Project

General

Profile

Actions
Copy link

Bug #769

closed
EL EL

Be sure to always apply verdict to NFQ packet

Bug #769: Be sure to always apply verdict to NFQ packet

Added by Eric Leblond about 13 years ago. Updated over 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Eric Leblond
Target version:
2.0beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

It seems that in some cases, it is possible that Suricata do not verdict a Packet. This is for example the case when the propagation to the other module fails. This could result in some packets getting stuck inside Netfilter queue on kernel side.

We should investigate more deeply into this to be sure we always verdict Packet.

VJ Updated by Victor Julien about 13 years ago Actions
Copy link
 #1

  • Target version changed from 1.4.1 to 2.0beta1

EL Updated by Eric Leblond almost 13 years ago Actions
Copy link
 #2

  • % Done changed from 0 to 90

Implemented by https://github.com/inliniac/suricata/pull/394.

It is hard to test, I've done it by changing NFQSetVerdict code to get out of without verdict for one given id. The test was successful.

VJ Updated by Victor Julien over 12 years ago Actions
Copy link
 #3

  • Status changed from New to Closed

VJ Updated by Victor Julien over 12 years ago Actions
Copy link
 #4

  • % Done changed from 90 to 100
Actions
Copy link

Also available in: PDF Atom