[Oisf-users] [Oisf-devel] Suricata - Write to ipfw divert socket failed

Eric Leblond eric at regit.org
Wed Mar 5 23:02:41 UTC 2014


Hi,

On Thu, 2014-03-06 at 00:55 +0200, Özkan KIRIK wrote:
> I tried compiling with both clang and gcc. The result was the same.
> 
> This error appears sometimes. Not for all packets.
> 
> There is only one rule : pass ip any any -> any any

There is an old memory coming back to me. Not sure, but I think this is
linked with a non-routable packet reaching the filter (a packet going to the
box, for example). And there is a failure at reinject because the packet
can't be sent.

BR,

> 
> 
> On 6 Mar 2014 00:49, "Özkan KIRIK" <ozkan.kirik at gmail.com>
> wrote:
>         Hi,
>         
>         I was running suricata with these arguments;
>         
>         suricata -vv -d 8000
>         
>         ipfw add divert 8000 all from any to 10.2.2.10
>         ipfw add divert 8000 all from 10.2.2.10 to any
>         
>         On 6 Mar 2014 00:45, "Shirkdog" <shirkdog at gmail.com>
>         wrote:
>                 Do you have ipfw setup with the divert socket set to a
>                 port?
>                 
>                 On Mar 5, 2014 5:17 PM, "Özkan KIRIK"
>                 <ozkan.kirik at gmail.com> wrote:
>                         Hi,
>                         
>                         
>                         I'm using FreeBSD 10 with ipfw and ipdivert
>                         enabled.
>                         I tried suricata v.1.4.6, v1.4.7 and also
>                         2.0rc1.
>                         
>                         
>                         All versions throw this error sometimes:
>                         "<Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)]
>                         - Write to ipfw divert socket failed:
>                         Permission denied"
>                         After a while, the thread restart threshold is
>                         exceeded and suricata completely shuts down.
>                         
>                         
>                         I diverted only 1 host to suricata, but it
>                         still gives this error.
>                         
>                         
>                         It's strange. I inspected the source-ipfw.c
>                         file. The problem is with injecting the packet
>                         back to the divert socket.
>                         
>                         
>                         errno = 13 - EACCES.
>                         
>                         
>                         I saw that the SO_BROADCAST option was set on
>                         the socket.
>                         
>                         
>                         How can I debug this situation, or are there
>                         any solutions?
>                         
>                         
>                         Best regards
>                         

-- 
Eric Leblond <eric at regit.org>



