Call for testing: New netmap enabled kernel

[franco]

Thanks to Murat and all of Sunny Valley for providing this rework and helping with a related Suricata incompatibility!

So far this is exciting *and* promising with good overall stability.

Ideally, this would be merged into 19.1.x in March or April, although the core team has not yet decided on a timeline.


Cheers,
Franco

[lattera]

Installation of the test world+kernel sets on the APU4c4 securing HardenedBSD's build network and infrastructure succeeded without issue. I've got Suricata running in IPS mode and only inspecting traffic on the LAN interface. Seems to be working fine for me for now. I'll be placing the firewall under load over the next few days and will report back.

[lattera]

Deployed successfully on another APU4c4 in a lab environment with tunneled IPv6. Working great!

[newsense]

Does 19.1-netmap kernel revert anything from 19.1.1 and how will it be kept on par with the upcoming 19.1.2+ versions until it is merged into mainline ?

Just trying to assess the security risks.

[newsense]

Also noticed this swap message after reboot:

[mb]

@redfish, this looks like something that needs to be investigated on the Suricata side. Will let you know once I have some more time for this.

@newsense, the only difference between 19.1 default kernel and 19.1-netmap kernel should be the netmap subsystem.

Any chances that you boot with the default kernel and try to see if it produces the same message?

@franco, that's great to hear it'll land on the production branch soon.

@lattera, thanks for the tests. Glad to hear that you had no issues.

[lattera]

One thing I did notice was that suricata seems to go crazy when in IPS mode and configured to monitor gif interfaces. Brings the entire network stack down. I'm gonna guess that netmap doesn't work with tunneling interfaces (at least, not yet?) Thank goodness for the serial console port on the APU devices.

[Redfish]

Thanks mb, here are the outputs for both kernels:
Edit: also need to note that I’ve followed this guide https://forum.opnsense.org/index.php?topic=6590.0 and disabled VLAN_HWTAGGING in order for suricata to function with my vlans.

Stock Kernel

dev.netmap.ixl_rx_miss_bufs: 0
dev.netmap.ixl_rx_miss: 0
dev.netmap.iflib_rx_miss_bufs: 0
dev.netmap.iflib_rx_miss: 0
dev.netmap.iflib_crcstrip: 1
dev.netmap.bridge_batch: 1024
dev.netmap.default_pipes: 0
dev.netmap.priv_buf_num: 4098
dev.netmap.priv_buf_size: 2048
dev.netmap.buf_curr_num: 163840
dev.netmap.buf_num: 163840
dev.netmap.buf_curr_size: 2048
dev.netmap.buf_size: 2048
dev.netmap.priv_ring_num: 4
dev.netmap.priv_ring_size: 20480
dev.netmap.ring_curr_num: 200
dev.netmap.ring_num: 200
dev.netmap.ring_curr_size: 73728
dev.netmap.ring_size: 73728
dev.netmap.priv_if_num: 1
dev.netmap.priv_if_size: 1024
dev.netmap.if_curr_num: 100
dev.netmap.if_num: 100
dev.netmap.if_curr_size: 1024
dev.netmap.if_size: 1024
dev.netmap.generic_rings: 1
dev.netmap.generic_ringsize: 1024
dev.netmap.generic_mit: 100000
dev.netmap.admode: 0
dev.netmap.fwd: 0
dev.netmap.flags: 0
dev.netmap.adaptive_io: 0
dev.netmap.txsync_retry: 2
dev.netmap.no_pendintr: 1
dev.netmap.mitigate: 1
dev.netmap.no_timestamp: 0
dev.netmap.verbose: 0
dev.netmap.ix_rx_miss_bufs: 0
dev.netmap.ix_rx_miss: 0
dev.netmap.ix_crcstrip: 0

New netmap kernel

dev.netmap.ixl_rx_miss_bufs: 0
dev.netmap.ixl_rx_miss: 0
dev.netmap.iflib_rx_miss_bufs: 0
dev.netmap.iflib_rx_miss: 0
dev.netmap.iflib_crcstrip: 1
dev.netmap.bridge_batch: 1024
dev.netmap.default_pipes: 0
dev.netmap.priv_buf_num: 4098
dev.netmap.priv_buf_size: 2048
dev.netmap.buf_curr_num: 0
dev.netmap.buf_num: 163840
dev.netmap.buf_curr_size: 0
dev.netmap.buf_size: 2048
dev.netmap.priv_ring_num: 4
dev.netmap.priv_ring_size: 20480
dev.netmap.ring_curr_num: 0
dev.netmap.ring_num: 200
dev.netmap.ring_curr_size: 0
dev.netmap.ring_size: 36864
dev.netmap.priv_if_num: 2
dev.netmap.priv_if_size: 1024
dev.netmap.if_curr_num: 0
dev.netmap.if_num: 100
dev.netmap.if_curr_size: 0
dev.netmap.if_size: 1024
dev.netmap.ptnet_vnet_hdr: 1
dev.netmap.generic_rings: 1
dev.netmap.generic_ringsize: 1024
dev.netmap.generic_mit: 100000
dev.netmap.generic_hwcsum: 0
dev.netmap.admode: 0
dev.netmap.fwd: 0
dev.netmap.txsync_retry: 2
dev.netmap.mitigate: 1
dev.netmap.no_pendintr: 1
dev.netmap.no_timestamp: 0
dev.netmap.verbose: 0
dev.netmap.ix_rx_miss_bufs: 0
dev.netmap.ix_rx_miss: 0
dev.netmap.ix_crcstrip: 0

[mb]

@redfish, thanks. Looks like it's on the Suricata side. I'll have a closer look.

[TheGrandWazoo]

This is "Excellent" news! . I run a lot of VM with VirtIO on Proxmox VE and have not been able to take advantage of Suricata. Will start converting and testing my OPNSense kernels.

Was very happy with my transition from pfSense to OPNSense, this makes it even better.

Thank you.

[mb]

TheGrandWazoo, great that you found this useful Please share your experience with Suricata + new kernel.

[Antaris]

Now when there is 19.1.1 can we use it with netmap enabled kernel and what is the command?

May be "# opnsense-update -bkr 19.1.1-netmap" ?

[mb]

Antaris, yes, correct.  From the first post in the thread:

To switch to the new-netmap-enabled kernel:

# opnsense-update -bkr 19.1-netmap

After the update & reboot, your 'uname -a' output should be similar: (pay attention to the commit hash and branch, it should be:  c4ec367c3d9(master) )

root@fw:~ # uname -a
FreeBSD fw.local 11.2-RELEASE-p8-HBSD FreeBSD 11.2-RELEASE-p8-HBSD  c4ec367c3d9(master)  amd64


To revert back to the 19.1-default kernel:

# opnsense-update -bkf

Franco plans the merge in the upcoming OPNsense 19.1.x minor releases.

[Antaris]

So is there 19.1.1 netmap enabled or just 19.1 ?

[franco]

There is no base/kernel for 19.1.1 so there is no / won't be a 19.1.1-netmap.

And when 19.1.2 is out with a new base/kernel, then the netmap kernel will be automatically removed as it is a test kernel, but you can lock it from the GUI if you do not want that.


Cheers,
Franco