Bug #6027

closed

Suricatasc encounters issues with commands involving multiple-tenant in Suricata 6.0.11, causing it to become unresponsive.

Added by Hongliang Liu over 1 year ago. Updated over 1 year ago.

Status: Rejected
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

The config file we are using:

```
%YAML 1.1
---
af-packet:
  - interface: antrea-l7-tap0
    threads: auto
    cluster-id: 80
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    tpacket-v2: yes
    checksum-checks: no
    copy-mode: ips
    copy-iface: antrea-l7-tap1
  - interface: antrea-l7-tap1
    threads: auto
    cluster-id: 81
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    tpacket-v2: yes
    checksum-checks: no
    copy-mode: ips
    copy-iface: antrea-l7-tap0
multi-detect:
  enabled: yes
  selector: vlan
```

The extra config above is included in the default config /etc/suricata/suricata.yaml, and Suricata is started with the command:

```
suricata -c /etc/suricata/suricata.yaml --af-packet
```

In our project, we use `suricatasc` to add/delete/reload tenants. When we run a command like `suricatasc -c "register-tenant 2 /etc/suricata/antrea-tenant-1.yaml" -v` to add a tenant, the output is

```
root@k8s-node-control-plane:/var/log/antrea/networkpolicy/l7engine# suricatasc -c "register-tenant 1 /etc/suricata/antrea-tenant-1.yaml" -v
SND: {"version": "0.2"}
RCV: {"return": "OK"}
SND: {"command": "command-list"}
RCV: {"message": {"count": 33, "commands": ["shutdown", "command-list", "help", "version", "uptime", "running-mode", "capture-mode", "conf-get", "dump-counters", "reload-rules", "ruleset-reload-rules", "ruleset-reload-nonblocking", "ruleset-reload-time", "ruleset-stats", "ruleset-failed-rules", "register-tenant-handler", "unregister-tenant-handler", "register-tenant", "reload-tenant", "unregister-tenant", "add-hostbit", "remove-hostbit", "list-hostbit", "reopen-log-files", "memcap-set", "memcap-show", "memcap-list", "dataset-add", "dataset-remove", "iface-stat", "iface-list", "iface-bypassed-stat", "ebpf-bypassed-stat"]}, "return": "OK"}
SND: {"command": "register-tenant", "arguments": {"id": 2, "filename": "/etc/suricata/antrea-tenant-1.yaml"}}
```

We can see from the log that the command should be sent to the socket file successfully. In addition, the output of the Suricata console is

```
30/4/2023 -- 00:56:07 - <Info> - 1 rule files processed. 2 rules successfully loaded, 0 rules failed
30/4/2023 -- 00:56:07 - <Info> - Threshold config parsed: 0 rule(s) found
30/4/2023 -- 00:56:07 - <Info> - 2 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only
```

We can see that Suricata processed the command from the socket file; however, it doesn't end the socket connection.

For other commands which are not related to multiple tenants, like the following, it works.

  • suricatasc -c "version" -v
  • suricatasc -c "uptime" -v

For the following commands, it doesn't work.

  • suricatasc -c "register-tenant 1 /etc/suricata/antrea-tenant-1.yaml" -v
  • suricatasc -c "reload-tenant 1 /etc/suricata/antrea-tenant-1.yaml" -v
  • suricatasc -c "unregister-tenant 1" -v
  • suricatasc -c "register-tenant-handler 1 vlan 1" -v
  • suricatasc -c "unregister-tenant-handler 1 vlan 1" -v
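
Automation that drives the command socket can bound this kind of hang on the client side. The following is an added example, not code from the report or from the Suricata project: a minimal client for the handshake shown in the verbose output above that gives up after a timeout instead of blocking. The `fake_engine` stand-in, the `TIMEOUT`/`CLOSED` markers and the newline framing are assumptions made for the example.

```python
import json
import socket
import threading

def send_command(sock, message, timeout=2.0):
    """Send one JSON message; wait at most `timeout` seconds for the reply."""
    sock.settimeout(timeout)
    # Assumption: messages are newline-terminated JSON in protocol 0.2.
    sock.sendall((json.dumps(message) + "\n").encode())
    buf = b""
    try:
        while not buf.endswith(b"\n"):
            chunk = sock.recv(4096)
            if not chunk:
                return {"return": "CLOSED"}  # local marker, not a Suricata value
            buf += chunk
    except socket.timeout:
        return {"return": "TIMEOUT"}  # local marker, not a Suricata value
    return json.loads(buf)

def fake_engine(sock):
    """Constructed stand-in for the engine: never answers tenant commands."""
    with sock, sock.makefile("rb") as reader:
        for line in reader:
            msg = json.loads(line)
            if "tenant" in msg.get("command", ""):
                continue  # reproduce the symptom from the report: no reply
            sock.sendall(b'{"return": "OK"}\n')

def run_command(message, timeout=0.5):
    """One connection per command, so a late reply is never misattributed."""
    # A real client would connect an AF_UNIX socket to the engine's command
    # socket instead of using this in-process socketpair.
    client, server = socket.socketpair()
    threading.Thread(target=fake_engine, args=(server,), daemon=True).start()
    with client:
        hello = send_command(client, {"version": "0.2"}, timeout)
        if hello.get("return") != "OK":
            return hello
        return send_command(client, message, timeout)

if __name__ == "__main__":
    tenant = {"command": "register-tenant",
              "arguments": {"id": 2, "filename": "/etc/suricata/antrea-tenant-1.yaml"}}
    for msg in ({"command": "version"}, {"command": "uptime"}, tenant):
        print(msg["command"], "->", run_command(msg)["return"])
```

A `TIMEOUT` result only means no reply arrived in time; as the console output in the report shows, the engine may still have applied the command, so the caller should verify state before retrying.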

Related issues: 1 (0 open, 1 closed)

Related to Suricata - Bug #6021: af-packet: reload not occurring until packets are seen (Closed, Jason Ish)