Bug #5480
open
Cannot compile Suricata 6.0.6 with PF_RING support
Description
Key details: At configure-time, Suricata's configure script incorrectly determines our PF_RING version to be <6. Patching out that check, the next PF_RING check incorrectly determines the PF_RING version to be <7.
The configure script from Suricata 5.0.6 works.
This ticket discusses the issue as experienced in the git repository from GitHub, but the same behavior is seen with the 6.0.6 source tarball.
System info
- Red Hat Enterprise Linux release 8.5 (Ootpa)
- FIPS mode is enabled
- Suricata 6.0.6
- PF_RING 8.3.0.220630 (same error messages with 8.1.xxxxxx)
- We use PF_RING ZC (zero copy) drivers
- Suricata invocation in its .service file:
/usr/local/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --pfring --pfring-cluster-id=9 --pfring-cluster-type=cluster_flow
- Our PF_RING install dropped the headers and libraries with a /usr prefix, not /usr/local:
    # ls -lhs /usr/include/pfring*
    24K -rw-r--r--. 1 root root 23K Aug 3 20:43 /usr/include/pfring_ft.h
    60K -rw-r--r--. 1 root root 60K Aug 3 20:43 /usr/include/pfring.h
    44K -rw-r--r--. 1 root root 41K Aug 3 20:43 /usr/include/pfring_zc.h
    # ls -lhs /usr/lib/libpfring.*
    1.2M -rw-r--r--. 1 root root 1.2M Aug 3 20:43 /usr/lib/libpfring.a
    0 lrwxrwxrwx. 1 root root 14 Aug 3 20:43 /usr/lib/libpfring.so -> libpfring.so.8
    0 lrwxrwxrwx. 1 root root 18 Aug 3 20:43 /usr/lib/libpfring.so.8 -> libpfring.so.8.3.0
    820K -rwxr-xr-x. 1 root root 817K Aug 3 20:43 /usr/lib/libpfring.so.8.3.0
- Adding --with-libpfring-includes=/usr/include and --with-libpfring-libraries=/usr/lib to ./configure arguments doesn't change anything. /usr/{include,lib} is seemingly already searched.
Attachments
- suricata-506.txt: script output (basically: an almost-plain-text recording of my terminal) while running ./autogen.sh and ./configure with suricata 5.0.6 checked out.
- suricata-606.txt: the same, but with suricata 6.0.6 checked out.
- config-506.log: config.log from the 5.0.6 run
- config-606.log: config.log from the 6.0.6 run
- configure.ac.patch: A patch for 6.0.6's configure.ac that I applied for our use, but is likely to be unacceptable for general use.
My investigation
Looking at config-606.log and configure.ac from 6.0.6, the pfring_recv_chunk check is the first problem. Interesting lines in config-606.log start with the line starting with configure:20805. As an aside, the same errors regarding unknown types u_char and u_int exist above here in config-606.log during the check for pcap/bpf.h. Lines here start with configure:20371.
I fixed this, in perhaps an upstream-able way, by replacing the hand-written AC_COMPILE_IFELSE check with a simple AC_CHECK_LIB. See the attached configure.ac.patch.
After this change, the next issue is the AC_COMPILE_IFELSE that checks for PF_RING_FLOW_OFFLOAD to be defined as a litmus test for PF_RING version >=7. I am not uploading a config.log that shows this, but removing the check "fixes" it. The attached configure.ac.patch removes the check, which may not be suitable for upstreaming.
(I know just enough autoconf/automake to be a danger to myself and others, and I was not around to know why you wrote these checks in this way.)
After applying the patch, we are able to make suricata 6.0.6 with PF_RING support. It runs and generates eve/fast logs like 5.0.6 did before.
    $ suricata -V
    This is Suricata version 6.0.6 RELEASE
    $ suricata --build-info | grep PF_RING
    Features: PCAP_SET_BUFF PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
    PF_RING support: yes
Files
Updated by Matthew Traudt about 2 years ago
- File config-506.log added
- File config-606.log added
- File suricata-506.txt added
- File suricata-606.txt added
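
Added example (not part of the ticket, its attachments, or Suricata's build system): a shell function that lists the probes in a config.log whose compile step failed, with the unknown type names the compiler reported, which is the lookup the investigation above does by hand. The embedded log is constructed; only the line numbers 20371 and 20805, the header names and the type names u_char and u_int come from the ticket, and the function names are made up for this example.

```sh
#!/bin/sh
# Constructed sample in config.log layout (not copied from the attached logs).
# Header line/column positions and the gcc command lines are invented.
sample_config_log() {
cat <<'EOF'
configure:20371: gcc -c -g -O2 conftest.c >&5
/usr/include/pcap/bpf.h:88:1: error: unknown type name 'u_int'
/usr/include/pcap/bpf.h:104:2: error: unknown type name 'u_char'
configure:20371: $? = 1
configure:20500: gcc -c -g -O2 conftest.c >&5
configure:20500: $? = 0
configure:20805: gcc -c -g -O2 conftest.c >&5
/usr/include/pfring.h:210:3: error: unknown type name 'u_char'
/usr/include/pfring.h:211:3: error: unknown type name 'u_int'
/usr/include/pfring.h:230:9: error: unknown type name 'u_char'
configure:20805: $? = 1
EOF
}

# failed_probes [FILE]: reads FILE (or stdin) and prints one line per probe
# that exited non-zero: "configure:<line> exit=<status> unknown_types=<a,b>".
failed_probes() {
    awk '
        # Compiler diagnostics sit between the command line and its "$? =" line.
        /error: unknown type name/ {
            split($0, q, "\047")            # \047 is the ASCII apostrophe
            if (!(q[2] in seen)) {          # keep each type once, in first-seen order
                seen[q[2]] = 1
                types = (types == "" ? q[2] : types "," q[2])
            }
            next
        }
        # "configure:NNNN: $? = STATUS" closes one probe.
        /^configure:[0-9]+: \$\? = [0-9]+$/ {
            split($1, p, ":")
            if ($4 != 0)
                printf "configure:%s exit=%s unknown_types=%s\n", p[2], $4, (types == "" ? "-" : types)
            types = ""
            for (k in seen) delete seen[k]
        }
    ' "${1:--}"
}

# Stand-alone run on the constructed sample; use `failed_probes config.log` on a real log.
sample_config_log | failed_probes
```

A probe that fails for a different reason (a link error, a missing header) is still listed, with `unknown_types=-`.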