security/suricata: Update to 6.0.4
While here pet portfmt. Changes: https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942 PR: 260250 Approved by: 0mp (mentor) MFH: 2021Q4 Differential Revision: https://reviews.freebsd.org/D33335
parent
a367a9d74e
commit
3571a07d68
|
@ -1,6 +1,5 @@
|
|||
PORTNAME= suricata
|
||||
DISTVERSION= 6.0.3
|
||||
PORTREVISION= 5
|
||||
DISTVERSION= 6.0.4
|
||||
CATEGORIES= security
|
||||
MASTER_SITES= https://www.openinfosecfoundation.org/download/
|
||||
|
||||
|
@ -12,44 +11,44 @@ LICENSE_FILE= ${WRKSRC}/LICENSE
|
|||
|
||||
BUILD_DEPENDS= rustc:lang/${RUST_DEFAULT}
|
||||
LIB_DEPENDS= libjansson.so:devel/jansson \
|
||||
libpcre.so:devel/pcre \
|
||||
libnet.so:net/libnet \
|
||||
liblz4.so:archivers/liblz4 \
|
||||
libnet.so:net/libnet \
|
||||
libpcre.so:devel/pcre \
|
||||
libyaml.so:textproc/libyaml
|
||||
|
||||
USES= autoreconf cpe gmake iconv:translit libtool localbase \
|
||||
pathfix pkgconfig
|
||||
USES= autoreconf cpe gmake iconv:translit libtool localbase pathfix \
|
||||
pkgconfig
|
||||
|
||||
CPE_VENDOR= openinfosecfoundation
|
||||
|
||||
USE_LDCONFIG= yes
|
||||
USE_RC_SUBR= ${PORTNAME}
|
||||
|
||||
GNU_CONFIGURE= yes
|
||||
CONFIGURE_ARGS+=--enable-gccprotect \
|
||||
--enable-bundled-htp \
|
||||
--disable-gccmarch-native
|
||||
MAKE_ENV= RUSTFLAGS="${RUSTFLAGS} -C linker=${CC:Q} ${LDFLAGS:C/.+/-C link-arg=&/}"
|
||||
GNU_CONFIGURE= yes
|
||||
CONFIGURE_ARGS+= --disable-gccmarch-native \
|
||||
--enable-bundled-htp \
|
||||
--enable-gccprotect
|
||||
MAKE_ENV= RUSTFLAGS="${RUSTFLAGS} -C linker=${CC:Q} ${LDFLAGS:C/.+/-C link-arg=&/}"
|
||||
|
||||
INSTALL_TARGET= install-strip
|
||||
TEST_TARGET= check
|
||||
INSTALL_TARGET= install-strip
|
||||
TEST_TARGET= check
|
||||
|
||||
CONFLICTS_INSTALL= libhtp
|
||||
|
||||
SUB_FILES= pkg-message
|
||||
PLIST_SUB= PORTVERSION=${DISTVERSION:C/-/_/g}
|
||||
|
||||
OPTIONS_DEFINE= GEOIP IPFW NETMAP NSS PORTS_PCAP PRELUDE \
|
||||
PYTHON REDIS TESTS
|
||||
OPTIONS_DEFINE= GEOIP IPFW NETMAP NSS PORTS_PCAP PRELUDE PYTHON REDIS \
|
||||
TESTS
|
||||
OPTIONS_DEFINE_amd64= HYPERSCAN
|
||||
OPTIONS_DEFAULT= IPFW NETMAP PYTHON
|
||||
|
||||
OPTIONS_RADIO= SCRIPTS
|
||||
OPTIONS_RADIO_SCRIPTS= LUA LUAJIT
|
||||
|
||||
OPTIONS_SUB= yes
|
||||
OPTIONS_SUB= yes
|
||||
|
||||
PRELUDE_BROKEN= Compilation broken, see https://redmine.openinfosecfoundation.org/issues/4065
|
||||
PRELUDE_BROKEN= Compilation broken, see https://redmine.openinfosecfoundation.org/issues/4065
|
||||
|
||||
GEOIP_DESC= GeoIP support
|
||||
HYPERSCAN_DESC= Hyperscan support
|
||||
|
@ -65,32 +64,33 @@ REDIS_DESC= Redis output support
|
|||
SCRIPTS_DESC= Scripting
|
||||
TESTS_DESC= Unit tests in suricata binary
|
||||
|
||||
GEOIP_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb
|
||||
GEOIP_CONFIGURE_ON= --enable-geoip
|
||||
GEOIP_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb
|
||||
GEOIP_CONFIGURE_ON= --enable-geoip
|
||||
|
||||
HYPERSCAN_LIB_DEPENDS= libhs.so:devel/hyperscan
|
||||
HYPERSCAN_LIB_DEPENDS= libhs.so:devel/hyperscan
|
||||
|
||||
IPFW_CONFIGURE_ON= --enable-ipfw
|
||||
IPFW_CONFIGURE_ON= --enable-ipfw
|
||||
|
||||
LUAJIT_LIB_DEPENDS= libluajit-5.1.so:lang/luajit-openresty
|
||||
LUAJIT_CONFIGURE_ON= --enable-luajit
|
||||
LUAJIT_LIB_DEPENDS= libluajit-5.1.so:lang/luajit-openresty
|
||||
LUAJIT_CONFIGURE_ON= --enable-luajit
|
||||
|
||||
LUA_USES= lua:51
|
||||
LUA_CONFIGURE_ON= --enable-lua
|
||||
LUA_USES= lua:51
|
||||
LUA_CONFIGURE_ON= --enable-lua
|
||||
|
||||
NETMAP_CONFIGURE_ENABLE= netmap
|
||||
|
||||
NSS_LIB_DEPENDS= libnss3.so:security/nss \
|
||||
libnspr4.so:devel/nspr
|
||||
NSS_CONFIGURE_OFF= --disable-nss --disable-nspr
|
||||
NSS_LIB_DEPENDS= libnspr4.so:devel/nspr \
|
||||
libnss3.so:security/nss
|
||||
NSS_CONFIGURE_OFF= --disable-nspr \
|
||||
--disable-nss
|
||||
|
||||
PORTS_PCAP_LIB_DEPENDS= libpcap.so.1:net/libpcap
|
||||
PORTS_PCAP_LIB_DEPENDS= libpcap.so.1:net/libpcap
|
||||
|
||||
PRELUDE_LIB_DEPENDS= libprelude.so:security/libprelude \
|
||||
PRELUDE_LIB_DEPENDS= libgcrypt.so:security/libgcrypt \
|
||||
libgnutls.so:security/gnutls \
|
||||
libgcrypt.so:security/libgcrypt \
|
||||
libgpg-error.so:security/libgpg-error \
|
||||
libltdl.so:devel/libltdl
|
||||
libltdl.so:devel/libltdl \
|
||||
libprelude.so:security/libprelude
|
||||
PRELUDE_CONFIGURE_ON= --with-libprelude-prefix=${LOCALBASE}
|
||||
PRELUDE_CONFIGURE_ENABLE= prelude
|
||||
|
||||
|
@ -100,11 +100,10 @@ PYTHON_USES= python
|
|||
PYTHON_USE= PYTHON=py3kplist
|
||||
PYTHON_CONFIGURE_ENABLE= python
|
||||
|
||||
REDIS_LIB_DEPENDS= libhiredis.so:databases/hiredis \
|
||||
libevent_pthreads.so:devel/libevent
|
||||
REDIS_CONFIGURE_ON= --enable-hiredis \
|
||||
|
||||
TESTS_CONFIGURE_ENABLE= unittests
|
||||
REDIS_LIB_DEPENDS= libevent_pthreads.so:devel/libevent \
|
||||
libhiredis.so:databases/hiredis
|
||||
REDIS_CONFIGURE_ON= --enable-hiredis
|
||||
TESTS_CONFIGURE_ENABLE= unittests
|
||||
|
||||
pre-patch:
|
||||
@${CP} ${FILESDIR}/ax_check_compile_flag.m4 ${WRKSRC}/m4
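Review bot: In the last Makefile hunk, `TESTS_CONFIGURE_ENABLE= unittests` now follows `REDIS_CONFIGURE_ON= --enable-hiredis` with no blank line between them, while the other option helper groups in this file (GEOIP, HYPERSCAN, IPFW, LUAJIT, LUA, NETMAP, NSS, PORTS_PCAP, PRELUDE) are each separated by one. Dropping the dangling `\` after `--enable-hiredis` is correct, but the empty line that followed it appears to have gone with it, since the hunk shrinks from 11 to 10 lines. I would restore one empty line between the REDIS and TESTS helpers so the per-option grouping stays readable. The added/removed markers are lost in this rendering, so this is read from the hunk counts and the line order.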
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
TIMESTAMP = 1628041281
|
||||
SHA256 (suricata-6.0.3.tar.gz) = daf134bb2d7c980035e9ae60f7aaf313323a809340009f26e48110ccde81f602
|
||||
SIZE (suricata-6.0.3.tar.gz) = 32421197
|
||||
TIMESTAMP = 1637246038
|
||||
SHA256 (suricata-6.0.4.tar.gz) = a8f197e33d1678689ebbf7bc1abe84934c465d22c504c47c2c7e9b74aa042d0d
|
||||
SIZE (suricata-6.0.4.tar.gz) = 32498036
|
||||
|
|
|
@ -1,78 +0,0 @@
|
|||
From 3c53a1601b6f861f8b7f0cd0984b18e78291fe85 Mon Sep 17 00:00:00 2001
|
||||
From: Victor Julien <victor@inliniac.net>
|
||||
Date: Wed, 18 Aug 2021 20:14:48 +0200
|
||||
Subject: [PATCH] threading: don't pass locked flow between threads
|
||||
|
||||
Previously the flow manager would share evicted flows with the workers
|
||||
while keeping the flows mutex locked. This reduced the number of unlock/
|
||||
lock cycles while there was guaranteed to be no contention.
|
||||
|
||||
This turns out to be undefined behavior. A lock is supposed to be locked
|
||||
and unlocked from the same thread. It appears that FreeBSD is stricter on
|
||||
this than Linux.
|
||||
|
||||
This patch addresses the issue by unlocking before handing a flow off
|
||||
to another thread, and locking again from the new thread.
|
||||
|
||||
Issue was reported and largely analyzed by Bill Meeks.
|
||||
|
||||
Bug: #4478
|
||||
(cherry picked from commit 9551cd05357925e8bec8e0030d5f98fd07f17839)
|
||||
---
|
||||
src/flow-hash.c | 1 +
|
||||
src/flow-manager.c | 2 +-
|
||||
src/flow-timeout.c | 1 +
|
||||
src/flow-worker.c | 1 +
|
||||
4 files changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/flow-hash.c b/src/flow-hash.c
|
||||
index ebbd836e81a..760bc53e0a8 100644
|
||||
--- src/flow-hash.c
|
||||
+++ src/flow-hash.c
|
||||
@@ -669,6 +669,7 @@ static inline void MoveToWorkQueue(ThreadVars *tv, FlowLookupStruct *fls,
|
||||
f->fb = NULL;
|
||||
f->next = NULL;
|
||||
FlowQueuePrivateAppendFlow(&fls->work_queue, f);
|
||||
+ FLOWLOCK_UNLOCK(f);
|
||||
} else {
|
||||
/* implied: TCP but our thread does not own it. So set it
|
||||
* aside for the Flow Manager to pick it up. */
|
||||
diff --git a/src/flow-manager.c b/src/flow-manager.c
|
||||
index d58a49637d6..9228c88490c 100644
|
||||
--- src/flow-manager.c
|
||||
+++ src/flow-manager.c
|
||||
@@ -333,9 +333,9 @@ static uint32_t ProcessAsideQueue(FlowManagerTimeoutThread *td, FlowTimeoutCount
|
||||
FlowForceReassemblyNeedReassembly(f) == 1)
|
||||
{
|
||||
FlowForceReassemblyForFlow(f);
|
||||
+ FLOWLOCK_UNLOCK(f);
|
||||
/* flow ownership is passed to the worker thread */
|
||||
|
||||
- /* flow remains locked */
|
||||
counters->flows_aside_needs_work++;
|
||||
continue;
|
||||
}
|
||||
diff --git a/src/flow-timeout.c b/src/flow-timeout.c
|
||||
index 972b35076bd..d6cca490087 100644
|
||||
--- src/flow-timeout.c
|
||||
+++ src/flow-timeout.c
|
||||
@@ -401,6 +401,7 @@ static inline void FlowForceReassemblyForHash(void)
|
||||
RemoveFromHash(f, prev_f);
|
||||
f->flow_end_flags |= FLOW_END_FLAG_SHUTDOWN;
|
||||
FlowForceReassemblyForFlow(f);
|
||||
+ FLOWLOCK_UNLOCK(f);
|
||||
f = next_f;
|
||||
continue;
|
||||
}
|
||||
diff --git a/src/flow-worker.c b/src/flow-worker.c
|
||||
index 69dbb6ac575..dccf3581dd5 100644
|
||||
--- src/flow-worker.c
|
||||
+++ src/flow-worker.c
|
||||
@@ -168,6 +168,7 @@ static void CheckWorkQueue(ThreadVars *tv, FlowWorkerThreadData *fw,
|
||||
{
|
||||
Flow *f;
|
||||
while ((f = FlowQueuePrivateGetFromTop(fq)) != NULL) {
|
||||
+ FLOWLOCK_WRLOCK(f);
|
||||
f->flow_end_flags |= FLOW_END_FLAG_TIMEOUT; //TODO emerg
|
||||
|
||||
const FlowStateType state = f->flow_state;
|
|
@ -1,62 +0,0 @@
|
|||
--- rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/mod.rs.orig 2020-03-17 20:35:43 UTC
|
||||
+++ rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/mod.rs
|
||||
@@ -1486,6 +1486,9 @@ cfg_if! {
|
||||
} else if #[cfg(target_arch = "powerpc64")] {
|
||||
mod powerpc64;
|
||||
pub use self::powerpc64::*;
|
||||
+ } else if #[cfg(target_arch = "powerpc")] {
|
||||
+ mod powerpc;
|
||||
+ pub use self::powerpc::*;
|
||||
} else {
|
||||
// Unknown target_arch
|
||||
}
|
||||
--- rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/powerpc.rs.orig 2021-06-23 22:40:24 UTC
|
||||
+++ rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/powerpc.rs
|
||||
@@ -0,0 +1,47 @@
|
||||
+pub type c_char = u8;
|
||||
+pub type c_long = i32;
|
||||
+pub type c_ulong = u32;
|
||||
+pub type wchar_t = i32;
|
||||
+pub type time_t = i64;
|
||||
+pub type suseconds_t = i32;
|
||||
+pub type register_t = i32;
|
||||
+
|
||||
+s! {
|
||||
+ pub struct stat {
|
||||
+ pub st_dev: ::dev_t,
|
||||
+ pub st_ino: ::ino_t,
|
||||
+ pub st_mode: ::mode_t,
|
||||
+ pub st_nlink: ::nlink_t,
|
||||
+ pub st_uid: ::uid_t,
|
||||
+ pub st_gid: ::gid_t,
|
||||
+ pub st_rdev: ::dev_t,
|
||||
+ pub st_atime: ::time_t,
|
||||
+ pub st_atime_nsec: ::c_long,
|
||||
+ pub st_mtime: ::time_t,
|
||||
+ pub st_mtime_nsec: ::c_long,
|
||||
+ pub st_ctime: ::time_t,
|
||||
+ pub st_ctime_nsec: ::c_long,
|
||||
+ pub st_size: ::off_t,
|
||||
+ pub st_blocks: ::blkcnt_t,
|
||||
+ pub st_blksize: ::blksize_t,
|
||||
+ pub st_flags: ::fflags_t,
|
||||
+ pub st_gen: u32,
|
||||
+ pub st_lspare: i32,
|
||||
+ pub st_birthtime: ::time_t,
|
||||
+ pub st_birthtime_nsec: ::c_long,
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+// should be pub(crate), but that requires Rust 1.18.0
|
||||
+cfg_if! {
|
||||
+ if #[cfg(libc_const_size_of)] {
|
||||
+ #[doc(hidden)]
|
||||
+ pub const _ALIGNBYTES: usize = ::mem::size_of::<::c_int>() - 1;
|
||||
+ } else {
|
||||
+ #[doc(hidden)]
|
||||
+ pub const _ALIGNBYTES: usize = 4 - 1;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+pub const MAP_32BIT: ::c_int = 0x00080000;
|
||||
+pub const MINSIGSTKSZ: ::size_t = 2048; // 512 * 4
|
|
@ -136,7 +136,7 @@ man/man1/suricata.1.gz
|
|||
%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/util.pyc
|
||||
%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.py
|
||||
%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.pyc
|
||||
%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata_update-1.2.2-py%%PYTHON_VER%%.egg-info
|
||||
%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata_update-1.2.3-py%%PYTHON_VER%%.egg-info
|
||||
%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.py
|
||||
%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.pyc
|
||||
%%DATADIR%%/rules/app-layer-events.rules
|
||||
|
@ -146,9 +146,11 @@ man/man1/suricata.1.gz
|
|||
%%DATADIR%%/rules/dns-events.rules
|
||||
%%DATADIR%%/rules/files.rules
|
||||
%%DATADIR%%/rules/http-events.rules
|
||||
%%DATADIR%%/rules/http2-events.rules
|
||||
%%DATADIR%%/rules/ipsec-events.rules
|
||||
%%DATADIR%%/rules/kerberos-events.rules
|
||||
%%DATADIR%%/rules/modbus-events.rules
|
||||
%%DATADIR%%/rules/mqtt-events.rules
|
||||
%%DATADIR%%/rules/nfs-events.rules
|
||||
%%DATADIR%%/rules/ntp-events.rules
|
||||
%%DATADIR%%/rules/smb-events.rules
|
||||
|
|