OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: dotike on January 31, 2016, 04:30:56 am

Title: Suricata and Hardware Offload Clarification
Post by: dotike on January 31, 2016, 04:30:56 am
Dipping my toe in, content-based deny is quite sweet to see in action here!  The IPS feature is just plain awesome.  I've never used Suricata before, so I've got a few questions about how it works on OPNsense before I dive into Suricata itself.

Regarding hardware offloading, it's not entirely clear to me which offloading would affect which rulesets.  For an example of applied use, blocking Bittorrent on a network with rules concerning user-agent detection:

Quote
"ET P2P Bittorrent P2P Client User-Agent (Bittorrent/5.x.x)"
http://doc.emergingthreats.net/bin/view/Main/2006372

For matches like this based on packet content, I'd love to know if the hardware offloading really gets in the way.

The reason I'm asking here is that this new Suricata implementation opens up a whole new world of content-based packet filtering, and I'm looking to find the lines where it plays nicely with other features I care about (hardware offloading becomes important to me on large and small networks alike!).

Excited to be using this now, and to see this feature set become more refined as more people use it!

Title: Re: Suricata and Hardware Offload Clarification
Post by: franco on January 31, 2016, 12:01:04 pm
Hi Isaac,

Suricata 3.0 uses the netmap(4) device support in FreeBSD, which does not work very well with hardware checksumming enabled. I suspect this can be solved in the future, but for now that's the way the author states it in the documentation.

I'll answer your other question in the other post, although the two are both related to how netmap(4) works.


Cheers,
Franco
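The practical follow-up to Franco's answer is checking which offload features a FreeBSD interface actually has enabled, since netmap(4) mode captures frames before or after the NIC's own checksum handling and a rule that inspects packet content is only as good as the frames it sees. The script below is an added example, not code from the forum thread or from the OPNsense project: it parses ifconfig(8) output for the options=<...> list, reports the offload features that are turned on, and builds the ifconfig command that would turn them off. The interface name em0 and the ifconfig output embedded in it are constructed samples, not captured from a real box.

```shell
#!/bin/sh
# Added example (not from the OPNsense forum post or the OPNsense project):
# find hardware offload features on a FreeBSD NIC that are commonly advised
# off when the interface is used in netmap(4) mode, and emit the ifconfig
# command to disable them. Sample outputs below are constructed, not real.

SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
	ether 00:11:22:33:44:55
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

SAMPLE_CLEAN='em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:11:22:33:44:66'

# Offload features in the ifconfig options list that we care about here:
# receive/transmit checksum offload, TCP segmentation offload, large receive offload.
OFFLOADS="RXCSUM TXCSUM TSO4 TSO6 LRO"

# enabled_offloads IFCONFIG_OUTPUT
#   prints the enabled offload features from the options=<...> list, space-separated
enabled_offloads() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*options=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p' | head -n 1)
    found=""
    for f in $OFFLOADS; do
        case ",$opts," in
            *",$f,"*) found="$found $f" ;;
        esac
    done
    printf '%s' "${found# }"
}

# to_flag FEATURE -> the ifconfig(8) keyword that controls it
to_flag() {
    case $1 in
        RXCSUM)    echo rxcsum ;;
        TXCSUM)    echo txcsum ;;
        TSO4|TSO6) echo tso ;;   # ifconfig '-tso' clears both TSO4 and TSO6
        LRO)       echo lro ;;
    esac
}

# disable_commands IFNAME IFCONFIG_OUTPUT
#   prints the single ifconfig invocation that turns off every enabled feature,
#   or a note that nothing needs changing
disable_commands() {
    ifname=$1
    list=$(enabled_offloads "$2")
    if [ -z "$list" ]; then
        printf '%s: no checksum/TSO/LRO offload enabled\n' "$ifname"
        return 0
    fi
    cmd="ifconfig $ifname"
    for f in $list; do
        flag=$(to_flag "$f")
        # TSO4 and TSO6 share one keyword, so do not add '-tso' twice
        case " $cmd " in
            *" -$flag "*) continue ;;
        esac
        cmd="$cmd -$flag"
    done
    printf '%s\n' "$cmd"
}

# Stand-alone run over the constructed samples
disable_commands em0 "$SAMPLE_IFCONFIG"
disable_commands em1 "$SAMPLE_CLEAN"
```

On a live system you would feed it `ifconfig em0` output instead of the sample string. A change made this way with ifconfig does not survive a reboot; on OPNsense the persistent place to flip these switches is the interface settings in the web GUI, and after changing them it is worth re-running the check to confirm the options list no longer shows RXCSUM/TXCSUM/TSO4/LRO.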