Netgate Discussion Forum

    Suricata inline mode on KVM

    • edosselio

      Hi all,
      After Netmap support was added in 2.3, I'm trying to set up Suricata to work in "inline mode" on KVM virtual interfaces.
      In summary, it seems to work quite well (I've tried both e1000 and virtio interfaces) and I've verified that packets matching the alerts are effectively blocked.
      The problem is that when inline mode is enabled, I'm unable to see the outgoing traffic graph, as you can see in the attached pictures.
      I've disabled all sorts of tx and rx checksumming (as well as gso, tso, etc.) on the host-side virtual interfaces, but nothing changes.
      Also, with the "iotop" command I can see that the traffic in the outgoing direction is always 0kb/s.
      As soon as I switch from inline to legacy mode, the behaviour of the traffic graph and the iotop command is OK and I am able to see the outbound real-time traffic.

      From the console I can also see (sometimes, the messages appear randomly) these errors:

      len_netmap_txsync  bad addr/len ring 0 slot 106 idx 1132 len 4096

      What could cause this issue?

      Is someone seeing the same issue?

      Thanks and regards,

      Edoardo

      traffic.JPG
      no_traffic.JPG

      • ntct

        https://forum.pfsense.org/index.php?topic=110418.0

        • edosselio

          Hello ntct,

          I had already seen your thread before; I've not understood whether, in addition to these log messages, you've noticed traffic destruction or not.
          In my case there are no traffic issues, but I have at most 40/50 clients passing through the firewall; furthermore the internet pipe is 10Mbit only, so Suricata is not handling a large number of packets as in your case…

          I've not understood whether in your case you've also got the issue of the traffic graphs showing 0 Kb/s in the egress direction.
          Regarding this issue, I've found another thread that speaks about it:
          https://forum.pfsense.org/index.php?topic=111204.msg623379#msg623379

          I can tell you that I've also tried to use PCI passthrough to assign the physical NIC to the pfSense VM (Intel e1000); however, the issue still persists, which makes me think that maybe it is not related to KVM/ESXi…

          Have a nice day,

          Edoardo

          • ntct

            Yes, the issue still persists; maybe it is not related to KVM/ESXi.

            I have requested a support ticket, but it is still in internal testing.

            I hope it can be fixed this year….
