Bug#: 149496
Status: RESOLVED
Resolution: TEST-REQUEST
Assigned To: Netmon Herd <netmon@gentoo.org>
Reporter: Christian Buehler <christian@cbuehler.de>

Description:   Opened: 2006-09-29 01:27 0000

When using snort 2.4.5 with inline USE-Flag as an Intrusion Prevention System,
all TCP traffic gets blocked, while ICMP and UDP seem to work perfectly well.
It seems to be a problem with compiler optimization because everything works
fine when optimization is disabled.

My CFLAGS where the problems occur: CFLAGS="-O2 -march=i686 -pipe"

Would it be possible to disable optimization in the ebuild?

Reproducible: Always

Steps to Reproduce:
1. set CFLAGS to "-O2 -march=i686 -pipe"
2. emerge snort
3. set up bridge
4. /etc/init.d/snort start
5. iptables -A FORWARD -j QUEUE
Actual Results:  
ICMP and UDP traffic gets filtered through snort and passed to the other side of
the bridge but TCP traffic gets blocked.

Expected Results:  
All traffic (ICMP, UDP and TCP) should be passed to snort for filtering and
reach the other side of the bridge.

Gentoo Base System version 1.6.14
Portage 2.1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4,
2.6.15-gentoo-r1 i686)
=================================================================
System uname: 2.6.15-gentoo-r1 i686 Intel(R) Pentium(R) 4 CPU 2.40GHz
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.2
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1-r2
sys-devel/gcc-config: 1.3.13-r2
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/terminfo"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 alsa apache2 apm arts berkdb bitmap-fonts cli crypt cups dlloader dri
eds emboss encode esd foomaticdb fortran gdbm gif gnome gpm gstreamer gtk gtk2
imlib inline ipv6 isdnlog jpeg kde libg++ libwww mad mikmod motif mp3 mpeg
mysql
ncurses nls nptl ogg opengl oss pam pcre perl png pppd python qt3 qt4 quicktime
readline reflection sdl session spell spl ssl tcpd truetype truetype-fonts
type1-fonts udev vorbis xml xmms xorg xv zlib elibc_glibc
input_devices_keyboard
input_devices_mouse input_devices_evdev kernel_linux userland_GNU
video_cards_apm video_cards_ark video_cards_ati video_cards_chips
video_cards_cirrus video_cards_cyrix video_cards_dummy video_cards_fbdev
video_cards_glint video_cards_i128 video_cards_i740 video_cards_i810
video_cards_imstt video_cards_mga video_cards_neomagic video_cards_nsc
video_cards_nv video_cards_rendition video_cards_s3 video_cards_s3virge
video_cards_savage video_cards_siliconmotion video_cards_sis video_cards_sisusb
video_cards_tdfx video_cards_tga video_cards_trident video_cards_tseng
video_cards_v4l video_cards_vesa video_cards_vga video_cards_via
video_cards_vmware video_cards_voodoo"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
LINGUAS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY


snort-2.4.5 (with inline USE Flag)
iptables-1.3.5-r1
bridge-utils-1.0.6-r3

------- Comment #1 From Christian Buehler 2006-10-07 09:53:46 0000 -------
This mail from the snort-inline-users mailing list seems to address the same
issue and proposes a solution (compile with "-fno-strict-aliasing").


Subject: Re: [Snort-inline-users] snort-inline dropping only TCP packets.
Date: Fri, 6 Oct 2006 14:20:13 +0200
Message-ID: <452649FD.6090602@sourcefire.com>
From: "Adam Keeton" <akeeton@sourcefire.com>
To: "Pravin" <shindepravin@gmail.com>
Cc: <snort-inline-users@lists.sourceforge.net>

Run Snort with "-k none", if you start getting TCP packets, then the
checksums are failing.

FC 5 comes with GCC 4.x.x.  In GCC 4.x.x, (and, potentially, late
versions of the 3 series), optimizations were re-worked.  Snort compiles
with optimization level 2, which now assumes strict aliasing by
default.  The resulting optimizations break the TCP checksumming code.
The solution is to compile Snort with "-fno-strict-aliasing".

If you check out the latest Snort from CVS, or download the beta, the
configure script will take care of it for you.  If you want to stick
with your current version, set the CFLAGS variable to
-fno-strict-aliasing and rerun configure, then do a fresh compile
(be sure to make clean first).

Thanks,
Adam

> Hi,
> I have a problem that snort-inline is allowing UDP and ICMP packets
> but dropping TCP packets.
> I have Fedora Core 5 on my box.
>
> I referred to the http://linuxgazette.net/117/savage.html tutorial for
> this installation and configuration purpose.
> I run snort-inline using the following command:
> snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ \
>     -t /var/log/snort_inline/ -v
>
> after starting snort-inline ICMP and UDP packets are able to get
> through but TCP packets are getting dropped
>
> I used simple IPTABLES rules to queue up the packets to user space.
> iptables -I INPUT -p tcp --dport 80 -j QUEUE
> iptables -I INPUT -p udp --dport 20000 -j QUEUE
> iptables -I INPUT -p icmp -j QUEUE
>
> I checked the log files and all of them are empty.
>
> I also tried to go through the source code.
> I found the following lines which are responsible for packet dropping or
> packet allowing.
>
> inline.c:948         status = ipq_set_verdict(ipqh, m->packet_id, NF_DROP, 0, NULL);
>
> inline.c:1025        status = ipq_set_verdict(ipqh, m->packet_id, NF_ACCEPT, 0, NULL);
>
> inline.c:1047        status = ipq_set_verdict(ipqh, m->packet_id, NF_ACCEPT,
>                                               m->data_len, m->payload);
>
> I added some printf after them for debugging purposes,
> and found out that ICMP and UDP packets were being accepted by the second
> ipq_set_verdict function call (inline.c:1025) but TCP packets were
> getting dropped by the first ipq_set_verdict
> function call (inline.c:948).
>
> My guess is that there is something wrong in the configuration file,
> As per me, the default rules are not supposed to drop any packets.
> The only change that I have done in the config file is to change
> "var RULE_PATH /etc/snort_inline/drop_rules"
> to
> "var RULE_PATH /etc/snort_inline/rules"
>
> I am attaching my snort_inline.conf file with this mail.
> Can someone please help me to find out what I am missing?
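The mail above names the symptom (TCP packets rejected because the checksum verification fails once -O2 strict-aliasing optimizations break the checksumming code) but shows no code. What follows is an added example written for this page, not code from Snort, from the snort-inline list or from this bug: the RFC 1071 Internet checksum as a receiver verifies it for IPv4 headers and for TCP segments with the IPv4 pseudo-header. It reads packet memory only through a character type, which the C aliasing rules permit for any object, so it is correct at -O2 whether or not -fno-strict-aliasing is given, and it handles the odd-length trailing byte. The packet bytes are constructed sample values (an IPv4 header carrying checksum 0xb861 and a TCP SYN between 192.168.0.1 and 192.168.0.199), and all function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 ones' complement accumulation over a byte buffer.  Each 16-bit
 * word is assembled from two bytes, so memory is only ever read through a
 * character type, which the C aliasing rules allow for any object; that is
 * what keeps this correct at -O2 with strict aliasing on.  Dereferencing the
 * byte pointer cast to uint16_t * is the pattern the optimiser may break. */
static uint32_t ones_complement_add(uint32_t acc, const uint8_t *data, size_t len)
{
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        acc += (uint32_t)((data[i] << 8) | data[i + 1]);
    if (len & 1)                              /* odd trailing byte is zero-padded */
        acc += (uint32_t)data[len - 1] << 8;
    return acc;
}

/* Fold the carries back into 16 bits and complement: the on-the-wire value. */
static uint16_t ones_complement_finish(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xffffu) + (acc >> 16);
    return (uint16_t)(~acc & 0xffffu);
}

/* Checksum of a plain buffer, e.g. an IPv4 header or an ICMP message. */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    return ones_complement_finish(ones_complement_add(0, data, len));
}

/* TCP checksum over the IPv4 pseudo-header (src, dst, zero, protocol 6, TCP
 * length) followed by the TCP header and payload.  With the segment's checksum
 * field zeroed it returns the value to store; over a correct segment it is 0. */
uint16_t tcp_checksum(const uint8_t src_ip[4], const uint8_t dst_ip[4],
                      const uint8_t *segment, size_t seg_len)
{
    uint8_t pseudo[12];
    uint32_t acc;
    memcpy(pseudo, src_ip, 4);
    memcpy(pseudo + 4, dst_ip, 4);
    pseudo[8] = 0;
    pseudo[9] = 6;                            /* IPPROTO_TCP */
    pseudo[10] = (uint8_t)(seg_len >> 8);      /* TCP length: header + payload */
    pseudo[11] = (uint8_t)(seg_len & 0xff);
    acc = ones_complement_add(0, pseudo, sizeof pseudo);
    acc = ones_complement_add(acc, segment, seg_len);
    return ones_complement_finish(acc);
}

/* Constructed sample data, not captured traffic: an IPv4 header whose checksum
 * field (offset 10) holds 0xb861, and a TCP SYN from 192.168.0.1 to
 * 192.168.0.199 whose checksum field (offset 16) is still zero. */
static const uint8_t sample_src_ip[4] = { 0xc0, 0xa8, 0x00, 0x01 };
static const uint8_t sample_dst_ip[4] = { 0xc0, 0xa8, 0x00, 0xc7 };
static const uint8_t sample_ipv4_hdr[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0xb8, 0x61,
    0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };
static const uint8_t sample_tcp_syn[20] = {
    0x12, 0x34, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00 };

/* Recompute the IPv4 header checksum from scratch (expected 0xb861). */
uint16_t sample_ipv4_recomputed(void)
{
    uint8_t hdr[20];
    memcpy(hdr, sample_ipv4_hdr, sizeof hdr);
    hdr[10] = hdr[11] = 0;
    return inet_checksum(hdr, sizeof hdr);
}

/* Compute the SYN's checksum, store it, and validate the segment the way a
 * receiver does: the sum over pseudo-header and segment must come out zero. */
int sample_tcp_valid_after_fill(void)
{
    uint8_t seg[20];
    uint16_t csum = tcp_checksum(sample_src_ip, sample_dst_ip, sample_tcp_syn, sizeof sample_tcp_syn);
    memcpy(seg, sample_tcp_syn, sizeof seg);
    seg[16] = (uint8_t)(csum >> 8);
    seg[17] = (uint8_t)(csum & 0xff);
    return tcp_checksum(sample_src_ip, sample_dst_ip, seg, sizeof seg) == 0;
}

int main(void)
{
    printf("IPv4 header sums to %u, recomputed checksum 0x%04x\n",
           (unsigned)inet_checksum(sample_ipv4_hdr, sizeof sample_ipv4_hdr),
           (unsigned)sample_ipv4_recomputed());
    printf("TCP SYN checksum 0x%04x, valid after fill: %d\n",
           (unsigned)tcp_checksum(sample_src_ip, sample_dst_ip, sample_tcp_syn, sizeof sample_tcp_syn),
           sample_tcp_valid_after_fill());
    return 0;
}
```

A correct header or segment sums to zero; that zero is the property a verifier checks, and it is the check that "-k none" tells Snort to skip, which is why that flag is a quick way to tell a checksum problem from a rule problem. The same arithmetic written as `*(uint16_t *)p` over a `char` buffer is what strict aliasing makes undefined: at -O2 the compiler may assume a 16-bit load does not alias the bytes it was just written through, and a checksum routine built that way is the class of code the mail describes as broken by the optimizer.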

------- Comment #2 From Cédric Krier 2006-11-25 10:18:59 0000 -------
Fix in cvs
