Netmap not supported for Intel X553 driver in pfSense 2.5.0
-
I have a Supermicro motherboard 'A2SDi-4C-HLN4F' which uses X553 chipset. It is presently running Stable 2.4.5-p1 and Snort. Is this release affected by this issue?
-
@trumee said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
I have a Supermicro motherboard 'A2SDi-4C-HLN4F' which uses X553 chipset. It is presently running Stable 2.4.5-p1 and Snort. Is this release affected by this issue?
Snort on pfSense-2.4.5 does not support netmap device operation, so no, the 2.4.5 release is not impacted. Snort on 2.4.5-RELEASE uses libpcap.
-
@trumee said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
I have a Supermicro motherboard 'A2SDi-4C-HLN4F' which uses X553 chipset. It is presently running Stable 2.4.5-p1 and Snort. Is this release affected by this issue?
My tests didn't include testing Snort on Stable 2.4.5. I was asked to install Snort on 2.5.0-devel by another user, to compare Snort vs Suricata, in the matter of speed and it was a little lower for me when I tested with Snort.
After some discussions with the guys that maintain Netmap, Intel drivers, Supermicro support, FreeBSD, I was directed to Suricata maintainers.
I took my time and tried various tutorials that optimize some networking parameters, but I got only small variances in performance like 30-40 Mbps.
My last try will be to have a chat with Suricata guys.
I hope they will not recommend me a Napatech card (Napatech products link), or something.
I will update if I find something of interest.
-
@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
@trumee said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
I have a Supermicro motherboard 'A2SDi-4C-HLN4F' which uses X553 chipset. It is presently running Stable 2.4.5-p1 and Snort. Is this release affected by this issue?
My tests didn't include testing Snort on Stable 2.4.5. I was asked to install Snort on 2.5.0-devel by another user, to compare Snort vs Suricata, in the matter of speed and it was a little lower for me when I tested with Snort.
After some discussions with the guys that maintain Netmap, Intel drivers, Supermicro support, FreeBSD, I was directed to Suricata maintainers.
I took my time and tried various tutorials that optimize some networking parameters, but I got only small variances in performance like 30-40 Mbps.
My last try will be to have a chat with Suricata guys.
I hope they will not recommend me a Napatech card (Napatech products link), or something.
I will update if I find something of interest.
One issue that is likely at play with both Suricata and Snort (Snort on FreeBSD-11.x) is that on FreeBSD the netmap host stack originally exposed only a single ring. NIC drivers, on the other hand, pretty much uniformly expose multiple rings. The more rings you have, the higher the theoretical throughput can be.
The latest iteration of netmap on FreeBSD finally offers a multiple ring interface for the host stack. The host stack is the connection to the kernel itself. Most of the original implementations of netmap envisioned sending packets between two NIC interfaces directly (that is, without necessarily going through the kernel network stack). So to put this in Suricata terms, think of using two physical NICs and having Suricata sit between them policing traffic between the two NICs. In that scenario all rings available in the NIC drivers would be used.
But Suricata on pfSense needs to interact with the kernel network stack because we want to inspect traffic as it flows to and from the NIC to the pf firewall engine in the kernel. Also, we don't want to use up two valuable hardware NIC ports just to have an "in" and an "out" path. We want to use a single NIC for an interface.
Starting with FreeBSD-12 and the move to the iflib networking API, netmap now exposes a multi-ring netmap interface for the host stack. However, for the moment I don't believe Suricata 5.x is using that interface in order to maintain backwards compatibility with older netmap API versions.
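
The two netmap layouts described in the post above, written as `suricata.yaml` netmap sections. This is an added illustration, not configuration from the thread or the file pfSense generates; the interface names `ix0` and `ix1` are assumed.

```yaml
---
# Layout 1: NIC-to-NIC bridge, the arrangement netmap was first built around.
# Suricata sits between two physical ports and copies packets from one to the
# other, so only the NIC drivers' hardware rings are involved.
netmap:
  - interface: ix0        # assumed name of the first port
    copy-mode: ips        # drop on rule match, otherwise forward
    copy-iface: ix1       # assumed name of the second port
  - interface: ix1
    copy-mode: ips
    copy-iface: ix0
---
# Layout 2: single NIC paired with the kernel host stack, the arrangement the
# post describes for pfSense. The "^" suffix is netmap's name for the host
# stack rings of that interface, so packets pass NIC -> Suricata -> kernel (pf)
# and back. The host side is where the single-ring limit in the post applies.
netmap:
  - interface: ix0        # NIC hardware rings
    copy-mode: ips
    copy-iface: ix0^      # host stack rings of the same interface
  - interface: ix0^       # return path: kernel -> Suricata -> NIC
    copy-mode: ips
    copy-iface: ix0
```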