4. Suricata inline mode on KVM

Suricata inline mode on KVM

  • E

    Hi all,
    after that Netmap support was added on 2.3, i'm trying to setup Suricata to work in "inline mode" on KVM virtual interfaces.
    Summarily it seems to work quite well (i've tried both e1000 and virtio interfaces) and i've verified that packets matching the alerts are effectively blocked.
    The problem is that when inline mode is enabled, i'm unable to see the outgoing traffic graph as you can see in attached pictures.
    I've disabled all sorts of tx and rx checksumming (as well as gso,tso ecc) on host side virtual interfaces, but nothing changes.
    Also with the "iotop" command i can see that the traffic in outgoing direction is always 0kb/s.
    As well as i switch from inline to legacy mode, the behaviour of the traffic graph and the iotop command are ok and i am able to see the outbound real time traffic.

    From the console i can also see (sometimes, the messages appears randomly) these errors:

    len_netmap_txsync  bad addr/len ring 0 slot 106 idx 1132 len 4096

    What could cause this issue?

    Is someone seeing the same issue?

    Thanks and regards,

    Edoardo




    0
  • N

    https://forum.pfsense.org/index.php?topic=110418.0

    0
  • E

    Hello ntct,

    I had already seen your thread before; i've not understood if, in addition on of these log messages, you've noticed traffic destruction or not.
    In my case there is not traffic issues, but i've at most 40/50 clients passing through the firewall; furthermore the internet pipe is 10Mbit only, so suricata is not handling a large number of packets as in your case…

    I've not understood if also in your case you've got the issue of the traffic graphs showing 0 Kb/s in egress direction.
    Regarding this issue, i've found another thread that speak about this issue:
    https://forum.pfsense.org/index.php?topic=111204.msg623379#msg623379

    I can tell you that i've also tried to use pci passthrough to assign the phisical NIC to pfsense VM (Intel e1000); however the issue still persists, thing that makes me think that maybe is not related to KVM/ESXi…

    Have a nice day,

    Edoardo

    0
  • N

    Yes, the issue still persists, maybe is not related to KVM/ESXi.

    I have request a support ticket, But It still test internal.

    I hope it can be fixed this year….

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy