17.1.b & Suricata fails on ESXi

[phoenix]

I've been trying for a few days to get the 17.1 beta working with Suricata, as soon as I enable the service OPNsense collapses and the console goes to a "db>" prompt. Unfortunately at this point I don't really know what to do other than reboot, when I do that the console shows errors with the HD and repairs those. I've tried downloading the rules a couple of times, first without enabling any of them and also enabling some of them - then I activate the service and it fails in both of those tests.

This is a VM running on ESXi v6.0, I should point out that doing the same configuration on VMworkstation 12.5.2 it all works as it should - Suricata can be enabled and rules downloaded without problems. If you want/need any further information or logs point me in the right direction and I'll provide what I can. :)

P.S. I did try this on ESXi with the EFI  bios setting and it still failed.

[weust]

What type of NIC are you using for that VM?

[phoenix]

I use Intel NICs in all my machines, I'm not sure which model in this particular server but it's a server NIC and I'm using the VMXNET3 VMware NIC. As I mentioned, this worked fine in VMware Workstation so I was assuming it would be OK on ESXi. I also forgot to mention that all the NIC offload setting are disabled as well.

[lattera]

Can you give us a screenshot? Also, type in "bt" (without the quotes), then hit enter. And then take another screenshot.

[phoenix]

I'll give that go a bit later today if that's OK?

[lattera]

Sure. Whenever's most convenient for you. Thanks!

[phoenix]

Actually I just tried something else and it's activating the IPS mode that causes the problem, the original setting already had  that activated but not the service Enabled. Here they are, sooner than I thought:

[lattera]

This seems to be related to a problem I had a while ago with netmap. While at EuroBSDcon, I talked with the original developer behind netmap and the problem is now fixed in his out-of-tree project. It has been merged into 12-CURRENT. It hasn't been backported to 11-STABLE (and thus is not in 11.0-RELEASE).

I'll email the original developer just to make sure this is the same issue that I saw. If you want me to include you on the email, could you shoot me an email at shawn.webb@hardenedbsd.org?

[phoenix]

The technical details of this problem will be way above my head so no need to include me in the email, could you just give me a follow-up when you get an answer? Many thanks for your time and help. :)

[franco]

Looks like a problem with the netmap "generic" emulation layer because vmx does not have native netmap support. Does this also happen with e1000 emulated drivers?

[franco]

This should be the commit Shawn talked about, but it's not on stable/11 yet.

https://github.com/freebsd/freebsd/commit/cdb805690

This won't make it into 17.1 images for sure.


Cheers,
Franco

[lattera]

That's exactly it. Netmap had a major overhaul in 11.0, but that overhaul caused issues due to lack of testing with various "non-standard" hardware. The commit you linked to contains a whole lot of work, including more stable and robust code.

[franco]

If it applies cleanly we can talk about adding it in an 17.1.x :)

[phoenix]

So no IDS until this is incorporated, I guess? It's not a great problem for me so I'm going to leave the 17.1 version up on my VM, if there's any testing you need for this fix I can give it a go. :)

[franco]

Hi Bill,

The e1000 emulation should work.

I don't feel good about taking the commit (and the fixes for the commit that went in afterwards) without an official MFC to the FreeBSD 11 stable branch, so I cannot even provide a test kernel at the moment.


Cheers,
Franco