
Bug#793086: arpalert: Stopping arpalert service with "systemctl stop arpalert" does not work in a reliable way.



Package: arpalert
Version: 2.0.11-7.1
Severity: normal

Dear Maintainer,


Stopping the arpalert service with "systemctl stop arpalert" does not work in a reliable way when the service
listens on multiple interfaces (for instance interface = eth0,eth1,eth2,eth3,eth4 in arpalert.conf).
Sometimes the process stops, while other times it continues to run:


root@leszek-test:~# systemctl start arpalert ; sleep 5
root@leszek-test:~# systemctl stop arpalert ; sleep 5 ; ps faux|grep  arpalert ; tail  /var/log/syslog
root     18468  0.0  0.2  12720  2200 pts/0    S+   01:12   0:00  |               |   \_ grep arpalert
arpalert 18448  0.1  1.4  30328 15108 ?        S    01:11   0:00 /usr/sbin/arpalert -d -f /etc/arpalert/arpalert.conf
Jul 15 01:11:55 leszek-test arpalert[18443]: arpalert.
Jul 15 01:11:55 leszek-test arpalert[18443]: Jul  15 01:11:55 arpalert: Selected device: eth0
Jul 15 01:11:55 leszek-test arpalert[18443]: Jul  15 01:11:55 arpalert: Selected device: eth1
Jul 15 01:11:55 leszek-test arpalert[18443]: Jul  15 01:11:55 arpalert: Selected device: eth2
Jul 15 01:11:55 leszek-test arpalert[18443]: Jul  15 01:11:55 arpalert: Selected device: eth3
Jul 15 01:11:55 leszek-test arpalert[18443]: Jul  15 01:11:55 arpalert: Selected device: eth4
Jul 15 01:12:03 leszek-test arpalert: seq=55, mac=00:0c:21:1b:75:f0, ip=10.1.2.52, type=new, dev=eth3, vendor="VMware, Inc."
Jul 15 01:12:03 leszek-test arpalert: seq=56, mac=00:0c:22:7a:ac:92, ip=10.1.2.63, type=new, dev=eth3, vendor="VMware, Inc."
Jul 15 01:12:05 leszek-test arpalert: seq=96, mac=00:0c:12:3c:28:7c, ip=10.1.7.1, reference=10.1.7.3, type=ip_change, dev=eth1, vendor="VMware, Inc."
Jul 15 01:12:14 leszek-test arpalert[18461]: Stopping Ethernet station monitor daemon: arpalert.


We've noticed that stopping the service works reliably when in arpalert.conf we have a single interface to 
be monitored (interface = eth0).




-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages arpalert depends on:
ii  adduser     3.113+nmu3
ii  libc6       2.19-18
ii  libpcap0.8  1.6.2-2

arpalert recommends no packages.

arpalert suggests no packages.

-- Configuration Files:
/etc/arpalert/arpalert.conf changed:
maclist file = "/etc/arpalert/maclist.allow"
maclist alert file = "/etc/arpalert/maclist.deny"
maclist leases file = "/var/lib/arpalert/arpalert.leases"
lock file = "/var/run/arpalert.pid"
use syslog = true
log level = 6
user = arpalert
umask = 177
dump packet = false
daemon = false
dump inter = 5
catch only arp = true
interface = eth0,eth1,eth2,eth3,eth4
action on detect = ""
mod on detect = ""
mod config = ""
execution timeout = 10
max alert = 20
dump black list = false
dump white list = false
dump new address = true
mac timeout = 259200
max entry = 1000000
anti flood interval = 5  
anti flood global = 50
mac vendor file = "/etc/arpalert/oui.txt"
log mac vendor = true
alert mac vendor = true
mod mac vendor = true
log referenced address = false
alert on referenced address = false
mod on referenced address = false
log deny address = true
alert on deny address = true
mod on deny address = true
log new address = true
alert on new address = true
mod on new address = true
log new mac address = true
alert on new mac address = true
mod on new mac address = true
log ip change = true
alert on ip change = true
mod on ip change = true
log mac change = true
alert on mac change = true
mod on mac change = true
log unauth request = false
alert on unauth request = false
mod on unauth request = false
ignore unknown sender = false
ignore me = true
ignore self test = false
unauth ignore time method = 2
log request abus = true
alert on request abus = true
mod on request abus = true
max request = 1000000
log mac error = true
alert on mac error = true
mod on mac error = true
log flood = true
alert on flood	= true
mod on flood = true


-- no debconf information

