[Oisf-users] Packet drop nfq repeat
Aleksey
unite at openmailbox.org
Wed May 13 09:03:45 UTC 2015
Hi guys!
I'm using Suricata 2.0.8 in NFQ mode. I have quite an ancient machine on
which my testing instance of Suricata is running. I've noticed the
following thing: if I use NFQ accept mode, when I stop Suricata, the
counters show that all packets were accepted:

13/5/2015 -- 11:30:32 - <Notice> - (Recv-Q0) Treated: Pkts 50, Bytes 18634, Errors 0
13/5/2015 -- 11:30:32 - <Notice> - (Recv-Q0) Verdict: Accepted 50, Dropped 0, Replaced 0
When in turn I use repeat mode, I notice quite high drops:

13/5/2015 -- 11:37:37 - <Notice> - (Recv-Q0) Treated: Pkts 219, Bytes 47586, Errors 0
13/5/2015 -- 11:37:37 - <Notice> - (Recv-Q0) Verdict: Accepted 172, Dropped 47, Replaced 0
These are not blocked packets: drop.log is empty and there is nothing
to block there. I just connect to the testing website with my browser;
no rules are set to "drop", mostly "alert". CPU usage on the Suricata box
doesn't exceed 10-20% (all processes) and the Suricata process doesn't exceed
5% during my tests. Probably I've configured something wrong? Also, if I
set nfq fail-open to "true", the counters show that all packets are accepted.

My nfq config is:
nfq:
  mode: repeat
  repeat-mark: 1
  repeat-mask: 1
The iptables rule is also quite simple:

iptables -A FORWARD -d 192.168.55.200 -m mark ! --mark 1 -j NFQUEUE --queue-num 0 --queue-bypass
Any ideas?
Thanks in advance.
--
With kind regards,
Aleksey
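A small parser for the NFQ shutdown summaries quoted in the post, added here as an example and not code from the poster or from Suricata. It pairs each "Treated" line with its "Verdict" line by timestamp and queue, checks that Accepted + Dropped + Replaced accounts for every treated packet, and reports the per-queue drop rate, which is the number worth watching when drop.log is empty. The sample log is constructed from the lines in the post, re-joined onto single lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the two shutdown summaries quoted in the post.
SAMPLE_LOG = """\
13/5/2015 -- 11:30:32 - <Notice> - (Recv-Q0) Treated: Pkts 50, Bytes 18634, Errors 0
13/5/2015 -- 11:30:32 - <Notice> - (Recv-Q0) Verdict: Accepted 50, Dropped 0, Replaced 0
13/5/2015 -- 11:37:37 - <Notice> - (Recv-Q0) Treated: Pkts 219, Bytes 47586, Errors 0
13/5/2015 -- 11:37:37 - <Notice> - (Recv-Q0) Verdict: Accepted 172, Dropped 47, Replaced 0
"""

# Both line shapes share the same prefix: "<date> -- <time> - <Notice> - (Recv-Qn)".
PREFIX = r"^(?P<ts>\S+ -- \S+) - <Notice> - \((?P<q>Recv-Q\d+)\) "
TREATED_RE = re.compile(PREFIX + r"Treated: Pkts (?P<pkts>\d+), Bytes \d+, Errors (?P<errors>\d+)$")
VERDICT_RE = re.compile(PREFIX + r"Verdict: Accepted (?P<acc>\d+), Dropped (?P<drop>\d+), Replaced (?P<rep>\d+)$")


@dataclass
class QueueSummary:
    ts: str
    queue: str
    pkts: int = 0
    errors: int = 0
    accepted: int = 0
    dropped: int = 0
    replaced: int = 0

    @property
    def drop_rate(self) -> float:
        return self.dropped / self.pkts if self.pkts else 0.0

    @property
    def consistent(self) -> bool:
        # Every treated packet should have received exactly one verdict.
        return self.pkts == self.accepted + self.dropped + self.replaced


def parse_nfq_summaries(text: str) -> List[QueueSummary]:
    """Merge Treated/Verdict lines that share (timestamp, queue) into one summary."""
    by_key: Dict[Tuple[str, str], QueueSummary] = {}
    for line in text.splitlines():
        m = TREATED_RE.match(line) or VERDICT_RE.match(line)
        if not m:
            continue
        s = by_key.setdefault((m["ts"], m["q"]), QueueSummary(ts=m["ts"], queue=m["q"]))
        if "pkts" in m.groupdict():
            s.pkts, s.errors = int(m["pkts"]), int(m["errors"])
        else:
            s.accepted, s.dropped, s.replaced = int(m["acc"]), int(m["drop"]), int(m["rep"])
    return list(by_key.values())


def flag_unexpected_drops(summaries: List[QueueSummary], threshold: float = 0.0) -> List[QueueSummary]:
    """Summaries whose drop rate exceeds the threshold; with an alert-only ruleset
    any non-zero value points at the NFQ path rather than at the rules."""
    return [s for s in summaries if s.drop_rate > threshold]
```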