security/suricata: Update to 6.0.4

While here pet portfmt. Changes: https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942 PR: 260250 Approved by: 0mp (mentor) MFH: 2021Q4 Differential Revision: https://reviews.freebsd.org/D33335
2021-12-08 15:56:50 +01:00 · 2021-12-08 15:56:50 +01:00 · 3571a07d68
commit 3571a07d68
parent a367a9d74e
5 changed files with 42 additions and 181 deletions
--- a/security/suricata/Makefile
+++ b/security/suricata/Makefile
@ -1,6 +1,5 @@
 PORTNAME=	suricata
-DISTVERSION=	6.0.3
-PORTREVISION=	5
+DISTVERSION=	6.0.4
 CATEGORIES=	security
 MASTER_SITES=	https://www.openinfosecfoundation.org/download/

@ -12,44 +11,44 @@ LICENSE_FILE=	${WRKSRC}/LICENSE

 BUILD_DEPENDS=	rustc:lang/${RUST_DEFAULT}
 LIB_DEPENDS=	libjansson.so:devel/jansson \
-		libpcre.so:devel/pcre \
-		libnet.so:net/libnet \
 		liblz4.so:archivers/liblz4 \
+		libnet.so:net/libnet \
+		libpcre.so:devel/pcre \
 		libyaml.so:textproc/libyaml

-USES=		autoreconf cpe gmake iconv:translit libtool localbase \
-		pathfix pkgconfig
+USES=		autoreconf cpe gmake iconv:translit libtool localbase pathfix \
+		pkgconfig

 CPE_VENDOR=	openinfosecfoundation

 USE_LDCONFIG=	yes
 USE_RC_SUBR=	${PORTNAME}

-GNU_CONFIGURE=	yes
-CONFIGURE_ARGS+=--enable-gccprotect \
-		--enable-bundled-htp \
-	        --disable-gccmarch-native
-MAKE_ENV=	RUSTFLAGS="${RUSTFLAGS} -C linker=${CC:Q} ${LDFLAGS:C/.+/-C link-arg=&/}"
+GNU_CONFIGURE=		yes
+CONFIGURE_ARGS+=	--disable-gccmarch-native \
+			--enable-bundled-htp \
+			--enable-gccprotect
+MAKE_ENV=		RUSTFLAGS="${RUSTFLAGS} -C linker=${CC:Q} ${LDFLAGS:C/.+/-C link-arg=&/}"

-INSTALL_TARGET=		install-strip
-TEST_TARGET=		check
+INSTALL_TARGET=	install-strip
+TEST_TARGET=	check

 CONFLICTS_INSTALL=	libhtp

 SUB_FILES=	pkg-message
 PLIST_SUB=	PORTVERSION=${DISTVERSION:C/-/_/g}

-OPTIONS_DEFINE=		GEOIP IPFW NETMAP NSS PORTS_PCAP PRELUDE \
-			PYTHON REDIS TESTS
+OPTIONS_DEFINE=		GEOIP IPFW NETMAP NSS PORTS_PCAP PRELUDE PYTHON REDIS \
+			TESTS
 OPTIONS_DEFINE_amd64=	HYPERSCAN
 OPTIONS_DEFAULT=	IPFW NETMAP PYTHON

 OPTIONS_RADIO=		SCRIPTS
 OPTIONS_RADIO_SCRIPTS=	LUA LUAJIT

-OPTIONS_SUB=		yes
+OPTIONS_SUB=	yes

-PRELUDE_BROKEN=		Compilation broken, see https://redmine.openinfosecfoundation.org/issues/4065
+PRELUDE_BROKEN=	Compilation broken, see https://redmine.openinfosecfoundation.org/issues/4065

 GEOIP_DESC=		GeoIP support
 HYPERSCAN_DESC=		Hyperscan support
@ -65,32 +64,33 @@ REDIS_DESC=		Redis output support
 SCRIPTS_DESC=		Scripting
 TESTS_DESC=		Unit tests in suricata binary

