[Oisf-users] Suricata on FreeBSD 10, netisr problem

Özkan KIRIK ozkan.kirik at gmail.com
Sat Apr 5 14:36:36 UTC 2014


Hi Michael,

Thank you very much for your suggestions. I have tuned these options, but
no luck :)

After that, I wrote a short program that reads from the divert socket and
writes back.

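    while( 1 ) {
        /* addrSize is a value-result argument, so reset it before each call */
        addrSize = sizeof addr;
        /* read one diverted packet ... */
        origBytes = recvfrom( sock, buf, sizeof buf, 0,
                              (struct sockaddr *)&addr, &addrSize );
        /* ... and reinject it unchanged */
        wroteBytes = sendto( sock, buf, origBytes, 0,
                             (struct sockaddr *)&addr, sizeof addr );
    }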

I wondered whether this test code would bump netisr to 100%.
I diverted all the traffic to this test code. With this test, netisr
uses only 1% or 2% CPU for 400Mbps.

Suricata bumps the netisr usage to 100% even with an empty ruleset.
There is something wrong in the Suricata 2.0 release.

And I wanna give some information about the NIC stopping:
When I remove the divert rule while netisr is at 100% usage, netisr still
uses CPU at 100% for a long time.
While netisr is using 100% CPU, most network functionality doesn't work.
I monitored queue drops with netstat -Q. Queue drops were increasing even
though ipfw had no divert rule. (I think packets received by suricata were
still being processed...)
After about half an hour everything becomes fine.

I'll test 1.4.7 and share results with you.

Best regards


On Fri, Apr 4, 2014 at 7:13 PM, Shirkdog <shirkdog at gmail.com> wrote:

> Even better information from Calomel with some testing to perform to
> adjust values accordingly:
>
> https://calomel.org/freebsd_network_tuning.html
>
> ---
> Michael Shirk
>
>
> On Fri, Apr 4, 2014 at 10:48 AM, Shirkdog <shirkdog at gmail.com> wrote:
> > To look to FreeBSD, you would need to provide additional information.
> > If there is nothing dumping, kernel dumps, dmesg output, it may be
> > something specific to Suricata.
> >
> > Some things from FreeBSD Wiki on Net tuning and Netisr
> >
> > https://wiki.freebsd.org/NetworkPerformanceTuning
> >
> > Netisr
> > Bump net.route.netisr_maxqlen to 2048 or higher value.
> > This can affect you iff you're doing shaping.
> > Do NOT use netisr policy other than 'direct' if you can.
> > Current netisr implementation can't split traffic into different ISR
> > queues (patches are coming, 2012-02-23).
> > Every queue is covered by mutex which is much worse than using
> > buf_ring(9) api (patches are coming, 2012-02-23).
> >
> > Performance loss of 10-30% was observed on various scenarios (direct
> > dispatch vs deferred or hybrid).
> >
> >
> >
> > ---
> > Michael Shirk
> >
> >
> > On Fri, Apr 4, 2014 at 8:47 AM, Özkan KIRIK <ozkan.kirik at gmail.com> wrote:
> >> Hi,
> >>
> >> I am trying to use suricata on FreeBSD 10 amd64.
> >> FreeBSD behaves as a VLAN router and NAT Box.
> >>
> >> Traffic is about 400Mbps.
> >> When I diverted traffic to suricata ( add 100 divert 8000 all from any to
> >> any via em0 ),
> >> the swi: netisr 0 thread gets 100% CPU.
> >> The other netisr threads are at 0%. And even when I remove the divert rule,
> >> netisr still eats 100% CPU. I think that something is looping :)
> >> And after 1-2 minutes, one of igb0 and igb1 stops working.
> >> Only a reboot solves the problem.
> >>
> >> Hardware has 8 cores, 24GB Ram
> >>
> >> My loader.conf :
> >>
> >> hw.igb.txd="4096"
> >> hw.igb.rxd="4096"
> >> hw.igb.rx_process_limit=1024
> >> hw.igb.num_queues=3
> >> net.isr.maxthreads=3
> >> net.isr.bindthreads=1
> >> net.isr.defaultqlimit=4096
> >> net.isr.maxqlimit=20480
> >> net.link.ifqmaxlen=10240
> >>
> >> How can I debug this situation?
> >> Any suggestions?
> >>
> >> Best regards
> >>
>
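
The read-and-write-back divert test described in the message above, written out as a complete program. This is an added example, not code from the original post or from Suricata: port 8000 is taken from the ipfw rule quoted in the thread, while the helper names reinject_one and open_divert, the buffer size and the progress counter are assumptions, and it assumes a FreeBSD host where IPPROTO_DIVERT is defined.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Read one packet and write it back unchanged to the address the kernel
 * reported for it. Returns the bytes reinjected, or -1 on error. */
static ssize_t reinject_one(int sock)
{
    unsigned char buf[65535];          /* largest possible IPv4 packet */
    struct sockaddr_in addr;
    socklen_t addr_len = sizeof addr;  /* value-result: reset on every call */
    ssize_t n = recvfrom(sock, buf, sizeof buf, 0,
                         (struct sockaddr *)&addr, &addr_len);
    if (n < 0) return -1;
    return sendto(sock, buf, (size_t)n, 0, (struct sockaddr *)&addr, addr_len);
}

/* Open a divert(4) socket bound to `port`; -1 if divert is unavailable. */
static int open_divert(unsigned short port)
{
#ifdef IPPROTO_DIVERT
    struct sockaddr_in sa;
    int s = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (s < 0) return -1;
    memset(&sa, 0, sizeof sa);         /* zeroed sin_addr means INADDR_ANY */
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) < 0) { close(s); return -1; }
    return s;
#else
    (void)port; errno = EPROTONOSUPPORT;  /* not a FreeBSD-style divert host */
    return -1;
#endif
}

int main(void)
{
    unsigned long ok = 0, failed = 0;
    int s = open_divert(8000);  /* 8000: divert port in the thread's ipfw rule */
    if (s < 0) { perror("divert socket"); return 1; }
    for (;;) {                  /* pass everything through, count failures */
        if (reinject_one(s) < 0) failed++; else ok++;
        if ((ok + failed) % 100000 == 0)
            fprintf(stderr, "reinjected=%lu errors=%lu\n", ok, failed);
    }
}
```

Running it in place of the IDS while watching netstat -Q separates the cost of the divert path itself from the cost of the application attached to it.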