[Oisf-users] IPS mode performance is very poor, why?

Victor Julien victor at inliniac.net
Mon Mar 5 07:29:43 UTC 2012 

On 03/05/2012 01:37 AM, tingwei liu wrote:
> 
> 
> On Fri, Mar 2, 2012 at 5:34 PM, Eric Leblond <eric at regit.org
> <mailto:eric at regit.org>> wrote:
> 
>     Hello,
> 
>     Le jeudi 01 mars 2012 à 17:11 +0800, tingwei liu a écrit :
>     >
>     >
>     > On Wed, Feb 29, 2012 at 6:57 PM, tingwei liu <tingw.liu at gmail.com
>     <mailto:tingw.liu at gmail.com>>
>     > wrote:
>     >         I have installed suricata-1.2.1 with enable nfqueue on fedora
>     >         15 system.
>     >
>     >         #>iptables -I FORWARD -j NFQUEUE --queue-num 3
>     >         #>suricata -c /etc/suricata/suricata.yaml -q 3 -D
>     >         Only emergency-ftp.rules loaded.
>     >
>     >         It works, but performance is very poor.
>     >         I test it by transfer files from ftp server.
>     >         Before running last two commands, the bandwidth is 100Mbps;
>     >         After nfqueue and suricata running, the bandwidth only 1Mbps.
>     >
>     >
>     >         Who can tell me which parameters should be changed ?
>     >         Thanks!
>     >
>     > I have test some parameters. I find the key is network topology.
>     > If suricata run a linux server with bridge mode, it's performance is
>     > poor.
>     > If suricata run a linux server which is a gataway, it's good.
>     > Why?
> 
>     First point:  what is the performance of bridge mode without IPS ?
> 
> I mean the bandwidth of forward, in my case ,the bandwidth of birdge
> mode with NFQ only 30Mbps, without NFQ almost 100Mbps. 
> 
> 
>     Second point: That's really strange. I've never heard about such issue
>     related to NFQ. I see one potential thing: the routing in gateway mode
>     is IP level and the routing in bridge mode is ethernet level.
>     Maybe there is an issue with the rerouting done at the time of the
>     verdict in gateway mode. This issue could be checked by fixing the arp
>     entry of the computers used for testing.
> 
> I have two kernels 2.6.38 and 3.0.8. The forward bandwidth of 2.6.38
> kernel in bridge mode with NFQ is 100Mbps, but the forward bandwidth of
> 3.0.8 kernel in bridge mode with NFQ is 30Mbps.
> The two kernels run a same box with the same parameters.(Fedora core 15)
> 
> Thanks for your reply!

I noticed you have the same issue with Snort. It seems to me this is an
issue with the kernel or the kernel/userspace interaction.

In the utils dir here:
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_queue.git;a=tree

you'll find a nfqnl_test.c. Can you try that?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

More information about the Oisf-users mailing list