
T6659: suricata: use unique cluster_id per interface #3992

Merged: 1 commit merged into vyos:current on Aug 16, 2024

Conversation

lucasec (Contributor) commented Aug 16, 2024

Change Summary

If I assign suricata to monitor more than one interface, the suricata process consumes 100% CPU for about 30 seconds at startup, then crashes and repeats.

This appears to be because we use the same "cluster-id: 99" for every interface under the "af-packet" section of the YAML config. I am relatively new to configuring this daemon, but from a quick perusal of documentation and reference materials I could find, a unique cluster_id is expected for every interface (these can simply be incrementing or decrementing numbers—it's not clear what the acceptable range is or whether it is possible to conflict with other applications).

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

https://vyos.dev/T6659

Related PR(s)

Component(s) name

suricata

Proposed changes

This changes

How to test

You'll need a basic Suricata config with at least two interfaces configured:

set service suricata address-group aim-servers group 'external-net'
set service suricata address-group dc-servers group 'home-net'
set service suricata address-group dnp3-client group 'home-net'
set service suricata address-group dnp3-server group 'home-net'
set service suricata address-group dns-servers group 'home-net'
set service suricata address-group enip-client group 'home-net'
set service suricata address-group enip-server group 'home-net'
set service suricata address-group external-net group '!home-net'
set service suricata address-group home-net address '10.0.0.0/8'
set service suricata address-group http-servers group 'home-net'
set service suricata address-group modbus-client group 'home-net'
set service suricata address-group modbus-server group 'home-net'
set service suricata address-group smtp-servers group 'home-net'
set service suricata address-group sql-servers group 'home-net'
set service suricata address-group telnet-servers group 'home-net'
set service suricata interface 'eth1'
set service suricata interface 'eth2'
set service suricata log eve type 'alert'
set service suricata log eve type 'anomaly'
set service suricata port-group dnp3-ports port '20000'
set service suricata port-group file-data-ports group 'http-ports'
set service suricata port-group file-data-ports port '110'
set service suricata port-group file-data-ports port '143'
set service suricata port-group ftp-ports port '21'
set service suricata port-group geneve-ports port '6081'
set service suricata port-group http-ports port '80'
set service suricata port-group modbus-port port '502'
set service suricata port-group oracle-ports port '1521'
set service suricata port-group shellcode-ports group '!http-ports'
set service suricata port-group ssh-ports port '22'
set service suricata port-group teredo-ports port '3544'
set service suricata port-group vxlan-ports port '4789'

(unfortunately with the required default dictionaries the config is pretty large)

Smoketest result

There are currently no smoketests for Suricata.

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
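The cluster-id problem described in the change summary, as an added example that is not VyOS or Suricata code: it renders the af-packet section both the way the PR reports it (every interface with `cluster-id: 99`) and with one id per interface, then runs a line-based check over the generated YAML that flags any cluster-id shared by two or more interfaces. The interface names `eth1`/`eth2` come from the PR's test config; the decrementing id scheme, the 16-bit id range (Linux packet fanout group ids), and the assumed `- interface:` / `cluster-id:` layout of each list item are this example's assumptions.

```python
"""Assign and validate unique af-packet cluster-ids for Suricata interfaces.

Added example, not VyOS or Suricata code. It models the behaviour the PR
describes (every interface rendered with ``cluster-id: 99``) beside the fix
(one id per interface) and provides a line-based check that flags duplicates
in an existing ``af-packet`` section. Interface names and ids are constructed.
"""
import re
from typing import Dict, List, Optional

# Assumption: Linux packet fanout group ids are 16-bit, so this is the valid range.
CLUSTER_ID_MIN = 0
CLUSTER_ID_MAX = 65535


def render_shared_id(interfaces: List[str], cluster_id: int = 99) -> List[Dict]:
    """The buggy layout: every interface shares one cluster-id (as the PR reports)."""
    return [
        {"interface": iface, "cluster-id": cluster_id,
         "cluster-type": "cluster_flow", "defrag": "yes"}
        for iface in interfaces
    ]


def render_unique_id(interfaces: List[str], start_id: int = 99) -> List[Dict]:
    """The fixed layout: ids decrement from start_id so each interface is unique.

    Decrementing is an assumption of this example; the point is only that no
    two interfaces share a value and that the ids stay inside the valid range.
    """
    if start_id > CLUSTER_ID_MAX or start_id - (len(interfaces) - 1) < CLUSTER_ID_MIN:
        raise ValueError("not enough cluster-ids below start_id for all interfaces")
    return [
        {"interface": iface, "cluster-id": start_id - n,
         "cluster-type": "cluster_flow", "defrag": "yes"}
        for n, iface in enumerate(interfaces)
    ]


def to_yaml(entries: List[Dict]) -> str:
    """Render the af-packet section as a block list (no PyYAML dependency)."""
    lines = ["af-packet:"]
    for e in entries:
        lines.append(f"  - interface: {e['interface']}")
        for key in ("cluster-id", "cluster-type", "defrag"):
            lines.append(f"    {key}: {e[key]}")
    return "\n".join(lines) + "\n"


_IFACE_RE = re.compile(r"^\s*-\s*interface:\s*(\S+)")
_CID_RE = re.compile(r"^\s*cluster-id:\s*(\d+)")


def parse_af_packet(yaml_text: str) -> List[Dict]:
    """Line-based scan of an af-packet list: one entry per '- interface:' item.

    Assumes each item starts with '- interface:' and carries its own
    'cluster-id:' line; YAML anchors or flow style are out of scope here.
    """
    entries: List[Dict] = []
    current: Optional[Dict] = None
    for line in yaml_text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = {"interface": m.group(1)}
            entries.append(current)
            continue
        m = _CID_RE.match(line)
        if m and current is not None:
            current["cluster-id"] = int(m.group(1))
    return entries


def duplicate_cluster_ids(entries: List[Dict]) -> Dict[int, List[str]]:
    """Map each cluster-id used by more than one interface to those interfaces."""
    by_id: Dict[int, List[str]] = {}
    for e in entries:
        cid = e.get("cluster-id")
        if cid is not None:
            by_id.setdefault(cid, []).append(e["interface"])
    return {cid: ifaces for cid, ifaces in by_id.items() if len(ifaces) > 1}


if __name__ == "__main__":
    ifaces = ["eth1", "eth2"]  # constructed; mirrors the PR's test config
    broken = to_yaml(render_shared_id(ifaces))
    print("duplicates before fix:", duplicate_cluster_ids(parse_af_packet(broken)))
    fixed = to_yaml(render_unique_id(ifaces))
    print("duplicates after fix:", duplicate_cluster_ids(parse_af_packet(fixed)))
    print(fixed)
```

Pointing `parse_af_packet` at the `af-packet:` section of a generated suricata.yaml and getting a non-empty result from `duplicate_cluster_ids` is exactly the condition the summary describes; an empty result after the fix is the check a reviewer would want before the CPU-spin-and-crash symptom is declared resolved.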

@lucasec lucasec requested a review from a team as a code owner August 16, 2024 05:21

👍
No issues in PR Title / Commit Title

@sever-sever sever-sever merged commit 003209e into vyos:current Aug 16, 2024
13 of 14 checks passed