[Oisf-users] Packets stucked in Nfqueue when running inline

Fernando Ortiz fernando.ortiz.f at gmail.com
Tue Aug 16 19:30:10 UTC 2011


Sorry the late of the answer. I got a server to make more test in production
again.
I patched Suricata. I still have the same problem with packets stucked

This output is after running suricata for about 12 hours with a throughput
around 15 mbps
Colas:
    1  10607   200 2 65535     0     0 51706878  1
    2  -4206   188 2 65535     0     0 51706879  1

pkts: 103405470         Alertas: 115222
sessions: 617097                ssn_memcap_drop: 0      segment_memcap_drop:
0

I had de Log Level in "info" which as I understand  it logs error, warning
and info. I restart suricata with Log Level = "warn" but I still don't see
any nfqueue warning. Only several of these two entries.

<Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in
parsing HTTP server response: [1] [htp_response.c] [360] Invalid C-L field
in response

 <Warning> (SSLv2Decode) -- [ERRCODE: SC_ERR_ALPARSER(59)] - SSLV2_MT_ERROR
msg_type recived.  Error encountered in establishing the sslv2 session, may
be version

I am running in Arch Linux, Kernel  2.6.32-lts. As anybody has comment about
this issue, it may look that is a problem at my side. At least maybe with
kernel or distro.

2011/6/30 Dave Remien <dave.remien at gmail.com>

>
>
> On Thu, Jun 30, 2011 at 2:53 PM, Eric Leblond <eric at regit.org> wrote:
>
>> Hi,
>>
>> Could you check by running Suricata with debug at warning level ?
>>
>> SC_LOG_LEVEL=warn /path/to/suricata $MY_BEAUTIFUL_CUSTOM_PARAMS
>>
>> Following a related discussion on netfilter-devel mailing list, it
>> appears that the problem could be due to a verdict failure. The problem
>> is that this case is detected and a message is displayed but only if
>> WARN or more log level is set.
>>
>> I've tried to reproduce the problem here (single powerful laptop and I
>> did not manage to make it).
>>
>>
> How many CPUs, at a question? Lots??
>
>
>> As suggested on Netfilter devel mailing list, I've modified the code to
>> try to reissue verdict. I attach the patch to the mail. I've tested this
>> patch and it seems to work fine (at least when the problem does not
>> occur).
>>
>>
> As it turns out, you can issue verdict on any packet in (or not in 8-) the
> nfqueue. I once had code that issued verdict on hundreds of K packets going
> backwards, in an attempt to clear the queue.  It'll be interesting to see if
> the queue gets cleared with Eric's patch.
>
> Cheers!
>
> Dave
>
>
>> Could you test it ?
>>
>> On Wed, 2011-06-22 at 02:50 -0500, Fernando Ortiz wrote:
>> >
>> > 2011/6/21 Dave Remien <dave.remien at gmail.com>
>> >         That's all new enough that the old "stuck packet" problem
>> >         shouldn't be reappearing (was a problem up until about 2.6.21
>> >         or 22).
>> >
>> >
>> >         Could you try running two instances of Suricata, one on each
>> >         queue, rather than a single instance on two queues?
>> >
>> >
>> >
>> >
>> > I ran two instances of Suricata at a time packets were getting
>> > stucked. I let them run for a quarter of hour,  zero packets stucked.
>> >
>> >
>> > Just for be sure I load balanced traffic across 4 queues. I ran 3
>> > instances of Suricata
>> >
>> >
>> > suricata -c /etc/suricata/suricata.yaml -q1 -q2 -D
>> > suricata -c /etc/suricata/suricata.yaml -q4 -D
>> > suricata -c /etc/suricata/suricata.yaml -q3 -D
>> >
>> >
>> > ips2 ~]# cat /proc/net/netfilter/nfnetlink_queue
>> >     1   3147    37 2 65535     0     0   325684  1
>> >     2  -4292    28 2 65535     0     0   325686  1
>> >     3   3692     0 2 65535     0     0   112386  1
>> >     4   3706     0 2 65535     0     0   112387  1
>> >
>> >
>> > That was interesting.
>> > _______________________________________________
>> > Oisf-users mailing list
>> > Oisf-users at openinfosecfoundation.org
>> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> --
>> Eric Leblond
>> Blog: http://home.regit.org/
>>
>
>
>
> --
> "Of course, someone who knows more about this will correct me if I'm
> wrong, and someone who knows less will correct me if I'm right."
> David Palmer (palmer at tybalt.caltech.edu)
>
>


-- 
Fernando Ortiz
Twitter: http://twitter.com/FernandOrtizF
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20110816/c72ba76d/attachment-0002.html>


More information about the Oisf-users mailing list