Bug 210490 - security/suricata: Update to 3.1.1, Add HYPERSCAN option and support
Summary: security/suricata: Update to 3.1.1, Add HYPERSCAN option and support
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Kubilay Kocak
URL:
Keywords: patch
Depends on: 211002
Blocks:
  Show dependency treegraph
 
Reported: 2016-06-23 10:50 UTC by Stewart Morgan
Modified: 2017-06-16 05:15 UTC (History)
3 users (show)

See Also:
koobs: maintainer-feedback+


Attachments
Patch to update to 3.1, faciliate hyperscan library (1.62 KB, patch)
2016-06-23 10:50 UTC, Stewart Morgan
no flags Details | Diff
Patch to update to 3.1, faciliate hyperscan library (1.59 KB, patch)
2016-06-23 11:15 UTC, Stewart Morgan
no flags Details | Diff
required libhtp version bump for HTP_PORT unset on Suricata 3.0.2/3.1 (598 bytes, patch)
2016-07-06 05:53 UTC, Franco Fichtner
no flags Details | Diff
devel/libhtp bump to 0.5.20 (783 bytes, patch)
2016-07-06 05:53 UTC, Franco Fichtner
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Stewart Morgan 2016-06-23 10:50:29 UTC
Created attachment 171705 [details]
Patch to update to 3.1, faciliate hyperscan library

Updates port to 3.1.

Adds new "HYPERSCAN" knob that allows building Suricata with support for the the devel/hyperscan port.
Comment 1 Stewart Morgan 2016-06-23 11:15:22 UTC
Created attachment 171706 [details]
Patch to update to 3.1, faciliate hyperscan library

Upload correct diff!
Corrects option availability for AMD64.
Removed option under i386 since devel/hyperscan only builds for amd64 anyway.
Comment 2 Franco Fichtner 2016-07-06 05:53:00 UTC
Created attachment 172161 [details]
required libhtp version bump for HTP_PORT unset on Suricata 3.0.2/3.1
Comment 3 Franco Fichtner 2016-07-06 05:53:45 UTC
Created attachment 172162 [details]
devel/libhtp bump to 0.5.20
Comment 4 Franco Fichtner 2016-07-06 06:18:12 UTC
More thoughts:

1. For some reason or another, devel/hyperscan does not set SHARED by default, which breaks the build for HYPERSCAN, as it requires libhs.so, but the file is not found.  We should flip that for FreeBSD...  I don't think it's very useful for a library package to not do that by default.

2. HYPERSCAN_DESC still mentions i386.  Since it's only visible on amd64, it's better to simplify this to e.g. "Hyperscan support".

3. Let's please get this in soon, we've already missed out on 3.0.1 and now also 3.0.2. The state we have is pretty much January 2016. We will have to discuss MAINTAINER options again. I agreed with the reasoning back in January, but I'm not agreeing with it again.


Cheers,
Franco
Comment 5 Franco Fichtner 2016-07-25 06:09:24 UTC
Meanwhile, suricata 3.1.1 and libhtp 0.5.21 have been released.
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2016-07-25 06:39:20 UTC
I'll update to the latest versions and submit a patch for bug 211002 to help it move along, thanks Franco
Comment 7 Franco Fichtner 2016-07-25 06:40:14 UTC
highly appreciated, thanks :)
Comment 8 Kubilay Kocak freebsd_committer freebsd_triage 2016-07-25 07:41:40 UTC
@Stewart/Franco, if you would like, I am happy to land the update minus the HYPERSCAN option pending resolution of bug 211002
Comment 9 Kubilay Kocak freebsd_committer freebsd_triage 2016-07-25 07:42:26 UTC
This issue would just then constitute a series of commits to be considered resolved, rather than one (blocked by another)
Comment 10 Franco Fichtner 2016-07-25 07:46:26 UTC
Since HYPERSCAN is not a default option that works with the bulk package builds, sure :)

Cheers,
Franco
Comment 11 Stewart Morgan 2016-07-26 08:36:58 UTC
(In reply to Kubilay Kocak from comment #8)

