Project

General

Profile

Actions
Copy link

Bug #769

closed

Be sure to always apply verdict to NFQ packet

Added by Eric Leblond over 11 years ago. Updated over 11 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Eric Leblond
Target version:
2.0beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

It seems that in some cases, it is possible that Suricata do not verdict a Packet. This is for example the case when the propagation to the other module fails. This could result in some packets getting stuck inside Netfilter queue on kernel side.

We should investigate more deeply into this to be sure we always verdict Packet.

Actions
Copy link
 #1

Updated by Victor Julien over 11 years ago

  • Target version changed from 1.4.1 to 2.0beta1
Actions
Copy link
 #2

Updated by Eric Leblond over 11 years ago

  • % Done changed from 0 to 90

Implemented by https://github.com/inliniac/suricata/pull/394.

It is hard to test, I've done it by changing NFQSetVerdict code to get out of without verdict for one given id. The test was successful.

Actions
Copy link
 #3

Updated by Victor Julien over 11 years ago

  • Status changed from New to Closed
Actions
Copy link
 #4

Updated by Victor Julien over 11 years ago

  • % Done changed from 90 to 100
Actions
Copy link

Also available in: Atom PDF