Created attachment 516318 [details] suricata-4.0.3.ebuild Suricata ebuild has number of options currently not used by Gentoo. Some of them are driver specific and likely not easily incorporated into Gentoo, but there are also present switches for packages available in portage or bugzilla. Here is some of those examples --enable-prelude Enable Prelude support for alerts --enable-pfring Enable Native PF_RING support --enable-ipfw Enable FreeBSD IPFW support for inline IDP dev-lang/rust --enable-rust Enable Experimental Rust support --enable-rust-experimental Enable support for experimental Rus parsers --enable-rust-strict Rust warnings as errors driver specific --enable-afl Enable AFL fuzzing logic --enable-netmap Enable Netmap support --enable-dag Enable DAG capture --enable-napatech Enabled Napatech Devices Attached ebuild makes use of some of them and requires following bugs to be resolved first - https://bugs.gentoo.org/366609 - https://bugs.gentoo.org/645542 - https://bugs.gentoo.org/627490 I compile tested it with prelude & pfring. It also compiled for me with ipfq, but I am not sure if it is needed in the ebuild as it is required only for FreeBSD. Rust is still experimental in suricata, but hence it is available some might want to test it. On side note hence config & init script are the same for all ebuilds in portage replacing them in all ebuilds with ${PN} instead of ${P} could save few kB of space
Thank you for your report. Some of the options you've mentioned are already included but commented in ebuild, because as you said - they depends on another opened bugs. I didn't opened a bug before as I didn't know if someone would be interested in suricata. Now it may be a good idea to track those dependencies here. It may be a good idea to use $PN, and when some changes appear we could still use $P then.
I have been using suricata with PF_RING for some years now (albeit from time to time). The initial source of the ebuilds predates my move to github, but I guess it was initially in Pentoo. I guess sorting the dependencies between the 3 bugs mentioned, choosing a name for the PF_RING kernel module and library needs to be done. My pkalin overlay is available at https://github.com/thinrope/pkalin and I just revbumped the 3 ebuilds in question, trying to match the vanilla tree as much as possible. There are some subtle differences in syntax, but I guess someone needs to choose and/or mix and push to portage, then it can be tested. Now, I haven't used prelude, so no idea what is needed.
New maintainer of net-analyzer/suricata here. Seeing as this ticket is almost 2 years old I am now closing it as obsolete, that said by all means do ask if there is still interest in any of these features. My comments regarding some of them: - rust - as of suricata-5.0.0 this is no longer optional - pfring - I used to use this a lot in the past (under Debian) but it seems that these days PF_RING mode only outperforms AF_PACKET mode when used in conjunction with non-free additional components? Plus I do not know if the former works with eBGP/XDP; - prelude - sounds like a good feature to add but it should be clarified why some parts of the tree still mention Prelude as having been masked for removal; - ipfw - we no longer support FreeBSD so I think it's safe to assume this will never be needed after all.
