Sometimes at random point I get those errors that shuts down Suricata. Did some one faced it too?
Quote[101868] <Error> -- thread W-8000 failed
[102152] <Warning> -- Write to ipfw divert socket failed: Permission denied
I'm unsure about "Permission denied" but we have a test version that gracefully handles EHOSTUNREACH/ENETUNREACH
https://github.com/opnsense/core/issues/9712#issuecomment-3865139847
Cheers,
Franco
Quote from: franco on February 08, 2026, 05:56:19 PMI'm unsure about "Permission denied" but we have a test version that gracefully handles EHOSTUNREACH/ENETUNREACH
https://github.com/opnsense/core/issues/9712#issuecomment-3865139847
Cheers,
Franco
Thank you Franco!
I'm sorry but i have no idea how to implement the patch, can you please hint how to do that?
Quote from: Hantritor on February 09, 2026, 10:14:09 PMI'm sorry but i have no idea how to implement the patch, can you please hint how to do that?
See : https://github.com/opnsense/core/issues/9712#issuecomment-3866792301 ;)
Still no idea on "permission denied". It indicates insufficient permission, but Suricata runs as root and there should be no restrictions placed on a default install GUI only use regarding what Suricata can do.
Cheers,
Franco
It's crushes on:
2026-02-11T19:03:36Errorsuricata[102643] <Error> -- thread W-8000 failed
2026-02-11T19:03:36Warningsuricata[103107] <Warning> -- Write to ipfw divert socket failed: Invalid argument
I applied the https://github.com/opnsense/core/issues/9712#issuecomment-3866792301 and it's still crushes on
Invalid argument
Will this fix allow the firewall to continue if suricata crashes/fails?
> Invalid argument
This wasn't fixed by the recent change. It's also different from the initial "Permission denied".
> Will this fix allow the firewall to continue if suricata crashes/fails?
This isn't supported by FreeBSD at the moment as far as I know.
Cheers,
Franco
Thank you franco.
I thought that somehow the error "Invalid argument" is same nature. This error is very annoying and crushes Suricata almost every few minutes. Is there a way that i can gather more information from the system regarding the error and to provide it in some kind of more structured and correct way?
Ok so EINVAL means the destination address is malformed and this could be a "normal" error. I'm not sure about EACCESS. Need to do a bit more research.
Cheers,
Franco
I'm experiencing the exact same behavior now after yesterday's update.
I am also running into this issue about every 3 days, and it kills all traffic with divert rules until I manually restart the Suricata service.
Currently running most recent stable version
OPNsense 26.1.3-amd64
Most recent example:
2026-03-08T18:34:56-07:00 Error suricata [101733] <Error> -- thread W-8000 failed
2026-03-08T18:34:56-07:00 Warning suricata [103270] <Warning> -- Write to ipfw divert socket failed: Permission denied
I've resorted to disabling divert mode until root cause can be identified and worked out
Ok, I traced the kernel code and it appears to reinject the packet at which point the firewall is asked for outbound and then the packet is rejected:
https://github.com/opnsense/src/blob/6e01be67e8f2218a2825860ef581a988b405902d/sys/netinet/ip_output.c#L129-L130
Easy fix for 26.1.4.
Cheers,
Franco
Great thank you for locating this!