[Oisf-users] Packets stucked in Nfqueue when running inline
Fernando Ortiz
fernando.ortiz.f at gmail.com
Tue Aug 16 19:30:10 UTC 2011
Sorry the late of the answer. I got a server to make more test in production
again.
I patched Suricata. I still have the same problem with packets stucked
This output is after running suricata for about 12 hours with a throughput
around 15 mbps
Colas:
1 10607 200 2 65535 0 0 51706878 1
2 -4206 188 2 65535 0 0 51706879 1
pkts: 103405470 Alertas: 115222
sessions: 617097 ssn_memcap_drop: 0 segment_memcap_drop:
0
I had de Log Level in "info" which as I understand it logs error, warning
and info. I restart suricata with Log Level = "warn" but I still don't see
any nfqueue warning. Only several of these two entries.
<Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error in
parsing HTTP server response: [1] [htp_response.c] [360] Invalid C-L field
in response
<Warning> (SSLv2Decode) -- [ERRCODE: SC_ERR_ALPARSER(59)] - SSLV2_MT_ERROR
msg_type recived. Error encountered in establishing the sslv2 session, may
be version
I am running in Arch Linux, Kernel 2.6.32-lts. As anybody has comment about
this issue, it may look that is a problem at my side. At least maybe with
kernel or distro.
2011/6/30 Dave Remien <dave.remien at gmail.com>
>
>
> On Thu, Jun 30, 2011 at 2:53 PM, Eric Leblond <eric at regit.org> wrote:
>
>> Hi,
>>
>> Could you check by running Suricata with debug at warning level ?
>>
>> SC_LOG_LEVEL=warn /path/to/suricata $MY_BEAUTIFUL_CUSTOM_PARAMS
>>
>> Following a related discussion on netfilter-devel mailing list, it
>> appears that the problem could be due to a verdict failure. The problem
>> is that this case is detected and a message is displayed but only if
>> WARN or more log level is set.
>>
>> I've tried to reproduce the problem here (single powerful laptop and I
>> did not manage to make it).
>>
>>
> How many CPUs, at a question? Lots??
>
>
>> As suggested on Netfilter devel mailing list, I've modified the code to
>> try to reissue verdict. I attach the patch to the mail. I've tested this
>> patch and it seems to work fine (at least when the problem does not
>> occur).
>>
>>
> As it turns out, you can issue verdict on any packet in (or not in 8-) the
> nfqueue. I once had code that issued verdict on hundreds of K packets going
> backwards, in an attempt to clear the queue. It'll be interesting to see if
> the queue gets cleared with Eric's patch.
>
> Cheers!
>
> Dave
>
>
>> Could you test it ?
>>
>> On Wed, 2011-06-22 at 02:50 -0500, Fernando Ortiz wrote:
>> >
>> > 2011/6/21 Dave Remien <dave.remien at gmail.com>
>> > That's all new enough that the old "stuck packet" problem
>> > shouldn't be reappearing (was a problem up until about 2.6.21
>> > or 22).
>> >
>> >
>> > Could you try running two instances of Suricata, one on each
>> > queue, rather than a single instance on two queues?
>> >
>> >
>> >
>> >
>> > I ran two instances of Suricata at a time packets were getting
>> > stucked. I let them run for a quarter of hour, zero packets stucked.
>> >
>> >
>> > Just for be sure I load balanced traffic across 4 queues. I ran 3
>> > instances of Suricata
>> >
>> >
>> > suricata -c /etc/suricata/suricata.yaml -q1 -q2 -D
>> > suricata -c /etc/suricata/suricata.yaml -q4 -D
>> > suricata -c /etc/suricata/suricata.yaml -q3 -D
>> >
>> >
>> > ips2 ~]# cat /proc/net/netfilter/nfnetlink_queue
>> > 1 3147 37 2 65535 0 0 325684 1
>> > 2 -4292 28 2 65535 0 0 325686 1
>> > 3 3692 0 2 65535 0 0 112386 1
>> > 4 3706 0 2 65535 0 0 112387 1
>> >
>> >
>> > That was interesting.
>> > _______________________________________________
>> > Oisf-users mailing list
>> > Oisf-users at openinfosecfoundation.org
>> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> --
>> Eric Leblond
>> Blog: http://home.regit.org/
>>
>
>
>
> --
> "Of course, someone who knows more about this will correct me if I'm
> wrong, and someone who knows less will correct me if I'm right."
> David Palmer (palmer at tybalt.caltech.edu)
>
>
--
Fernando Ortiz
Twitter: http://twitter.com/FernandOrtizF
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20110816/c72ba76d/attachment-0002.html>
More information about the Oisf-users
mailing list