[Oisf-users] Utilizing NetMap-Suricata on FreeBSD

Oliver Humpage oliver at watershed.co.uk
Fri Oct 23 16:03:04 UTC 2015


> On 23 Oct 2015, at 16:44, Shane Boissevain <shaneboissevain at gmail.com> wrote:
> 
> My questions are:
> 1) Has anyone done this before?

Sort of.

> 2) Am I going about this all wrong?

I’m interested in why you’ve got FreeBSD set up as a bridge. What I’ve tended to do is set it up as a normal router, with normal IPs, so that hosts on the networks it’s connecting know to send packets through it. However, netmap then sits on top of that to snaffle the packets that come into an interface and copy them out of the other without them ever troubling the kernel’s routing table, a *bit* like a bridge.

If you set up your box as a normal router, then use roughly this netmap config in suricata:

netmap:
 - interface: int_if
   copy-mode: ips
   copy-iface: ext_if
 - interface: ext_if
   copy-mode: ips
   copy-iface: int_if

That should be all you need.

Personally, I have more than two interfaces, so I do actually need the kernel to route them. In my case I can set int_if to copy packets to int_if+ (so the kernel just thinks the packet has come in on the interface, and can route it itself). Similarly interface int_if+ copies to int_if to get the reverse flow.

I’m pretty sure I’ve had both bridgey and routey setups working fine. I suspect if you’re bridging in the OS (i.e. passing ARP around) netmap may well be getting in the way of that.

I’ve been absolutely itching to get netmap into production, but I’m waiting for a proper suricata release with netmap in rather than running beta, so it’s been a small while since I had a test rig up and running with this stuff. Apologies if I’m a bit rusty and have gotten anything wrong.

Oliver.
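The multi-interface variant Oliver describes above (each physical interface paired with its host-stack ring so the kernel still routes), written out as an added example rather than a config from the email; it assumes the interface names int_if, ext_if and dmz_if and the "+" host-stack suffix exactly as used in the message, and that the netmap section otherwise takes the same keys as the two-interface example.

```yaml
# Added example, not from the original mail.
# Each physical interface copies to its own host-stack ring (name+), so the
# packet is inspected by suricata and then handed to the kernel, which routes
# it normally. The reverse entry (name+ -> name) covers traffic the kernel
# sends out of that interface. Add one pair per interface the box routes for.
netmap:
  - interface: int_if
    copy-mode: ips
    copy-iface: int_if+
  - interface: int_if+
    copy-mode: ips
    copy-iface: int_if

  - interface: ext_if
    copy-mode: ips
    copy-iface: ext_if+
  - interface: ext_if+
    copy-mode: ips
    copy-iface: ext_if

  # Third interface (assumed name), which is why the kernel must route rather
  # than a fixed int_if <-> ext_if copy as in the two-interface example.
  - interface: dmz_if
    copy-mode: ips
    copy-iface: dmz_if+
  - interface: dmz_if+
    copy-mode: ips
    copy-iface: dmz_if
```

With this layout a drop verdict on either ring of a pair stops the packet before it reaches the kernel's routing table, so the same rules act in both directions without the OS being configured as a bridge.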
