Suricata and Hardware Offload Clarification

Started by dotike, January 31, 2016, 04:30:56 AM

Dipping my toe in, content-based deny is quite sweet to see in action here!  The IPS feature is just plain awesome.  I've never used suricata before, so I've got a few questions about how it works on OPNsense before I dive into suricata itself.

Regarding hardware offloading, it's not entirely clear to me which offloading would affect which rulesets.  For an applied example, blocking Bittorrent on a network with rules concerning user-agent detection:

Quote
"ET P2P Bittorrent P2P Client User-Agent (Bittorrent/5.x.x)"
http://doc.emergingthreats.net/bin/view/Main/2006372

For matches like this based on packet content, I'd love to know if the hardware offloading really gets in the way?

  - packet checksum offloading will obviously break packet known-signature rules, but would it affect content based rules?

  - TSO and LRO offloading will obviously break packet signature rules and rules looking for specific packet fragmentation, but will they affect content rules?

The reason I'm asking here is that this new Suricata implementation opens up a whole new world of content-based packet filtering, and I'm looking to find the lines where it plays nicely with other features I care about (hardware offloading becomes important to me on large and small networks alike!).

Excited to be using this now, and to see this feature set become more refined as more people use it!

Hi Isaac,

Suricata 3.0 uses the netmap(4) device support in FreeBSD, which does not work very well with Hardware checksumming enabled. I suspect this can be solved in the future, but for now that's the way the author states it in the documentation.

I'll answer your other question in the other post, although the two are both related to how netmap(4) works.


Cheers,
Franco
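As an added example that is not part of the thread: a small POSIX sh script that reads the `options=<...>` line of FreeBSD `ifconfig(8)` output, lists the offload capabilities (checksum, TSO, LRO and their VLAN/IPv6 variants) that a netmap-based Suricata sees as modified or unverified packets, and builds the `ifconfig` command that turns them off. The interface output is a constructed sample, not captured from a real box; disabling everything beyond hardware checksumming is the cautious choice for an IPS interface, not something Franco's reply states.

```shell
#!/bin/sh
# Constructed sample of FreeBSD ifconfig(8) output (not from a real system).
SAMPLE_IFCONFIG='igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:11:22:33:44:55'

# Map each offload capability to the ifconfig(8) keyword that disables it.
# Capabilities not listed here (VLAN_MTU, JUMBO_MTU, ...) are left alone.
offload_to_flag() {
  case "$1" in
    RXCSUM)      flag=-rxcsum ;;
    TXCSUM)      flag=-txcsum ;;
    RXCSUM_IPV6) flag=-rxcsum6 ;;
    TXCSUM_IPV6) flag=-txcsum6 ;;
    VLAN_HWCSUM) flag=-vlanhwcsum ;;
    TSO4)        flag=-tso4 ;;
    TSO6)        flag=-tso6 ;;
    VLAN_HWTSO)  flag=-vlanhwtso ;;
    LRO)         flag=-lro ;;
    *)           return 1 ;;
  esac
  printf '%s\n' "$flag"
}

# Print the enabled offloads from one interface's ifconfig output,
# sorted and space-separated (empty when none are on).
offloads_enabled() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*options=[0-9a-fA-F]*<\(.*\)>.*/\1/p' \
    | tr ',' '\n' \
    | while IFS= read -r cap; do
        offload_to_flag "$cap" >/dev/null && printf '%s\n' "$cap"
      done \
    | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

# Build the ifconfig(8) command that clears every enabled offload.
# It is printed, not executed, so the operator can review it first.
disable_command() {
  ifname=${1%%:*}              # "igb0: flags=..." -> igb0
  cmd="ifconfig $ifname"
  for cap in $(offloads_enabled "$1"); do
    cmd="$cmd $(offload_to_flag "$cap")"
  done
  printf '%s\n' "$cmd"
}

disable_command "$SAMPLE_IFCONFIG"
```

On a live system, feed it `ifconfig igb0` output in place of the sample; the settings do not survive a reboot unless also placed in the interface's `ifconfig_` line in rc.conf.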