[Oisf-users] NETMAP guide - FreeBSD /etc/rc.conf

elof2 at sentor.se elof2 at sentor.se
Thu Apr 7 13:58:08 UTC 2016


On Thu, 7 Apr 2016, Shirkdog wrote:

> From a pure FreeBSD/Netmap perspective, I would document the specific
> version of FreeBSD in your write up that these configurations worked
> with Netmap.

Sure!

> FreeBSD 11 will have Netmap enabled by default.

What do you mean by "enabled" by default?
Netmap is already in the kernel in 10.1.

/Elof


> On Thu, Apr 7, 2016 at 9:12 AM,  <elof2 at sentor.se> wrote:
>>
>> So, I'll start with a bunch of "stupid" questions.
>> My intention is to put together your replies into a general wiki-page for
>> NETMAP.
>>
>>
>> ##########################################################################
>>
>>
>> For IDS-mode (ix0 and ix1 receive mirrored traffic) I have this in my
>> /etc/rc.conf:
>>   # Disable unnecessary stuff (arp-learning)
>>   # Disable lro (suricata requirement)
>>   # Disable all hw acceleration (NETMAP requirement)
>>   # Put interface in monitor mode to drop packets immediately after being captured
>>   ifconfig_ix0="up -arp -lro -rxcsum -rxcsum6 monitor"
>>   ifconfig_ix1="up -arp -lro -rxcsum -rxcsum6 monitor"
>>
>>
>> Example of running sniffer interface:
>> ix1: flags=488c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
>>         options=8403b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
>>         ether 0c:12:34:56:78:91
>>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>>         media: Ethernet autoselect (10Gbase-T <full-duplex>)
>>         status: active
>>
>>
>>
>> Do you think I should add anything more (or less) to /etc/rc.conf when
>> running suricata in IDS mode?
>>
>>
>>
>> ##########################################################################
>>
>>
>>
>> For IPS-mode (ix0=outside and ix1=inside):
>> /etc/rc.conf:
>>   ifconfig_ix0="inet 1.2.3.50 netmask 255.255.255.0 -lro -rxcsum -rxcsum6 -txcsum -txcsum6 -tso -tso6"
>>   ifconfig_ix1="inet 10.0.0.1 netmask 255.255.255.0 -lro -rxcsum -rxcsum6 -txcsum -txcsum6 -tso -tso6"
>>
>> Ex:
>> ix0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>         options=8400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
>>         ether 0c:12:34:56:78:90
>>         inet 1.2.3.50 netmask 0xffffff00 broadcast 1.2.3.255
>>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>>         media: Ethernet autoselect (10Gbase-T <full-duplex>)
>>         status: active
>>
>>
>> Do you think I should add anything more (or less) to /etc/rc.conf when
>> running suricata in IPS mode?
>>
>>
>>
>> ##########################################################################
>>
>>
>>
>> (if you have any similar examples for Linux, let me know and I'll include
>> them in the wiki)
>>
>> /Elof
>>
>>
>>
>>
>> On Thu, 10 Mar 2016, elof2 at sentor.se wrote:
>>
>>> Hi all, especially FreeBSD users.
>>>
>>> In the docs directory there's an old textfile for FreeBSD 8.
>>>
>>> I would greatly appreciate if the FreeBSD users merged together an updated
>>> textfile with hints, tips and tricks for FreeBSD 10.x/11.x, with the new
>>> NETMAP support.
>>>
>>>
>>>
>>> Examples of topics I'd like:
>>>
>>> What hardware (NICs) is known to work well?
>>>
>>> rc.conf
>>> - give examples and explain that e.g. options "-lro" and "monitor" should
>>> be used (for IDS mode)
>>>
>>>
>>> What tweaks to put in /etc/sysctl.conf (and /boot/loader.conf???).
>>> - net.bpf.zerocopy_enable=1 ?
>>> - net.bpf.maxbufsize= huge number? How large? 15% of total RAM?
>>> - kern.ipc.maxsockbuf? kern.threads.max_threads_per_proc? dev.ix.0.fc=0? -
>>> etc
>>>
>>>
>>> What config/tweaks to put in suricata.yaml
>>> - specifically for NETMAP
>>> - Mapping CPUs to queues
>>> - recommended runmode
>>> - etc
>>>
>>>
>>>
>>> If you people can feed me your thoughts and experiences, I'm happy to put
>>> together a new textfile (FreeBSD.NETMAP.txt) for the docs dir.
>>>
>>>
>>>
>>>
>>> It's time to show the world that linux+PF-RING isn't the only way to go.
>>>
>>> /Elof
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Suricata User Conference November 9-11 in Washington, DC:
>>> http://oisfevents.net
>>
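The quoted rc.conf snippets above describe which interface flags and offload options must be off before Suricata can run on a netmap interface (no LRO, no checksum offload, and MONITOR/NOARP set for an IDS sniffer; TSO and TX checksum offload also off for an IPS bridge). The POSIX sh script below is an added example that is not part of this thread or of the Suricata project: it parses `ifconfig`-style output and reports any requirement from the quoted configuration that is still unmet. The two interface dumps embedded in it are constructed samples modelled on the output in the thread (the second one deliberately has offloads enabled); the function names `check_netmap_iface`, `fieldlist` and `has_token` are the example's own.

```shell
#!/bin/sh
# Constructed sample: IDS sniffer interface already configured as in the thread
IDS_SAMPLE='ix1: flags=488c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
        options=8403b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
        ether 0c:12:34:56:78:91
        status: active'

# Constructed sample: IPS interface still at driver defaults (offloads on, hypothetical option word)
IPS_BAD_SAMPLE='ix0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO>
        ether 0c:12:34:56:78:90
        status: active'

# has_token LIST TOKEN: succeed if TOKEN is one element of the comma-separated LIST
has_token() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# fieldlist TEXT KEY: print the comma list inside <...> on the first line carrying KEY (flags= or options=)
fieldlist() {
    printf '%s\n' "$1" | sed -n "s/.*$2[0-9a-f]*<\([^>]*\)>.*/\1/p" | head -n 1
}

# check_netmap_iface MODE TEXT: MODE is "ids" or "ips"; prints one line per
# unmet requirement and returns the number of violations (0 = ready for netmap)
check_netmap_iface() {
    mode=$1
    text=$2
    flags=$(fieldlist "$text" 'flags=')
    opts=$(fieldlist "$text" 'options=')
    bad=0
    # Both modes: -lro -rxcsum -rxcsum6 must have taken effect
    for o in LRO RXCSUM RXCSUM_IPV6; do
        if has_token "$opts" "$o"; then
            echo "offload still enabled: $o"
            bad=$((bad + 1))
        fi
    done
    if [ "$mode" = ids ]; then
        # Sniffer: "monitor" and "-arp" from rc.conf show up as MONITOR and NOARP flags
        has_token "$flags" MONITOR || { echo "missing MONITOR flag"; bad=$((bad + 1)); }
        has_token "$flags" NOARP   || { echo "ARP still enabled (missing NOARP)"; bad=$((bad + 1)); }
    elif [ "$mode" = ips ]; then
        # Forwarding interface: -txcsum -txcsum6 -tso -tso6 must also be off
        for o in TXCSUM TXCSUM_IPV6 TSO4 TSO6; do
            if has_token "$opts" "$o"; then
                echo "offload still enabled: $o"
                bad=$((bad + 1))
            fi
        done
    else
        echo "unknown mode: $mode"
        bad=$((bad + 1))
    fi
    return $bad
}

# Stand-alone demonstration on the constructed samples
check_netmap_iface ids "$IDS_SAMPLE" && echo "ix1 (sample) is ready for netmap IDS mode"
check_netmap_iface ips "$IPS_BAD_SAMPLE" || echo "ix0 (sample) needs its rc.conf offload flags before IPS mode"
```

On a live FreeBSD box the same function can be fed the real interface state with `check_netmap_iface ids "$(ifconfig ix1)"`; a non-zero return after the rc.conf change has been applied usually means the driver ignored a flag (for example an option word that lacks the IPv6 checksum variants), which is worth catching before netmap and Suricata are started rather than after.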


