[Oisf-users] Utilizing NetMap-Suricata on FreeBSD

Shane Boissevain shaneboissevain at gmail.com
Wed Oct 28 18:47:34 UTC 2015


Oliver, et al.

Thank you for the time, I went from 2.0.9 to 2.1beta4 without changing the
conf file, and missed that as an option. Thank you for pointing it out. My
netmap section now looks like this, and does what I expect it to.

netmap:
  - interface: default
    threads: auto
    copy-mode: ips
    disable-promisc: no
    checksum-checks: auto
  - interface: ix0
    copy-iface: ix1
  - interface: ix1
    copy-iface: ix0


Next issue: increasing throughput.
I'm currently running a ruleset with 16,617 rules in it, and seeing my
throughput drop from 3.2 Gb/s to 600 Mb/s with Suricata running. Suricata
is running in netmap mode (workers), and I'm thinking that I can get my
throughput higher by putting it in autofp mode. The problem is that when
Suricata is running in autofp mode (so that I can get multiple detection
threads), it stops passing traffic.

Typical output after stopping Suricata --netmap (workers) after about 30
seconds is something like:

<Notice> - Stats for 'ix0':  pkts: 1522757, drop: 0 (0.00%), invalid chksum: 0
<Notice> - Stats for 'ix1':  pkts: 761553, drop: 0 (0.00%), invalid chksum: 0


But when running in autofp mode, I'm getting SIGNIFICANTLY fewer packets,
almost none:

<Notice> - Stats for 'ix0':  pkts: 9, drop: 0 (0.00%), invalid chksum: 0

<Notice> - Stats for 'ix1':  pkts: 19, drop: 0 (0.00%), invalid chksum: 0


Any insight would be greatly appreciated.

Thank you again for reading.

On Fri, Oct 23, 2015 at 11:03 AM, Oliver Humpage <oliver at watershed.co.uk>
wrote:

>
> > On 23 Oct 2015, at 16:44, Shane Boissevain <shaneboissevain at gmail.com>
> wrote:
> >
> > My questions are:
> > 1) Has anyone done this before?
>
> Sort of.
>
> > 2) Am i going about this all wrong?
>
> I’m interested in why you’ve got FreeBSD set up as a bridge. What I’ve
> tended to do is set it up as a normal router, with normal IPs, so that
> hosts on the networks it’s connecting know to send packets through it.
> However, netmap then sits on top of that to snaffle the packets that come
> into an interface and copy them out of the other without them ever
> troubling the kernel’s routing table, a *bit* like a bridge.
>
> If you set up your box as a normal router, then use roughly this netmap
> config in suricata:
>
> netmap:
>  - interface: int_if
>    copy-mode: ips
>    copy-iface: ext_if
>  - interface: ext_if
>    copy-mode: ips
>    copy-iface: int_if
>
> That should be all you need.
>
> Personally, I have more than two interfaces, so I do actually need the
> kernel to route them. In my case I can set int_if to copy packets to
> int_if+ (so the kernel just thinks the packet has come in on the interface,
> and can route it itself). Similarly interface int_if+ copies to int_if to
> get the reverse flow.
>
> I’m pretty sure I’ve had both bridgey and routey setups working fine. I
> suspect if you’re bridging in the OS (i.e. passing ARP around) netmap may
> well be getting in the way of that.
>
> I’ve been absolutely itching to get netmap into production, but I’m
> waiting for a proper suricata release with netmap in rather than running
> beta, so it’s been a small while since I had a test rig up and running with
> this stuff. Apologies if I’m a bit rusty and have gotten anything wrong.
>
> Oliver.
>
>
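Added example, not from this thread and not Suricata's own code: a small Python check that a practitioner can run against a suricata.yaml netmap section before starting the sensor, plus a parser for the "Stats for '<iface>'" notice lines quoted above. It covers both the bridge-style pairing Shane posted (ix0 <-> ix1, with copy-mode inherited from the "default" entry) and the router-style pairing Oliver describes (int_if <-> int_if+). The netmap entries are transcribed by hand into Python dicts to avoid a YAML dependency; the pairing rules, the "starved interface" threshold of 1000 packets and the sample stats lines are assumptions constructed for the example (the counts are the ones quoted in the message).

```python
"""Sanity checks for a Suricata netmap IPS section and its stats output.

Added example; not part of the oisf-users thread or of Suricata itself.
"""
import re

# Transcription of the netmap section posted above (assumed equivalent).
POSTED_NETMAP = [
    {"interface": "default", "threads": "auto", "copy-mode": "ips",
     "disable-promisc": "no", "checksum-checks": "auto"},
    {"interface": "ix0", "copy-iface": "ix1"},
    {"interface": "ix1", "copy-iface": "ix0"},
]

# Transcription of the router-style pairing from the quoted reply: the
# '+' suffix names the host-stack side of int_if (assumed here).
ROUTER_NETMAP = [
    {"interface": "int_if", "copy-mode": "ips", "copy-iface": "int_if+"},
    {"interface": "int_if+", "copy-mode": "ips", "copy-iface": "int_if"},
]

# Constructed broken section: ix1 never copies back to ix0.
BROKEN_NETMAP = [
    {"interface": "default", "copy-mode": "ips"},
    {"interface": "ix0", "copy-iface": "ix1"},
    {"interface": "ix1"},
]


def effective_settings(entries):
    """Merge each named interface with the 'default' entry (per-interface keys win)."""
    default = {}
    for e in entries:
        if e.get("interface") == "default":
            default = {k: v for k, v in e.items() if k != "interface"}
    merged = {}
    for e in entries:
        name = e.get("interface")
        if name is None or name == "default":
            continue
        settings = dict(default)
        settings.update({k: v for k, v in e.items() if k != "interface"})
        merged[name] = settings
    return merged


def validate_ips_pairs(entries):
    """Return a list of problems; an empty list means every IPS interface is paired both ways."""
    problems = []
    merged = effective_settings(entries)
    for name, s in merged.items():
        if s.get("copy-mode") != "ips":
            problems.append(f"{name}: copy-mode is {s.get('copy-mode')!r}, expected 'ips'")
            continue
        peer = s.get("copy-iface")
        if peer is None:
            problems.append(f"{name}: copy-mode ips but no copy-iface set")
            continue
        if peer not in merged:
            problems.append(f"{name}: copy-iface {peer!r} is not a configured interface")
            continue
        if merged[peer].get("copy-iface") != name:
            problems.append(f"{name} copies to {peer}, but {peer} copies to "
                            f"{merged[peer].get('copy-iface')!r}; reverse direction is not paired")
    return problems


# Matches the per-interface summary Suricata prints at shutdown.
STATS_RE = re.compile(
    r"Stats for '(?P<iface>[^']+)':\s+pkts: (?P<pkts>\d+), drop: (?P<drop>\d+) "
    r"\((?P<pct>[\d.]+)%\), invalid chksum: (?P<chksum>\d+)")


def parse_stats(lines):
    """Map interface name -> counters from the notice lines."""
    stats = {}
    for line in lines:
        m = STATS_RE.search(line)
        if m:
            stats[m.group("iface")] = {"pkts": int(m.group("pkts")),
                                       "drop": int(m.group("drop")),
                                       "invalid_chksum": int(m.group("chksum"))}
    return stats


def starved_interfaces(stats, entries, min_pkts=1000):
    """Interfaces of the IPS section that saw fewer than min_pkts packets.

    Threshold is an assumption: after ~30 s on a busy link, a handful of
    packets (as in the autofp run quoted above) means the copy path is not moving traffic.
    """
    return [name for name in effective_settings(entries)
            if stats.get(name, {}).get("pkts", 0) < min_pkts]


# Constructed copies of the two runs quoted in the message.
WORKERS_STATS = [
    "<Notice> - Stats for 'ix0':  pkts: 1522757, drop: 0 (0.00%), invalid chksum: 0",
    "<Notice> - Stats for 'ix1':  pkts: 761553, drop: 0 (0.00%), invalid chksum: 0",
]
AUTOFP_STATS = [
    "<Notice> - Stats for 'ix0':  pkts: 9, drop: 0 (0.00%), invalid chksum: 0",
    "<Notice> - Stats for 'ix1':  pkts: 19, drop: 0 (0.00%), invalid chksum: 0",
]

if __name__ == "__main__":
    print("posted config problems:", validate_ips_pairs(POSTED_NETMAP))
    print("broken config problems:", validate_ips_pairs(BROKEN_NETMAP))
    print("workers run starved:", starved_interfaces(parse_stats(WORKERS_STATS), POSTED_NETMAP))
    print("autofp run starved:", starved_interfaces(parse_stats(AUTOFP_STATS), POSTED_NETMAP))
```

Run it after a short test window: an empty problem list for the config together with an empty starved list for the stats means the copy-iface pairing is symmetric and both directions actually carried packets; the autofp run above trips the starved check on both interfaces even though its drop counters read zero, which is why looking only at the drop percentage would have missed the problem.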

