Bug #1206

closed

ZC pf_ring not working with Suricata 2.0.1 (or latest git)

Added by Peter Manev over 10 years ago. Updated over 10 years ago.

Status: Closed
Priority: Normal

Description

NOTE - Some of the errors in this bug report can be related as well to:
https://redmine.openinfosecfoundation.org/issues/1048

I have tried the latest (at the time of this ticket) 3.21 Intel ixgbe drivers, plus pf_ring latest 6.0.2~ svn edition and ZC with the following config:

pfring:
  - interface: zc:eth3@0
    # Number of receive threads (>1 will enable experimental flow pinned
    # runmode)
    threads: 1
    # Default clusterid.  PF_RING will load balance packets based on flow.
    # All threads/processes that will participate need to have the same
    # clusterid.
    #cluster-id: 99
    # Default PF_RING cluster type. PF_RING can load balance per flow or per hash.
    # This is only supported in versions of PF_RING > 4.1.1.
    cluster-type: cluster_flow
    # bpf filter for this interface
    #bpf-filter: tcp
    # Choose checksum verification mode for the interface. At the moment
    # of the capture, some packets may be with an invalid checksum due to
    # offloading to the network card of the checksum computation.
    # Possible values are:
    #  - rxonly: only compute checksum for packets received by network card.
    #  - yes: checksum validation is forced
    #  - no: checksum validation is disabled
    #  - auto: suricata uses a statistical approach to detect when
    #  checksum off-loading is used. (default)
    # Warning: 'checksum-validation' must be set to yes to have any validation
    #checksum-checks: auto
  # Second interface
  #- interface: eth1
  #  threads: 3
  #  cluster-id: 93
  #  cluster-type: cluster_flow
  # Put default values here
  #- interface: default
    #threads: 2
  - interface: zc:eth3@1
    threads: 1
  - interface: zc:eth3@2
    threads: 1
  - interface: zc:eth3@3
    threads: 1
  - interface: zc:eth3@4
    threads: 1
  - interface: zc:eth3@5
    threads: 1
  - interface: zc:eth3@6
    threads: 1
  - interface: zc:eth3@7
    threads: 1
  - interface: zc:eth3@8
    threads: 1
  - interface: zc:eth3@9
    threads: 1
  - interface: zc:eth3@10
    threads: 1
  - interface: zc:eth3@11
    threads: 1
  - interface: zc:eth3@12
    threads: 1
  - interface: zc:eth3@13
    threads: 1
  - interface: zc:eth3@14
    threads: 1
  - interface: zc:eth3@15
    threads: 1

I have the following warnings and errors and a failure to start in general with ZC:

