[Oisf-users] Fwd: Suricata IPS with 8 threads

Eric Leblond eric at regit.org
Tue Jan 10 08:58:47 UTC 2012


Hello,

On Monday, 09 January 2012 at 13:48 -0800, Hariharan Thantry wrote:
> It works. Both with the default MTU, and the larger MTU size.

Great.

> Are there any recommended settings with cpu_affinity turned on, with
> the multi-queue option?
> Is there a way, for instance, to bind each hardware NIC queue to an
> individual NFQUEUE queue, and then on to an individual Suricata
> thread, that is then affinitized to a particular hyperthread or core?
> Wouldn't it be better to have a single thread/connection doing all the
> Suricata work for that connection be resident in a single thread
> affinitized onto a single hyperthread for better caching performance?

Regarding affinity of worker mode in Suricata, you can use the
detect_cpu_set to set up the parameters of the worker threads. The other
variables (like decode_cpu_set, stream_cpu_set, ...) will be ignored.

For NFQUEUE, the queue-balance option guarantees that a flow will always
be queued on the same queue. I've looked at the code but I've found
nothing that seems to indicate it is possible to link CPU and queue.

One possible solution could be to use the iptables cpu module to force the
cpu, but a trick has to be found to have both flow and cpu.

> Also, I notice code in the Git tree that uses IPFW in IPS mode as
> well. Is that not supported anymore?

I don't get you here. IPFW is supported and has even been improved
recently.

BR,
> 
> Thanks,
> Hari
> 
> On Sat, Jan 7, 2012 at 12:25 AM, Victor Julien <victor at inliniac.net> wrote:
> > This patch has been committed to our git tree. Please test it!
> >
> > Cheers,
> > Victor
> >
> > On 01/04/2012 09:12 PM, Hariharan Thantry wrote:
> >> Hi Eric,
> >>
> >> Thanks. Is it committed to the tree?
> >> If not, can you send me the patch?
> >>
> >> Thanks,
> >> Hari
> >>
> >> On Wed, Jan 4, 2012 at 1:07 AM, Eric Leblond <eric at regit.org> wrote:
> >>> Hello,
> >>>
> >>> On Wednesday, 04 January 2012 at 09:22 +0100, Eric Leblond wrote:
> >>>> Hello,
> >>>>
> >>>> On Tuesday, 03 January 2012 at 14:55 -0800, Hariharan Thantry wrote:
> >>>>> The multiqueue option in Suricata IPS (1.2beta1) seems to have issues
> >>>>> when started with 8 threads (and 8 queues for iptables with the
> >>>>> queue-balance option). The default of single queue works fine, but
> >>>>> with --runmode worker, and no changes to config file (other than
> >>>>> loading the changed rules from emerging threats), the engine doesn't
> >>>>> seem to be able to forward packets. With a single queue, it works
> >>>>> fine. Suricata is running on a bridged setup, with 2 dual-ported 82599
> >>>>> NICs, forwarding packets between 2 independent networks. When trying
> >>>>> to stop Suricata, I seem to get an error as well:
> >>>>
> >>>> Thanks for the report, I am able to reproduce it. I will try to fix it
> >>>> ASAP.
> >>>
> >>> I've fixed it twice (an indirect fix and a dedicated fix I've just made
> >>> now). Victor Julien should publish an updated git containing the fixes
> >>> soon.
> >>>
> >>> Let me know if you want access to my patches.
> >>>
> >>> BR,
> >>> --
> >>> Eric Leblond
> >>>
> >> _______________________________________________
> >> Oisf-users mailing list
> >> Oisf-users at openinfosecfoundation.org
> >> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >>
> >
> >
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> >
