** Description changed:
Suricata in newer kernels (3.5 and upper) will complain like this:
- * NFQUEUE support not found !
- * Please ensure the nfnetlink_queue module is loaded or built in kernel
+ * NFQUEUE support not found !
+ * Please ensure the nfnetlink_queue module is loaded or built in kernel
although nfnetlink_queue is loaded:
-
lsmod | grep nfnetlink_queue
- nfnetlink_queue 17557 3
+ nfnetlink_queue 17557 3
nfnetlink 13983 5 nf_conntrack_netlink,nfnetlink_queue
This happens because /etc/init.d/suricata does this check:
check_nfqueue() {
if [ ! -e /proc/net/netfilter/nf_queue ]; then
- log_failure_msg "NFQUEUE support not found !"
- log_failure_msg "Please ensure the nfnetlink_queue module is loaded or
built in kernel"
- exit 5
+ log_failure_msg "NFQUEUE support not found !"
+ log_failure_msg "Please ensure the nfnetlink_queue module is loaded or
built in kernel"
+ exit 5
fi
}
-
- Nevertheless this only works in pre3.5 kernels as newer kernels have
supressed ip_queue , in benefit of libnetfilter_queue.
+ Nevertheless this only works in pre3.5 kernels as newer kernels have
+ supressed ip_queue , in benefit of libnetfilter_queue.
Thus the script should check that nor /proc/net/netfilter/nf_queue nor
/proc/net/netfilter/nfnetlink_queue existed.
+
+
+ [Impact]
+
+ * Suricata is not able to start without changes on config files.
+ When starting the daemon, it tries to detect NLQUEUE support
+ checking existence of wrong procfs file.
+
+ * On precise it is not able to start out-of-the-box after the
+ change above. Suricata-debian.yaml points to wrong
+ reference.config file.
+
+ * This change fixes LP #1250439.
+
+ [Test Case]
+
+ * Steps
+
+ Install "suricata" package with apt-get.
+ Set RUN to yes on /etc/default/suricata.
+ Make sure nfnetlink_queue and nfnetlink modules are not loaded.
+ Try to start suricata service and it will complain about no NFQUEUE.
+ Modprobe nfnetlink_queue and try to start suricata again.
+ You cannot because file being checked is /proc/net/netfilter/nf_queue.
+
+ * On precise:
+
+ Wrong auto-generated reference on /etc/suricata/suricata-debian.yaml.
+ Package silently refuses to start even after fixing service init script.
+
+ [Regression Potential]
+
+ * Since this problem exists on upstream and on all Ubuntu versions, it
+ is most likely that customers using this package have already fixed
+ init script.
+
+ * Since customers tend to write their own suricata rules, it is most
+ likely that cutomers have already fixed default rules file.
+
+ * Regression would make suricata daemon not to start (just like now).
+
+ [Other Info]
+
+ NA
** Description changed:
+ [Impact]
+
+ * Suricata is not able to start without changes on config files.
+ When starting the daemon, it tries to detect NLQUEUE support
+ checking existence of wrong procfs file.
+
+ * On precise it is not able to start out-of-the-box after the
+ change above. Suricata-debian.yaml points to wrong
+ reference.config file.
+
+ * This change fixes LP #1250439.
+
+ [Test Case]
+
+ * Steps
+
+ Install "suricata" package with apt-get.
+ Set RUN to yes on /etc/default/suricata.
+ Make sure nfnetlink_queue and nfnetlink modules are not loaded.
+ Try to start suricata service and it will complain about no NFQUEUE.
+ Modprobe nfnetlink_queue and try to start suricata again.
+ You cannot because file being checked is /proc/net/netfilter/nf_queue.
+
+ * On precise:
+
+ Wrong auto-generated reference on /etc/suricata/suricata-debian.yaml.
+ Package silently refuses to start even after fixing service init script.
+
+ [Regression Potential]
+
+ * Since this problem exists on upstream and on all Ubuntu versions, it
+ is most likely that customers using this package have already fixed
+ init script.
+
+ * Since customers tend to write their own suricata rules, it is most
+ likely that cutomers have already fixed default rules file.
+
+ * Regression would make suricata daemon not to start (just like now).
+
+ [Other Info]
+
+ NA
+
Suricata in newer kernels (3.5 and upper) will complain like this:
* NFQUEUE support not found !
* Please ensure the nfnetlink_queue module is loaded or built in kernel
although nfnetlink_queue is loaded:
lsmod | grep nfnetlink_queue
nfnetlink_queue 17557 3
nfnetlink 13983 5 nf_conntrack_netlink,nfnetlink_queue
This happens because /etc/init.d/suricata does this check:
check_nfqueue() {
if [ ! -e /proc/net/netfilter/nf_queue ]; then
log_failure_msg "NFQUEUE support not found !"
log_failure_msg "Please ensure the nfnetlink_queue module is loaded or
built in kernel"
exit 5
fi
}
Nevertheless this only works in pre3.5 kernels as newer kernels have
supressed ip_queue , in benefit of libnetfilter_queue.
Thus the script should check that nor /proc/net/netfilter/nf_queue nor
/proc/net/netfilter/nfnetlink_queue existed.
-
-
- [Impact]
-
- * Suricata is not able to start without changes on config files.
- When starting the daemon, it tries to detect NLQUEUE support
- checking existence of wrong procfs file.
-
- * On precise it is not able to start out-of-the-box after the
- change above. Suricata-debian.yaml points to wrong
- reference.config file.
-
- * This change fixes LP #1250439.
-
- [Test Case]
-
- * Steps
-
- Install "suricata" package with apt-get.
- Set RUN to yes on /etc/default/suricata.
- Make sure nfnetlink_queue and nfnetlink modules are not loaded.
- Try to start suricata service and it will complain about no NFQUEUE.
- Modprobe nfnetlink_queue and try to start suricata again.
- You cannot because file being checked is /proc/net/netfilter/nf_queue.
-
- * On precise:
-
- Wrong auto-generated reference on /etc/suricata/suricata-debian.yaml.
- Package silently refuses to start even after fixing service init script.
-
- [Regression Potential]
-
- * Since this problem exists on upstream and on all Ubuntu versions, it
- is most likely that customers using this package have already fixed
- init script.
-
- * Since customers tend to write their own suricata rules, it is most
- likely that cutomers have already fixed default rules file.
-
- * Regression would make suricata daemon not to start (just like now).
-
- [Other Info]
-
- NA
** Description changed:
[Impact]
* Suricata is not able to start without changes on config files.
When starting the daemon, it tries to detect NLQUEUE support
checking existence of wrong procfs file.
* On precise it is not able to start out-of-the-box after the
change above. Suricata-debian.yaml points to wrong
reference.config file.
* This change fixes LP #1250439.
[Test Case]
* Steps
Install "suricata" package with apt-get.
Set RUN to yes on /etc/default/suricata.
Make sure nfnetlink_queue and nfnetlink modules are not loaded.
Try to start suricata service and it will complain about no NFQUEUE.
Modprobe nfnetlink_queue and try to start suricata again.
You cannot because file being checked is /proc/net/netfilter/nf_queue.
* On precise:
Wrong auto-generated reference on /etc/suricata/suricata-debian.yaml.
Package silently refuses to start even after fixing service init script.
[Regression Potential]
* Since this problem exists on upstream and on all Ubuntu versions, it
is most likely that customers using this package have already fixed
init script.
* Since customers tend to write their own suricata rules, it is most
likely that cutomers have already fixed default rules file.
* Regression would make suricata daemon not to start (just like now).
[Other Info]
- NA
-
Suricata in newer kernels (3.5 and upper) will complain like this:
* NFQUEUE support not found !
* Please ensure the nfnetlink_queue module is loaded or built in kernel
although nfnetlink_queue is loaded:
lsmod | grep nfnetlink_queue
nfnetlink_queue 17557 3
nfnetlink 13983 5 nf_conntrack_netlink,nfnetlink_queue
This happens because /etc/init.d/suricata does this check:
check_nfqueue() {
if [ ! -e /proc/net/netfilter/nf_queue ]; then
log_failure_msg "NFQUEUE support not found !"
log_failure_msg "Please ensure the nfnetlink_queue module is loaded or
built in kernel"
exit 5
fi
}
Nevertheless this only works in pre3.5 kernels as newer kernels have
supressed ip_queue , in benefit of libnetfilter_queue.
Thus the script should check that nor /proc/net/netfilter/nf_queue nor
/proc/net/netfilter/nfnetlink_queue existed.
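The fix the description asks for, written out as an added example (this is not the Ubuntu package's init script or the patch that closed the bug): the original `check_nfqueue` logic beside a corrected version that fails only when neither `/proc/net/netfilter/nf_queue` (pre-3.5 kernels) nor `/proc/net/netfilter/nfnetlink_queue` (3.5 and later, with the module loaded) exists. The directory argument, the `make_fake_netfilter_dir` helper, the `demo` function and the `return 5` in place of the script's `exit 5` are assumptions added here so the check can be run in-process against a constructed directory instead of the live /proc.

```shell
#!/bin/sh
# Added example, not the Ubuntu suricata init script. Both checks take the
# netfilter procfs directory as an optional argument (default: the real one)
# so the logic can be exercised against a constructed directory.

# Minimal stand-in for the LSB helper the real init script sources.
log_failure_msg() { printf '%s\n' "$*" >&2; }

# Original logic from /etc/init.d/suricata, with 'exit 5' turned into
# 'return 5' so it can be called in-process. It looks only for nf_queue,
# which kernels 3.5+ no longer provide: this is the bug.
check_nfqueue_old() {
    dir=${1:-/proc/net/netfilter}
    if [ ! -e "$dir/nf_queue" ]; then
        log_failure_msg "NFQUEUE support not found !"
        log_failure_msg "Please ensure the nfnetlink_queue module is loaded or built in kernel"
        return 5
    fi
    return 0
}

# Corrected logic: accept either the pre-3.5 nf_queue file or the
# nfnetlink_queue file that 3.5+ kernels expose once the module is loaded,
# and fail only when neither is present.
check_nfqueue_new() {
    dir=${1:-/proc/net/netfilter}
    if [ ! -e "$dir/nf_queue" ] && [ ! -e "$dir/nfnetlink_queue" ]; then
        log_failure_msg "NFQUEUE support not found !"
        log_failure_msg "Please ensure the nfnetlink_queue module is loaded or built in kernel"
        return 5
    fi
    return 0
}

# Constructed procfs layout (assumption for the demo): a temp dir containing
# the given file names, e.g. only "nfnetlink_queue" for a 3.5+ kernel with
# the module loaded, or nothing at all for a kernel without queue support.
make_fake_netfilter_dir() {
    d=$(mktemp -d)
    for f in "$@"; do : > "$d/$f"; done
    printf '%s\n' "$d"
}

# Run both checks against both layouts and report which one passes.
demo() {
    modern=$(make_fake_netfilter_dir nfnetlink_queue)
    none=$(make_fake_netfilter_dir)
    for name in check_nfqueue_old check_nfqueue_new; do
        "$name" "$modern" 2>/dev/null && r=pass || r="fail ($?)"
        echo "$name, 3.5+ layout with nfnetlink_queue loaded: $r"
        "$name" "$none" 2>/dev/null && r=pass || r="fail ($?)"
        echo "$name, no queue support at all: $r"
    done
    rm -rf "$modern" "$none"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run as `sh check_nfqueue.sh demo` to see the old check reject the 3.5+ layout while the corrected one accepts it; both still reject a directory with neither file. Note that the procfs file only tells you the kernel side is present; it says nothing about whether the suricata binary itself was built with NFQ support, so a daemon can still refuse to start for reasons this check does not cover (the precise reference.config problem in the description is one such case).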
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1250439
Title:
suricata complains about NFQUEUE in newer kernels
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/suricata/+bug/1250439/+subscriptions
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs