That's all new enough that the old "stuck packet" problem shouldn't be reappearing (was a problem up until about 2.6.21 or 22). <div><div><br></div><div>Could you try running two instances of Suricata, one on each queue, rather than a single instance on two queues? </div>
<div><br></div><div>As a separate thing, do you have tunnels crossing the IPS that have traffic being inspected?</div><div><br></div><div><br></div><div><div class="gmail_quote">On Tue, Jun 21, 2011 at 10:36 AM, Fernando Ortiz <span dir="ltr"><<a href="mailto:fernando.ortiz.f@gmail.com" target="_blank">fernando.ortiz.f@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Dave, Suricata is running in Arch Linux, <div><br></div><div>Kernel 2.6.32-lts</div><div>llibnetfilter_queue-1.0.0-1 is up to date</div>
<div>libnfnetlink-1.0.0-1</div><div><div></div><div><div><br><br><div class="gmail_quote">2011/6/21 Dave Remien <span dir="ltr"><<a href="mailto:dave.remien@gmail.com" target="_blank">dave.remien@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>What versions of the kernel, nfnetlink and nfnetlink_queue are you running? </div><div><div></div><div>
<div><br></div><div><br></div><div>>Everything seems to work just fine, but when I check nfnetlink_queue, i see</div><div>>there are some packets in queue waiting for verdict.</div>
<div>></div><div>>@ips2 ~]# cat /proc/net/netfilter/nfnetlink_queue</div><div>> 1 10893 *555* 2 65535 0 0 169915460 1</div><div>> 2 -4282 *552* 2 65535 0 0 169915475 1</div><div><br>
</div></div></div>
<br>
</blockquote></div><br><br>
</div>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>"Of course, someone who knows more about this will correct me if I'm<br>wrong, and someone who knows less will correct me if I'm right." <br>
David Palmer (<a href="mailto:palmer@tybalt.caltech.edu" target="_blank">palmer@tybalt.caltech.edu</a>)<br><br>
</div></div>