Not usual setup can lead to surprise
The 5th of December 2012, I’ve setup suricata in AF_PACKET IPS mode between a WiFi interface and an Ethernet interface. The result was surprising as it was leading to a crash after some time:
The issue was linked with the defrag option of AF_PACKEt fanout. I’ve proposed a patch the 7th Dec 2012 and after a discussion with David Miller and Johannes Berg, Johannes has proposed a better patch which was included in official tree. So the problem is fixed for kernel superior or equal to 3.7.
Affected kernel
Here’s the list of affected kernel:
- All kernel prior to 3.2.36
- All 3.3.x kernel
- All 3.4.x kernel prior to 3.4.25
- All 3.5.x kernel prior to 3.5.7.3
- All 3.6.x kernel prior to 3.6.11
Workaround in Suricata
If you can’t update to a not affected kernel, you can set defrag to no in af-packet configuration to avoid the issue:
af-packet:
- interface: wlan0
# In some fragmentation case, the hash can not be computed. If "defrag" is set
# to yes, the kernel will do the needed defragmentation before sending the packets.
defrag: no