[Oisf-users] IPS mode performance is very poor, why?

Hariharan Thantry thantry at gmail.com
Fri Mar 2 17:16:35 UTC 2012 

Sorry missed the second point. Shouldn't NFQueue be using the ebtables
infrastructure, instead of iptables in bridging mode. I know it
doesn't, but maybe it should. Also, in bridging, why is there a need
to do "re-routing"?

Thanks
Hari

On Fri, Mar 2, 2012 at 9:13 AM, Hariharan Thantry <thantry at gmail.com> wrote:
> Hi Eric,
>
> Bridge mode performance is line rate or very nearly so. I have 2 10G
> dual ported-ethernet cards on 2 PCI-Express x8 link, and the
> forwarding performance is near line rate (20Gbps). No problem with the
> bridge module, itself. Like tingwei, I suspect the NFQUEUE
> library/kernel implementation as well...
>
> Thanks,
> Hari
>
> On Fri, Mar 2, 2012 at 1:34 AM, Eric Leblond <eric at regit.org> wrote:
>> Hello,
>>
>> Le jeudi 01 mars 2012 à 17:11 +0800, tingwei liu a écrit :
>>>
>>>
>>> On Wed, Feb 29, 2012 at 6:57 PM, tingwei liu <tingw.liu at gmail.com>
>>> wrote:
>>>         I have installed suricata-1.2.1 with enable nfqueue on fedora
>>>         15 system.
>>>
>>>         #>iptables -I FORWARD -j NFQUEUE --queue-num 3
>>>         #>suricata -c /etc/suricata/suricata.yaml -q 3 -D
>>>         Only emergency-ftp.rules loaded.
>>>
>>>         It works, but performance is very poor.
>>>         I test it by transfer files from ftp server.
>>>         Before running last two commands, the bandwidth is 100Mbps;
>>>         After nfqueue and suricata running, the bandwidth only 1Mbps.
>>>
>>>
>>>         Who can tell me which parameters should be changed ?
>>>         Thanks!
>>>
>>> I have test some parameters. I find the key is network topology.
>>> If suricata run a linux server with bridge mode, it's performance is
>>> poor.
>>> If suricata run a linux server which is a gataway, it's good.
>>> Why?
>>
>> First point:  what is the performance of bridge mode without IPS ?
>>
>> Second point: That's really strange. I've never heard about such issue
>> related to NFQ. I see one potential thing: the routing in gateway mode
>> is IP level and the routing in bridge mode is ethernet level.
>> Maybe there is an issue with the rerouting done at the time of the
>> verdict in gateway mode. This issue could be checked by fixing the arp
>> entry of the computers used for testing.
>>
>> BR,
>>
>> --
>> Eric Leblond <eric at regit.org>
>>
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>

More information about the Oisf-users mailing list