Suricata only using one thread

Started by Dunuin, March 01, 2022, 08:38:25 AM

March 01, 2022, 08:38:25 AM Last Edit: March 01, 2022, 08:45:27 AM by Dunuin
Hi,

There are a lot of old threads here reporting that Suricata only makes use of one thread and isn't multi-threading.

I see the same here. My OPNsense 22.1 is running on a Proxmox VM with 4GB RAM and 4 vCPUs of a 2.3-3GHz Xeon E5 and virtio NICs. The virtio NICs use a LACP bond of all 4 ports of my Intel i350-T4. If I start downloading with Suricata IPS enabled I can only make use of 50Mbit of my 100Mbit internet connection. When I look at top it shows that only one of Suricata's threads is at 100% WCPU while the other threads aren't doing much. Basically, no matter how many threads I give OPNsense, it never makes use of more than 1-2 vCPUs.

What's preventing Suricata from effectively using more than one core?


Quote: When Suricata is running in IPS mode, Netmap is utilized to fetch packets off the line for inspection. By default, OPNsense has configured Suricata in such a way that the packet which has passed inspection will be re-injected into the host networking stack for routing/firewalling purposes. The current Suricata/Netmap implementation limits this re-injection to one thread only. Work is underway to address this issue since the new Netmap API (V14+) is now capable of increasing this thread count. Until then, no benefit is gained from RSS when using IPS.
Do you know if OPNsense 22.1.1-3 meanwhile supports IPS with more than one thread when enabling RSS?

The development version does (it has the suricata-devel package). However, there seem to be issues with it which point to newer Suricata version issues. We did a backport recently of version 5 and it works without issues...


Cheers,
Franco
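A way to confirm the single-worker symptom from Suricata's own counters rather than from top, as an added example that is not part of this thread or of OPNsense: it reads one eve.json "stats" event with per-thread counters (the `threads: yes` stats output) and reports each capture worker's share of captured packets. The sample event is constructed, and the "W#NN-iface" worker naming and the `capture.kernel_packets` field layout are assumptions about the stats format.

```python
import json
from typing import Dict

# Constructed sample: a single eve.json "stats" event as Suricata writes it when
# per-thread stats are enabled. Numbers are invented to mirror the symptom in
# the first post: one worker carries almost all traffic, the others sit idle.
SAMPLE_STATS_EVENT = json.dumps({
    "timestamp": "2022-03-01T08:38:25.000000+0100",
    "event_type": "stats",
    "stats": {
        "threads": {  # worker name -> per-thread counters (assumed layout)
            "W#01-vtnet0": {"capture": {"kernel_packets": 982114, "kernel_drops": 1203}},
            "W#02-vtnet0": {"capture": {"kernel_packets": 3417, "kernel_drops": 0}},
            "W#03-vtnet0": {"capture": {"kernel_packets": 2988, "kernel_drops": 0}},
            "W#04-vtnet0": {"capture": {"kernel_packets": 3101, "kernel_drops": 0}},
        }
    },
})


def worker_packet_shares(eve_line: str) -> Dict[str, float]:
    """Return each capture worker's share (0..1) of all packets captured."""
    event = json.loads(eve_line)
    if event.get("event_type") != "stats":
        raise ValueError("not a stats event")
    threads = event["stats"].get("threads", {})
    # Only capture workers ("W#..") carry kernel_packets; skip flow manager etc.
    counts = {
        name: t["capture"]["kernel_packets"]
        for name, t in threads.items()
        if name.startswith("W#") and "capture" in t
    }
    total = sum(counts.values())
    if total == 0:
        return {name: 0.0 for name in counts}
    return {name: n / total for name, n in counts.items()}


def single_worker_bottleneck(shares: Dict[str, float], threshold: float = 0.9) -> bool:
    """True when one worker handled at least `threshold` of all captured packets,
    i.e. RSS/threading is not spreading the load across workers."""
    return bool(shares) and max(shares.values()) >= threshold


if __name__ == "__main__":
    shares = worker_packet_shares(SAMPLE_STATS_EVENT)
    for name, share in sorted(shares.items()):
        print(f"{name}: {share:6.1%}")
    print("single-worker bottleneck:", single_worker_bottleneck(shares))
```

Run it against a real event with `tail -n1` of an eve stats-only log and a balanced result across W#01..W#04 is what a working multi-threaded capture looks like.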