Bug #5480

open

Cannot compile Suricata 6.0.6 with PF_RING support

Added by Matthew Traudt about 2 months ago. Updated about 2 months ago.

Status: New
Priority: Normal

Description

Key details: At configure-time, Suricata's configure script incorrectly determines our PF_RING version to be <6. Patching out that check, the next PF_RING check incorrectly determines the PF_RING version to be <7.

The configure script from Suricata 5.0.6 works.

This ticket discusses the issue as experienced in the git repository from GitHub, but the same behavior is seen with the 6.0.6 source tarball.

System info

  • Red Hat Enterprise Linux release 8.5 (Ootpa)
  • FIPS mode is enabled
  • Suricata 6.0.6
  • PF_RING 8.3.0.220630 (same error messages with 8.1.xxxxxx)
  • We use PF_RING ZC (zero copy) drivers
  • Suricata invocation in its .service file: /usr/local/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --pfring --pfring-cluster-id=9 --pfring-cluster-type=cluster_flow
  • Our PF_RING install dropped the headers and libraries with a /usr prefix, not /usr/local:
# ls -lhs /usr/include/pfring*
24K -rw-r--r--. 1 root root 23K Aug  3 20:43 /usr/include/pfring_ft.h
60K -rw-r--r--. 1 root root 60K Aug  3 20:43 /usr/include/pfring.h
44K -rw-r--r--. 1 root root 41K Aug  3 20:43 /usr/include/pfring_zc.h
# ls -lhs /usr/lib/libpfring.*
1.2M -rw-r--r--. 1 root root 1.2M Aug  3 20:43 /usr/lib/libpfring.a
   0 lrwxrwxrwx. 1 root root   14 Aug  3 20:43 /usr/lib/libpfring.so -> libpfring.so.8
   0 lrwxrwxrwx. 1 root root   18 Aug  3 20:43 /usr/lib/libpfring.so.8 -> libpfring.so.8.3.0
820K -rwxr-xr-x. 1 root root 817K Aug  3 20:43 /usr/lib/libpfring.so.8.3.0
  • Adding --with-libpfring-includes=/usr/include and --with-libpfring-libraries=/usr/lib to ./configure arguments doesn't change anything. /usr/{include,lib} is seemingly already searched.

Attachments

  • suricata-506.txt: script output (basically: an almost-plain-text recording of my terminal) while running ./autogen.sh and ./configure with suricata 5.0.6 checked out.
  • suricata-606.txt: the same, but with suricata 6.0.6 checked out.
  • config-506.log: config.log from the 5.0.6 run
  • config-606.log: config.log from the 6.0.6 run
  • configure.ac.patch: A patch for 6.0.6's configure.ac that I applied for our use, but which is likely to be unacceptable for general use.

My investigation

Looking at config-606.log and configure.ac from 6.0.6, the pfring_recv_chunk check is the first problem. Interesting lines in config-606.log start with the line starting with configure:20805. As an aside, the same errors regarding unknown types u_char and u_int exist above here in config-606.log during the check for pcap/bpf.h. Lines here start with configure:20371.

I fixed this, in perhaps an upstream-able way, by replacing the hand-written AC_COMPILE_IFELSE check with a simple AC_CHECK_LIB. See the attached configure.ac.patch.

After this change, the next issue is the AC_COMPILE_IFELSE that checks for PF_RING_FLOW_OFFLOAD to be defined as a litmus test for PF_RING version >=7. I am not uploading a config.log that shows this, but removing the check "fixes" it. The attached configure.ac.patch removes the check, which may not be suitable for upstreaming.

(I know just enough autoconf/automake to be a danger to myself and others, and I was not around to know why you wrote these checks in this way.)

After applying the patch, we are able to make suricata 6.0.6 with PF_RING support. It runs and generates eve/fast logs like 5.0.6 did before.

$ suricata -V
This is Suricata version 6.0.6 RELEASE
$ suricata --build-info | grep PF_RING
Features: PCAP_SET_BUFF PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
  PF_RING support:                         yes

Files

  • configure.ac.patch (2.17 KB), Matthew Traudt, 08/04/2022 08:19 PM
  • config-506.log (128 KB), Matthew Traudt, 08/05/2022 01:00 PM
  • config-606.log (185 KB), Matthew Traudt, 08/05/2022 01:00 PM
  • suricata-506.txt (29.1 KB), Matthew Traudt, 08/05/2022 01:00 PM
  • suricata-606.txt (18.2 KB), Matthew Traudt, 08/05/2022 01:00 PM
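
The config.log triage described under "My investigation", as an added example that is not part of the original ticket or of Suricata's own tooling: it lists every configure check that answered "no" and separates test programs that failed to compile (such as the unknown u_char/u_int types) from link failures where the library or symbol is actually missing. The log excerpt is constructed; only the configure:20371 and configure:20805 prefixes come from the ticket, and example_fn/-lexample are hypothetical names.

```python
import re
# Constructed excerpt in config.log's layout. Only the configure:20371 and
# configure:20805 prefixes come from the ticket; the rest is illustrative.
SAMPLE_LOG = """\
configure:20371: checking pcap/bpf.h usability
/usr/include/pcap/bpf.h:1:1: error: unknown type name 'u_int'
configure:20371: result: no
configure:20805: checking for pfring_recv_chunk
configure:20805: gcc -c conftest.c >&5
/usr/include/pfring.h:1:1: error: unknown type name 'u_char'
configure: failed program was:
| /* error: text inside the echoed test program, not a diagnostic */
configure:20805: result: no
configure:30000: checking for example_fn in -lexample
/usr/bin/ld: cannot find -lexample
configure:30000: result: no
configure:30100: checking for gcc
configure:30100: result: yes
"""

CHECK = re.compile(r"^configure:(\d+): checking (.+)$")
RESULT = re.compile(r"^configure:\d+: result: (.+)$")
LINK = re.compile(r"undefined reference to|cannot find -l")

def classify(errors):
    if any(LINK.search(e) for e in errors):
        return "link"      # the library or symbol really is missing
    return "compile" if errors else "unknown"  # compile: test program never built

def failed_checks(log_text):
    """Return every check that answered 'no', with its diagnostics and a cause."""
    failures, cur = [], None
    for line in log_text.splitlines():
        m = CHECK.match(line)
        if m:
            cur = {"line": int(m.group(1)), "check": m.group(2), "errors": []}
        elif cur is None or line.startswith("|"):
            continue       # outside a check, or echoed test-program source
        elif (r := RESULT.match(line)):
            if r.group(1).strip() == "no":
                cur["cause"] = classify(cur["errors"])
                failures.append(cur)
            cur = None
        elif "error: " in line or LINK.search(line):
            cur["errors"].append(line.strip())
    return failures

if __name__ == "__main__":
    print(*failed_checks(SAMPLE_LOG), sep="\n")
```

A "compile" cause on a library check means the answer says nothing about whether the library is installed, which is the situation the ticket describes for the pfring_recv_chunk check.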
#1

Updated by Matthew Traudt about 2 months ago

  • File deleted (config-506.log)

#2

Updated by Matthew Traudt about 2 months ago

  • File deleted (config-606.log)

#3

Updated by Matthew Traudt about 2 months ago

  • File deleted (suricata-506.txt)

#4

Updated by Matthew Traudt about 2 months ago

  • File deleted (suricata-606.txt)