[Oisf-users] De-queuing suricata at shutdown

[James Moe]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,
  suricata v2.0.8
  linux 3.16.7-24-desktop x86_64

  Suricata is running in IPS mode. It is started after creating a
queue for NFQUEUE. This works fine.
  At shutdown, however, suricata is stopped but the queue is still in
place blocking the packet stream, and stalling shutdown.
  Is there a recommended way of stopping suricata and removing the
queue automatically at shutdown?


- ----[ the start/stop scripts ]----
GO_IPS=1;
Q_INP="INPUT  -j NFQUEUE";
Q_OUT="OUTPUT -j NFQUEUE";

if [ 0 -eq $GO_IPS ]
then
    # if monitor only mode:
    OPT4="-i eth0";   # Run in PCAP mode
else
    # if NFQ mode:
    OPT4="-q 0";        # Run in NFQ mode using queue 0
fi

suri_start () {
    CMD="${SURI} ${OPT3} ${OPT2} ${OPT1} ${OPT4}"

    ethtool --features eth0 rx off
    ethtool --features eth0 gro off
    ethtool --offload eth0 rx off tx off

    if [ 0 -ne $GO_IPS ]
    then
	iptables -I ${Q_INP}
        iptables -I ${Q_OUT}
    fi

    # rm ${LOG}/unified*
    ${CMD} > ${LOG}/verbose.log &
    echo "Return value [$?]";
    echo ${CMD}
}

suri_stop () {
    CMD="No PID found";
    if [ -f ${PID} ]
    then
        CMD="/usr/bin/kill -TERM $(cat ${PID})"
        ${CMD}
        rm ${PID}
    fi
    echo ${CMD}

    if [ 0 -ne $GO_IPS ]
    then
        iptables -D ${Q_INP}
	iptables -D ${Q_OUT}
    fi
}


- -- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlX1uHYACgkQzTcr8Prq0ZNJ1gCghVSkYZPjtriRha8qeOKBE1/e
tIoAni0GnztLAcQ5Sq1lpo2ZxokAimTg
=x03D
-----END PGP SIGNATURE-----