MB/s   00:09
linux-image-3.6.0-rc1-netfilter+_3.6.0-rc1-netfilter+-10.00.Custom_amd64.deb                                                                                                     100%   30MB   3.3MB/s   00:09
# Without fail-open
root@test-squeeze:~# scp linux-image-3.*deb localhost:/tmp
linux-image-3.3.0-rc3noct+_3.3.0-rc3noct+-10.00.Custom_amd64.deb                                                                                                                 100%   31MB 504.7KB/s   01:03    
linux-image-3.6.0-rc1-netfilter+_3.6.0-rc1-netfilter+-10.00.Custom_amd64.deb                                                                                                     100%   30MB 513.6KB/s   00:59

The attached patch is the implementation.

Please note, there is no possibility to detect that the feature is not available in kernel.

EL Updated by Eric Leblond over 13 years ago Actions
Copy link
 #6

  • % Done changed from 0 to 80

EL Updated by Eric Leblond over 13 years ago Actions
Copy link
 #7

VJ Updated by Victor Julien over 13 years ago Actions
Copy link
 #8

  • Status changed from Assigned to Closed

Merged. Thanks Eric!

VJ Updated by Victor Julien over 13 years ago Actions
Copy link
 #9

  • % Done changed from 80 to 100

VJ Updated by Victor Julien over 13 years ago Actions
Copy link
 #10

  • Tracker changed from Bug to Feature
Actions
Copy link

Also available in: PDF Atom