[Oisf-users] AF_Packet Mode vs. NFQUEUE Mode
Eric Leblond
eric at regit.org
Fri Nov 13 16:02:03 UTC 2015
Hi,
On Fri, 2015-11-13 at 09:52 -0600, Leonard Jacobs wrote:
> Are you saying that NFQUEUE is not working so well in 2.0.9 so we
> should not use that IPS mode?
No. Just don't use NFQUEUE to filter packets on a bridged interface.
++
> Leonard Jacobs
> From: Eric Leblond [mailto:eric at regit.org]
> To: Leonard Jacobs [mailto:ljacobs at netsecuris.com], oisf-users at lists.openinfosecfoundation.org [mailto:oisf-users at lists.openinfosecfoundation.org]
> Sent: Fri, 13 Nov 2015 07:37:51 -0600
> Subject: Re: [Oisf-users] AF_Packet Mode vs. NFQUEUE Mode
>
> Hello Leonard,
>
> On Fri, 2015-11-13 at 07:08 -0600, Leonard Jacobs wrote:
> > What happens if the interfaces are bridged when using AF_Packet mode?
> > Does that cause problems since this mode performs its own copy-mode
> > between interfaces?
>
> That would cause a duplication of packets:
> * Bridge forwards packets from iface 1 to 2
> * Suricata sees packets on iface 1 and copies packets on iface 2
>
> > In NFQUEUE IPS mode, are the interfaces supposed to be bridged? Will
> > IPTables not function properly without the interfaces being bridged?
>
> No bridge needed. Using it is even the buggiest setup that can be done
> (currently unexplained packet loss in that mode).
>
> BR,
>
> > Thanks.
> >
> > Leonard Jacobs
--
Eric Leblond <eric at regit.org>
Blog: https://home.regit.org/
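
The bridge conflict described in this thread can be checked on a Linux host before enabling IPS mode. The script below is an added example, not part of the original message or of Suricata; the function names, the `SYSFS_NET` override and the interface names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag Suricata IPS interfaces that are
# also ports of a Linux bridge.
# SYSFS_NET can be overridden to point at a constructed tree for testing.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Print the name of the bridge that interface $1 is a port of.
# Returns 1 (and prints nothing) when the interface is not a bridge port.
bridge_of() {
    # The kernel exposes a brport/ directory only for bridge ports;
    # brport/bridge is a symlink to the bridge device.
    [ -L "$SYSFS_NET/$1/brport/bridge" ] || return 1
    basename "$(readlink "$SYSFS_NET/$1/brport/bridge")"
}

# Check the two interfaces of an inline pair.
# Return codes:
#   0  neither interface is a bridge port
#   1  at least one is a bridge port (do not filter it with NFQUEUE)
#   2  both are ports of the same bridge (the bridge and AF_PACKET
#      copy-mode would each forward the traffic: duplicated packets)
check_ips_pair() {
    cip_b1=$(bridge_of "$1") || cip_b1=""
    cip_b2=$(bridge_of "$2") || cip_b2=""
    if [ -n "$cip_b1" ] && [ "$cip_b1" = "$cip_b2" ]; then
        echo "DUPLICATION: $1 and $2 are both ports of bridge $cip_b1" >&2
        return 2
    fi
    if [ -n "$cip_b1" ] || [ -n "$cip_b2" ]; then
        echo "WARNING: bridge port in pair ($1:${cip_b1:-none} $2:${cip_b2:-none})" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: ./check.sh eth0 eth1   (interface names are placeholders)
if [ "$#" -eq 2 ]; then
    check_ips_pair "$1" "$2"
fi
```

A return code of 0 means neither interface of the pair is enslaved to a bridge, which is the layout the reply above recommends for both modes.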