
[PARTIALLY SOLVED] Can't downgrade to 24.1.1 from 24.1.2_1 using opnsense-revert: opnsense has a missing dependency: suricata-stable/WAN Flapping due to Suricata 7.0.3 change in default behavior #7276

Closed
LPJon opened this issue Feb 24, 2024 · 6 comments
Labels
support Community support

Comments

@LPJon

LPJon commented Feb 24, 2024


Describe the bug

After updating to 24.1.2_1 from 24.1.2, all my NAT configurations are still not working.
Traffic is being dropped due to WAN flapping.
Rules that only need firewall rules work as expected: OpenVPN.

Suricata commit to fix this issue was issued 3 days ago:
OISF/suricata@4b0704d

Suricata Logs Show:

[100687 - Suricata-Main] 2024-02-22 13:42:14 Error: hugepages: unable to open /sys/devices/system/node/
[100687 - Suricata-Main] 2024-02-22 13:42:14 Error: hugepages: failed to obtain number of NUMA nodes in the system

I wanted to revert to 24.1.1 but the downgrade fails: see below.


To Reproduce

I've just updated to 24.1.2_1 - nothing less, nothing more.

Expected behavior


  • Suricata should work properly without looking for NUMA nodes in `/sys/devices/system/node/` on FreeBSD
  • Should be able to revert to the previous version of OPNsense using the `opnsense-revert` method (see below)

Describe alternatives you considered
Tried downgrading, but it fails with the following:

opnsense-revert -r 24.1.1 opnsense
Fetching opnsense.pkg: ... done
Verifying signature with trusted certificate pkg.opnsense.org.20240105... done
opnsense-24.1.2: already unlocked
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
pkg-static: opnsense has a missing dependency: suricata-stable

Software version used and hardware type if relevant, e.g.:

OPNsense 24.1.2_1-amd64
FreeBSD 13.2-RELEASE-p10
OpenSSL 3.0.13

@fichtner fichtner added the support Community support label Feb 24, 2024
@LPJon
Author

LPJon commented Feb 25, 2024

@fichtner There is no way to revert back to 24.1.1 because the incorrect package is in the repository. The package that is actually in 24.1.2_1/latest/latest repository is suricata.pkg not suricata-stable.pkg. Was this done on purpose? Why exactly can't we revert back to OPNsense version 24.1.1? Was this by design? I'm not sure community support is useful here since no one in the community can control the repositories. I have several firewalls now that can't use suricata and depend on it for front line security. Is there anyone that can offer a solution for this?

@fichtner
Member

fichtner commented Feb 25, 2024

I don’t want to discuss release engineering quirks like this because it wasn’t done to annoy anyone and it can’t be undone either.

@LPJon
Author

LPJon commented Feb 25, 2024

@fichtner Fair enough.....Is there any way to fix it temporarily?

@fichtner
Member

fichtner commented Feb 25, 2024

Turn off IPS mode?

@LPJon
Author

LPJon commented Feb 25, 2024

@fichtner Well....there is that....and it works but effectively disables Suricata. There is a better solution over in the forums.....after you refused to look further into this to at least help provide a solution. Anyway, for anyone else looking for something that actually works while not disabling Suricata and killing their network security. Here is what I have tested and seems to work.

The forum links to support this comment are:
https://forum.opnsense.org/index.php?topic=38989.0
https://forum.suricata.io/t/my-traffic-gets-blocked-after-upgrading-to-suricata-7/3745

The links above describe that Suricata 7 has moved to a default of "drop (Close)" instead of "ignore (Open)". This causes exceptions in Suricata that lead to the packets being dropped.

What worked for me was editing the file shown at the path below with the code following that. Be sure to have Suricata disabled in the WebUI before applying this fix. Once the file has been edited, re-enable Suricata in the WebUI and test the network. The logs will still show the same NUMA errors, so they are useless here. OISF stated that they are moving the NUMA messages to the informational channel in logging, as they are not supposed to affect functionality.

IMPORTANT: According to the documentation this effectively turns the "applayer" into IDS mode (Off) in the cases of exceptions. They also discuss more about how Suricata will act more like a firewall in this way from version 7 on. More information about this can be found here.

File to edit:
/usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml

Code to add at the end of the file:

# Uncomment the line below to ignore all exceptions (Suricata 6.0.15 behavior) - you should not need this, but use it if the app-layer setting does not work
#exception-policy: ignore
app-layer:
  error-policy: ignore
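To make the effect of the custom.yaml overlay above concrete, here is an added example (not code from the issue, from OPNsense or from the Suricata project) that merges a base Suricata config fragment with an overlay and resolves which policy will actually be applied to app-layer parser errors in IPS versus IDS mode. The resolution rules are an assumption drawn from the Suricata 7 exception-policy documentation as I read it: `auto` becomes `drop-flow` in IPS mode and `ignore` in IDS mode, and `app-layer.error-policy` takes precedence over the global `exception-policy` for app-layer errors; verify both against the docs for your Suricata version. The config texts are constructed inline, and the YAML reader is a minimal hand-rolled one so the script runs without PyYAML.

```python
"""Resolve the effective Suricata exception policy for app-layer errors.

Merges a base suricata.yaml fragment with an OPNsense custom.yaml overlay
(both constructed sample texts) and reports whether app-layer parser
errors will drop traffic in IPS mode, before and after the overlay.
"""

# Assumption (Suricata 7 docs as I read them): "auto" resolves to drop-flow
# when running inline (IPS) and to ignore in IDS mode. Verify for your version.
AUTO_POLICY = {"ips": "drop-flow", "ids": "ignore"}

# Policies that cause traffic loss when a parser hits an exception.
DROPPING_POLICIES = {"drop-packet", "drop-flow", "reject"}

# Constructed sample: a Suricata 7 base config leaving the new default in place.
BASE_SURICATA7 = "exception-policy: auto\n"

# Constructed sample: the custom.yaml overlay from the comment above.
CUSTOM_YAML_FIX = """\
# Uncomment the line below to ignore all exceptions (Suricata 6.0.15 behavior)
#exception-policy: ignore
app-layer:
  error-policy: ignore
"""


def parse_simple_yaml(text):
    """Parse two-level `key: value` YAML; comments and blank lines are skipped."""
    result = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            if value:
                result[key] = value
                section = None
            else:
                result[key] = {}
                section = key
        elif section is not None:
            result[section][key] = value
        else:
            raise ValueError(f"unexpected indented line: {raw!r}")
    return result


def merge(base, overlay):
    """Overlay keys win; nested mappings are merged one level deep."""
    merged = {k: (dict(v) if isinstance(v, dict) else v) for k, v in base.items()}
    for k, v in overlay.items():
        if isinstance(v, dict) and isinstance(merged.get(k), dict):
            merged[k].update(v)
        else:
            merged[k] = v
    return merged


def effective_app_layer_policy(config, mode):
    """Policy applied to app-layer parser errors in the given mode (ips/ids)."""
    app_layer = config.get("app-layer", {})
    policy = app_layer.get("error-policy") or config.get("exception-policy", "auto")
    if policy == "auto":
        policy = AUTO_POLICY[mode]
    return policy


def resolve(base_text, overlay_text, mode):
    """Merge base and overlay texts and return the effective app-layer policy."""
    config = merge(parse_simple_yaml(base_text), parse_simple_yaml(overlay_text))
    return effective_app_layer_policy(config, mode)


def drops_on_parser_error(base_text, overlay_text, mode):
    """True when an app-layer exception would cause traffic to be dropped."""
    return resolve(base_text, overlay_text, mode) in DROPPING_POLICIES


if __name__ == "__main__":
    for label, overlay in (("stock Suricata 7", ""), ("with custom.yaml fix", CUSTOM_YAML_FIX)):
        for mode in ("ips", "ids"):
            policy = resolve(BASE_SURICATA7, overlay, mode)
            drops = drops_on_parser_error(BASE_SURICATA7, overlay, mode)
            print(f"{label:22} {mode}: app-layer error policy={policy:10} drops traffic={drops}")
```

The script shows the trade-off the comment describes: with the overlay, parser exceptions no longer close flows (IPS mode behaves like IDS for that class of events), so the sudden drops stop, but malformed or evasive traffic that trips a parser is now passed rather than blocked. The commented-out global `exception-policy: ignore` would widen that to every exception type, which is why the narrower `app-layer` setting is tried first.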

@fichtner
Member

Frankly, I’m not very fond of throwing ad-hominem around.

@opnsense opnsense locked as too heated and limited conversation to collaborators Feb 25, 2024
@LPJon LPJon changed the title Can't downgrade to 24.1.1 using opnsense-revert: opnsense has a missing dependency: suricata-stable/WAN Flapping due to Suricata 7.0.3 NUMA Nodes issue for FreeBSD [PARTIALLY SOLVED] Can't downgrade to 24.1.1 from 24.1.2_1 using opnsense-revert: opnsense has a missing dependency: suricata-stable/WAN Flapping due to Suricata 7.0.3 change in default behavior Feb 25, 2024
@LPJon LPJon closed this as completed Mar 20, 2024