From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 08/20] suricata: Add a watcher to restart on unexpected termination
Date: Tue, 10 Sep 2024 14:37:21 +0000
Message-ID: <20240910143748.3469271-9-michael.tremer@ipfire.org>
In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============9126282036626940019=="
List-Id:
--===============9126282036626940019==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
This patch adds a watcher process that will restart suricata when it is being killed by SIGKILL (e.g. by the OOM killer) or after a SEGV.
Signed-off-by: Michael Tremer
---
 config/rootfiles/common/suricata | 1 +
 config/suricata/suricata-watcher | 55 ++++++++++++++++++++++++++++++++
 lfs/suricata | 3 ++
 src/initscripts/system/suricata | 16 ++--------
 4 files changed, 61 insertions(+), 14 deletions(-)
 create mode 100644 config/suricata/suricata-watcher
diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suric= ata
index 53224d006..8fe53f7e6 100644
--- a/config/rootfiles/common/suricata
+++ b/config/rootfiles/common/suricata
@@ -1,6 +1,7 @@
 etc/suricata
 etc/suricata/suricata.yaml
 usr/bin/suricata
+usr/bin/suricata-watcher
 usr/sbin/convert-ids-backend-files
 #usr/share/doc/suricata
 #usr/share/doc/suricata/AUTHORS
diff --git a/config/suricata/suricata-watcher b/config/suricata/suricata-watc= her
new file mode 100644
index 000000000..a1a13d40c
--- /dev/null
+++ b/config/suricata/suricata-watcher
@@ -0,0 +1,55 @@
+#!/bin/bash
+############################################################################= ###
+# = #
+# IPFire.org - A Linux-based Firewall = #
+# Copyright (C) 2024 IPFire Team = #
+# = #
+# This program is free software: you can redistribute it and/or modify = #
+# it under the terms of the GNU General Public License as published by = #
+# the Free Software Foundation, either version 3 of the License, or = #
+# (at your option) any later version. = #
+# = #
+# This program is distributed in the hope that it will be useful, = #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of = #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the = #
+# GNU General Public License for more details. = #
+# = #
+# You should have received a copy of the GNU General Public License = #
+# along with this program. If not, see . = #
+# = #
+############################################################################= ###
+
+PIDFILE=3D"/var/run/suricata.pid"
+
+main() {
+ local ret
+
+ while :; do
+ # Launch suricata
+ /usr/bin/suricata "$@" &>/dev/null
+
+ # Wait until suricata is done
+ ret=3D$?
+
+ case "${ret}" in
+ # If suricata has been killed by SIGKILL (e.g. by
+ # the OOM killer, or if it ran into a SEGV, we will
+ # restart the process.
+ 137|139)
+ # Remove the PID file
+ unlink "${PIDFILE}" 2>/dev/null
+
+ sleep 1
+ continue
+ ;;
+
+ *)
+ break
+ ;;
+ esac
+ done
+
+ return ${ret}
+}
+
+main "$@" || return $?
diff --git a/lfs/suricata b/lfs/suricata
index 88f3c4575..dcee61ea1 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -132,5 +132,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 # Install converter script needed for Core Update 167
 install -m 0755 $(DIR_SRC)/config/suricata/convert-ids-backend-files /usr/s= bin/convert-ids-backend-files
=20
+ # Install the watcher
+ install -v -m 755 $(DIR_SRC)/config/suricata/suricata-watcher /usr/bin/suri= cata-watcher
+
 @rm -rf $(DIR_APP)
 @$(POSTBUILD)
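Review bot: The last line of the new script, `main "$@" || return $?`, uses `return` at the top level, which bash rejects outside a function or a sourced file, so a non-zero exit from main surfaces as a shell error instead of being propagated; it should read `main "$@" || exit $?` (or simply `main "$@"`, since the script ends there). The restart branch also swallows every diagnostic: suricata's output goes to /dev/null and nothing records that a restart happened, so an IDS that is repeatedly OOM-killed or segfaulting is restarted silently every second with no ceiling; I would log each restart, e.g. `logger -t suricata-watcher "suricata exited with status ${ret}, restarting"`, and consider a cap or growing backoff so a crash loop cannot peg the system. The case list covers only 137 and 139, omitting SIGABRT (134) and SIGBUS (135), which are just as unexpected as a SEGV; whichever policy is chosen, the comment above `137|139)` should state it, and it is currently missing its closing parenthesis.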
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 20afab130..40bd69c87 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -123,12 +123,9 @@ case "$1" in
 if [ "$ENABLE_IDS" =3D=3D "on" ]; then
 # Start the IDS.
 boot_mesg "Starting Intrusion Detection System..."
- /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES >/dev/null = 2>/dev/null
+ /usr/bin/suricata-watcher -c /etc/suricata/suricata.yaml $NFQUEUES
 evaluate_retval
=20
- # Allow reading the pidfile.
- chmod 644 $PID_FILE
-
 # Flush the firewall chain
 flush_fw_chain
=20
@@ -139,20 +136,11 @@ case "$1" in
=20
 stop)
 boot_mesg "Stopping Intrusion Detection System..."
- killproc -p $PID_FILE /var/run
+ killproc /usr/bin/suricata
=20
 # Flush firewall chain.
 flush_fw_chain
=20
- # Sometimes suricata not correct shutdown. So killall.
- killall -KILL /usr/bin/suricata 2>/dev/null
-
- # Remove suricata control socket.
- rm /var/run/suricata/* >/dev/null 2>/dev/null
-
- # Trash remain pid file if still exists.
- rm -f $PID_FILE >/dev/null 2>/dev/null
-
 # Don't report returncode of rm if suricata was not started
 exit 0
 ;;
--=20
2.39.2
--===============9126282036626940019==--
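Review bot: The new start line runs `/usr/bin/suricata-watcher` synchronously and drops the `-D` flag, so unless suricata daemonizes itself from suricata.yaml (not visible here) the init script blocks inside the watcher's loop and `evaluate_retval` never runs; conversely, if suricata still forks to the background, its parent exits 0 and the watcher's `*)` branch breaks out at once, leaving nothing to restart a crashed daemon. The watcher only supervises a foreground suricata, so the invocation should be backgrounded, e.g. `/usr/bin/suricata-watcher -c /etc/suricata/suricata.yaml $NFQUEUES &`, with `evaluate_retval` then only reporting that the supervisor launched. The enclosing case arm continues outside the hunk.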
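Review bot: The stop arm now signals only suricata (`killproc /usr/bin/suricata`) and leaves the watcher running; the watcher restarts suricata whenever it exits with status 137, so if killproc escalates to SIGKILL on a slow shutdown (its escalation behaviour is not visible here) the stop action is silently undone a second later. Stop the supervisor before the daemon, e.g. `killproc /usr/bin/suricata-watcher` followed by `killproc /usr/bin/suricata`, or have the watcher trap TERM and leave its loop. The hunk also drops the `rm -f $PID_FILE` and control-socket cleanup; if suricata does not remove these on a clean exit, a stale pidfile can confuse the next start, so that should be confirmed before relying on it.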