From owner-freebsd-ports-bugs@FreeBSD.ORG Wed Mar 26 19:00:02 2008
Message-Id: <20080326184406.D7AD917042@mb.tns.cz>
Date: Wed, 26 Mar 2008 19:44:06 +0100 (CET)
From: Martin Beran
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/122123: [patch] security/snort not working in inline mode

>Number: 122123
>Category: ports
>Synopsis: [patch] security/snort not working in inline mode
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Mar 26 19:00:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Martin Beran
>Release: FreeBSD 6.2-RELEASE-p4 i386
>Organization: Trusted Network Solutions, a. s.
>Environment:
System: FreeBSD mb.tns.cz 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #0: Sun Apr 29 22:31:25 CEST 2007 root@mb.tns.cz:/usr/obj/usr/src/sys/MB i386
>Description:
The current security/snort port

# $FreeBSD: ports/security/snort/Makefile,v 1.91 2007/10/05 01:48:34 clsung Exp $

does not support the inline (IPFW) mode of Snort operation, although the source code seems to provide it. The alternative port security/snort_inline is not a good substitute, because it cannot load recent rulesets from www.snort.org.
The attached patch makes several modifications to the port security/snort:

- adds an INLINE option to the port configuration
- enables inline IPFW mode via CONFIGURE_ARGS in the Makefile
- fixes the configure script to use libnet10-config instead of libnet-config
- fixes handling of termination signals in inline mode (the original code terminates only after reception of the next packet)
- fixes the "reject" action in inline mode (the original code fails with SIGSEGV)

It may be necessary to add the line

config checksum_mode: none

to /usr/local/etc/snort/snort.conf, because divert sockets return bad checksums for outgoing packets (as described in divert(4)).

Note: I managed to run snort in inline mode, but I have not done thorough testing of it.
>How-To-Repeat:
>Fix:
--- patch.txt begins here ---
diff -ruN snort.orig/Makefile snort/Makefile --- snort.orig/Makefile Fri Oct 5 03:48:34 2007 +++ snort/Makefile Wed Mar 26 11:14:20 2008 @@ -25,7 +25,8 @@ MYSQL "Enable MySQL support" off \ ODBC "Enable ODBC support" off \ POSTGRESQL "Enable PostgreSQL support" off \ - PRELUDE "Enable Prelude NIDS integration" off + PRELUDE "Enable Prelude NIDS integration" off \ + INLINE "Enable inline operation" on USE_RC_SUBR= snort.sh SUB_FILES= pkg-message @@ -47,6 +48,14 @@ .if ${OSVERSION} < 500036 EXTRA_PATCHES+= ${FILESDIR}/extra-patch-src-sf_snort_plugin_api.h +.endif + +.if !defined(WITHOUT_INLINE) +.if defined(WITHOUT_FLEXRESP) +.undef WITHOUT_FLEXRESP +.endif +WITH_FLEXRESP= yes +CONFIGURE_ARGS+= --enable-inline --enable-ipfw .endif .if defined(WITH_FLEXRESP) diff -ruN snort.orig/files/patch-configure snort/files/patch-configure --- snort.orig/files/patch-configure Thu Jan 1 01:00:00 1970 +++ snort/files/patch-configure Wed Mar 26 11:17:53 2008
@@ -0,0 +1,87 @@ +--- configure.orig Wed Mar 26 11:04:37 2008 ++++ configure Wed Mar 26 11:15:21 2008 +@@ -24768,8 +24768,8 @@ + exit 1 + + fi +- CFLAGS="${CFLAGS} `libnet-config --defines` `libnet-config --cflags`" +- LIBS="${LIBS} `libnet-config --libs`" ++ CFLAGS="${CFLAGS} `libnet10-config --defines` `libnet10-config --cflags`" ++ LIBS="${LIBS} `libnet10-config --libs`" + CPPFLAGS="${CPPFLAGS} -I${LIBNET_INC_DIR}" + echo "$as_me:$LINENO: result: $i" >&5 + echo "${ECHO_T}$i" >&6 +@@ -24793,7 +24793,7 @@ + # Check whether --enable-flexresp or --disable-flexresp was given. + if test "${enable_flexresp+set}" = set; then + enableval="$enable_flexresp" +- CPPFLAGS="${CPPFLAGS} -DENABLE_RESPONSE `libnet-config --defines --cflags`" LDFLAGS="${LDFLAGS} `libnet-config --libs`" ++ CPPFLAGS="${CPPFLAGS} -DENABLE_RESPONSE `libnet10-config --defines --cflags`" LDFLAGS="${LDFLAGS} `libnet10-config --libs`" + fi; + + +@@ -24804,14 +24804,14 @@ + exit + fi + +- if test `libnet-config --cflags | wc -c` = "1"; then ++ if test `libnet10-config --cflags | wc -c` = "1"; then + CPPFLAGS="${CPPFLAGS} -I/usr/local/include -I/sw/include" + LIBNET_CONFIG_BROKEN_CFLAGS=yes + fi + +- if test `libnet-config --libs | wc -c` = "1"; then +- { echo "$as_me:$LINENO: WARNING: libnet-config --libs is broken on your system. If you" >&5 +-echo "$as_me: WARNING: libnet-config --libs is broken on your system. If you" >&2;} ++ if test `libnet10-config --libs | wc -c` = "1"; then ++ { echo "$as_me:$LINENO: WARNING: libnet10-config --libs is broken on your system. If you" >&5 ++echo "$as_me: WARNING: libnet10-config --libs is broken on your system. If you" >&2;} + { echo "$as_me:$LINENO: WARNING: are using a precompiled package please notify the" >&5 + echo "$as_me: WARNING: are using a precompiled package please notify the" >&2;} + { echo "$as_me:$LINENO: WARNING: maintainer." 
>&5 +@@ -24991,7 +24991,7 @@ + libnet_dir="/usr/include /usr/local/include /sw/include" + fi + else +- libnet_dir=`libnet-config --cflags | cut -dI -f2` ++ libnet_dir=`libnet10-config --cflags | cut -dI -f2` + fi + + LIBNET_INC_DIR="" +@@ -25395,7 +25395,7 @@ + # Check whether --enable-react or --disable-react was given. + if test "${enable_react+set}" = set; then + enableval="$enable_react" +- CPPFLAGS="${CPPFLAGS} -DENABLE_REACT `libnet-config --defines --cflags`" LDFLAGS="${LDFLAGS} `libnet-config --libs`" ++ CPPFLAGS="${CPPFLAGS} -DENABLE_REACT `libnet10-config --defines --cflags`" LDFLAGS="${LDFLAGS} `libnet10-config --libs`" + fi; + + +@@ -25407,14 +25407,14 @@ + exit + fi + +- if test `libnet-config --cflags | wc -c` = "1"; then ++ if test `libnet10-config --cflags | wc -c` = "1"; then + CPPFLAGS="${CPPFLAGS} -I/usr/local/include -I/sw/include" + LIBNET_CONFIG_BROKEN_CFLAGS=yes + fi + +- if test `libnet-config --libs | wc -c` = "1"; then +- { echo "$as_me:$LINENO: WARNING: libnet-config --libs is broken on your system. If you" >&5 +-echo "$as_me: WARNING: libnet-config --libs is broken on your system. If you" >&2;} ++ if test `libnet10-config --libs | wc -c` = "1"; then ++ { echo "$as_me:$LINENO: WARNING: libnet10-config --libs is broken on your system. If you" >&5 ++echo "$as_me: WARNING: libnet10-config --libs is broken on your system. If you" >&2;} + { echo "$as_me:$LINENO: WARNING: are using a precompiled package please notify the" >&5 + echo "$as_me: WARNING: are using a precompiled package please notify the" >&2;} + { echo "$as_me:$LINENO: WARNING: maintainer." 
>&5 +@@ -25594,7 +25594,7 @@ + libnet_dir="/usr/include /usr/local/include /sw/include" + fi + else +- libnet_dir=`libnet-config --cflags | cut -dI -f2` ++ libnet_dir=`libnet10-config --cflags | cut -dI -f2` + fi + + LIBNET_INC_DIR="" diff -ruN snort.orig/files/patch-inline.c snort/files/patch-inline.c --- snort.orig/files/patch-inline.c Thu Jan 1 01:00:00 1970 +++ snort/files/patch-inline.c Wed Mar 26 18:23:32 2008 @@ -0,0 +1,35 @@ +--- src/inline.c.orig Wed Mar 26 13:32:12 2008 ++++ src/inline.c Wed Mar 26 13:51:47 2008 +@@ -366,8 +366,12 @@ + + if (select(32, &fdset, (fd_set *)NULL, (fd_set *)NULL, (struct timeval *)NULL) == -1) + { +- printf("select failed"); +- continue; ++ if (errno == EINTR) ++ sig_check(); ++ else { ++ printf("select failed\n"); ++ continue; ++ } + } + + if (FD_ISSET(s, &fdset)) +@@ -378,7 +382,7 @@ + { + if (errno != EINTR) + { +- printf("IpfwLoop: read from divert socket failed"); ++ printf("IpfwLoop: read from divert socket failed\n"); + continue; + } + } +@@ -396,7 +400,7 @@ + { + if (sendto(s, pkt, pktlen, 0,(struct sockaddr *)&sin, sinlen) == -1) + { +- printf("IpfwLoop: write to divert socket failed"); ++ printf("IpfwLoop: write to divert socket failed\n"); + } + } + } /* end if */ diff -ruN snort.orig/files/patch-snort.c snort/files/patch-snort.c --- snort.orig/files/patch-snort.c Thu Jan 1 01:00:00 1970 +++ snort/files/patch-snort.c Wed Mar 26 18:24:05 2008 @@ -0,0 +1,18 @@ +--- src/snort.c.orig Wed Mar 26 18:18:36 2008 ++++ src/snort.c Wed Mar 26 18:18:40 2008 +@@ -825,7 +825,6 @@ + SnortEventqInit(); + + #ifdef GIDS +-#ifndef IPFW + if (InlineMode()) + { + if (!(pv.test_mode_flag && pv.disable_inline_init_flag)) +@@ -833,7 +832,6 @@ + InitInlinePostConfig(); + } + } +-#endif /* IPFW */ + #endif /* GIDS */ + } + --- patch.txt ends here --- >Release-Note: >Audit-Trail: >Unformatted:
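Review bot: in the first Makefile hunk (@@ -25,7 +25,8 @@), the new OPTIONS entry `INLINE "Enable inline operation" on` turns a mode on by default that the description itself says has not been thoroughly tested; because the option also forces FLEXRESP with its libnet dependency and adds `--enable-inline --enable-ipfw` to every default build, it should default to off until inline operation has been exercised on the supported releases.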
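Review bot: in the second Makefile hunk (@@ -47,6 +48,14 @@), the `.if !defined(WITHOUT_INLINE)` block silently overrides an explicit user choice: it does `.undef WITHOUT_FLEXRESP` and then `WITH_FLEXRESP= yes`, so a user who deselected FLEXRESP in the OPTIONS dialog gets it anyway with no message. Prefer failing with an explanatory IGNORE (or at least printing a message) when INLINE is on and FLEXRESP is off, and state the dependency in the INLINE option description.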
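Review bot: files/patch-configure rewrites every `libnet-config` in the generated configure script to `libnet10-config`, but no visible Makefile hunk adds a dependency that guarantees libnet10-config is installed; confirm that the existing WITH_FLEXRESP block (not shown) pulls in the libnet 1.0 port, otherwise a clean build reaches the "libnet10-config --libs is broken on your system" warning. The same substitution is repeated in two near-identical flexresp/react blocks (around lines 24793-24804 and 25395-25407), so an 87-line patch against a generated file is fragile; a `${REINPLACE_CMD}` substitution on configure in a post-patch target would express the same change in one place.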
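Review bot: in the first files/patch-inline.c hunk (@@ -366,8 +366,12 @@), when `sig_check()` returns because the signal was not a terminating one, control falls through to `if (FD_ISSET(s, &fdset))` even though select() failed and did not populate the set, so the loop proceeds to read() from the divert socket and blocks until the next packet, which is exactly the behaviour the patch is meant to fix. Add a `continue;` after the `sig_check();` call so that EINTR means "check signals, then select again". The diagnostics in these hunks still go to stdout via printf; that is pre-existing, but since the patch touches those lines anyway they could be routed through Snort's own error logging.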
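Review bot: files/patch-snort.c removes the `#ifndef IPFW` / `#endif /* IPFW */` guards around the InitInlinePostConfig() call without saying why; the description attributes the reject SIGSEGV to inline mode, and skipping post-config inline initialisation for IPFW builds is the likely cause, but a one-line comment at the top of the patch file stating that would keep the next maintainer from re-adding the guard. Also confirm that InitInlinePostConfig() has no dependency on the non-IPFW inline code path that made the exclusion necessary in the first place.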