-GEOIP_LIB_DEPENDS=		libmaxminddb.so:net/libmaxminddb
-GEOIP_CONFIGURE_ON=		--enable-geoip
+GEOIP_LIB_DEPENDS=	libmaxminddb.so:net/libmaxminddb
+GEOIP_CONFIGURE_ON=	--enable-geoip

-HYPERSCAN_LIB_DEPENDS=		libhs.so:devel/hyperscan
+HYPERSCAN_LIB_DEPENDS=	libhs.so:devel/hyperscan

-IPFW_CONFIGURE_ON=		--enable-ipfw
+IPFW_CONFIGURE_ON=	--enable-ipfw

-LUAJIT_LIB_DEPENDS=		libluajit-5.1.so:lang/luajit-openresty
-LUAJIT_CONFIGURE_ON=		--enable-luajit
+LUAJIT_LIB_DEPENDS=	libluajit-5.1.so:lang/luajit-openresty
+LUAJIT_CONFIGURE_ON=	--enable-luajit

-LUA_USES=			lua:51
-LUA_CONFIGURE_ON=		--enable-lua
+LUA_USES=		lua:51
+LUA_CONFIGURE_ON=	--enable-lua

 NETMAP_CONFIGURE_ENABLE=	netmap

-NSS_LIB_DEPENDS=		libnss3.so:security/nss \
-				libnspr4.so:devel/nspr
-NSS_CONFIGURE_OFF=		--disable-nss --disable-nspr
+NSS_LIB_DEPENDS=	libnspr4.so:devel/nspr \
+			libnss3.so:security/nss
+NSS_CONFIGURE_OFF=	--disable-nspr \
+			--disable-nss

-PORTS_PCAP_LIB_DEPENDS=		libpcap.so.1:net/libpcap
+PORTS_PCAP_LIB_DEPENDS=	libpcap.so.1:net/libpcap

-PRELUDE_LIB_DEPENDS=		libprelude.so:security/libprelude \
+PRELUDE_LIB_DEPENDS=		libgcrypt.so:security/libgcrypt \
 				libgnutls.so:security/gnutls \
-				libgcrypt.so:security/libgcrypt \
 				libgpg-error.so:security/libgpg-error \
-				libltdl.so:devel/libltdl
+				libltdl.so:devel/libltdl \
+				libprelude.so:security/libprelude
 PRELUDE_CONFIGURE_ON=		--with-libprelude-prefix=${LOCALBASE}
 PRELUDE_CONFIGURE_ENABLE=	prelude

@ -100,11 +100,10 @@ PYTHON_USES=			python
 PYTHON_USE=			PYTHON=py3kplist
 PYTHON_CONFIGURE_ENABLE=	python

-REDIS_LIB_DEPENDS=		libhiredis.so:databases/hiredis \
-				libevent_pthreads.so:devel/libevent
-REDIS_CONFIGURE_ON=		--enable-hiredis \
-
-TESTS_CONFIGURE_ENABLE=		unittests
+REDIS_LIB_DEPENDS=	libevent_pthreads.so:devel/libevent \
+			libhiredis.so:databases/hiredis
+REDIS_CONFIGURE_ON=	--enable-hiredis
+TESTS_CONFIGURE_ENABLE=	unittests

