Divert mode "Write to ipfw divert socket failed: Permission denied"

Started by Hantritor, February 08, 2026, 04:15:39 PM

Sometimes, at a random point, I get these errors, which shut down Suricata. Did someone face it too?

> [101868] <Error> -- thread W-8000 failed
> [102152] <Warning> -- Write to ipfw divert socket failed: Permission denied

I'm unsure about "Permission denied" but we have a test version that gracefully handles EHOSTUNREACH/ENETUNREACH

https://github.com/opnsense/core/issues/9712#issuecomment-3865139847


Cheers,
Franco

Quote from: franco on February 08, 2026, 05:56:19 PM
> I'm unsure about "Permission denied" but we have a test version that gracefully handles EHOSTUNREACH/ENETUNREACH
>
> https://github.com/opnsense/core/issues/9712#issuecomment-3865139847

Thank you Franco!
I'm sorry, but I have no idea how to implement the patch. Can you please hint how to do that?

Quote from: Hantritor on February 09, 2026, 10:14:09 PM
> I'm sorry but i have no idea how to implement the patch, can you please hint how to do that?

See: https://github.com/opnsense/core/issues/9712#issuecomment-3866792301 ;)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Still no idea on "permission denied". It indicates insufficient permission, but Suricata runs as root and there should be no restrictions placed on a default install GUI only use regarding what Suricata can do.


Cheers,
Franco

It crashes on:

2026-02-11T19:03:36 Error suricata[102643] <Error> -- thread W-8000 failed
2026-02-11T19:03:36 Warning suricata[103107] <Warning> -- Write to ipfw divert socket failed: Invalid argument


I applied https://github.com/opnsense/core/issues/9712#issuecomment-3866792301 and it still crashes on

Invalid argument


Will this fix allow the firewall to continue if suricata crashes/fails?

> Invalid argument

This wasn't fixed by the recent change. It's also different from the initial "Permission denied".

> Will this fix allow the firewall to continue if suricata crashes/fails?

This isn't supported by FreeBSD at the moment as far as I know.


Cheers,
Franco

Thank you, Franco.
I thought that somehow the error "Invalid argument" was of the same nature. This error is very annoying and crashes Suricata almost every few minutes. Is there a way that I can gather more information from the system regarding the error and provide it in a more structured and correct way?

Ok so EINVAL means the destination address is malformed and this could be a "normal" error. I'm not sure about EACCESS. Need to do a bit more research.


Cheers,
Franco

I'm experiencing the exact same behavior now after yesterday's update.

Your Threat Intelligence Partner  qfeeds.com

I am also running into this issue about every 3 days, and it kills all traffic with divert rules until I manually restart the Suricata service.

Currently running most recent stable version
OPNsense 26.1.3-amd64

Most recent example:
2026-03-08T18:34:56-07:00 Error suricata [101733] <Error> -- thread W-8000 failed
2026-03-08T18:34:56-07:00 Warning suricata [103270] <Warning> -- Write to ipfw divert socket failed: Permission denied

I've resorted to disabling divert mode until the root cause can be identified and worked out.
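For anyone who, like the posters above, wants to gather the failures in a more structured way before the fix lands: the following is an added example, not code from this thread, OPNsense or Suricata. It parses log lines in the two spacings shown above, maps the strerror text back to its errno name through the C library's own table (so "Permission denied" becomes EACCES and "Invalid argument" becomes EINVAL), and pairs each divert write failure with the worker-thread failure logged in the same second, which is the condition under which traffic on the divert rule stops until Suricata is restarted. The sample log is constructed in the shape of the excerpts posted here.

```python
import errno
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the shape of the OPNsense/Suricata excerpts posted in this thread
SAMPLE_LOG = """\
2026-03-08T18:34:56-07:00 Error suricata [101733] <Error> -- thread W-8000 failed
2026-03-08T18:34:56-07:00 Warning suricata [103270] <Warning> -- Write to ipfw divert socket failed: Permission denied
2026-02-11T19:03:36 Error suricata[102643] <Error> -- thread W-8000 failed
2026-02-11T19:03:36 Warning suricata[103107] <Warning> -- Write to ipfw divert socket failed: Invalid argument
2026-02-11T19:05:00 Notice suricata[103107] <Notice> -- all 4 packet processing threads initialized
"""

# One pattern copes with both spacings seen in the thread: "suricata [pid]" and "suricata[pid]"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+suricata\s*\[(?P<pid>\d+)\]\s+<\w+>\s+--\s+(?P<msg>.*)$")
DIVERT_RE = re.compile(r"Write to ipfw divert socket failed: (?P<strerror>.+)$")
THREAD_RE = re.compile(r"thread (?P<thread>\S+) failed$")
# strerror() text -> errno name, taken from the C library's own table ("Permission denied" -> EACCES)
STRERROR_TO_NAME: Dict[str, str] = {os.strerror(code): name for code, name in errno.errorcode.items()}

@dataclass
class DivertFailure:
    timestamp: str
    pid: int
    errno_name: str               # EACCES, EINVAL, ... or UNKNOWN when the text is not in the table
    strerror: str
    failed_thread: Optional[str]  # worker thread that failed in the same second, if any

def parse_divert_failures(log_text: str) -> List[DivertFailure]:
    """Extract each divert-socket write failure, paired with a thread failure logged at the same second."""
    failed_threads: Dict[str, str] = {}
    failures: List[DivertFailure] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a suricata line in the expected shape
        ts, pid, msg = m["ts"], int(m["pid"]), m["msg"]
        if (t := THREAD_RE.search(msg)):
            failed_threads[ts] = t["thread"]
        elif (d := DIVERT_RE.search(msg)):
            strerror = d["strerror"].strip()
            failures.append(DivertFailure(ts, pid, STRERROR_TO_NAME.get(strerror, "UNKNOWN"),
                                          strerror, failed_threads.get(ts)))
    return failures

def divert_traffic_down(failures: List[DivertFailure]) -> bool:
    """True when a divert write failure also took a worker thread down: the divert rule now drops packets."""
    return any(f.failed_thread is not None for f in failures)
```

Feeding it the Suricata log from the GUI or `/var/log/suricata` gives a per-incident record (timestamp, errno name, failed thread) that is easier to attach to the GitHub issue than raw excerpts, and `divert_traffic_down` is the condition a monitor would alert on.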

Ok, I traced the kernel code and it appears to reinject the packet at which point the firewall is asked for outbound and then the packet is rejected:

https://github.com/opnsense/src/blob/6e01be67e8f2218a2825860ef581a988b405902d/sys/netinet/ip_output.c#L129-L130

Easy fix for 26.1.4.


Cheers,
Franco