<br><br><div class="gmail_quote">On Thu, Jun 30, 2011 at 2:53 PM, Eric Leblond <span dir="ltr"><<a href="mailto:eric@regit.org">eric@regit.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Hi,<br>
<br>
Could you check by running Suricata with debug at warning level ?<br>
<br>
SC_LOG_LEVEL=warn /path/to/suricata $MY_BEAUTIFUL_CUSTOM_PARAMS<br>
<br>
Following a related discussion on netfilter-devel mailing list, it<br>
appears that the problem could be due to a verdict failure. The problem<br>
is that this case is detected and a message is displayed but only if<br>
WARN or more log level is set.<br>
<br>
I've tried to reproduce the problem here (single powerful laptop and I<br>
did not manage to make it).<br>
<br></blockquote><div><br></div><div>How many CPUs, at a question? Lots??</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
As suggested on Netfilter devel mailing list, I've modified the code to<br>
try to reissue verdict. I attach the patch to the mail. I've tested this<br>
patch and it seems to work fine (at least when the problem does not<br>
occur).<br>
<br></blockquote><div><br></div><div>As it turns out, you can issue verdict on any packet in (or not in 8-) the nfqueue. I once had code that issued verdict on hundreds of K packets going backwards, in an attempt to clear the queue. It'll be interesting to see if the queue gets cleared with Eric's patch. </div>
<div><br></div><div>Cheers!</div><div><br></div><div>Dave</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Could you test it ?<br>
<div class="im"><br>
On Wed, 2011-06-22 at 02:50 -0500, Fernando Ortiz wrote:<br>
><br>
</div><div><div></div><div class="h5">> 2011/6/21 Dave Remien <<a href="mailto:dave.remien@gmail.com">dave.remien@gmail.com</a>><br>
> That's all new enough that the old "stuck packet" problem<br>
> shouldn't be reappearing (was a problem up until about 2.6.21<br>
> or 22).<br>
><br>
><br>
> Could you try running two instances of Suricata, one on each<br>
> queue, rather than a single instance on two queues?<br>
><br>
><br>
><br>
><br>
> I ran two instances of Suricata at a time packets were getting<br>
> stucked. I let them run for a quarter of hour, zero packets stucked.<br>
><br>
><br>
> Just for be sure I load balanced traffic across 4 queues. I ran 3<br>
> instances of Suricata<br>
><br>
><br>
> suricata -c /etc/suricata/suricata.yaml -q1 -q2 -D<br>
> suricata -c /etc/suricata/suricata.yaml -q4 -D<br>
> suricata -c /etc/suricata/suricata.yaml -q3 -D<br>
><br>
><br>
> ips2 ~]# cat /proc/net/netfilter/nfnetlink_queue<br>
> 1 3147 37 2 65535 0 0 325684 1<br>
> 2 -4292 28 2 65535 0 0 325686 1<br>
> 3 3692 0 2 65535 0 0 112386 1<br>
> 4 3706 0 2 65535 0 0 112387 1<br>
><br>
><br>
> That was interesting.<br>
</div></div><div class="im">> _______________________________________________<br>
> Oisf-users mailing list<br>
> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
--<br>
</div><div><div></div><div class="h5">Eric Leblond<br>
Blog: <a href="http://home.regit.org/" target="_blank">http://home.regit.org/</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>"Of course, someone who knows more about this will correct me if I'm<br>wrong, and someone who knows less will correct me if I'm right." <br>
David Palmer (<a href="mailto:palmer@tybalt.caltech.edu">palmer@tybalt.caltech.edu</a>)<br><br>