 pre-patch:
 	@${CP} ${FILESDIR}/ax_check_compile_flag.m4 ${WRKSRC}/m4
--- a/security/suricata/distinfo
+++ b/security/suricata/distinfo
@ -1,3 +1,3 @@
-TIMESTAMP = 1628041281
-SHA256 (suricata-6.0.3.tar.gz) = daf134bb2d7c980035e9ae60f7aaf313323a809340009f26e48110ccde81f602
-SIZE (suricata-6.0.3.tar.gz) = 32421197
+TIMESTAMP = 1637246038
+SHA256 (suricata-6.0.4.tar.gz) = a8f197e33d1678689ebbf7bc1abe84934c465d22c504c47c2c7e9b74aa042d0d
+SIZE (suricata-6.0.4.tar.gz) = 32498036
--- a/security/suricata/files/patch-3c53a1601
+++ b/security/suricata/files/patch-3c53a1601
@ -1,78 +0,0 @@
-From 3c53a1601b6f861f8b7f0cd0984b18e78291fe85 Mon Sep 17 00:00:00 2001
-From: Victor Julien <victor@inliniac.net>
-Date: Wed, 18 Aug 2021 20:14:48 +0200
-Subject: [PATCH] threading: don't pass locked flow between threads
-
-Previously the flow manager would share evicted flows with the workers
-while keeping the flows mutex locked. This reduced the number of unlock/
-lock cycles while there was guaranteed to be no contention.
-
-This turns out to be undefined behavior. A lock is supposed to be locked
-and unlocked from the same thread. It appears that FreeBSD is stricter on
-this than Linux.
-
-This patch addresses the issue by unlocking before handing a flow off
-to another thread, and locking again from the new thread.
-
-Issue was reported and largely analyzed by Bill Meeks.
-
-Bug: #4478
-(cherry picked from commit 9551cd05357925e8bec8e0030d5f98fd07f17839)
---
- src/flow-hash.c    | 1 +
- src/flow-manager.c | 2 +-
- src/flow-timeout.c | 1 +
- src/flow-worker.c  | 1 +
- 4 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/flow-hash.c b/src/flow-hash.c
-index ebbd836e81a..760bc53e0a8 100644
--- src/flow-hash.c
-+++ src/flow-hash.c
-@@ -669,6 +669,7 @@ static inline void MoveToWorkQueue(ThreadVars *tv, FlowLookupStruct *fls,
-         f->fb = NULL;
-         f->next = NULL;
-         FlowQueuePrivateAppendFlow(&fls->work_queue, f);
-+        FLOWLOCK_UNLOCK(f);
-     } else {
-         /* implied: TCP but our thread does not own it. So set it
-          * aside for the Flow Manager to pick it up. */
-diff --git a/src/flow-manager.c b/src/flow-manager.c
-index d58a49637d6..9228c88490c 100644
--- src/flow-manager.c
-+++ src/flow-manager.c
-@@ -333,9 +333,9 @@ static uint32_t ProcessAsideQueue(FlowManagerTimeoutThread *td, FlowTimeoutCount
-                 FlowForceReassemblyNeedReassembly(f) == 1)
-         {
-             FlowForceReassemblyForFlow(f);
-+            FLOWLOCK_UNLOCK(f);
-             /* flow ownership is passed to the worker thread */
- 
-            /* flow remains locked */
-             counters->flows_aside_needs_work++;
-             continue;
-         }
-diff --git a/src/flow-timeout.c b/src/flow-timeout.c
-index 972b35076bd..d6cca490087 100644
--- src/flow-timeout.c
-+++ src/flow-timeout.c
-@@ -401,6 +401,7 @@ static inline void FlowForceReassemblyForHash(void)
-                 RemoveFromHash(f, prev_f);
-                 f->flow_end_flags |= FLOW_END_FLAG_SHUTDOWN;
-                 FlowForceReassemblyForFlow(f);
-+                FLOWLOCK_UNLOCK(f);
-                 f = next_f;
-                 continue;
-             }
-diff --git a/src/flow-worker.c b/src/flow-worker.c
-index 69dbb6ac575..dccf3581dd5 100644
--- src/flow-worker.c
-+++ src/flow-worker.c
-@@ -168,6 +168,7 @@ static void CheckWorkQueue(ThreadVars *tv, FlowWorkerThreadData *fw,
- {
-     Flow *f;
