[Oisf-users] Packets stuck in Nfqueue when running inline

Eric Leblond eric at regit.org
Thu Jun 30 20:53:54 UTC 2011


Hi,

Could you check by running Suricata with debug at warning level?

SC_LOG_LEVEL=warn /path/to/suricata $MY_BEAUTIFUL_CUSTOM_PARAMS

Following a related discussion on netfilter-devel mailing list, it
appears that the problem could be due to a verdict failure. The problem
is that this case is detected and a message is displayed but only if
WARN or more log level is set.

I've tried to reproduce the problem here (single powerful laptop), and I
did not manage to.

As suggested on Netfilter devel mailing list, I've modified the code to
try to reissue verdict. I attach the patch to the mail. I've tested this
patch and it seems to work fine (at least when the problem does not
occur).

Could you test it?

On Wed, 2011-06-22 at 02:50 -0500, Fernando Ortiz wrote:
> 
> 2011/6/21 Dave Remien <dave.remien at gmail.com>
>         That's all new enough that the old "stuck packet" problem
>         shouldn't be reappearing (was a problem up until about 2.6.21
>         or 22).
>
>         Could you try running two instances of Suricata, one on each
>         queue, rather than a single instance on two queues?
>
> I ran two instances of Suricata at a time packets were getting
> stuck. I let them run for a quarter of an hour, zero packets stuck.
> 
> 
> Just to be sure I load balanced traffic across 4 queues. I ran 3
> instances of Suricata
> 
> 
> suricata -c /etc/suricata/suricata.yaml -q1 -q2 -D
> suricata -c /etc/suricata/suricata.yaml -q4 -D
> suricata -c /etc/suricata/suricata.yaml -q3 -D
> 
> 
> ips2 ~]# cat /proc/net/netfilter/nfnetlink_queue 
>     1   3147    37 2 65535     0     0   325684  1
>     2  -4292    28 2 65535     0     0   325686  1
>     3   3692     0 2 65535     0     0   112386  1
>     4   3706     0 2 65535     0     0   112387  1
> 
> 
> That was interesting. 
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

-- 
Eric Leblond 
Blog: http://home.regit.org/
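The /proc/net/netfilter/nfnetlink_queue listing quoted in the thread is the quickest way to see whether packets are sitting in a queue without a verdict. The following is an added example (not code from Suricata, from the attached patch, or from anyone in the thread) that parses that file and compares two snapshots to separate a queue that is merely busy from one that is stalled. The column layout assumed here is the one printed by the kernel's nfnetlink_queue proc handler (queue_num, peer_portid, queue_total, copy_mode, copy_range, queue_dropped, queue_user_dropped, id_sequence, use); the first sample is built from the numbers quoted above and the second snapshot is constructed to illustrate the diff.

```python
"""Parse /proc/net/netfilter/nfnetlink_queue snapshots and flag queues that
hold packets waiting on a verdict or whose drop counters are growing.

Added example; not Suricata's or the patch's code. Column order follows the
kernel's nfnetlink_queue proc output. SAMPLE_BEFORE is constructed from the
numbers quoted in the thread; SAMPLE_AFTER is a constructed second snapshot.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class NfqueueStat:
    queue_num: int
    peer_portid: int         # netlink port id (pid) of the userspace listener
    queue_total: int         # packets currently held waiting for a verdict
    copy_mode: int           # 0 none, 1 metadata only, 2 packet payload
    copy_range: int
    queue_dropped: int       # dropped in-kernel because the queue was full
    queue_user_dropped: int  # dropped because delivery to userspace failed
    id_sequence: int         # next packet id the kernel will hand out
    use: int


def parse_nfnetlink_queue(text: str) -> Dict[int, NfqueueStat]:
    """Return one record per queue, keyed by queue number."""
    stats: Dict[int, NfqueueStat] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 9:
            continue  # blank or malformed line
        rec = NfqueueStat(*(int(p) for p in parts))
        stats[rec.queue_num] = rec
    return stats


def queues_with_waiting_packets(stats: Dict[int, NfqueueStat]) -> List[int]:
    """Queue numbers that hold at least one packet without a verdict."""
    return sorted(q for q, s in stats.items() if s.queue_total > 0)


def diff_snapshots(before: Dict[int, NfqueueStat],
                   after: Dict[int, NfqueueStat]) -> Dict[int, dict]:
    """Compare two snapshots taken a few seconds apart.

    A queue whose queue_total stays non-zero while id_sequence has not
    advanced has packets sitting there with no new arrivals and no verdicts,
    which is the 'stuck packet' symptom discussed in the thread. Growth in
    the drop counters means the kernel gave up on some packets."""
    result: Dict[int, dict] = {}
    for q, a in after.items():
        b = before.get(q)
        if b is None:
            continue  # queue appeared between snapshots; nothing to compare
        result[q] = {
            "waiting": a.queue_total,
            "new_packets": a.id_sequence - b.id_sequence,
            "stalled": a.queue_total > 0 and a.id_sequence == b.id_sequence,
            "kernel_drops": a.queue_dropped - b.queue_dropped,
            "user_drops": a.queue_user_dropped - b.queue_user_dropped,
        }
    return result


# Constructed from the listing quoted in the thread.
SAMPLE_BEFORE = """\
    1   3147    37 2 65535     0     0   325684  1
    2  -4292    28 2 65535     0     0   325686  1
    3   3692     0 2 65535     0     0   112386  1
    4   3706     0 2 65535     0     0   112387  1
"""
# Constructed second snapshot: queues 1 and 2 unchanged, 3 and 4 still moving.
SAMPLE_AFTER = """\
    1   3147    37 2 65535     0     0   325684  1
    2  -4292    28 2 65535     0     0   325686  1
    3   3692     0 2 65535     0     0   112900  1
    4   3706     2 2 65535     0     0   112950  1
"""

if __name__ == "__main__":
    before = parse_nfnetlink_queue(SAMPLE_BEFORE)
    after = parse_nfnetlink_queue(SAMPLE_AFTER)
    for q, d in sorted(diff_snapshots(before, after).items()):
        flag = "STALLED" if d["stalled"] else "ok"
        print(f"queue {q}: {d['waiting']} waiting, {d['new_packets']} new, "
              f"{d['kernel_drops']}/{d['user_drops']} drops -> {flag}")
```

On a live box, read the file twice a few seconds apart and feed both strings to diff_snapshots; a queue reported as stalled while SC_LOG_LEVEL=warn shows verdict failures for the same queue points at the condition the attached patch addresses.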
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-iterator-on-nfq_set_verdict.patch
Type: text/x-patch
Size: 6321 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20110630/d2dbb361/attachment-0002.bin>