Bug #6027 (closed)
Suricatasc encounters issues with multi-tenant commands in Suricata 6.0.11, causing it to become unresponsive.
Description
The config file we are using:
%YAML 1.1
---
af-packet:
  - interface: antrea-l7-tap0
    threads: auto
    cluster-id: 80
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    tpacket-v2: yes
    checksum-checks: no
    copy-mode: ips
    copy-iface: antrea-l7-tap1
  - interface: antrea-l7-tap1
    threads: auto
    cluster-id: 81
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    tpacket-v2: yes
    checksum-checks: no
    copy-mode: ips
    copy-iface: antrea-l7-tap0
multi-detect:
  enabled: yes
  selector: vlan
The extra config above is included in the default config /etc/suricata/suricata.yaml, and Suricata is started with the command:
suricata -c /etc/suricata/suricata.yaml --af-packet
In our project, we use `suricatasc` to add/delete/reload tenants. When we run a command like `suricatasc -c "register-tenant 2 /etc/suricata/antrea-tenant-1.yaml" -v` to add a tenant, the output is:
root@k8s-node-control-plane:/var/log/antrea/networkpolicy/l7engine# suricatasc -c "register-tenant 1 /etc/suricata/antrea-tenant-1.yaml" -v
SND: {"version": "0.2"}
RCV: {"return": "OK"}
SND: {"command": "command-list"}
RCV: {"message": {"count": 33, "commands": ["shutdown", "command-list", "help", "version", "uptime", "running-mode", "capture-mode", "conf-get", "dump-counters", "reload-rules", "ruleset-reload-rules", "ruleset-reload-nonblocking", "ruleset-reload-time", "ruleset-stats", "ruleset-failed-rules", "register-tenant-handler", "unregister-tenant-handler", "register-tenant", "reload-tenant", "unregister-tenant", "add-hostbit", "remove-hostbit", "list-hostbit", "reopen-log-files", "memcap-set", "memcap-show", "memcap-list", "dataset-add", "dataset-remove", "iface-stat", "iface-list", "iface-bypassed-stat", "ebpf-bypassed-stat"]}, "return": "OK"}
SND: {"command": "register-tenant", "arguments": {"id": 2, "filename": "/etc/suricata/antrea-tenant-1.yaml"}}
From the log, we can see that the command should have been sent to the socket file successfully. In addition, the output of the Suricata console is:
30/4/2023 -- 00:56:07 - <Info> - 1 rule files processed. 2 rules successfully loaded, 0 rules failed
30/4/2023 -- 00:56:07 - <Info> - Threshold config parsed: 0 rule(s) found
30/4/2023 -- 00:56:07 - <Info> - 2 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only
We can see that Suricata processed the command from the socket file; however, it doesn't end the socket connection.
For other commands which are not related to multi-tenant, like the following, it works:
- suricatasc -c "version" -v
- suricatasc -c "uptime" -v
For the following commands, it doesn't work:
- suricatasc -c "register-tenant 1 /etc/suricata/antrea-tenant-1.yaml" -v
- suricatasc -c "reload-tenant 1 /etc/suricata/antrea-tenant-1.yaml" -v
- suricatasc -c "unregister-tenant 1" -v
- suricatasc -c "register-tenant-handler 1 vlan 1" -v
- suricatasc -c "unregister-tenant-handler 1 vlan 1" -v
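The socket exchange shown in the report (a {"version": "0.2"} handshake answered by {"return": "OK"}, then one JSON object per command) can be driven by a small client that gives up after a bounded wait instead of blocking when Suricata processes a tenant command but never answers. The following is an added example, not code from the Suricata project or from the bug report: it assumes newline-terminated messages, and the stand-in server that "processes" tenant commands without replying is constructed here to reproduce the reported symptom offline (its reply bodies, the HANGING command set and the temporary socket path are assumptions of the example; the tenant id and yaml path are the ones from the report).

```python
"""Talk to Suricata's unix command socket with a hard timeout, and reproduce
the reported symptom against a constructed stand-in server.

Added example, not Suricata project code. Framing follows the exchange in
the bug report; newline termination and the stand-in server's replies are
assumptions of this example.
"""
import json
import os
import socket
import tempfile
import threading


class ReplyTimeout(Exception):
    """Suricata accepted the command but never answered."""


def _send_json(sock, obj):
    sock.sendall((json.dumps(obj) + "\n").encode("utf-8"))


def _recv_json(sock, timeout):
    """Read one newline-terminated JSON message or raise ReplyTimeout."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while not buf.endswith(b"\n"):
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("peer closed the socket")
            buf += chunk
    except socket.timeout:
        raise ReplyTimeout("no reply within %.1fs" % timeout) from None
    return json.loads(buf)


def run_command(sock_path, command, arguments=None, timeout=2.0):
    """Handshake, send one command and return the reply as a dict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(sock_path)
        _send_json(sock, {"version": "0.2"})
        hello = _recv_json(sock, timeout)
        if hello.get("return") != "OK":
            raise RuntimeError("handshake rejected: %r" % (hello,))
        msg = {"command": command}
        if arguments:
            msg["arguments"] = arguments
        _send_json(sock, msg)
        return _recv_json(sock, timeout)


# Constructed stand-in for the Suricata side: tenant commands are "processed"
# (recorded in `seen`) but never answered and the connection is left open,
# which is the behaviour the report describes for 6.0.11.
HANGING = {"register-tenant", "reload-tenant", "unregister-tenant",
           "register-tenant-handler", "unregister-tenant-handler"}


def fake_suricata(sock_path, ready, seen):
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    with srv, conn:
        hello = _recv_json(conn, 5)
        ok = hello.get("version") == "0.2"
        _send_json(conn, {"return": "OK" if ok else "NOK"})
        req = _recv_json(conn, 5)
        seen.append(req["command"])
        if req["command"] in HANGING:
            try:
                conn.recv(1)  # block until the client gives up and closes
            except OSError:
                pass
            return
        _send_json(conn, {"message": "6.0.11", "return": "OK"})  # constructed reply


def demo(timeout=1.0):
    """Run one working and one hanging command; return what each produced."""
    tmpdir = tempfile.mkdtemp()
    cases = [("version", None),
             ("register-tenant",
              {"id": 2, "filename": "/etc/suricata/antrea-tenant-1.yaml"})]
    results = {}
    for command, args in cases:
        path = os.path.join(tmpdir, command + ".sock")  # assumed temp socket path
        ready, seen = threading.Event(), []
        t = threading.Thread(target=fake_suricata, args=(path, ready, seen), daemon=True)
        t.start()
        ready.wait(5)
        try:
            outcome = run_command(path, command, args, timeout=timeout)
        except ReplyTimeout:
            outcome = "timeout"
        t.join(5)
        os.unlink(path)
        results[command] = {"outcome": outcome, "server_saw": seen}
    return results


if __name__ == "__main__":
    for cmd, r in demo().items():
        print(cmd, r)
```

Pointing run_command at a real /var/run/suricata/suricata-command.socket with a short timeout turns the hang into a ReplyTimeout, which is the difference between a stuck automation step and one that can be retried or surfaced; the stand-in server records that the command was received, mirroring the console output in the report, so the example separates "command not delivered" from "command processed but never acknowledged".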
Updated by Hongliang Liu over 2 years ago
- Assignee changed from OISF Dev to Philippe Antoine
Updated by Victor Julien over 2 years ago
- Assignee changed from Philippe Antoine to Jason Ish
likely duplicate of #6021
Updated by Victor Julien over 2 years ago
- Related to Bug #6021: af-packet: reload not occurring until packets are seen added
Updated by Victor Julien over 2 years ago
- Status changed from New to Rejected
- Assignee deleted (Jason Ish)
- Target version deleted (TBD)
Duplicate of #6021