L7 NetworkPolicy failure

[hongliangl]

Describe the bug
All connections that should be filtered by the target L7 NetworkPolicy are dropped, rather than rejected or passed.

To Reproduce

1. Create a client Pod and a server Pod using the commands in the following:

export NGINX=projects.registry.vmware.com/antrea/nginx:1.21.6-alpine
export AGNHOST=k8s.gcr.io/e2e-test-images/agnhost:2.29

kubectl create deploy client --image=$AGNHOST
kubectl create deploy server --image=$NGINX

2. Create a L7 NetworkPolicy

apiVersion: crd.antrea.io/v1alpha1
kind: NetworkPolicy
metadata:
  name: ingress-allow-http-request-to-api-v2
spec:
  priority: 5
  tier: application
  appliedTo:
    - podSelector:
        matchLabels:
          app: server
  ingress:
    - name: allow-http
      action: Allow
      from:
        - podSelector:
            matchLabels:
              app: client
      l7Protocols:
        - http:
            path: "/api/v2/*"
            method: "GET"
    - name: drop-other
      action: Drop

3. Run command for ((i=0;i<10000;i++)) do curl http://<server Pod IP>/api/v2/version; sleep 1; done on client Pod, and these requests should be rejected.
4. Run command for ((i=0;i<10000;i++)) do curl http://<server Pod IP>/api/v1/version; sleep 1; done on client Pod, and these requests should be passed.
5. During running the commands in step 3 and 4, delete and apply the L7 NetworkPolicy in step 2 several times, and reserve the L7 NetworkPolicy after deleting and applying the L7 NetworkPolicy over and over again.
6. All connections that should be filtered by the target L7 NetworkPolicy are dropped, and this is because that the process of Suricata in became defunct. The reason why the process became defunct is that the process of Suricata exited with Segment fault or Segmentation fault (core dumped).

Versions:

• Antrea: v1.10
• Suricata v6.0.9

[hongliangl]

Added an issue about Suricata process Segmentation fault (core dumped) https://redmine.openinfosecfoundation.org/issues/5866?next_issue_id=5865

[hongliangl]

Added an topic to Suricata forum https://forum.suricata.io/t/af-packet-ips-suricata-process-exits-with-segment-fault-coredumped/3263

[hongliangl]

A PR OISF/suricata#8611 was merged into Suricata main branch and another PR OISF/suricata#8640 is used to backport the patch to Suricata 6.0.x.

[antoninbas]

@hongliangl could you give an update for this issue. I believe both PRs have been merged, and that this is fixed in 6.0.11?

BTW, did that affect all L7 NetworkPolicies, or only specific ones?

[hongliangl]

The issue is fixed by PR OISF/suricata#8640. However, something changed in Suricata 6.0.11 causes that Suricata's suricatasc tool is encountering issue when executing commands that involve multiple tenants (we are using these commands to sync L7 NetworkPolicies to Suricata).

[luolanzone]

A new bug is introduced by latest Suricata 6.0.11, tracked by issue #4921. We need to avoid the critical bug first, so this issue might be deferred to next release until Suricata deliver a new release.

[hongliangl]

Issue #4921 was resolved, close this issue.