[Oisf-users] Packets stuck in Nfqueue when running inline

Eric Leblond eric at regit.org
Mon Jun 20 17:46:24 EDT 2011


Hello,

On Monday, 20 June 2011 at 12:34 -0500, Fernando Ortiz wrote:
> Hello, I am running suricata 1.1beta2 (rev ) inline with this command:
> 
> 
> suricata -c /etc/suricata/suricata.yaml -q1 -q2 -D
> 
> Everything seems to work just fine, but when I check nfnetlink_queue,
> i see there are some packets in queue waiting for verdict. 
> 
> 
> @ips2 ~]# cat /proc/net/netfilter/nfnetlink_queue
>  
>     1  10893   555 2 65535     0     0 169915460  1
>     2  -4282   552 2 65535     0     0 169915475  1
> 
> 
> This happens mostly at night. Traffic is around 15 Mb/s with peaks at 20
> Mb/s. The stuck packets are few compared with the total number of
> packets processed by Suricata. No problems reported by anyone in the
> network.

I have rarely looked at this proc file when using nfnetlink_queue, so
sadly I cannot tell whether this is frequent.

What I can tell is that Suricata did not hit an nfnetlink overrun (that
would have restarted the packet counter). Suricata reads sequentially,
so this is not a read problem (people are not complaining). One
possibility is that some packets remained blocked in Suricata.

I see one possibility to check this:
      * Flush the iptables rules (to stop the packet counter in /proc)
      * Wait a few seconds for delivery of all packets
      * Get the number of packets queued from /proc (the last number
        before the 1 in the proc file)
      * Stop Suricata
      * Retrieve the NFQ packet statistics from the log output (Pkts
        accepted %"PRIu32", dropped %"PRIu32", replaced %"PRIu32)

With that we will be able to compare the number of packets queued with
the number of packets received and answered by Suricata. If Suricata
has not seen the 555 queued packets, there is a problem before they
reach Suricata.

> If I bypass Suricata (iptables -F), the packets are still there until I
> kill the suricata process.

This part is normal: the packets are in a waiting state and are freed
when the listening process terminates (queue flush). Iptables cannot be
used to clear these packets.

BR,
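The comparison described in the reply above, as an added example that is not part of the original message or of Suricata itself. It takes a snapshot of /proc/net/netfilter/nfnetlink_queue and the "Pkts accepted N, dropped N, replaced N" lines Suricata logs when it stops, and works out whether the packets the kernel still holds are exactly the ones Suricata never answered. Two assumptions are not from the post: the column layout of the proc file (queue number, peer port id, packets waiting, copy mode, copy range, queue_dropped, queue_user_dropped, id_sequence, 1) is taken from the kernel's nfnetlink_queue code, and the log-line prefix and the verdict numbers are constructed; the proc sample reuses the figures from the post, and all function names are the example's own. Note that the Suricata counters quoted in the reply count verdicts issued, so what is compared is packets delivered to the socket versus packets answered.

```shell
#!/bin/sh
# Added example (not from the original post or from Suricata): compare the
# kernel-side nfnetlink_queue counters with the NFQ verdict counters that
# Suricata prints at shutdown, following the procedure from the reply.

# Constructed input 1: /proc/net/netfilter/nfnetlink_queue, figures from the
# post. Column layout (assumption, taken from the kernel's
# net/netfilter/nfnetlink_queue.c, not from the post):
#   queue_num peer_portid queue_total copy_mode copy_range
#   queue_dropped queue_user_dropped id_sequence 1
NFQ_PROC='    1  10893   555 2 65535     0     0 169915460  1
    2  -4282   552 2 65535     0     0 169915475  1'

# Constructed input 2: the exit-stats lines Suricata logs, one per -q queue.
# Only "Pkts accepted N, dropped N, replaced N" is the real format quoted in
# the reply; the prefix and the numbers are made up for this example.
SURI_LOG='<Info> (ReceiveNFQ) Pkts accepted 169914800, dropped 105, replaced 0
<Info> (ReceiveNFQ) Pkts accepted 169914900, dropped 23, replaced 0'

# Kernel side: print "delivered waiting kernel_dropped" summed over all
# queues. id_sequence counts every packet the kernel assigned an id to, so
# packets lost to a full queue (queue_dropped) or a failed netlink send
# (queue_user_dropped) never reached Suricata and are subtracted.
nfq_kernel_totals() {
    printf '%s\n' "$1" | awk '
        NF >= 9 { seq += $8; wait += $3; drop += $6 + $7 }
        END     { printf "%d %d %d\n", seq - drop, wait, drop }'
}

# Suricata side: sum accepted + dropped + replaced over all exit-stats lines.
nfq_suricata_verdicts() {
    printf '%s\n' "$1" | sed -n \
        's/.*Pkts accepted \([0-9]*\), dropped \([0-9]*\), replaced \([0-9]*\).*/\1 \2 \3/p' \
      | awk '{ v += $1 + $2 + $3 } END { printf "%d\n", v }'
}

# Compare the two sides and classify the gap:
#   MATCH       delivered - verdicts == waiting: the packets the kernel still
#               holds are exactly the ones Suricata never answered, so they did
#               reach the socket and the hold-up is on Suricata's side
#   UNDERCOUNT  Suricata reports verdicts for packets the kernel still holds:
#               verdicts are not making it back to the kernel
#   OVERCOUNT   delivered packets that are neither answered nor waiting: the
#               two inputs do not describe the same run of the queue
nfq_compare() {
    kernel=$(nfq_kernel_totals "$1")
    verdicts=$(nfq_suricata_verdicts "$2")
    set -- $kernel
    delivered=$1; waiting=$2
    unanswered=$((delivered - verdicts))
    if [ "$unanswered" -eq "$waiting" ]; then
        echo MATCH
    elif [ "$unanswered" -lt "$waiting" ]; then
        echo UNDERCOUNT
    else
        echo OVERCOUNT
    fi
}

# Stand-alone run on the constructed inputs.
echo "kernel (delivered waiting dropped): $(nfq_kernel_totals "$NFQ_PROC")"
echo "suricata verdicts:                  $(nfq_suricata_verdicts "$SURI_LOG")"
echo "result: $(nfq_compare "$NFQ_PROC" "$SURI_LOG")"   # result: MATCH
```

On a real box the order of operations matters: flush the iptables rules, wait for the in-flight packets, then take the proc snapshot (`cat /proc/net/netfilter/nfnetlink_queue`) before stopping Suricata, because stopping it flushes the queue and zeroes the waiting count; then stop Suricata and feed its log lines to `nfq_compare`. id_sequence is a 32-bit counter, so on a long-running sensor the sums above should be taken from the same binding of the queue.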
