Call for testing: netmap on 20.7

[mb]

@hfvk, @heresjody, thanks for letting us know.

@guyp2k, we have not heard of any feedback about that.

As of now, chip ids that are reported to be working:

0x156f8086
0x100e8086

Problematic chip id:
0x10d38086

[aimdev]

My system has

em0@pci0:0:31:6:   class=0x020000 card=0x00008086 chip=0x156f8086 rev=0x21 hdr=0x00

used on the WAN, the rest are igb.

All looks ok, except WAN does not appear in the sensei list (but i think it didn't in 20.1)

[mb]

Hi @aimdev, thanks. Do you have Suricata (in IPS mode) on WAN? If so, that's good. Yours is another testimony that this particular chipset works.

[aimdev]

No not yet. I don't fully understand the ramifications of disabling the hardware options.

[guyp2k]

Hi @aimdev, thanks. Do you have Suricata (in IPS mode) on WAN? If so, that's good. Yours is another testimony that this particular chipset works.

@mb just a FYI, I do have Suricata running in IPS mode on the WAN interface however, I had to add the WAN IP to the "Home Networks in order to start logging and blocking, chipset em0@pci0:1:0:0: class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00.

Question, I subscribe to Sensei and still confused on the road map, is the ultimate goal is to use Suricata on both internal and external interface to take the place of Suricata or use both? Under Sensei Configuration, I do not have an option to select the external/WAN interface, just LAN and and VLANs.

Again, just a little confused on this entire Sensei, Suricata, and netmap effort.....

TIA

[Quetschwalze]

Thanks for looking into this @mb

I have put the 20.7 proxmox virtual instance of OPNsense inline with PPPoE by backing up my 20.1 config and restoring to 20.7. Really easy to do and was up and running quickly.

Suricata runs successfully and alerts on the LAN interface (Virtio)
Switched to run on the WAN interface and am not receiving alerts. The new log view with v5 Suricata is different and seems to cycle with this when trying to establish IPS on the PPPoE WAN

   Counter | TM Name | Value
    ------------------------------------------------------------------------------------
    Date: 6/14/2020 -- 08:49:09 (uptime: 0d, 00h 08m 17s)
    ------------------------------------------------------------------------------------
    flow.memuse | Total | 7154304
    tcp.reassembly_memuse | Total | 196608
    tcp.memuse | Total | 1146880
    flow_mgr.rows_skipped | Total | 65536
    flow_mgr.rows_checked | Total | 65536
    flow.spare | Total | 10000
    ------------------------------------------------------------------------------------
    Counter | TM Name | Value
    ------------------------------------------------------------------------------------
    Date: 6/14/2020 -- 08:49:01 (uptime: 0d, 00h 08m 09s)
    ------------------------------------------------------------------------------------
    flow.memuse | Total | 7154304
    tcp.reassembly_memuse | Total | 196608
    tcp.memuse | Total | 1146880
    flow_mgr.rows_skipped | Total | 65536
    flow_mgr.rows_checked | Total | 65536
    flow.spare | Total | 10000
    ------------------------------------------------------------------------------------

I am getting the ifconfig -a to you via PM

Here is the log when it successfully runs on the LAN interface

    flow.memuse | Total | 7177096
    tcp.reassembly_memuse | Total | 231424
    tcp.memuse | Total | 1146880
    flow_mgr.rows_maxlen | Total | 1
    flow_mgr.rows_skipped | Total | 65534
    flow_mgr.rows_checked | Total | 65536
    flow_mgr.flows_notimeout | Total | 2
    flow_mgr.flows_checked | Total | 2
    flow.spare | Total | 10000
    flow_mgr.new_pruned | Total | 9
    app_layer.flow.failed_udp | Total | 40
    app_layer.tx.dns_udp | Total | 20
    app_layer.flow.dns_udp | Total | 6
    app_layer.flow.failed_tcp | Total | 4
    app_layer.tx.dhcp | Total | 2
    app_layer.flow.dhcp | Total | 1
    app_layer.flow.tls | Total | 3
    tcp.overlap | Total | 1
    tcp.rst | Total | 16
    tcp.synack | Total | 9
    tcp.syn | Total | 9
    tcp.sessions | Total | 9
    flow.udp | Total | 47
    flow.tcp | Total | 39
    decoder.max_pkt_size | Total | 1514
    decoder.avg_pkt_size | Total | 474
    decoder.udp | Total | 320
    decoder.tcp | Total | 988
    decoder.ethernet | Total | 1594
    decoder.ipv6 | Total | 2
    decoder.ipv4 | Total | 1306
    decoder.bytes | Total | 756423
    decoder.pkts | Total | 1594
    capture.kernel_packets | Total | 1594
    ------------------------------------------------------------------------------------
    Counter | TM Name | Value
    ------------------------------------------------------------------------------------
    Date: 6/14/2020 -- 09:10:57 (uptime: 0d, 00h 01m 52s)
    -----------------------------------------------------------------------------------

