Suricata only using one thread

Started by Dunuin, March 01, 2022, 08:38:25 AM

March 01, 2022, 08:38:25 AM Last Edit: March 01, 2022, 08:45:27 AM by Dunuin
Hi,

There are a lot of old threads here reporting that Suricata only makes use of one thread and isn't multi-threading.

I see the same here. My OPNsense 22.1 is running on a Proxmox VM with 4GB RAM and 4 vCPUs of a 2.3-3GHz Xeon E5 and virtio NICs. The virtio NICs use a LACP bond of all 4 ports of my Intel i350-T4. If I start downloading with Suricata IPS enabled I can only make use of 50Mbit of my 100Mbit internet connection. When I look at top it shows that only one of Suricata's threads is at 100% WCPU while the other threads aren't doing much. Basically, no matter how many threads I give OPNsense, it never makes use of more than 1-2 vCPUs.

What's preventing Suricata from effectively using more than one core?

"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT

Quote: When Suricata is running in IPS mode, Netmap is utilized to fetch packets off the line for inspection. By default, OPNsense has configured Suricata in such a way that the packet which has passed inspection will be re-injected into the host networking stack for routing/firewalling purposes. The current Suricata/Netmap implementation limits this re-injection to one thread only. Work is underway to address this issue since the new Netmap API (V14+) is now capable of increasing this thread count. Until then, no benefit is gained from RSS when using IPS.
Do you know if OPNsense 22.1.1-3 meanwhile supports IPS with more than one thread when enabling RSS?

The development version does (it has suricata-devel package). However, there seem to be issues with it which point to newer Suricata version issues. We did a backport recently of version 5 and it works without issues...


Cheers,
Franco