PF-Ring 4.2.0-38 Kernel; Unknown symbol sk_attach_filter; sk_detach_filter


Jason Kowalczyk

Jun 13, 2016, 1:37:58 PM
to security-onion
I am deploying a new production sensor using 14.04 LTS.

Kernel 4.2.0-38

When running on the above kernel inserting the module fails with

~$ sudo modprobe pf_ring
modprobe: ERROR: could not insert 'pf_ring': Unknown symbol in module, or unknown parameter (see dmesg)

and in dmesg:
[13920.569438] pf_ring: Unknown symbol sk_attach_filter (err 0)
[13920.569477] pf_ring: Unknown symbol sk_detach_filter (err 0)

if I downgrade to the 4.2.0-27 kernel, I can get the pfring module to install without an issue.

[ 320.074641] pf_ring: module verification failed: signature and/or required key missing - tainting kernel
[ 320.076744] [PF_RING] registered /proc/net/pf_ring/

(But then this breaks barnyard2 and bro but I have not diagnosed that part yet.)

Note: these are similar to -- https://elrepo.org/bugs/view.php?id=646

Has anyone else run into this?

Thanks.

-Jason.
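
The `Unknown symbol` failure above is the kernel's load-time check that every symbol a module imports is exported by the running kernel. As an added pre-flight check (my own script, not code from the thread or from PF_RING), the following looks a module's undefined symbols up in /proc/kallsyms before modprobe is attempted on a production sensor; the function names and the kallsyms excerpt in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check: does the running kernel export every symbol a module
# imports? An exported symbol appears in /proc/kallsyms as __ksymtab_<name>;
# a symbol that is present ('T') but has no __ksymtab entry is invisible to
# modules and yields "Unknown symbol <name>" at insertion time.
# (Constructed example, not part of PF_RING or the thread.)

# missing_exports NEEDED KALLSYMS
#   NEEDED:   file with one symbol name per line (e.g. from `nm -u pf_ring.ko`)
#   KALLSYMS: file in /proc/kallsyms format: "addr type name [module]"
# Prints every needed symbol that has no __ksymtab_ entry, one per line.
missing_exports() {
    needed="$1"; kallsyms="$2"
    while read -r sym; do
        [ -n "$sym" ] || continue
        if ! awk -v want="__ksymtab_$sym" \
                '$3 == want { found = 1 } END { exit !found }' "$kallsyms"; then
            echo "$sym"
        fi
    done < "$needed"
}

# Real use: list the undefined symbols of a .ko and check them against the
# live kernel. Returns 1 if anything is missing, so it can gate modprobe.
check_module() {
    ko="$1"; tmp=$(mktemp)
    nm -u "$ko" | awk '{ print $2 }' > "$tmp"
    out=$(missing_exports "$tmp" /proc/kallsyms)
    rm -f "$tmp"
    [ -z "$out" ] && return 0
    printf 'not exported by running kernel:\n%s\n' "$out" >&2
    return 1
}

# Offline demo on a constructed kallsyms excerpt: sk_attach_filter and
# sk_detach_filter exist in the kernel but are not exported; printk is.
demo() {
    n=$(mktemp); k=$(mktemp)
    printf 'sk_attach_filter\nsk_detach_filter\nprintk\n' > "$n"
    printf 'ffffffff8160a000 T sk_attach_filter\n' > "$k"
    printf 'ffffffff8160b000 T sk_detach_filter\n' >> "$k"
    printf 'ffffffff810a0000 T printk\n' >> "$k"
    printf 'ffffffff81a00000 r __ksymtab_printk\n' >> "$k"
    missing_exports "$n" "$k"
    rm -f "$n" "$k"
}
```

Run `check_module /lib/modules/$(uname -r)/updates/dkms/pf_ring.ko` (path is an assumption; adjust to where DKMS installed the module) before rebooting a sensor onto a new kernel.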

Jason Kowalczyk

Jun 13, 2016, 2:29:18 PM
to security-onion
sostat-redacted if that helps
sostat-redacted.txt

Wes

Jun 13, 2016, 2:34:44 PM
to security-onion
On Monday, June 13, 2016 at 2:29:18 PM UTC-4, Jason Kowalczyk wrote:
> sostat-redacted if that helps

Jason,

Are you trying to increase the number of slots for pf_ring? If so, have you tried modifying /etc/modprobe.d/pf_ring.conf?

Thanks,
Wes

Jason Kowalczyk

Jun 13, 2016, 3:06:54 PM
to security-onion

The Module will not even insert to the kernel with the default config. Have not gotten to tune the module yet.

Doug Burks

Jun 13, 2016, 5:35:43 PM
to securit...@googlegroups.com
Hi Jason,

I don't believe our current PF_RING packages are compatible with that
kernel version. I've created Issue 941 to update to PF_RING 6.4:
https://github.com/Security-Onion-Solutions/security-onion/issues/941
--
Doug Burks

Jason Kowalczyk

Jun 14, 2016, 9:05:02 AM
to security-onion
OK, Thanks!

I'll watch for the upgrade so I can test.

Aaron Fosdick

Jun 21, 2016, 5:40:51 PM
to security-onion
On Tuesday, June 14, 2016 at 7:05:02 AM UTC-6, Jason Kowalczyk wrote:
> OK, Thanks!
>
> I'll watch for the upgrade so I can test.

This happened to me after I mistakenly loaded pf_ring 6.4. You can get the module to compile & load w/o errors by removing the sk_attach_filter/sk_detach_filter code from pf_ring.c. That code seems to be for RHEL, so I don't know why it executes on Debian. Perhaps the check is too lenient.

# /var/lib/dkms/pf_ring/6/build/

diff -uNr pf_ring.c.orig pf_ring.c
--- pf_ring.c.orig 2016-06-16 20:53:11.749278922 +0000
+++ pf_ring.c 2016-06-16 20:56:21.145585962 +0000
@@ -7429,80 +7429,6 @@

/* ************************************* */

-#if defined(RHEL_RELEASE_CODE) && (LINUX_VERSION_CODE < KERNEL_VERSION(3,0,0))
-
-/* sk_attach_filter/sk_detach_filter for some reason is undefined on CentOS
- * code from core/sock.c kernel 2.x */
-
-static void sk_filter_rcu_release(struct rcu_head *rcu)
-{
- struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu);
-
- sk_filter_release(fp);
-}
-
-static void sk_filter_delayed_uncharge(struct sock *sk, struct sk_filter *fp)
-{
- unsigned int size = sk_filter_len(fp);
-
- atomic_sub(size, &sk->sk_omem_alloc);
- call_rcu_bh(&fp->rcu, sk_filter_rcu_release);
-}
-
-int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
-{
- struct sk_filter *fp, *old_fp;
- unsigned int fsize = sizeof(struct sock_filter) * fprog->len;
- int err;
-
- /* Make sure new filter is there and in the right amounts. */
- if (fprog->filter == NULL)
- return -EINVAL;
-
- fp = sock_kmalloc(sk, fsize+sizeof(*fp), GFP_KERNEL);
- if (!fp)
- return -ENOMEM;
- if (copy_from_user(fp->insns, fprog->filter, fsize)) {
- sock_kfree_s(sk, fp, fsize+sizeof(*fp));
- return -EFAULT;
- }
-
- atomic_set(&fp->refcnt, 1);
- fp->len = fprog->len;
-
- err = sk_chk_filter(fp->insns, fp->len);
- if (err) {
- sk_filter_uncharge(sk, fp);
- return err;
- }
-
- rcu_read_lock_bh();
- old_fp = rcu_dereference(sk->sk_filter);
- rcu_assign_pointer(sk->sk_filter, fp);
- rcu_read_unlock_bh();
-
- if (old_fp)
- sk_filter_delayed_uncharge(sk, old_fp);
- return 0;
-}
-
-int sk_detach_filter(struct sock *sk)
-{
- int ret = -ENOENT;
- struct sk_filter *filter;
-
- rcu_read_lock_bh();
- filter = rcu_dereference(sk->sk_filter);
- if (filter) {
- rcu_assign_pointer(sk->sk_filter, NULL);
- sk_filter_delayed_uncharge(sk, filter);
- ret = 0;
- }
- rcu_read_unlock_bh();
- return ret;
-}
-
-#endif

/* ************************************* */

@@ -7553,23 +7479,11 @@
if (fprog.len <= 1) /* empty filter */
break;

- if (unlikely(enable_debug))
- printk("[PF_RING] BPF filter (len = %u)\n", fprog.len);
-
- ret = sk_attach_filter(&fprog, pfr->sk);
-
if (ret == 0)
pfr->bpfFilter = 1;
}
break;

- case SO_DETACH_FILTER:
- if (unlikely(enable_debug))
- printk("[PF_RING] Removing BPF filter\n");
- ret = sk_detach_filter(pfr->sk);
- pfr->bpfFilter = 0;
- break;
-
case SO_ADD_TO_CLUSTER:
if(optlen != sizeof(cluster))
return(-EINVAL);

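Review bot: removing `ret = sk_attach_filter(&fprog, pfr->sk);` leaves the next lines, `if (ret == 0) pfr->bpfFilter = 1;`, testing a `ret` that this case no longer sets, so a SO_ATTACH_FILTER request whose filter was never installed can still be reported as success and mark the socket as filtered; capture tools on the sensor would then receive unfiltered traffic while believing their BPF expression is in effect. If these symbols are not available on the target kernel, fail loudly instead: put `ret = -EOPNOTSUPP;` (or a similar error) where the call was, and keep `case SO_DETACH_FILTER:` so a detach request also returns an explicit error rather than being handled by whatever the switch's default branch does, which this hunk does not show. The change also needs a comment at the call site explaining why the BPF socket-filter path is disabled on this kernel.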