[Oisf-users] Packets stuck in Nfqueue when running inline
Eric Leblond
eric at regit.org
Wed Aug 17 14:28:58 UTC 2011
Hello,
On Tue, 2011-08-16 at 14:30 -0500, Fernando Ortiz wrote:
> Sorry for the late answer. I got a server to make more tests in
> production again.
No problem, I was on holiday :P
> I patched Suricata. I still have the same problem with packets stuck.
Bad news.
If you have some time, could you test the attached patch?
If there is some warning message containing:
"lost its mind"
then we may be really close to having found the problem.
BR,
>
>
> This output is after running suricata for about 12 hours with a
> throughput around 15 mbps
> Queues:
> 1 10607 200 2 65535 0 0 51706878 1
> 2 -4206 188 2 65535 0 0 51706879 1
>
>
> pkts: 103405470 Alerts: 115222
> sessions: 617097 ssn_memcap_drop: 0
> segment_memcap_drop: 0
>
>
> I had the log level at "info", which as I understand it logs error,
> warning and info. I restarted Suricata with Log Level = "warn" but I
> still don't see any nfqueue warning, only several of these two
> entries.
>
>
> <Error> (HTPHandleResponseData) -- [ERRCODE: SC_ERR_ALPARSER(59)] -
> Error in parsing HTTP server response: [1] [htp_response.c] [360]
> Invalid C-L field in response
>
>
> <Warning> (SSLv2Decode) -- [ERRCODE: SC_ERR_ALPARSER(59)] -
> SSLV2_MT_ERROR msg_type recived. Error encountered in establishing
> the sslv2 session, may be version
>
>
> I am running Arch Linux, kernel 2.6.32-lts. As nobody has commented
> on this issue, it may look like it is a problem on my side, at least
> maybe with the kernel or distro.
>
> 2011/6/30 Dave Remien <dave.remien at gmail.com>
>
>
> On Thu, Jun 30, 2011 at 2:53 PM, Eric Leblond <eric at regit.org>
> wrote:
> Hi,
>
> Could you check by running Suricata with debug at warning level?
>
> SC_LOG_LEVEL=warn /path/to/suricata $MY_BEAUTIFUL_CUSTOM_PARAMS
>
> Following a related discussion on the netfilter-devel mailing list, it
> appears that the problem could be due to a verdict failure. The problem
> is that this case is detected and a message is displayed, but only if
> the WARN or higher log level is set.
>
> I've tried to reproduce the problem here (single powerful laptop) and I
> did not manage to make it.
>
>
>
> How many CPUs, at a question? Lots??
>
> As suggested on the Netfilter devel mailing list, I've modified the code
> to try to reissue the verdict. I attach the patch to the mail. I've
> tested this patch and it seems to work fine (at least when the problem
> does not occur).
>
>
>
> As it turns out, you can issue verdict on any packet in (or
> not in 8-) the nfqueue. I once had code that issued verdict on
> hundreds of K packets going backwards, in an attempt to clear
> the queue. It'll be interesting to see if the queue gets
> cleared with Eric's patch.
>
>
> Cheers!
>
>
> Dave
>
>
> Could you test it ?
>
> On Wed, 2011-06-22 at 02:50 -0500, Fernando Ortiz
> wrote:
> >
>
>
> > 2011/6/21 Dave Remien <dave.remien at gmail.com>
> > That's all new enough that the old "stuck packet" problem
> > shouldn't be reappearing (was a problem up until about 2.6.21
> > or 22).
> >
> >
> > Could you try running two instances of Suricata, one on each
> > queue, rather than a single instance on two queues?
> >
> >
> >
> >
> > I ran two instances of Suricata at a time when packets were getting
> > stuck. I let them run for a quarter of an hour; zero packets stuck.
> >
> >
> > Just to be sure, I load balanced traffic across 4 queues. I ran 3
> > instances of Suricata:
> >
> >
> > suricata -c /etc/suricata/suricata.yaml -q1 -q2 -D
> > suricata -c /etc/suricata/suricata.yaml -q4 -D
> > suricata -c /etc/suricata/suricata.yaml -q3 -D
> >
> >
> > ips2 ~]# cat /proc/net/netfilter/nfnetlink_queue
> > 1 3147 37 2 65535 0 0 325684 1
> > 2 -4292 28 2 65535 0 0 325686 1
> > 3 3692 0 2 65535 0 0 112386 1
> > 4 3706 0 2 65535 0 0 112387 1
> >
> >
> > That was interesting.
>
> > _______________________________________________
> > Oisf-users mailing list
> > Oisf-users at openinfosecfoundation.org
> >
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> --
>
>
> Eric Leblond
> Blog: http://home.regit.org/
>
>
>
>
>
> --
> "Of course, someone who knows more about this will correct me
> if I'm
> wrong, and someone who knows less will correct me if I'm
> right."
> David Palmer (palmer at tybalt.caltech.edu)
>
>
>
>
>
>
> --
> Fernando Ortiz
> Twitter: http://twitter.com/FernandOrtizF
>
--
Eric Leblond
Blog: http://home.regit.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Log-thread-error.patch
Type: text/x-patch
Size: 1655 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20110817/57b0908c/attachment-0002.bin>
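The thread diagnoses stuck packets by reading /proc/net/netfilter/nfnetlink_queue by hand. The following is an added example, not code from the thread or from Suricata: it parses that file and flags queues whose backlog never drains between two snapshots. It assumes the column order written by the kernel's nfnetlink_queue seq_show() (queue number, peer portid, queued packets, copy mode, copy range, kernel drops, user drops, id sequence), and the two snapshots are constructed to look like the output quoted above.

```python
# Added example (not from the thread or from Suricata): parse
# /proc/net/netfilter/nfnetlink_queue and flag queues whose backlog never
# drains.  Column order assumed from the kernel's nfnetlink_queue seq_show().
FIELDS = ("queue_num", "peer_portid", "queue_total", "copy_mode",
          "copy_range", "queue_dropped", "queue_user_dropped", "id_sequence")


def parse_nfqueue(text):
    """Return one dict per queue line, keyed by the column names in FIELDS."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < len(FIELDS):
            continue  # blank line or something that is not a queue row
        row = dict(zip(FIELDS, map(int, parts[:len(FIELDS)])))
        # Older kernels print the portid signed.  A negative value is normal:
        # netlink autobind hands out negative portids to a process's second
        # and later sockets, so normalise it to unsigned 32-bit for display.
        row["peer_portid"] &= 0xFFFFFFFF
        rows.append(row)
    return rows


def stuck_queues(before, after):
    """Queue numbers whose backlog did not shrink between two snapshots.

    A queue that holds packets in both snapshots and never drains is what
    an unanswered verdict looks like.  queue_dropped > 0 is a different
    symptom (the queue filled up) and is not counted as stuck here."""
    prev = {r["queue_num"]: r for r in before}
    stuck = []
    for r in after:
        p = prev.get(r["queue_num"])
        if p and p["queue_total"] > 0 and r["queue_total"] >= p["queue_total"]:
            stuck.append(r["queue_num"])
    return stuck


# Constructed snapshots taken a few minutes apart, shaped like the thread's.
SNAPSHOT_1 = """\
    1  10607   200 2 65535     0     0 51706878  1
    2  -4206   188 2 65535     0     0 51706879  1
"""
SNAPSHOT_2 = """\
    1  10607   200 2 65535     0     0 51801200  1
    2  -4206     0 2 65535     0     0 51801201  1
"""

if __name__ == "__main__":
    print(stuck_queues(parse_nfqueue(SNAPSHOT_1), parse_nfqueue(SNAPSHOT_2)))
```

Queue 1 keeps its 200 packets across both snapshots while queue 2 drains, so only queue 1 is reported; polling the file this way every minute is a cheap way to notice the condition without waiting for a WARN-level log line.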