Yes, that would seem to make sense.
Thanks,
Stewart
Comment 12 commit-hook freebsd_committer 2016-07-31 13:00:28 UTC
A commit references this bug:

Author: koobs
Date: Sun Jul 31 12:59:38 UTC 2016
New revision: 419371
URL: https://svnweb.freebsd.org/changeset/ports/419371

Log:
  devel/libhtp: Update to 0.5.21

  * Update PORTVERSION and distinfo checksum (0.5.21) [1]
  * Modernise test target (Use TEST_TARGET)

    https://github.com/OISF/libhtp/blob/0.5.21/ChangeLog

  PR:		210490 [1]
  Submitted by:	Franco Fichtner <franco opnsense org> [1]

Changes:
  head/devel/libhtp/Makefile
  head/devel/libhtp/distinfo
Comment 13 commit-hook freebsd_committer 2016-07-31 14:21:43 UTC
A commit references this bug:

Author: koobs
Date: Sun Jul 31 14:21:36 UTC 2016
New revision: 419381
URL: https://svnweb.freebsd.org/changeset/ports/419381

Log:
  security/suricata: Update to 3.1.1

  * Update PORTVERSION and distinfo checksum (3.1.1) [1]
  * Update pkg-plist for shared library bump [2]
  * Use postunexec instead of unexec in pkg-plist
  * Group common OPTIONS_* entries
  * Group *_TARGET entries

    https://github.com/inliniac/suricata/blob/suricata-3.1.1/ChangeLog

  PR:		210490 [1][2]
  Submitted by:	Stewart Morgan <stewart.morgan gmail com> [1]
  Submitted by:	Franco Fichtner <franco opnsense org> [2]

Changes:
  head/security/suricata/Makefile
  head/security/suricata/distinfo
  head/security/suricata/pkg-plist
Comment 14 Franco Fichtner 2016-08-01 05:01:19 UTC
Thanks for getting this in!  :)

One more thing to fix up: libhtp is 0.5.21 for 3.1.1, but it was updated to 0.5.20 in security/suricata/pkg-plist.


Cheers,
Franco
Comment 15 commit-hook freebsd_committer 2016-08-01 05:13:15 UTC
A commit references this bug:

Author: koobs
Date: Mon Aug  1 05:12:48 UTC 2016
New revision: 419424
URL: https://svnweb.freebsd.org/changeset/ports/419424

Log:
  security/suricata: Fix plist with HTP_PORT option disabled

  Update pkg-plist entry for shared library version missed due to not testing
  with HTP_PORT disabled.

  Pointyhat:	koobs

  PR:		210490
  Reported by:	Franco Fichtner <franco opnsense org>

Changes:
  head/security/suricata/pkg-plist
Comment 16 Franco Fichtner 2016-09-19 06:16:47 UTC
Good morning,

SHARED for hyperscan went in, so this can finally go in.  :)


Cheers,
Franco
Comment 17 Kubilay Kocak freebsd_committer freebsd_triage 2016-10-19 10:06:31 UTC
Working on landing the balance of D7386 [1], which enables packaging of hyperscan on architectures other than amd64 (in particular i386).

[1] https://reviews.freebsd.org/D7386
Comment 18 Franco Fichtner 2016-12-21 09:22:54 UTC
We should finally add this as a non-default option. It works, but has amd64 binary compatibility consequences, especially with old AMD CPUs.
Comment 19 Franco Fichtner 2017-02-16 15:07:34 UTC
Updated PR including Suricata 3.2.1:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217143

Hyperscan 4.4.0, which allows Suricata 3.2.1 to do run-time detection of SSSE3 features is here:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217116

I do not recommend setting HYPERSCAN as a default option though.


Cheers,
Franco
Comment 20 Franco Fichtner 2017-03-05 08:37:42 UTC
Surcxata 3.2.1 with HYPERSCAN option and Hyperscan 4.4.0 (runtime detection of SSSE3 features) went in. HYPERSCAN is off by default. This can be closed.
Comment 21 Kubilay Kocak freebsd_committer freebsd_triage 2017-06-16 05:15:26 UTC
Superseded by bug 220026