Netgate Discussion Forum

Suricata inline mode on KVM

  • edosselio (May 16, 2016, 1:13 PM)

    Hi all,
    After Netmap support was added in 2.3, I'm trying to set up Suricata to work in "inline mode" on KVM virtual interfaces.
    Summarily it seems to work quite well (I've tried both e1000 and virtio interfaces) and I've verified that packets matching the alerts are effectively blocked.
    The problem is that when inline mode is enabled, I'm unable to see the outgoing traffic graph, as you can see in the attached pictures.
    I've disabled all sorts of TX and RX checksumming (as well as GSO, TSO, etc.) on the host-side virtual interfaces, but nothing changes.
    Also, with the "iotop" command I can see that the traffic in the outgoing direction is always 0kb/s.
    As soon as I switch from inline to legacy mode, the behaviour of the traffic graph and the iotop command are OK and I am able to see the outbound real-time traffic.

    From the console I can also see (sometimes, the messages appear randomly) these errors:

    len_netmap_txsync  bad addr/len ring 0 slot 106 idx 1132 len 4096

    What could cause this issue?

    Is someone seeing the same issue?

    Thanks and regards,

    Edoardo

    Attachments: traffic.JPG, no_traffic.JPG

    • ntct (May 26, 2016, 1:42 AM)

      https://forum.pfsense.org/index.php?topic=110418.0

      • edosselio (May 26, 2016, 8:03 AM)

        Hello ntct,

        I had already seen your thread before; I've not understood whether, in addition to these log messages, you've noticed traffic destruction or not.
        In my case there are no traffic issues, but I have at most 40/50 clients passing through the firewall; furthermore the internet pipe is 10Mbit only, so Suricata is not handling a large number of packets as in your case…

        I've not understood whether in your case too you've got the issue of the traffic graphs showing 0 Kb/s in the egress direction.
        Regarding this issue, I've found another thread that speaks about it:
        https://forum.pfsense.org/index.php?topic=111204.msg623379#msg623379

        I can tell you that I've also tried to use PCI passthrough to assign the physical NIC to the pfSense VM (Intel e1000); however the issue still persists, which makes me think that maybe it is not related to KVM/ESXi…

        Have a nice day,

        Edoardo

        • ntct (May 26, 2016, 1:31 PM)

          Yes, the issue still persists; maybe it is not related to KVM/ESXi.

          I have requested a support ticket, but it is still being tested internally.

          I hope it can be fixed this year….
