Netmap: new API version (14)

NRgia · May 31, 2022, 7:55 PM

Hello @bmeeks I see here https://redmine.openinfosecfoundation.org/issues/4852 that Suricata v.6.0.6 will implement a new version of netmap.

Do you foresee any issues with it, on FreeBSD, if you happen to know?
Although if I run:

suricata --build-info

I see "Netmap support...Yes v14+" (does this mean we already have it? Then I don't understand the above defect)
Thanks

NollipfSense · May 31, 2022, 8:34 PM

@nrgia If I am correct, I believe it's already built-in the kernel in Freebsd 12.3 and FreeBSD 13.0 for sure or, until Bill states better.

bmeeks · May 31, 2022, 8:46 PM

I helped the upstream Suricata team develop the Netmap API 14 code. Initially upstream elected to put the new code only in Suricata 7.0 which is still not released to production. I have not checked lately, but I don't think it is even RC (release candidate) yet.

Because I knew how the code worked and what changes were needed, I went ahead and ported the Netmap API v14 patch into the Suricata binary package built for pfSense. So pfSense has had the new v14 API since around August or so of 2021 (don't recall the exact release date at the moment).

The upstream team had the new API set for inclusion in the recent 6.0.5 update, but elected to not include it at the last minute. I don't know why. They still have it on the list to include in the next 6.x release. It is already merged into the 7.0 development code base upstream.

The "otherSense" product also went ahead and included the new Netmap API v14 code in their Suricata package. But they combined it with some changes to RSS in their kernel and a move to FreeBSD 13. They previously used FreeBSD 12 Hardened (which is similar, but different in some ways from the STABLE branch pfSense is using). Their results with the new API combined with the other changes were not great. A fair number of users had issues. I understand they have currently backed out the Netmap API v14 changes, but even still there are issues continually being reported there with Suricata and VLANs. Looks mostly to be related to FreeBSD 13 bugs to me.

So far on pfSense, the Netmap API v14 changes seem to have worked well. I have not seen any major bugs related to netmap. The only issues I know of are with VLANs and traffic shaping/limiters. But those issues are from the netmap device itself and are not related to the v14 API changes. What v14 did was allow netmap in Suricata to properly utilize multiple host rings for increased throughput, and it eliminated the problem of multiple threads stepping on and corrupting each others NIC-side netmap rings.

NRgia · May 31, 2022, 8:52 PM

@bmeeks Glad that you keep an eye on the "otherSense". Also glad that your implementation is better. Thank you again for your contribution to Suricata.

bmeeks · May 31, 2022, 9:47 PM

@nrgia said in Netmap: new API version (14):

@bmeeks Glad that you keep an eye on the "otherSense". Also glad that your implementation is better. Thank you again for your contribution to Suricata.

I probably should clarify that I think OpnSense still has the Netmap API v14 code in a development version of their build along with the RSS changes. From what I have followed over on their support forum, it appears that if you run a plain-vanilla Suricata setup (meaning no VLANs or shapers/limiters), the v14 API stuff runs great and really increases throughput with the RSS kernel changes. RSS lets the kernel stack and netmap make maximum use of multiple NIC queues and map the network flows to different CPU cores.

NRgia · May 31, 2022, 10:01 PM

@bmeeks In my case, VLANs are mandatory. In the end only an implementation that allows VLANs to work fits my needs. Hope at least on pfSense, they will still work in future releases too. Thanks for the hint.