<div dir="ltr">Oliver, Et. Al.<div><br></div>Thank you for the time, I went from 2.0.9 to 2.1beta4 without changing the conf file, and missed that as an option. Thank you for pointing it out. My netmap section now looks like this, and does what I expect it to. <blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">netmap:</blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> - interface: default</blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> threads: auto</blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> copy-mode: ips</blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> disable-promisc: no</blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> checksum-checks: auto</blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> - interface: ix0</blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> copy-iface: ix1</blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> - interface: ix1</blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> copy-iface: ix0</blockquote></div></blockquote><div><br></div><div>Next issue: Increasing Throughput:</div><div>I'm currently running a ruleset with 16 617 rules in it, and seeing my throughput drop from 3.2 Gb/s to 600 Mb/s with suricata running. Suricata is running in netmap mode (workers), and I'm thinking that i can get my throughput higher by putting it in autofp mode. The problem is that when Suricata is running in autofp mode (so that i can get multiple detection threads), it stops passing traffic. </div><div><br></div><div>Typical output after stopping Suricata --netmap (workers) after about 30 seconds is something like:</div><div><br></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><Notice> - Stats for 'ix0': pkts: 1522757, drop: 0 (0.00%), invalid chksum: 0</blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><Notice> - Stats for 'ix1': pkts: 761553, drop: 0 (0.00%), invalid chksum: 0</blockquote></div></blockquote><div><br></div><div>But when running in autofp mode, i'm getting SIGNIFICANTLY less packets, almost none. </div><div><br></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><Notice> - Stats for 'ix0': pkts: 9, drop: 0 (0.00%), invalid chksum: 0</blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><Notice> - Stats for 'ix1': pkts: 19, drop: 0 (0.00%), invalid chksum: 0</blockquote></div></blockquote><div><br></div><div>Any insight would be greatly appreciated.<br></div><div><br></div><div>Thank you again for reading. </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 23, 2015 at 11:03 AM, Oliver Humpage <span dir="ltr"><<a href="mailto:oliver@watershed.co.uk" target="_blank">oliver@watershed.co.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
> On 23 Oct 2015, at 16:44, Shane Boissevain <<a href="mailto:shaneboissevain@gmail.com">shaneboissevain@gmail.com</a>> wrote:<br>
><br>
> My questions are:<br>
> 1) Has anyone done this before?<br>
<br>
</span>Sort of.<br>
<span class=""><br>
> 2) Am i going about this all wrong?<br>
<br>
</span>I’m interested in why you’ve got FreeBSD set up as a bridge. What I’ve tended to do is set it up as a normal router, with normal IPs, so that hosts on the networks it’s connecting know to send packets through it. However, netmap then sits on top of that to snaffle the packets that come into an interface and copy them out of the other without them ever troubling the kernel’s routing table, a *bit* like a bridge.<br>
<br>
If you setup your box as a normal router, then use roughly this netmap config in suricata:<br>
<br>
netmap:<br>
- interface: int_if<br>
copy-mode: ips<br>
copy-iface: ext_if<br>
- interface: ext_if<br>
copy-mode: ips<br>
copy-iface: int_if<br>
<br>
That should be all you need.<br>
<br>
Personally, I have more than two interfaces, so I do actually need the kernel to route them. In my case I can set int_if to copy packets to int_if+ (so the kernel just thinks the packet has come in on the interface, and can route it itself). Similarly interface int_if+ copies to int_if to get the reverse flow.<br>
<br>
I’m pretty sure I’ve had both bridgey and routey setups working fine. I suspect if you’re bridging in the OS (i.e. passing ARP around) netmap may well be getting in the way of that.<br>
<br>
I’ve been absolutely itching to get netmap into production, but I’m waiting for a proper suricata release with netmap in rather than running beta, so it’s been a small while since I had a test rig up and running with this stuff. Apologies if I’m a bit rusty and have gotten anything wrong.<br>
<span class="HOEnZb"><font color="#888888"><br>
Oliver.<br>
<br>
</font></span></blockquote></div><br></div>