-     while ((f = FlowQueuePrivateGetFromTop(fq)) != NULL) {
-+        FLOWLOCK_WRLOCK(f);
-         f->flow_end_flags |= FLOW_END_FLAG_TIMEOUT; //TODO emerg
- 
-         const FlowStateType state = f->flow_state;
--- a/security/suricata/files/patch-powerpc
+++ b/security/suricata/files/patch-powerpc
@ -1,62 +0,0 @@
--- rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/mod.rs.orig	2020-03-17 20:35:43 UTC
-+++ rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/mod.rs
-@@ -1486,6 +1486,9 @@ cfg_if! {
-     } else if #[cfg(target_arch = "powerpc64")] {
-         mod powerpc64;
-         pub use self::powerpc64::*;
-+    } else if #[cfg(target_arch = "powerpc")] {
-+        mod powerpc;
-+        pub use self::powerpc::*;
-     } else {
-         // Unknown target_arch
-     }
--- rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/powerpc.rs.orig	2021-06-23 22:40:24 UTC
-+++ rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/powerpc.rs
-@@ -0,0 +1,47 @@
-+pub type c_char = u8;
-+pub type c_long = i32;
-+pub type c_ulong = u32;
-+pub type wchar_t = i32;
-+pub type time_t = i64;
-+pub type suseconds_t = i32;
-+pub type register_t = i32;
-+
-+s! {
-+    pub struct stat {
-+        pub st_dev: ::dev_t,
-+        pub st_ino: ::ino_t,
-+        pub st_mode: ::mode_t,
-+        pub st_nlink: ::nlink_t,
-+        pub st_uid: ::uid_t,
-+        pub st_gid: ::gid_t,
-+        pub st_rdev: ::dev_t,
-+        pub st_atime: ::time_t,
-+        pub st_atime_nsec: ::c_long,
-+        pub st_mtime: ::time_t,
-+        pub st_mtime_nsec: ::c_long,
-+        pub st_ctime: ::time_t,
-+        pub st_ctime_nsec: ::c_long,
-+        pub st_size: ::off_t,
-+        pub st_blocks: ::blkcnt_t,
-+        pub st_blksize: ::blksize_t,
-+        pub st_flags: ::fflags_t,
-+        pub st_gen: u32,
-+        pub st_lspare: i32,
-+        pub st_birthtime: ::time_t,
-+        pub st_birthtime_nsec: ::c_long,
-+    }
-+}
-+
-+// should be pub(crate), but that requires Rust 1.18.0
-+cfg_if! {
-+    if #[cfg(libc_const_size_of)] {
-+        #[doc(hidden)]
-+        pub const _ALIGNBYTES: usize = ::mem::size_of::<::c_int>() - 1;
-+    } else {
-+        #[doc(hidden)]
-+        pub const _ALIGNBYTES: usize = 4 - 1;
-+    }
-+}
-+
-+pub const MAP_32BIT: ::c_int = 0x00080000;
-+pub const MINSIGSTKSZ: ::size_t = 2048; // 512 * 4
--- a/security/suricata/pkg-plist
+++ b/security/suricata/pkg-plist
@ -136,7 +136,7 @@ man/man1/suricata.1.gz
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/util.pyc
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.py
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.pyc
-%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata_update-1.2.2-py%%PYTHON_VER%%.egg-info
+%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata_update-1.2.3-py%%PYTHON_VER%%.egg-info
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.py
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.pyc
 %%DATADIR%%/rules/app-layer-events.rules
@ -146,9 +146,11 @@ man/man1/suricata.1.gz
 %%DATADIR%%/rules/dns-events.rules
 %%DATADIR%%/rules/files.rules
 %%DATADIR%%/rules/http-events.rules
+%%DATADIR%%/rules/http2-events.rules
 %%DATADIR%%/rules/ipsec-events.rules
 %%DATADIR%%/rules/kerberos-events.rules
 %%DATADIR%%/rules/modbus-events.rules
+%%DATADIR%%/rules/mqtt-events.rules
 %%DATADIR%%/rules/nfs-events.rules
 %%DATADIR%%/rules/ntp-events.rules
 %%DATADIR%%/rules/smb-events.rules