OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: nrf on August 01, 2016, 03:32:47 pm

Title: so ids is periodically dying with a core dump
Post by: nrf on August 01, 2016, 03:32:47 pm
Anyone following this? Seems I bumped up to 16.7 too soon, should have let others soak it :)
Title: Re: so ids is periodically dying with a core dump
Post by: RabidWolf9 on August 01, 2016, 06:37:31 pm
IDS / IPS currently are not working with 16.7, must be disabled till new patch.
Title: Re: so ids is periodically dying with a core dump
Post by: franco on August 02, 2016, 07:37:16 am
Try reverting to Suricata 3.0.2 to see if that helps:

https://forum.opnsense.org/index.php?topic=3433.0

Are you using IPS?

We've identified a bug in the kernel code that shall be addressed in 16.7.1 this week.


Cheers,
Franco
Title: Re: so ids is periodically dying with a core dump
Post by: Sundial on August 02, 2016, 03:13:07 pm
Just for my information, is this a kernel bug in FreeBSD itself or just related to a modification by OPNsense? Thanks.
Title: Re: so ids is periodically dying with a core dump
Post by: franco on August 02, 2016, 04:46:58 pm
This is solely about the em(4) driver in conjunction with netmap(4) in FreeBSD. There was a batch MFC for FreeBSD 10.3 that is not in FreeBSD 10.2, namely:

https://svnweb.freebsd.org/base?view=revision&revision=294958

This was further bisected and led to:

https://svnweb.freebsd.org/base?view=revision&revision=293331

Then Ad found out this is related to the extended descriptor change and it is going to be reverted for 16.7.1:

https://github.com/opnsense/src/commit/11586afbb7ae47026ec490c2cf5c7d08111e88db

It's still not perfect and we'll keep digging to get to the bottom of this. The patch restores packet flow under netmap(4) for some chipsets and is generally more stable, although it's still not where it was as with 10.2.

For now we must say this also affects FreeBSD 11, though a small fix has already made it upstream which at least prevents total packet loss with netmap(4) in some scenarios:

https://svnweb.freebsd.org/base?view=revision&revision=303638


Cheers,
Franco
Title: Re: so ids is periodically dying with a core dump
Post by: Sundial on August 02, 2016, 04:59:46 pm
Thanks for the detailed info.  That really seems like quite the subtle little problem to find.  Good work figuring that out so quickly!

Is your assessment then that we should be OK with IDS on if not using the affected Intel network adapter?  For example, most of my boxes (unfortunately) have Realtek adapters.
Title: Re: so ids is periodically dying with a core dump
Post by: franco on August 02, 2016, 05:06:43 pm
Realtek re(4) is another story of instability with netmap(4). The consensus here is that it shouldn't be used. There are some threads about it. :(

IDS mode itself is fine on all adapters / drivers.
Title: Re: so ids is periodically dying with a core dump
Post by: Sundial on August 02, 2016, 05:13:56 pm
Thank you for the info.  I actually meant IPS in my previous post, but I'll stay away from that until the issues get resolved.  Thanks again for being on top of this.