Show Posts
1
19.1 Production Series / Call for testing: New netmap enabled kernel
« on: February 06, 2019, 12:21:44 am »
Dear OPNsense community,
One of the exciting new features, introduced with OPNsense 19.1 release, is the introduction of an alternate test kernel having the latest upstream netmap code.
Netmap is a very important subsystem in the base OS, since it provides the necessary plumbing for the operation of Suricata in IPS mode and also Sensei in particular.
Netmap code in FreeBSD (thus HardenedBSD) was almost 4 years old. It lacked lots of new developments and bug-fixes that have been done in this timeframe.
On the FreeBSD side, we (Sunny Valley Networks) sponsored a development effort to bring the latest upstream netmap code into FreeBSD.
Quite promptly, OPNsense team has now landed all this development to OPNsense 19.1. New functionality can be enabled by switching to the new-netmap-kernel (Instructions below)
As said, new kernel brings lots of bug-fixes and new developments, two of the most notable ones are being:
1 - VirtIO network adapters support:
You can now run Suricata/Sensei on virtio adapters. Virtio adapters are found mostly on QEMU/KVM based
Hypervisors like Proxmox, and on Cloud VPS providers.
2 - VLAN child interfaces: You can now run Suricata / Sensei on child vlan interfaces.
There is some more development pending (i.e. native VMware vmxnet support) but as of now and as far as our tests are concerned, we now seem to have a stable netmap implementation.
Bottomline, you should have a more stable Suricata (IPS mode) and Sensei experience after you switch to the new kernel.
Here are the steps for you to run and test the new kernel. Please feel free to share any issues you encountered and we'll do our best to investigate and try to find a solution.
IMPORTANT: Make sure you've completed your upgrade to 19.1. The new kernel is available & compatible with OPNsense 19.1.
To switch to the new-netmap-enabled kernel:
# opnsense-update -bkr 19.1-netmap
After the update & reboot, your 'uname -a' output should be similar: (pay attention to the commit hash and branch, it should be: c4ec367c3d9(master) )
root@fw:~ # uname -a
FreeBSD fw.local 11.2-RELEASE-p8-HBSD FreeBSD 11.2-RELEASE-p8-HBSD c4ec367c3d9(master) amd64
To revert back to the 19.1-default kernel:
# opnsense-update -bkf
Kudos to the OPNsense team for all of their co-operation and help on this.
One of the exciting new features, introduced with OPNsense 19.1 release, is the introduction of an alternate test kernel having the latest upstream netmap code.
Netmap is a very important subsystem in the base OS, since it provides the necessary plumbing for the operation of Suricata in IPS mode and also Sensei in particular.
Netmap code in FreeBSD (thus HardenedBSD) was almost 4 years old. It lacked lots of new developments and bug-fixes that have been done in this timeframe.
On the FreeBSD side, we (Sunny Valley Networks) sponsored a development effort to bring the latest upstream netmap code into FreeBSD.
Quite promptly, OPNsense team has now landed all this development to OPNsense 19.1. New functionality can be enabled by switching to the new-netmap-kernel (Instructions below)
As said, new kernel brings lots of bug-fixes and new developments, two of the most notable ones are being:
1 - VirtIO network adapters support:
You can now run Suricata/Sensei on virtio adapters. Virtio adapters are found mostly on QEMU/KVM based
Hypervisors like Proxmox, and on Cloud VPS providers.
2 - VLAN child interfaces: You can now run Suricata / Sensei on child vlan interfaces.
There is some more development pending (i.e. native VMware vmxnet support) but as of now and as far as our tests are concerned, we now seem to have a stable netmap implementation.
Bottomline, you should have a more stable Suricata (IPS mode) and Sensei experience after you switch to the new kernel.
Here are the steps for you to run and test the new kernel. Please feel free to share any issues you encountered and we'll do our best to investigate and try to find a solution.
IMPORTANT: Make sure you've completed your upgrade to 19.1. The new kernel is available & compatible with OPNsense 19.1.
To switch to the new-netmap-enabled kernel:
# opnsense-update -bkr 19.1-netmap
After the update & reboot, your 'uname -a' output should be similar: (pay attention to the commit hash and branch, it should be: c4ec367c3d9(master) )
root@fw:~ # uname -a
FreeBSD fw.local 11.2-RELEASE-p8-HBSD FreeBSD 11.2-RELEASE-p8-HBSD c4ec367c3d9(master) amd64
To revert back to the 19.1-default kernel:
# opnsense-update -bkf
Kudos to the OPNsense team for all of their co-operation and help on this.