Lower cpu load during idle in 22.7.5 when using suricata

Started by Ypsilon, October 06, 2022, 04:23:09 PM

This could be a continuation of this thread, as we are on 22.7 release now:
https://forum.opnsense.org/index.php?topic=24895.0

Version 22.7.5 was released with of course the security fix as most important change.
Suricata was upgraded too in this release, with a change that should revert cpu load while idle to levels known before 21.7.3.
I upgraded my system and the load drop was significant.

I wonder if other users that experienced this specific load issue have the same improvement after upgrading to 22.7.5.

See also:
https://redmine.openinfosecfoundation.org/issues/4421
https://github.com/opnsense/core/issues/6065


To be honest, with all the outrage on negative things happen... the least will report that CPU usage is lower and that they are happy about it. ;)

But consider me happy this was resolved. :)


Cheers,
Franco

I'm going to re-enable it and check, thanks for pointing it out.
I had to disable it or put it on IDS mode only, the bandwidth was reduced too much to be usable. Different things but maybe it is better in that regard too.

Hi,
I noticed a drop in CPU load as well. I have proof in a Zabbix graph, which I'm unable to upload I'm afraid.

Franco,
No negativity from my end. You guys are doing an excellent job. Better support than many enterprises deliver these days. So keep up the fantastic work and many thanks from a former pfSense user.

It wasn't meant as a rant, I'm sorry if it came across like this. That's just usually what we see when something keeps working no matter how much it improved: lack of feedback.

But we generally take this as a good sign. :)


Cheers,
Franco

Re-enabled IPS and again 500 Mbps link gets only 119 Mbps. I'm disabling Suricata again. In fact I might need to forego Suricata altogether. Sorry for the noise, this is a performance issue.
On a positive side, the cpu usage is indeed low :)

How do you test this? I have used https://www.speedtest.net/ on multiple devices with and without IPS mode, but I get the same speed (1gbit ISP connection and about 700 Mbps on wifi, 950 on apple tv wired). So no problems here.

Running OPNsense:
OPNsense 22.7.5-amd64
FreeBSD 13.1-RELEASE-p2
OpenSSL 1.1.1q 5 Jul 2022

CPU type: Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz (4 cores, 4 threads)
16 GB memory
Deciso DEC850v2

Thanks for your input on this, Ramsense (apologies to OP for the slight hijack).
I am on an apu4 with an AMD GX-412TC SOC as cpu. The clock max is 1 GHz base and 1.4 boost, 4 cores.
The testing done is as you have done yours.
I've put it down to the cpu not being powerful enough to be suitable for IPS. I can't blame OPN or the Suricata chaps. Tremendous job. I've tried every optimisation I come across and RSS for instance gave me my isp package, until I introduce Suricata or Zenarmor. I left it with Suricata as my preferred option if I had to choose but then this hit is too much.
Package is 500/75. Suricata IDS 474/69. Suricata IPS 119/35.
I didn't want to open another "why does Suricata kill my throughput" without doing all I can to diagnose but I'm very close to admitting defeat.