L7 NetworkPolicy failure #4628
Comments
Added an issue about Suricata process
Added a topic to the Suricata forum https://forum.suricata.io/t/af-packet-ips-suricata-process-exits-with-segment-fault-coredumped/3263
PR OISF/suricata#8611 was merged into the Suricata main branch, and another PR, OISF/suricata#8640, is used to backport the patch to Suricata 6.0.x.
@hongliangl could you give an update for this issue? I believe both PRs have been merged, and that this is fixed in 6.0.11? BTW, did that affect all L7 NetworkPolicies, or only specific ones?
The issue is fixed by PR OISF/suricata#8640. However, something changed in Suricata 6.0.11 that causes Suricata's suricatasc tool to encounter issues when executing commands that involve multiple tenants (we are using these commands to sync L7 NetworkPolicies to Suricata).
A new bug is introduced by the latest Suricata 6.0.11, tracked by issue #4921. We need to avoid the critical bug first, so this issue might be deferred to the next release until Suricata delivers a new release.
Issue #4921 was resolved; closing this issue.
Describe the bug
All connections that should be filtered by the target L7 NetworkPolicy are dropped, rather than rejected or passed.
To Reproduce
for ((i=0;i<10000;i++)) do curl http://<server Pod IP>/api/v2/version; sleep 1; done
on client Pod, and these requests should be rejected.
for ((i=0;i<10000;i++)) do curl http://<server Pod IP>/api/v1/version; sleep 1; done
on client Pod, and these requests should be passed.
Segment fault or Segmentation fault (core dumped).
Versions: