[Oisf-users] Suricata on FreeBSD 10, netisr problem

Shirkdog shirkdog at gmail.com
Fri Apr 4 16:13:12 UTC 2014


Even better information from Calomel with some testing to perform to
adjust values accordingly:

https://calomel.org/freebsd_network_tuning.html

---
Michael Shirk


On Fri, Apr 4, 2014 at 10:48 AM, Shirkdog <shirkdog at gmail.com> wrote:
> To look to FreeBSD, you would need to provide additional information.
> If there is nothing dumping, kernel dumps, dmesg output, it may be
> something specific to Suricata.
>
> Some things from FreeBSD Wiki on Net tuning and Netisr
>
> https://wiki.freebsd.org/NetworkPerformanceTuning
>
> Netisr
> Bump net.route.netisr_maxqlen to 2048 or higher value.
> This can affect you iff you're doing shaping.
> Do NOT use netisr policy other than 'direct' if you can.
> Current netisr implementation can't split traffic into different ISR
> queues (patches are coming, 2012-02-23).
> Every queue is covered by mutex which is much worse than using
> buf_ring(9) api (patches are coming, 2012-02-23).
>
> Performance loss of 10-30% was observed on various scenarios (direct
> dispatch vs deferred or hybrid).
>
>
>
> ---
> Michael Shirk
>
>
> On Fri, Apr 4, 2014 at 8:47 AM, Özkan KIRIK <ozkan.kirik at gmail.com> wrote:
>> Hi,
>>
>> I am trying to use suricata on FreeBSD 10 amd64.
>> FreeBSD behaves as a VLAN router and NAT Box.
>>
>> Traffic is about 400Mbps.
>> When I diverted traffic to suricata, ( add 100 divert 8000 all from any to
>> any via em0 )
>> swi: netisr 0 thread gets 100% cpu.
>> other netisr threads are 0%. And even if I remove the divert rule, netisr still
>> eats 100% cpu.  I think that something is looping :)
>> And after 1-2 minutes, one of igb0 and igb1 stops working.
>> Only reboot solves problem.
>>
>> Hardware has 8 cores, 24GB Ram
>>
>> My loader.conf :
>>
>> hw.igb.txd="4096"
>> hw.igb.rxd="4096"
>> hw.igb.rx_process_limit=1024
>> hw.igb.num_queues=3
>> net.isr.maxthreads=3
>> net.isr.bindthreads=1
>> net.isr.defaultqlimit=4096
>> net.isr.maxqlimit=20480
>> net.link.ifqmaxlen=10240
>>
>> How can I debug this situation?
>> Any suggestions?
>>
>> Best regards
>>
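
The symptom in this thread (one netisr thread saturated while the others sit idle) can be confirmed from the Workstreams table that `netstat -Q` prints on FreeBSD. The following is an added example, not code from the thread or from the Suricata or FreeBSD projects. It totals the counters per workstream and flags any workstream that carries nearly all queued packets or has queue drops. The sample table is constructed, and the function names and the 0.9 threshold are assumptions.

```python
# Added example. SAMPLE is constructed for illustration (not from the poster's
# machine); the column layout follows the Workstreams table of `netstat -Q`.
SAMPLE = """\
Workstreams:
WSID CPU   Name     Len WMark   Disp'd  HDisp'd   QDrops   Queued  Handled
   0   0   ip      4096  4096        0        0   812345  9876543  9876543
   0   0   igmp       0     0        0        0        0        0        0
   1   1   ip         0     2        0        0        0      120      120
   1   1   igmp       0     0        0        0        0        0        0
   2   2   ip         0     1        0        0        0       95       95
"""

def parse_workstreams(text):
    """Sum the per-protocol counters of each netisr workstream (keyed by WSID)."""
    totals, cols = {}, None
    for line in text.splitlines():
        fields = line.split()
        if fields[:1] == ["WSID"]:          # header row names the columns
            cols = fields
            continue
        if cols is None or len(fields) != len(cols) or not fields[0].isdigit():
            continue                        # other sections, blank lines
        row = dict(zip(cols, fields))
        ws = totals.setdefault(int(row["WSID"]),
                               {"direct": 0, "queued": 0, "qdrops": 0})
        ws["direct"] += int(row["Disp'd"])  # packets handled by direct dispatch
        ws["queued"] += int(row["Queued"])  # packets deferred to the netisr thread
        ws["qdrops"] += int(row["QDrops"])  # packets dropped because the queue was full
    return totals

def overloaded(totals, share=0.9):
    """Return [(wsid, queued_share, qdrops)] for workstreams that carry at least
    `share` of all queued packets or have dropped packets from a full queue."""
    all_queued = sum(ws["queued"] for ws in totals.values())
    hits = []
    for wsid, ws in sorted(totals.items()):
        frac = ws["queued"] / all_queued if all_queued else 0.0
        if frac >= share or ws["qdrops"] > 0:
            hits.append((wsid, round(frac, 4), ws["qdrops"]))
    return hits

if __name__ == "__main__":
    for wsid, frac, drops in overloaded(parse_workstreams(SAMPLE)):
        print(f"netisr workstream {wsid}: {frac:.1%} of queued packets, "
              f"{drops} queue drops")
```

A workstream with a large Queued count and no direct dispatches means packets are being deferred to the netisr thread rather than handled under the 'direct' policy the quoted wiki text recommends.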


