Feature #507
Implement/test "fail-open" option (status: Closed)
Added by Eric Leblond over 13 years ago. Updated over 13 years ago.
Description
A new feature has recently been introduced in NFQUEUE. It is possible to accept packets when the queue is full. This could be useful in Suricata when an admin wants to privilege network behavior over security.
More information and patch: http://www.digipedia.pl/usenet/thread/16261/26536/
Files
0001-nfq-implement-fail-open-support.patch (3.99 KB) - Eric Leblond, 08/08/2012 08:53 AM
#1 - Updated by Victor Julien over 13 years ago
- Status changed from New to Assigned
- Assignee set to Eric Leblond
- Target version set to 1.4beta1
#2 - Updated by Eric Leblond over 13 years ago
The associated patch is in 3.6-rc1, I don't think this will be in an official kernel before the release of 1.4beta1.
No problem on my side to work on a git Linux but this will be more difficult for testers.
Maybe we could postpone this to a beta2?
#3 - Updated by Victor Julien over 13 years ago
If the API is likely to remain the same I have no problem with already supporting it now.
#4 - Updated by Eric Leblond over 13 years ago
OK, working on it ASAP.
#5 - Updated by Eric Leblond over 13 years ago
I've implemented this and tested it using latest Linux git and latest libnetfilter_queue git. And it works:
# scp on lo with MTU at 100
# With fail-open
root@test-squeeze:~# scp linux-image-3.*deb localhost:/tmp
linux-image-3.3.0-rc3noct+_3.3.0-rc3noct+-10.00.Custom_amd64.deb 100% 31MB 3.5MB/s 00:09
linux-image-3.6.0-rc1-netfilter+_3.6.0-rc1-netfilter+-10.00.Custom_amd64.deb 100% 30MB 3.3MB/s 00:09
# Without fail-open
root@test-squeeze:~# scp linux-image-3.*deb localhost:/tmp
linux-image-3.3.0-rc3noct+_3.3.0-rc3noct+-10.00.Custom_amd64.deb 100% 31MB 504.7KB/s 01:03
linux-image-3.6.0-rc1-netfilter+_3.6.0-rc1-netfilter+-10.00.Custom_amd64.deb 100% 30MB 513.6KB/s 00:59
The attached patch is the implementation.
Please note, there is no possibility to detect that the feature is not available in kernel.
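What enabling the option amounts to on the wire, as an added example that is not the attached patch or Suricata code: the nfnetlink NFQNL_MSG_CONFIG request that sets the NFQA_CFG_F_FAIL_OPEN bit on a queue, the same request that libnetfilter_queue's nfq_set_queue_flags() sends. Constant values are those of the kernel's nfnetlink headers (redefined here so the file builds without them); the queue number and sequence number are constructed sample values.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Values as in linux/netfilter/nfnetlink.h and nfnetlink_queue.h */
#define NFNL_SUBSYS_QUEUE    3           /* nfnetlink subsystem id for NFQUEUE */
#define NFQNL_MSG_CONFIG     2           /* queue configuration message type */
#define NFNETLINK_V0         0
#define NFQA_CFG_MASK        4           /* attr: which flag bits to change */
#define NFQA_CFG_FLAGS       5           /* attr: new values of those bits */
#define NFQA_CFG_F_FAIL_OPEN (1u << 0)   /* accept packets when the queue is full */
#define NLM_F_REQUEST        0x01
#define NLM_F_ACK            0x04

struct nl_hdr  { uint32_t len; uint16_t type; uint16_t flags; uint32_t seq; uint32_t pid; };
struct nfgen   { uint8_t family; uint8_t version; uint16_t res_id; };
struct nl_attr { uint16_t len; uint16_t type; };

/* Append one u32 attribute; nfnetlink carries these payloads big-endian. */
static void put_u32_attr(uint8_t *buf, size_t *off, uint16_t type, uint32_t val)
{
    struct nl_attr a = { sizeof a + sizeof(uint32_t), type };
    uint32_t be = htonl(val);
    memcpy(buf + *off, &a, sizeof a);
    memcpy(buf + *off + sizeof a, &be, sizeof be);
    *off += sizeof a + sizeof be;        /* 8 bytes, already 4-byte aligned */
}

/* Build the fail-open request for queue_num into buf; returns its length or 0 if
 * buf is too small. Mask == flags == FAIL_OPEN: only that bit changes, to 1. */
size_t build_fail_open_config(uint16_t queue_num, uint8_t *buf, size_t buflen)
{
    struct nl_hdr h = { 0, (NFNL_SUBSYS_QUEUE << 8) | NFQNL_MSG_CONFIG,
                        NLM_F_REQUEST | NLM_F_ACK, 1 /* constructed seq */, 0 };
    struct nfgen g = { 0 /* AF_UNSPEC */, NFNETLINK_V0, htons(queue_num) };
    size_t off = sizeof h;               /* header written last, once len is known */

    if (buflen < sizeof h + sizeof g + 2 * (sizeof(struct nl_attr) + 4))
        return 0;
    memcpy(buf + off, &g, sizeof g);
    off += sizeof g;
    put_u32_attr(buf, &off, NFQA_CFG_MASK,  NFQA_CFG_F_FAIL_OPEN);
    put_u32_attr(buf, &off, NFQA_CFG_FLAGS, NFQA_CFG_F_FAIL_OPEN);
    h.len = (uint32_t)off;
    memcpy(buf, &h, sizeof h);
    return off;
}
/* Read-back helpers: nlmsg_type is host order, attribute payloads big-endian. */
uint16_t msg_type(const uint8_t *b) { uint16_t v; memcpy(&v, b + 4, 2); return v; }
uint32_t attr_u32_at(const uint8_t *b, size_t off) { uint32_t v; memcpy(&v, b + off + 4, 4); return ntohl(v); }
```

The header and nfgenmsg take 20 bytes and each u32 attribute 8, so the finished request is 36 bytes; a kernel without the feature gives no distinct error for the unknown flag, which is the detection gap noted above.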
#6 - Updated by Eric Leblond over 13 years ago
- % Done changed from 0 to 80
#7 - Updated by Eric Leblond over 13 years ago
Pull request on GitHub: https://github.com/inliniac/suricata/pull/6
#8 - Updated by Victor Julien over 13 years ago
- Status changed from Assigned to Closed
Merged. Thanks Eric!
#9 - Updated by Victor Julien over 13 years ago
- % Done changed from 80 to 100
#10 - Updated by Victor Julien over 13 years ago
- Tracker changed from Bug to Feature