Bug 210490
| Summary: | security/suricata: Update to 3.1.1, Add HYPERSCAN option and support | ||
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Stewart Morgan <stewart+FreeBSD-BugZilla> |
| Component: | Individual Port(s) | Assignee: | Kubilay Kocak <koobs> |
| Status: | Closed Overcome By Events | ||
| Severity: | Affects Some People | CC: | ebay, franco, jim |
| Priority: | --- | Keywords: | patch |
| Version: | Latest | Flags: | koobs:
maintainer-feedback+
|
| Hardware: | Any | ||
| OS: | Any | ||
| Bug Depends on: | 211002 | ||
| Bug Blocks: | |||
| Attachments: | |||
Created attachment 171706 [details]
Patch to update to 3.1, faciliate hyperscan library
Upload correct diff!
Corrects option availability for AMD64.
Removed option under i386 since devel/hyperscan only builds for amd64 anyway.
Created attachment 172161 [details]
required libhtp version bump for HTP_PORT unset on Suricata 3.0.2/3.1
Created attachment 172162 [details]
devel/libhtp bump to 0.5.20
More thoughts: 1. For some reason or another, devel/hyperscan does not set SHARED by default, which breaks the build for HYPERSCAN, as it requires libhs.so, but the file is not found. We should flip that for FreeBSD... I don't think it's very useful for a library package to not do that by default. 2. HYPERSCAN_DESC still mentions i386. Since it's only visible on amd64, it's better to simplify this to e.g. "Hyperscan support". 3. Let's please get this in soon, we've already missed out on 3.0.1 and now also 3.0.2. The state we have is pretty much January 2016. We will have to discuss MAINTAINER options again. I agreed with the reasoning back in January, but I'm not agreeing with it again. Cheers, Franco Meanwhile, suricata 3.1.1 and libhtp 0.5.21 have been released. I'll update to the latest versions and submit a patch for bug 211002 to help it move along, thanks Franco highly appreciated, thanks :) @Stewart/Franco, if you would like, I am happy to land the update minus the HYPERSCAN option pending resolution of bug 211002 This issue would just then constitute a series of commits to be considered resolved, rather than one (blocked by another) Since HYPERSCAN is not a default option that works with the bulk package builds, sure :) Cheers, Franco (In reply to Kubilay Kocak from comment #8) Yes, that would seem to make sense. Thanks, Stewart A commit references this bug: Author: koobs Date: Sun Jul 31 12:59:38 UTC 2016 New revision: 419371 URL: https://svnweb.freebsd.org/changeset/ports/419371 Log: devel/libhtp: Update to 0.5.21 * Update PORTVERSION and distinfo checksum (0.5.21) [1] * Modernise test target (Use TEST_TARGET) https://github.com/OISF/libhtp/blob/0.5.21/ChangeLog PR: 210490 [1] Submitted by: Franco Fichtner <franco opnsense org> [1] Changes: head/devel/libhtp/Makefile head/devel/libhtp/distinfo A commit references this bug: Author: koobs Date: Sun Jul 31 14:21:36 UTC 2016 New revision: 419381 URL: https://svnweb.freebsd.org/changeset/ports/419381 Log: security/suricata: Update to 3.1.1 * Update PORTVERSION and distinfo checksum (3.1.1) [1] * Update pkg-plist for shared library bump [2] * Use postunexec instead of unexec in pkg-plist * Group common OPTIONS_* entries * Group *_TARGET entries https://github.com/inliniac/suricata/blob/suricata-3.1.1/ChangeLog PR: 210490 [1][2] Submitted by: Stewart Morgan <stewart.morgan gmail com> [1] Submitted by: Franco Fichtner <franco opnsense org> [2] Changes: head/security/suricata/Makefile head/security/suricata/distinfo head/security/suricata/pkg-plist Thanks for getting this in! :) One more thing to fix up: libhtp is 0.5.21 for 3.1.1, but it was updated to 0.5.20 in security/suricata/pkg-plist. Cheers, Franco A commit references this bug: Author: koobs Date: Mon Aug 1 05:12:48 UTC 2016 New revision: 419424 URL: https://svnweb.freebsd.org/changeset/ports/419424 Log: security/suricata: Fix plist with HTP_PORT option disabled Update pkg-plist entry for shared library version missed due to not testing with HTP_PORT disabled. Pointyhat: koobs PR: 210490 Reported by: Franco Fichtner <franco opnsense org> Changes: head/security/suricata/pkg-plist Good morning, SHARED for hyperscan went in, so this can finally go in. :) Cheers, Franco Working on landing the balance of D7386 [1], which enables packaging of hyperscan on architectures other than amd64 (in particular i386). [1] https://reviews.freebsd.org/D7386 We should finally add this as a non-default option. It works, but has amd64 binary compatibility consequences, especially with old AMD CPUs. Updated PR including Suricata 3.2.1: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217143 Hyperscan 4.4.0, which allows Suricata 3.2.1 to do run-time detection of SSSE3 features is here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217116 I do not recommend setting HYPERSCAN as a default option though. Cheers, Franco Surcxata 3.2.1 with HYPERSCAN option and Hyperscan 4.4.0 (runtime detection of SSSE3 features) went in. HYPERSCAN is off by default. This can be closed. Superseded by bug 220026 |
Created attachment 171705 [details] Patch to update to 3.1, faciliate hyperscan library Updates port to 3.1. Adds new "HYPERSCAN" knob that allows building Suricata with support for the the devel/hyperscan port.