CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #94 from rwwiv/master

Browse Source 
Fix for packet capture loss by disabling checksum offloading for non-management interfaces
This commit is contained in:
Mike Reeves
2019-08-18 09:18:00 -04:00
committed by GitHub
parent f1ae2617c2 75ab90d5e8
commit 209a46bad6
2 changed files with 36 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
install_scripts/disable-checksum-offload.sh Normal file
View File

@@ -0,0 +1,9 @@
#!/bin/bash
if [ "$NM_DISPATCHER_ACTION" == "pre-up" ]; then
if ["$DEVICE_IFACE" !== "$MAININT"]; then
for i in rx tx sg tso ufo gso gro lro; do
ethtool -K $DEVICE_IFACE $i off;
done
fi
fi

18
so-setup-network.sh
View File

@@ -246,15 +246,15 @@ copy_ssh_key() {
} }
create_bond_nmcli() { network_setup() {
echo "Setting up Bond" >> $SETUPLOG 2>&1 echo "Setting up Bond" >> $SETUPLOG 2>&1
# Set the MTU # Set the MTU
if [ $NSMSETUP != 'ADVANCED' ]; then if [ "$NSMSETUP" != 'ADVANCED' ]; then
MTU=1500 MTU=1500
fi fi
# Create the bond interface # Create the bond interface
nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \ nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \
ipv4.method disabled \ ipv4.method disabled \
ipv6.method link-local \ ipv6.method link-local \
@@ -264,6 +264,10 @@ create_bond_nmcli() {
for BNIC in ${BNICS[@]}; do for BNIC in ${BNICS[@]}; do
# Strip the quotes from the NIC names # Strip the quotes from the NIC names
BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" BONDNIC="$(echo -e "${BNIC}" | tr -d '"')"
# Turn off various offloading settings for the interface
for i in rx tx sg tso ufo gso gro lro; do
ethtool -K $BONDNIC $i off >> $SETUPLOG 2>&1
done
# Create the slave interface and assign it to the bond # Create the slave interface and assign it to the bond
nmcli con add type ethernet ifname $BONDNIC con-name "bond0-slave-$BONDNIC" master bond0 -- \ nmcli con add type ethernet ifname $BONDNIC con-name "bond0-slave-$BONDNIC" master bond0 -- \
ethernet.mtu $MTU \ ethernet.mtu $MTU \
@@ -271,6 +275,10 @@ create_bond_nmcli() {
# Bring the slave interface up # Bring the slave interface up
nmcli con up bond0-slave-$BONDNIC >> $SETUPLOG 2>&1 nmcli con up bond0-slave-$BONDNIC >> $SETUPLOG 2>&1
done done
# Replace the variable string in the network script
sed -i "s/\$MAININT/${MAININT}/g" ./install_scripts/disable-checksum-offload.sh >> $SETUPLOG 2>&1
# Copy the checksum offload script to prevent issues with packet capture
cp ./install_scripts/disable-checksum-offload.sh /etc/NetworkManager/dispatcher.d/disable-checksum-offload.sh >> $SETUPLOG 2>&1
} }
detect_os() { detect_os() {
@@ -1683,7 +1691,7 @@ if (whiptail_you_sure); then
echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX" echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
set_initial_firewall_policy >> $SETUPLOG 2>&1 set_initial_firewall_policy >> $SETUPLOG 2>&1
echo -e "XXX\n3\nCreating Bond Interface... \nXXX" echo -e "XXX\n3\nCreating Bond Interface... \nXXX"
create_bond_nmcli >> $SETUPLOG 2>&1 network_setup >> $SETUPLOG 2>&1
echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX" echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX"
sensor_pillar >> $SETUPLOG 2>&1 sensor_pillar >> $SETUPLOG 2>&1
echo -e "XXX\n5\nInstalling Salt Components... \nXXX" echo -e "XXX\n5\nInstalling Salt Components... \nXXX"
@@ -1773,7 +1781,7 @@ if (whiptail_you_sure); then
{ {
sleep 0.5 sleep 0.5
echo -e "XXX\n0\nCreating Bond Interface... \nXXX" echo -e "XXX\n0\nCreating Bond Interface... \nXXX"
create_bond_nmcli >> $SETUPLOG 2>&1 network_setup >> $SETUPLOG 2>&1
echo -e "XXX\n1\nInstalling saltstack... \nXXX" echo -e "XXX\n1\nInstalling saltstack... \nXXX"
saltify >> $SETUPLOG 2>&1 saltify >> $SETUPLOG 2>&1
echo -e "XXX\n3\nInstalling docker... \nXXX" echo -e "XXX\n3\nInstalling docker... \nXXX"