I'm having the same result on my Qotom Installation with intel interfaces. I'm using pppoe over VLAN as WAN Interface. It would be really awesome to have netmap support for setups like that

[mb]

A quick update:

I think this vmx bug has been resolved on FreeBSD 12-STABLE:

https://svnweb.freebsd.org/base?view=revision&revision=363163

Let's do some tests and I'll post some results.

If anyone out there is able to test 12/STABLE kernel with an ESX vmx interface, that'd also be great

[DanMc85]

A quick update:

I think this vmx bug has been resolved on FreeBSD 12-STABLE:

https://svnweb.freebsd.org/base?view=revision&revision=363163

Let's do some tests and I'll post some results.

If anyone out there is able to test 12/STABLE kernel with an ESX vmx interface, that'd also be great

I have ESXi 7.0 with Netmap crashing using vmxnet3 with Intrusion Detection and Sensei enabled. So if you think this test would fix it, I could give it a try. Let me know how to test.

[Voodoo]

netmap with 20.7 release for vnet driver (virtio) is working, the kernel panic is gone.

[bunchofreeds]

No sure if this is netmap related, but I can't seem to get any alerts showing for IPS anymore?
They we're showing initially after upgrading to 20.7 rc1

My test is to initiate to P2P traffic from a client behind OPNsense.
I can usually catch this with 'ET telemetry/emerging-p2p' set to drop and its associated alerts.

Running:
OPNsense 20.7-amd64
FreeBSD 12.1-RELEASE-p7-HBSD
OpenSSL 1.1.1g 21 Apr 2020

Currently IPS is enabled on my LAN interface which is vtnet through Proxmox
I have tried em through Proxmox also with no success

IPS Enabled
Promiscuous Enabled
Syslog Dsiabled
Eve Disabled

I don't use remote logging, but as an FYI I have disabled circular logging so am using syslog-ng.
IPS appears to be running successfully when checking the IPS log from the GUI
The log appears to have returned to its original format...

Have enabled 'drop' for all rulesets including ET Telemetry in an attempt to 'kick' it into life.

Any ideas of how to test this further and progress would be great.

[mb]

netmap with 20.7 release for vnet driver (virtio) is working, the kernel panic is gone.

Hi @Vodoo, what happens when you go out of netmap mode ? (e.g. shut down suricata/sensei) ? virtio bug is related to that. entering netmap mode seems fine.

[binaryanomaly]

netmap with 20.7 release for vnet driver (virtio) is working, the kernel panic is gone.

I still do observe pagefaults with virtio vtnet interfaces...

[mb]

netmap with 20.7 release for vnet driver (virtio) is working, the kernel panic is gone.

I still do observe pagefaults with virtio vtnet interfaces...

Yes, this is expected as of now. Fix is on upstream.

[mb]

For those who

• are using Suricata/Sensei on VLANs on em(4)
• experiencing vmx crash
• experiencing vtnet crash
• want to have Suricata on PPPoE / OpenVPN interfaces

I have an (unofficial) test kernel ready. Please PM me if you'd like to give it a try.

PS: vmx patch fixes the kernel crash, but has an outstanding issue. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248494

[sorano]

For those who

• are using Suricata/Sensei on VLANs on em(4)
• experiencing vmx crash
• experiencing vtnet crash
• want to have Suricata on PPPoE / OpenVPN interfaces

I have an (unofficial) test kernel ready. Please PM me if you'd like to give it a try.

PS: vmx patch fixes the kernel crash, but has an outstanding issue. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248494

I would like to try out the test kernel, (and see if I get duplicates).

Just out of curiosity, are you certain that the outstanding issue with duplicates is not related to the following: https://kb.vmware.com/s/article/59235

Cause I was seeing lots of duplicates when running CARP & Sensei until I applied the mac-learning workaround on the dswitch.