[Oisf-users] Disable offloading on bond interface

Cooper F. Nelson cnelson at ucsd.edu
Thu Feb 5 18:23:34 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think it depends how you are using Suricata.

If you are using it in inline mode, then it might make sense to leave
the offloading on as it could improve performance.

If you are using Suricata in monitor mode, you want all offloading
disabled.  It's very important that Suricata gets the packets exactly as
they were off the wire.

- -Coop

On 2/5/2015 7:04 AM, unite wrote:
> So, probably I didn't get it well.
> 
> I've read that if I don't disable NIC offloading on the interface it
> might cause checksum errors so Suricata might drop legitimate traffic,
> so as I understood for best results I have two options - disable NIC
> offloading or disable checksum verifying in Suricata. Also offloading
> needs to be disabled if I want to use file extraction feature.
> 
> So if I don't need file extraction at the moment, can I just disable
> checksum verifying and it will work all right? Won't it affect
> performance/security?
> 
> Also, does disabling NIC offloading affect CPU usage?
> 
> 
> On 2015-01-28 18:42, Cooper F. Nelson wrote:
> As I said, this is as far as I know.  It's been a few years since I've
> done anything with a bonded interface.
> 
> It's kind of tricky to test if this works or not.  What I've found is
> that if file extraction doesn't work then your offloading settings are
> not disabled properly.  I'm sure this would also cause lots of decoder
> events if you had those rules enabled.
> 
> On 1/28/2015 1:30 AM, unite wrote:
>>>> I've tried disabling offloading on my test machine in three scenarios:
>>>>
>>>> 1) on physical interfaces (eth0 eth1)
>>>>
>>>> In this case "ethtool -k" for eth0/eth1 shows that offloading features
>>>> are disabled, but "ethtool -k bond0"  still shows some of them enabled.
> 
> 
> 

- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

-----END PGP SIGNATURE-----
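
Added example, not part of the original message: a shell check for the mismatch described in the quoted text, where "ethtool -k" shows offloads off on eth0/eth1 but still on for bond0. The feature list, the function names and the sample output are assumptions made for this example; the sample is constructed, not taken from a real host.

```shell
#!/bin/sh
# Offload features that change packets before a capture engine sees them.
# The selection is this example's choice; names are as printed by `ethtool -k`.
CAPTURE_OFFLOADS='rx-checksumming tx-checksumming scatter-gather tcp-segmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload'

# Read `ethtool -k` output on stdin; print each listed feature that is still "on".
enabled_offloads() {
    awk -v want="$CAPTURE_OFFLOADS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        /^[ \t]*[a-z0-9-]+:/ {
            line = $0
            sub(/^[ \t]+/, "", line)                  # sub-features are indented
            name = line;  sub(/:.*/, "", name)
            state = line; sub(/^[^:]*:[ \t]*/, "", state)
            split(state, s, " ")                      # "on [fixed]" -> s[1] = "on"
            if ((name in keep) && s[1] == "on") print name
        }'
}

# Constructed sample of `ethtool -k bond0` output (not from a real system).
sample_bond0() {
    cat <<'EOF'
Features for bond0:
rx-checksumming: off
tx-checksumming: on
    tx-checksum-ipv4: off [fixed]
scatter-gather: off
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off
rx-vlan-offload: on
EOF
}

# Live check: report the bond itself and every slave listed in sysfs.
check_bond() {
    bond=$1
    for dev in "$bond" $(cat "/sys/class/net/$bond/bonding/slaves"); do
        on=$(ethtool -k "$dev" | enabled_offloads | tr '\n' ' ')
        printf '%s: %s\n' "$dev" "${on:-all listed offloads are off}"
    done
}

# Run against a real bond only when an interface name is given, e.g. ./check.sh bond0
if [ $# -gt 0 ]; then check_bond "$1"; fi
```

Any device that still lists a feature here is handing Suricata packets that differ from what was on the wire, which is the condition the message says to avoid in monitor mode.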


