[Oisf-users] NFQUEUE in general

Andreas Herz andi at geekosphere.org
Sat Apr 7 22:21:31 UTC 2018

On 07/04/18 at 17:25, Chris Boley wrote:
> Unless I missed this somewhere in "readthedocs", why does it not address:
> A. Loading the bridge_flt kernel module, i.e., how and why. (Very important
> BTW)
> It can be done very simply but is a critical component. Ubuntu 16.04
> specifically doesn't do this by default and tons of noobs get stonewalled
> by this.
> B. Configuring sysctl flags appropriately to make NFQUEUE work in a bridge
> with Suri. (also critical) Ubuntu 16.04 specifically doesn't do this by
> default. If I've missed this in the docs somewhere, sorry I'm asking about
> it...
> C. Configuring sysctl flags appropriately to make NFQUEUE work in a bridge
> that has vlan tagged packets. (this area brings a couple of dynamics that
> are important)
>     1c. enabling more appropriate sysctl flags to deal with VLAN info
> appropriately.
>     2c. Explanations of bridges handling VLAN tags and how it affects
> bridge MTU requirements...

Those are for specific setups with bridges, but feel free to add
documentation for that so we can include that either in our redmine wiki
or even include it in our readthedocs. Adding documentation helps a lot,
so I encourage you to submit a PR for that.

> Also, nothing talks about NFQUEUE tuning..
> for example load balancing NFQUEUE generic example for an 8 core proc:
> sudo suricata -q 0 -q 1 -q 2 -q 3 -q 4 -q 5 -q 6 -q7 -c
> /etc/suricata/suricata.yaml

If you use NFQUEUE we kinda expect that you know about such things, but
as mentioned above it's a valid suggestion to add this to our docs!

> I know there's a feature request in for this:
> Feature #2150
> How does that play into setting up iptables with:
> iptables -A FORWARD -j NFQUEUE --queue-balance 0:7  (asking about queue
> balance)
> Does one contradict the other? Can somebody help me understand these two?
> Pros and cons?

The idea is that the script makes it easy to make sure suricata is run
with a configured amount of -q X parameters that should match the
--queue-balance that's configured or wanted.

> I'm also curious why IPTABLES/nftables isn't mentioned more in
> documentation as a way to separate out unwanted traffic prior to it ever
> touching the NFQUEUE rule? This indirectly speeds up IDPS engines immensely
> and I would think is worthy of mention in documentation for NFQUEUE.

Again, we expect people to understand those basics. The only thing that
might be worth adding is a mention that you might want to filter some
stuff out before hitting the NFQUEUE, and maybe 1-2 examples.

tl;dr new/more/better documentation is always appreciated! :)

Andreas Herz
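The two points the thread keeps circling back to are (1) the number of `-q` queues Suricata is started with has to match the `--queue-balance` range in the iptables rule, and (2) traffic you do not want inspected should be accepted or dropped by rules placed *before* the NFQUEUE rule so it never reaches the engine. The script below is an added example and not code from the thread, from Suricata or from OISF's docs: it derives both the `-q` arguments and the `0:N-1` range from one queue count, checks that they agree, loads the bridge netfilter module (`br_netfilter`, which is what the quoted "bridge_flt" refers to) and the bridge sysctls needed for iptables to see bridged and VLAN-tagged frames, and shows one bypass rule ahead of the NFQUEUE rule. The trusted subnet `10.0.0.0/24` is a placeholder chosen for the example; `DRY_RUN=1` (the default) only prints the commands.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Generates a consistent
# NFQUEUE load-balancing setup for Suricata from a single queue count.
# Assumptions (not from the thread): 10.0.0.0/24 is a constructed "trusted"
# subnet used only to illustrate a bypass rule; DRY_RUN=1 prints instead of
# executing so the script can be read and tested without root.

DRY_RUN="${DRY_RUN:-1}"

# Print "-q 0 -q 1 ... -q N-1" for N queues.
suricata_queue_args() {
    n="$1"; i=0; out=""
    while [ "$i" -lt "$n" ]; do
        out="$out -q $i"
        i=$((i + 1))
    done
    printf '%s' "${out# }"
}

# Print the --queue-balance range that matches N queues: "0:N-1".
queue_balance_range() {
    printf '0:%d' "$(( $1 - 1 ))"
}

# Return success only if the number of -q flags equals the size of the
# queue-balance range. A mismatch means some queues have no reader (packets
# pile up and are dropped) or some workers never see traffic.
queues_match() {
    args="$1"; range="$2"
    count=$(printf '%s\n' "$args" | tr ' ' '\n' | grep -c '^-q$' || true)
    lo="${range%:*}"; hi="${range#*:}"
    [ "$count" -eq $((hi - lo + 1)) ]
}

# Run a command, or just echo it in dry-run mode.
run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# Bridge setups need the bridge netfilter module and the sysctls that pass
# bridged (and VLAN-tagged) frames through the iptables FORWARD chain.
bridge_setup() {
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run sysctl -w net.bridge.bridge-nf-filter-vlan-tagged=1
}

# Bypass rules first, NFQUEUE last: anything ACCEPTed or DROPped above the
# NFQUEUE rule never costs Suricata a cycle. --queue-bypass makes the kernel
# accept packets instead of dropping them when no Suricata process is bound
# to the queue (for example during a restart); drop it if fail-closed is wanted.
iptables_rules() {
    n="$1"
    run iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT   # constructed trusted subnet
    run iptables -A FORWARD -j NFQUEUE --queue-balance "$(queue_balance_range "$n")" --queue-bypass
}

main() {
    n="${1:-8}"                      # default: 8 queues, one per core
    args=$(suricata_queue_args "$n")
    range=$(queue_balance_range "$n")
    queues_match "$args" "$range" || { echo "queue count/range mismatch" >&2; exit 1; }
    bridge_setup
    iptables_rules "$n"
    # $args is intentionally unquoted so each -q N becomes its own argument.
    run suricata $args -c /etc/suricata/suricata.yaml
}

main "$@"
```

Running `sh nfq-setup.sh 8` prints the eight `-q` flags, the `--queue-balance 0:7` rule and the sysctls; `DRY_RUN=0 sudo sh nfq-setup.sh 8` applies them. Changing the core count in one place keeps the Suricata side and the iptables side in step, which is the same consistency the feature request mentioned in the thread is after.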
