[Oisf-users] [Oisf-devel] Suricata - Write to ipfw divert socket failed
Shirkdog
shirkdog at gmail.com
Thu Mar 6 17:24:19 UTC 2014
I normally treat the divert as first in the chain (as a single rule)
ipfw add 100 divert 8000 all from any to any not layer2
I am not sure how even FreeBSD 10 will work with having two divert
rules. It should be a short circuit to detection; if all is well, the
packet is evaluated by the rest of the rules.
---
Michael Shirk
On Thu, Mar 6, 2014 at 3:48 AM, Özkan KIRIK <ozkan.kirik at gmail.com> wrote:
> Hi Eric,
>
> I added a printf into source-ipfw.c line 557.
>
> PrintInet(AF_INET, (const void *) GET_IPV4_SRC_ADDR_PTR(p), srcip, srcip_len);
> PrintInet(AF_INET, (const void *) GET_IPV4_DST_ADDR_PTR(p), dstip, dstip_len);
> printf( "fd: %d, data_p: %p, length: %u ", nq->fd, GET_PKT_DATA(p), GET_PKT_LEN(p) );
> printf( "src ip : %s ", srcip );
> printf( "dst ip : %s\n", dstip );
>
> But I saw that these packets are routable packets. I don't think that the
> problem is about non-routable packets.
>
> fd: 7, data_p: 0x8045ce578, length: 95 src ip : 10.2.2.10 dst ip : 92.83.122.63
> 6/3/2014 -- 10:41:24 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
> 6/3/2014 -- 10:41:24 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 9118, dropped 3
> 6/3/2014 -- 10:41:24 - <Info> - thread "Verdict0" restarted
> fd: 7, data_p: 0x8045eeb78, length: 58 src ip : 10.2.2.10 dst ip : 116.193.135.211
> 6/3/2014 -- 10:41:24 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
> 6/3/2014 -- 10:41:24 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 35, dropped 0
> 6/3/2014 -- 10:41:24 - <Info> - thread "Verdict0" restarted
> fd: 7, data_p: 0x8044cc378, length: 58 src ip : 10.2.2.10 dst ip : 220.255.54.21
> 6/3/2014 -- 10:41:43 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
> 6/3/2014 -- 10:41:43 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 8877, dropped 0
> 6/3/2014 -- 10:41:43 - <Info> - thread "Verdict0" restarted
> fd: 7, data_p: 0x8044cd178, length: 58 src ip : 10.2.2.10 dst ip : 220.255.1.178
> 6/3/2014 -- 10:41:43 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
> 6/3/2014 -- 10:41:43 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 1, dropped 0
> 6/3/2014 -- 10:41:43 - <Info> - thread "Verdict0" restarted
> fd: 7, data_p: 0x8044cdf78, length: 58 src ip : 10.2.2.10 dst ip : 223.29.197.237
> 6/3/2014 -- 10:41:43 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
> 6/3/2014 -- 10:41:43 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 1, dropped 0
> 6/3/2014 -- 10:41:43 - <Info> - thread "Verdict0" restarted
> fd: 7, data_p: 0x8044ced78, length: 58 src ip : 10.2.2.10 dst ip : 109.161.142.206
> 6/3/2014 -- 10:41:43 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
> 6/3/2014 -- 10:41:43 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 1, dropped 0
> 6/3/2014 -- 10:41:43 - <Info> - thread "Verdict0" restarted
> fd: 7, data_p: 0x8044cfb78, length: 58 src ip : 10.2.2.10 dst ip : 110.175.191.10
> 6/3/2014 -- 10:41:43 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
> 6/3/2014 -- 10:41:43 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 1, dropped 0
> 6/3/2014 -- 10:41:43 - <Info> - thread "Verdict0" restarted
> fd: 7, data_p: 0x8044d0978, length: 58 src ip : 10.2.2.10 dst ip : 110.74.201.253
> 6/3/2014 -- 10:41:43 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
> 6/3/2014 -- 10:41:43 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 1, dropped 0
> 6/3/2014 -- 10:41:43 - <Info> - thread "Verdict0" restarted
> fd: 7, data_p: 0x8044d1778, length: 58 src ip : 10.2.2.10 dst ip : 110.175.99.68
> 6/3/2014 -- 10:41:43 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
> 6/3/2014 -- 10:41:43 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 1, dropped 0
> 6/3/2014 -- 10:41:43 - <Info> - thread "Verdict0" restarted
> fd: 7, data_p: 0x8044c2978, length: 60 src ip : 10.2.2.10 dst ip : 224.0.0.252
> 6/3/2014 -- 10:41:53 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
> 6/3/2014 -- 10:41:53 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 6114, dropped 0
> 6/3/2014 -- 10:41:53 - <Info> - thread "Verdict0" restarted
>
> On Thu, Mar 6, 2014 at 9:17 AM, Özkan KIRIK <ozkan.kirik at gmail.com> wrote:
>>
>> ipfw -ad list
>>
>> 00004 0 0 deny ip from any to any MAC e8:03:9a:0f:74:7b any
>> 00005 63668675 49628511386 allow ip from any to any layer2
>> 00100 25849 4724396 divert 8000 all from any to 10.2.2.10 not layer2
>> 00200 26579 5122809 divert 8000 all from 10.2.2.10 to any not layer2
>> 00300 365312 25436015 skipto 600 udp from any to any dst-port 53,1812
>> 00400 334817 71431398 skipto 600 udp from any 53,1812 to any
>> 00500 77815 5612395 deny udp from any to any
>> 00600 4928083 1457516245 nat tablearg ip from table(10) to any via igb1 // VLAN NAT
>> 00600 13655296 16815414254 nat tablearg ip from any to table(11) via igb1 // VLAN NAT
>> ##Dynamic rules:
>>
>> On Thu, Mar 6, 2014 at 1:02 AM, Eric Leblond <eric at regit.org> wrote:
>>>
>>> Hi,
>>>
>>> On Thu, 2014-03-06 at 00:55 +0200, Özkan KIRIK wrote:
>>> > I tried to compile both clang and gcc. Result was same.
>>> >
>>> > This error appears sometimes. Not for all packets.
>>> >
>>> > There is only one rule : pass ip any any -> any any
>>>
>>> There is an old memory coming back to me. Not sure, but I think this is
>>> linked with a non-routable packet reaching the filter (a packet going to the
>>> box, for example). And there is a failure at reinject because the packet
>>> can't be sent.
>>>
>>> BR,
>>>
>>> >
>>> >
>>> > On 6 Mar 2014 00:49, "Özkan KIRIK" <ozkan.kirik at gmail.com> wrote:
>>> > Hi,
>>> >
>>> > I was running suricata with these arguments;
>>> >
>>> > suricata -vv -d 8000
>>> >
>>> > ipfw add divert 8000 all from any to 10.2.2.10
>>> > ipfw add divert 8000 all from 10.2.2.10 to any
>>> >
>>> > On 6 Mar 2014 00:45, "Shirkdog" <shirkdog at gmail.com> wrote:
>>> > Do you have ipfw set up with the divert socket set to a port?
>>> >
>>> > On Mar 5, 2014 5:17 PM, "Özkan KIRIK" <ozkan.kirik at gmail.com> wrote:
>>> > Hi,
>>> >
>>> > I'm using FreeBSD 10 with ipfw and ipdivert enabled.
>>> > I tried suricata v1.4.6, v1.4.7 and also 2.0rc1.
>>> >
>>> > All versions throw this error sometimes:
>>> > "<Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied"
>>> > After a while, the thread restart threshold is exceeded and suricata completely shuts down.
>>> >
>>> > I diverted only 1 host to suricata. But it still gives this error.
>>> >
>>> > It's strange. I inspected the source-ipfw.c file. The problem is about injecting the packet back to the divert socket.
>>> >
>>> > errno = 13 - EACCES.
>>> >
>>> > I saw that the SO_BROADCAST option was set on the socket.
>>> >
>>> > How can I debug this situation, or are there any solutions?
>>> >
>>> > Best regards
>>> > _______________________________________________
>>> > Suricata IDS Users mailing list:
>>> > oisf-users at openinfosecfoundation.org
>>> > Site: http://suricata-ids.org | Support:
>>> > http://suricata-ids.org/support/
>>> > List:
>>> >
>>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> > OISF: http://www.openinfosecfoundation.org/
>>> > _______________________________________________
>>> > Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
>>> > Site: http://suricata-ids.org | Participate:
>>> > http://suricata-ids.org/participate/
>>> > List:
>>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>> > Redmine: https://redmine.openinfosecfoundation.org/
>>>
>>> --
>>> Eric Leblond <eric at regit.org>
>>>
>>
>
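The thread never gets past eyeballing the debug output, so here is an added triage helper (not part of the thread, not Suricata code) that does the pairing mechanically: it reads the kind of output Özkan pasted (the custom "fd: ... src ip : ... dst ip : ..." printf line, the following SC_WARN_IPFW_XMIT warning and the "thread ... restarted" notice), attaches each failed reinject to the packet that triggered it, classifies the destination address (private, multicast, loopback, global) and counts restarts per verdict thread. That lets Eric's "non-routable packet" hypothesis be checked against all failures rather than a handful, and shows how close the verdict thread is to its restart threshold. The regexes are written against the printf format in the message and the log format shown above; the sample log is constructed from those lines.

```python
"""Triage of Suricata ipfw divert reinject failures from its log output.

Added example for this thread, not Suricata's own code. Assumes the
line formats visible in the thread: the debug printf added to
source-ipfw.c ("fd: %d, data_p: %p, length: %u src ip : %s dst ip : %s")
immediately precedes Suricata's SC_WARN_IPFW_XMIT warning for that packet.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample, modelled on the lines posted in the thread.
SAMPLE_LOG = """\
fd: 7, data_p: 0x8045ce578, length: 95 src ip : 10.2.2.10 dst ip : 92.83.122.63
6/3/2014 -- 10:41:24 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
6/3/2014 -- 10:41:24 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 9118, dropped 3
6/3/2014 -- 10:41:24 - <Info> - thread "Verdict0" restarted
fd: 7, data_p: 0x8045eeb78, length: 58 src ip : 10.2.2.10 dst ip : 116.193.135.211
6/3/2014 -- 10:41:24 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
6/3/2014 -- 10:41:24 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 35, dropped 0
6/3/2014 -- 10:41:24 - <Info> - thread "Verdict0" restarted
fd: 7, data_p: 0x8044c2978, length: 60 src ip : 10.2.2.10 dst ip : 224.0.0.252
6/3/2014 -- 10:41:53 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
6/3/2014 -- 10:41:53 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 6114, dropped 0
6/3/2014 -- 10:41:53 - <Info> - thread "Verdict0" restarted
"""

# The debug printf line: fd, packet length, source and destination address.
PKT_RE = re.compile(r"^fd: (\d+), .*length: (\d+) src ip : (\S+) dst ip : (\S+)$")
# Suricata's reinject warning; the trailing text is strerror(errno).
XMIT_RE = re.compile(r"SC_WARN_IPFW_XMIT\(\d+\)\] - Write to ipfw divert socket failed: (.+)$")
# Verdict thread restart notice, one per failed write.
RESTART_RE = re.compile(r'thread "([^"]+)" restarted$')


def classify(addr):
    """Bucket an address so 'routable vs. not' can be counted, not guessed."""
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        return "multicast"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "global"


def triage(log_text):
    """Pair each failed reinject with the packet that caused it.

    Returns the list of failures (fd, length, src, dst, errstr), a count of
    failures per destination class, and restarts per verdict thread.
    """
    failures = []
    restarts = Counter()
    pending = None  # last debug line not yet matched to a warning
    for line in log_text.splitlines():
        m = PKT_RE.match(line)
        if m:
            pending = {"fd": int(m.group(1)), "length": int(m.group(2)),
                       "src": m.group(3), "dst": m.group(4)}
            continue
        m = XMIT_RE.search(line)
        if m:
            if pending is not None:
                failures.append(dict(pending, errstr=m.group(1)))
                pending = None
            continue
        m = RESTART_RE.search(line)
        if m:
            restarts[m.group(1)] += 1
    by_class = Counter(classify(f["dst"]) for f in failures)
    return {"failures": failures,
            "by_dst_class": dict(by_class),
            "restarts": dict(restarts)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for f in report["failures"]:
        print(f"{f['src']} -> {f['dst']} ({classify(f['dst'])}, "
              f"{f['length']} bytes): {f['errstr']}")
    print("failures by destination class:", report["by_dst_class"])
    print("restarts per thread:", report["restarts"])
```

Run it against a real suricata.log captured with the same printf in place; if the "global" bucket dominates, as it does for the posted sample, the failures are not explained by non-routable destinations alone, and the multicast entry (224.0.0.252 in the sample) is the one place where the SO_BROADCAST remark in the first message becomes worth following up.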