<br><br><div class="gmail_quote">On Mon, Mar 5, 2012 at 3:29 PM, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On 03/05/2012 01:37 AM, tingwei liu wrote:<br>
><br>
><br>
> On Fri, Mar 2, 2012 at 5:34 PM, Eric Leblond <<a href="mailto:eric@regit.org">eric@regit.org</a><br>
</div><div class="im">> <mailto:<a href="mailto:eric@regit.org">eric@regit.org</a>>> wrote:<br>
><br>
> Hello,<br>
><br>
> Le jeudi 01 mars 2012 à 17:11 +0800, tingwei liu a écrit :<br>
> ><br>
> ><br>
> > On Wed, Feb 29, 2012 at 6:57 PM, tingwei liu <<a href="mailto:tingw.liu@gmail.com">tingw.liu@gmail.com</a><br>
</div>> <mailto:<a href="mailto:tingw.liu@gmail.com">tingw.liu@gmail.com</a>>><br>
<div><div class="h5">> > wrote:<br>
> > I have installed suricata-1.2.1 with enable nfqueue on fedora<br>
> > 15 system.<br>
> ><br>
> > #>iptables -I FORWARD -j NFQUEUE --queue-num 3<br>
> > #>suricata -c /etc/suricata/suricata.yaml -q 3 -D<br>
> > Only emergency-ftp.rules loaded.<br>
> ><br>
> > It works, but performance is very poor.<br>
> > I test it by transfer files from ftp server.<br>
> > Before running last two commands, the bandwidth is 100Mbps;<br>
> > After nfqueue and suricata running, the bandwidth only 1Mbps.<br>
> ><br>
> ><br>
> > Who can tell me which parameters should be changed ?<br>
> > Thanks!<br>
> ><br>
> > I have test some parameters. I find the key is network topology.<br>
> > If suricata run a linux server with bridge mode, it's performance is<br>
> > poor.<br>
> > If suricata run a linux server which is a gataway, it's good.<br>
> > Why?<br>
><br>
> First point: what is the performance of bridge mode without IPS ?<br>
><br>
> I mean the bandwidth of forward, in my case ,the bandwidth of birdge<br>
> mode with NFQ only 30Mbps, without NFQ almost 100Mbps.<br>
><br>
><br>
> Second point: That's really strange. I've never heard about such issue<br>
> related to NFQ. I see one potential thing: the routing in gateway mode<br>
> is IP level and the routing in bridge mode is ethernet level.<br>
> Maybe there is an issue with the rerouting done at the time of the<br>
> verdict in gateway mode. This issue could be checked by fixing the arp<br>
> entry of the computers used for testing.<br>
><br>
> I have two kernels 2.6.38 and 3.0.8. The forward bandwidth of 2.6.38<br>
> kernel in bridge mode with NFQ is 100Mbps, but the forward bandwidth of<br>
> 3.0.8 kernel in bridge mode with NFQ is 30Mbps.<br>
> The two kernels run a same box with the same parameters.(Fedora core 15)<br>
><br>
> Thanks for your reply!<br>
<br>
</div></div>I noticed you have the same issue with Snort. It seems to me this is an<br>
issue with the kernel or the kernel/userspace interaction.<br>
<br>
In the utils dir here:<br>
<a href="http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_queue.git;a=tree" target="_blank">http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_queue.git;a=tree</a><br>
<br>
you'll find a nfqnl_test.c. Can you try that?<br>
<span class="HOEnZb"><font color="#888888"><br></font></span></blockquote><div>Thanks for your reply!<br> I build and test it. Also the same issue.<br>I have captured packets with wireshark on nfqueue mode. There are many packes with TCP DUP ACK.</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="HOEnZb"><font color="#888888">
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</div></div></blockquote></div><br>