Call for testing: netmap on 20.7

Started by mb, May 23, 2020, 02:32:10 AM

Yep, for 1.6 you need the netmap test kernel and you need to be on 20.7. You can try force installing:

pkg add -f os-sensei-1.6.beta1.txz


OK am running latest Kernel:

12.1-RELEASE-p8-HBSD FreeBSD 12.1-RELEASE-p8-HBSD #6  39e30dc05(master)-dirty: Sat Aug 22 09:35:48 PDT 2020     root@sunnyvalley12.localdomain:/usr/obj/usr/src/amd64.amd64/sys/SMP  amd64

And am running Sensei 1.6 Beta1

I can't see any interfaces in Sensei to apply to. Not even vtnet0 LAN which it is currently running on.

Should I hack in some bypasses? https://forum.opnsense.org/index.php?topic=9521.msg84199#msg84199



@mb,

I now can see the used 'LAN (vtnet0)' interface, but not PPPoE. Only its parent interface 'Unassigned (vtnet1)'


August 26, 2020, 06:38:13 PM #139 Last Edit: August 26, 2020, 06:53:31 PM by heresjody
Currently have the new kernel installed.

OPNsense 20.7.1-amd64
FreeBSD 12.1-RELEASE-p8-HBSD
OpenSSL 1.1.1g 21 Apr 2020
FreeBSD OPNsense.localdomain 12.1-RELEASE-p8-HBSD FreeBSD 12.1-RELEASE-p8-HBSD #6  39e30dc05(master)-dirty: Sat Aug 22 09:35:48 PDT 2020     root@sunnyvalley12.localdomain:/usr/obj/usr/src/amd64.amd64/sys/SMP  amd64

And it seems my Suricata is working fine and has started up monitoring PPPoE on my WAN.

2020-08-26T18:27:25 suricata[13692] [100200] <Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.
2020-08-26T18:27:25 suricata[13692] [101008] <Notice> -- opened netmap:pppoe4/T from pppoe4: 0x3e58c16d300
2020-08-26T18:27:25 suricata[13692] [101008] <Notice> -- opened netmap:pppoe4^ from pppoe4^: 0x3e58c16d000
2020-08-26T18:27:25 suricata[13692] [101000] <Notice> -- opened netmap:pppoe4^ from pppoe4^: 0x3e58b442300
2020-08-26T18:27:25 suricata[13692] [101000] <Notice> -- opened netmap:pppoe4/R from pppoe4: 0x3e58b442000
2020-08-26T18:27:25 suricata[13692] [100999] <Notice> -- opened netmap:vtnet0/T from vtnet0: 0x3e58abd4300
2020-08-26T18:27:25 suricata[13692] [100999] <Notice> -- opened netmap:vtnet0^ from vtnet0^: 0x3e58abd4000
2020-08-26T18:27:25 suricata[13692] [100992] <Notice> -- opened netmap:vtnet0^ from vtnet0^: 0x3e587ebc300
2020-08-26T18:27:25 suricata[13692] [100992] <Notice> -- opened netmap:vtnet0/R from vtnet0: 0x3e587ebc000
2020-08-26T18:26:27 suricata[9486] [100971] <Notice> -- This is Suricata version 5.0.3 RELEASE running in SYSTEM mode


If I understand correctly this kernel should fix vtnet-instability with the observed random crashes. Is the code below this line an example of the kind of crash which should now be fixed? (log below is from 20.7.1 with standard kernel and edited for a better reading experience)
2020-08-25T10:47:53 kernel 273.390513 [ 320] generic_netmap_register Emulated adapter for ovpnc1 activated
2020-08-25T10:47:53 kernel 273.390098 [1130] generic_netmap_attach Emulated adapter for ovpnc1 created (prev was NULL)
2020-08-25T10:47:53 kernel ovpnc1: permanently promiscuous mode enabled
2020-08-25T10:47:53 kernel 273.385399 [1035] generic_netmap_dtor Emulated netmap adapter for ovpnc1 destroyed
2020-08-25T10:47:53 kernel 273.385329 [1130] generic_netmap_attach Emulated adapter for ovpnc1 created (prev was NULL)
2020-08-25T10:47:53 kernel 273.360774 [ 83] vtnet_free_used 14 sgs dequeued from RX-0 (netmap=1)
2020-08-25T10:47:53 kernel 273.337532 [ 83] vtnet_free_used 15 sgs dequeued from RX-0 (netmap=1)
2020-08-25T10:47:53 kernel 273.313455 [ 83] vtnet_free_used 1 sgs dequeued from TX-0 (netmap=0)

2020-08-25T10:46:54 kernel ---<<BOOT>>---
2020-08-25T10:46:54 syslogd kernel boot file is /boot/kernel/kernel
2020-08-25T10:44:44 syslogd exiting on signal 15
2020-08-25T10:44:42 kernel 082.685532 [ 83] vtnet_free_used 23 sgs dequeued from RX-0 (netmap=1)
2020-08-25T10:44:42 kernel 082.656184 [ 83] vtnet_free_used 127 sgs dequeued from RX-0 (netmap=1)
2020-08-25T10:44:42 kernel 082.656155 [ 83] vtnet_free_used 1 sgs dequeued from TX-0 (netmap=1)
2020-08-25T10:44:42 kernel 082.656113 [1035] generic_netmap_dtor Emulated netmap adapter for ovpnc1 destroyed
2020-08-25T10:44:42 kernel 082.655669 [ 295] generic_netmap_unregister Emulated adapter for ovpnc1 deactivated
2020-08-25T10:44:42 kernel

2020-08-26T17:21:09 kernel 269.933029 [1035] generic_netmap_dtor Emulated netmap adapter for pppoe4 destroyed
2020-08-26T17:21:09 kernel 269.932647 [ 295] generic_netmap_unregister Emulated adapter for pppoe4 deactivated
2020-08-26T17:21:09 kernel 269.745860 [ 320] generic_netmap_register Emulated adapter for pppoe4 activated
2020-08-26T17:21:09 kernel 269.745712 [1130] generic_netmap_attach Emulated adapter for pppoe4 created (prev was NULL)


Update:

It seems Suricata doesn't receive packets from the PPPoE interface. Just changed a setting and this is the output with 0 packets for my PPPoE interface:
2020-08-26T18:50:06 suricata[13692] [100200] <Notice> -- Stats for 'pppoe4^': pkts: 0, drop: 0 (nan%), invalid chksum: 0
2020-08-26T18:50:06 suricata[13692] [100200] <Notice> -- Stats for 'pppoe4': pkts: 0, drop: 0 (nan%), invalid chksum: 0
2020-08-26T18:50:06 suricata[13692] [100200] <Notice> -- Stats for 'vtnet0^': pkts: 82103, drop: 0 (0.00%), invalid chksum: 0
2020-08-26T18:50:06 suricata[13692] [100200] <Notice> -- Stats for 'vtnet0': pkts: 74062, drop: 0 (0.00%), invalid chksum: 0
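
Added example, not part of any post in this thread: a Python check that pairs Suricata's "opened netmap:" notices with its later "Stats for" notices and reports interfaces that were opened but captured nothing on any side, which is the pppoe4 symptom described above. The sample lines are constructed in the shape of the quoted output, and the function names are hypothetical.

```python
import re

# Constructed sample, shaped like the Suricata notices quoted in the thread.
SAMPLE_LOG = """\
2020-08-26T18:27:25 suricata[13692] [101008] <Notice> -- opened netmap:pppoe4/T from pppoe4: 0x3e58c16d300
2020-08-26T18:27:25 suricata[13692] [101008] <Notice> -- opened netmap:pppoe4^ from pppoe4^: 0x3e58c16d000
2020-08-26T18:27:25 suricata[13692] [100999] <Notice> -- opened netmap:vtnet0/T from vtnet0: 0x3e58abd4300
2020-08-26T18:27:25 suricata[13692] [100999] <Notice> -- opened netmap:vtnet0^ from vtnet0^: 0x3e58abd4000
2020-08-26T18:50:06 suricata[13692] [100200] <Notice> -- Stats for 'pppoe4^': pkts: 0, drop: 0 (nan%), invalid chksum: 0
2020-08-26T18:50:06 suricata[13692] [100200] <Notice> -- Stats for 'pppoe4': pkts: 0, drop: 0 (nan%), invalid chksum: 0
2020-08-26T18:50:06 suricata[13692] [100200] <Notice> -- Stats for 'vtnet0^': pkts: 82103, drop: 0 (0.00%), invalid chksum: 0
2020-08-26T18:50:06 suricata[13692] [100200] <Notice> -- Stats for 'vtnet0': pkts: 74062, drop: 0 (0.00%), invalid chksum: 0
"""

OPENED_RE = re.compile(r"opened netmap:\S+ from ([^\s:]+):")
STATS_RE = re.compile(r"Stats for '([^']+)': pkts: (\d+), drop: (\d+)")


def capture_counts(log_text):
    """Return {interface: {"nic": pkts, "host": pkts}} for opened netmap ports."""
    opened, stats = set(), {}
    for line in log_text.splitlines():
        if (m := OPENED_RE.search(line)):
            opened.add(m.group(1))
        elif (m := STATS_RE.search(line)):
            stats[m.group(1)] = int(m.group(2))
    counts = {}
    # Combine after the scan so line order does not matter (some log views
    # list the newest entry first).
    for port, pkts in stats.items():
        if port in opened:
            # A trailing '^' is netmap's name for the host-stack side.
            side = "host" if port.endswith("^") else "nic"
            counts.setdefault(port.rstrip("^"), {})[side] = pkts
    return counts


def silent_interfaces(log_text):
    """Interfaces opened via netmap whose every reported side saw 0 packets."""
    return sorted(
        iface for iface, sides in capture_counts(log_text).items()
        if all(pkts == 0 for pkts in sides.values())
    )


if __name__ == "__main__":
    for iface in silent_interfaces(SAMPLE_LOG):
        print(f"{iface}: opened by netmap but no packets captured")
```

An interface that appears here is one where an IDS is attached but inspecting no traffic, which is worth alerting on separately from a high drop percentage.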

Hi @bunchofreeds, Sensei is not meant to be run on WAN. You can test a vpn interface for the tun support.

Speaking of PPPoE and Suricata, we'll revisit this after the first test kernel. Patience :)

Initial goal is to have a "stable" netmap kernel which works flawlessly for the existing drivers.

Quote: If I understand correctly this kernel should fix vtnet-instability with the observed random crashes. Is the code below this line an example of the kind of crash which should now be fixed? (log below is from 20.7.1 with standard kernel and edited for a better reading experience)

Hi @heresjody, if the firewall crashes and reboots after the messages, yes that is the crash this kernel is fixing.

Quote: It seems Suricata doesn't receive packets from the PPPoE interface. Just changed a setting and this is the output with 0 packets for my PPPoE interface:

Since we don't have a pppoe environment we cannot test this on our end, however I'll reach out to @bunchofreeds and yourself and ask to run a test binary. It'll better tell us if netmap is passing packets or not. Theoretically pppoe should work like the  openvpn tun interface.


@mb,

Thanks for the updates.
Let me know when you have a PPPoE solution that needs testing.

@mb: Awesome, thanks for the great work. Will be standing by to test your binary.

August 27, 2020, 02:19:55 PM #144 Last Edit: August 27, 2020, 02:24:59 PM by loganx1121
I'm a bit late to the party but I've been experiencing crashes (shown in screenshot attached) every day or 2 on my firewall where it locks up and stops passing traffic.  Between following this thread and github I first installed the sensei 1.6 beta, then per a gentleman on github did the following:

# opnsense-update -kr 20.7.1-netmap4
# opnsense-shell reboot

Firewall is up but now I'm having a weird issue where exceptions in sensei are not working?  For example I have the "Ads" category blocked, but in order to access a site I use I have to whitelist a particular URL which falls into the category.  Having the category blocked but a whitelisted URL in the same category worked fine before I did the above, now it is not. 

I've tried restarting, stopping and starting the sensei engine but it seems like whitelists aren't working anymore if the category is blocked, whereas it did before.  Did I screw something up with the kernel update/sensei beta process or is this just a new bug?

Quote from: loganx1121 on August 27, 2020, 02:19:55 PM
I'm a bit late to the party but I've been experiencing crashes (shown in screenshot attached) every day or 2 on my firewall where it locks up and stops passing traffic.  Between following this thread and github I first installed the sensei 1.6 beta, then per a gentleman on github did the following:

# opnsense-update -kr 20.7.1-netmap4
# opnsense-shell reboot

Firewall is up but now I'm having a weird issue where exceptions in sensei are not working?  For example I have the "Ads" category blocked, but in order to access a site I use I have to whitelist a particular URL which falls into the category.  Having the category blocked but a whitelisted URL in the same category worked fine before I did the above, now it is not. 

I've tried restarting, stopping and starting the sensei engine but it seems like whitelists aren't working anymore if the category is blocked, whereas it did before.  Did I screw something up with the kernel update/sensei beta process or is this just a new bug?

Looks like the kernel recommended by the gentleman on github is different from the test kernel mentioned here.  I've just installed the one from this thread : fetch https://updates.sunnyvalley.io/opnsense/updates/netmap-kernel/kernel-12.1-0822-1.tar.gz

Next I'll try adding the sensei 1.6 beta package from the CLI and will post back with results.

Hi @loganx1121,

I doubt the kernel is the source for your problem, since exceptions are handled in the sensei packet engine.

Do try 1.6 beta1 and if it does not work out shoot a PR.

Can you point me to the github URL about 20.7.1-netmap4 kernel?

August 27, 2020, 06:48:34 PM #147 Last Edit: August 27, 2020, 06:58:14 PM by loganx1121
Quote from: mb on August 27, 2020, 05:44:02 PM
Hi @loganx1121,

I doubt the kernel is the source for your problem, since exceptions are handled in the sensei packet engine.

Do try 1.6 beta1 and if it does not work out shoot a PR.

Can you point me to the github URL about 20.7.1-netmap4 kernel?

Sure it's here:

https://github.com/opnsense/core/issues/4305

So I uninstalled sensei completely via the GUI and now I'm trying to add the beta but I'm getting the following:

root@fw:~ # fetch https://updates.sunnyvalley.io/opnsense/updates/netmap-kernel/os-sensei-1.6.beta1.txz
os-sensei-1.6.beta1.txz                                 25 MB   11 MBps    02s
root@fw:~ # pkg add os-sensei-1.6.beta1.txz
Installing os-sensei-1.6.beta1...
pkg: Missing dependency 'os-sensei-updater'

Failed to install the following 1 package(s): os-sensei-1.6.beta1.txz



And here is the kernel version:

root@fw:~ # uname -a
FreeBSD fw 12.1-RELEASE-p8-HBSD FreeBSD 12.1-RELEASE-p8-HBSD #6  39e30dc05(master)-dirty: Sat Aug 22 09:35:48 PDT 2020     root@sunnyvalley12.localdomain:/usr/obj/usr/src/amd64.amd64/sys/SMP  amd64


Any help is appreciated

Hi logan, do not completely remove 1.5. just pkg add 1.6; otherwise it'll require dependencies.

Ok I'll reinstall sensei from the gui and then add the pkg from cli and report back.  Thanks