[29278] 10/6/2014 -- 14:18:37 - (util-threshold-config.c:1202) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[29278] 10/6/2014 -- 14:18:37 - (util-coredump-config.c:122) <Info> (CoredumpLoadConfig) -- Core dump size set to unlimited.
[29278] 10/6/2014 -- 14:18:37 - (util-logopenfile.c:209) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[29278] 10/6/2014 -- 14:18:37 - (output-json.c:471) <Info> (OutputJsonInitCtx) -- returning output_ctx 0xa3a15c30
[29278] 10/6/2014 -- 14:18:37 - (runmodes.c:672) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'alert'
[29278] 10/6/2014 -- 14:18:37 - (runmodes.c:672) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'http'
[29278] 10/6/2014 -- 14:18:37 - (runmodes.c:672) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'dns'
[29278] 10/6/2014 -- 14:18:37 - (runmodes.c:672) <Info> (RunModeInitializeOutputs) -- enabling 'eve-log' module 'ssh'
[29278] 10/6/2014 -- 14:18:37 - (util-device.c:153) <Info> (LiveBuildDeviceList) -- Adding interface zc:eth3@0 from config file
[29278] 10/6/2014 -- 14:18:37 - (util-device.c:153) <Info> (LiveBuildDeviceList) -- Adding interface zc:eth3@1 from config file
[29278] 10/6/2014 -- 14:18:37 - (util-device.c:153) <Info> (LiveBuildDeviceList) -- Adding interface zc:eth3@2 from config file
[29278] 10/6/2014 -- 14:18:37 - (util-device.c:153) <Info> (LiveBuildDeviceList) -- Adding interface zc:eth3@3 from config file
[29278] 10/6/2014 -- 14:18:37 - (util-device.c:153) <Info> (LiveBuildDeviceList) -- Adding interface zc:eth3@4 from config file
[29278] 10/6/2014 -- 14:18:37 - (util-device.c:153) <Info> (LiveBuildDeviceList) -- Adding interface zc:eth3@5 from config file
[29278] 10/6/2014 -- 14:18:37 - (util-device.c:153) <Info> (LiveBuildDeviceList) -- Adding interface zc:eth3@6 from config file
[29278] 10/6/2014 -- 14:18:37 - (util-device.c:153) <Info> (LiveBuildDeviceList) -- Adding interface zc:eth3@7 from config file
[29278] 10/6/2014 -- 14:18:37 - (util-device.c:153) <Info> (LiveBuildDeviceList) -- Adding interface zc:eth3@8 from config file
[29278] 10/6/2014 -- 14:18:37 - (util-device.c:153) <Info> (LiveBuildDeviceList) -- Adding interface zc:eth3@9 from config file
[29278] 10/6/2014 -- 14:18:37 - (util-device.c:153) <Info> (LiveBuildDeviceList) -- Adding interface zc:eth3@10 from config file
[29278] 10/6/2014 -- 14:18:37 - (util-device.c:153) <Info> (LiveBuildDeviceList) -- Adding interface zc:eth3@11 from config file
[29278] 10/6/2014 -- 14:18:37 - (util-device.c:153) <Info> (LiveBuildDeviceList) -- Adding interface zc:eth3@12 from config file
[29278] 10/6/2014 -- 14:18:37 - (util-device.c:153) <Info> (LiveBuildDeviceList) -- Adding interface zc:eth3@13 from config file
[29278] 10/6/2014 -- 14:18:37 - (util-device.c:153) <Info> (LiveBuildDeviceList) -- Adding interface zc:eth3@14 from config file
[29278] 10/6/2014 -- 14:18:37 - (util-device.c:153) <Info> (LiveBuildDeviceList) -- Adding interface zc:eth3@15 from config file
[29278] 10/6/2014 -- 14:18:37 - (runmode-pfring.c:276) <Error> (ParsePfringConfig) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Could not get cluster-id from config
[29278] 10/6/2014 -- 14:18:37 - (runmode-pfring.c:332) <Info> (ParsePfringConfig) -- Using flow cluster mode for PF_RING (iface zc:eth3@0)
[29278] 10/6/2014 -- 14:18:37 - (util-runmodes.c:558) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)
[29280] 10/6/2014 -- 14:18:37 - (source-pfring.c:485) <Error> (ReceivePfringThreadInit) -- [ERRCODE: SC_ERR_PF_RING_SET_CLUSTER_FAILED(37)] - pfring_set_cluster returned -7 for cluster-id: 1
[29278] 10/6/2014 -- 14:18:37 - (runmode-pfring.c:276) <Error> (ParsePfringConfig) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Could not get cluster-id from config
[29278] 10/6/2014 -- 14:18:37 - (runmode-pfring.c:319) <Error> (ParsePfringConfig) -- [ERRCODE: SC_ERR_GET_CLUSTER_TYPE_FAILED(35)] - Could not get cluster-type fron config
[29278] 10/6/2014 -- 14:18:37 - (util-runmodes.c:558) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)
[29281] 10/6/2014 -- 14:18:37 - (source-pfring.c:485) <Error> (ReceivePfringThreadInit) -- [ERRCODE: SC_ERR_PF_RING_SET_CLUSTER_FAILED(37)] - pfring_set_cluster returned -7 for cluster-id: 1
[29278] 10/6/2014 -- 14:18:37 - (runmode-pfring.c:276) <Error> (ParsePfringConfig) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Could not get cluster-id from config
[29278] 10/6/2014 -- 14:18:37 - (runmode-pfring.c:319) <Error> (ParsePfringConfig) -- [ERRCODE: SC_ERR_GET_CLUSTER_TYPE_FAILED(35)] - Could not get cluster-type fron config
[29278] 10/6/2014 -- 14:18:37 - (util-runmodes.c:558) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)
[29282] 10/6/2014 -- 14:18:37 - (source-pfring.c:485) <Error> (ReceivePfringThreadInit) -- [ERRCODE: SC_ERR_PF_RING_SET_CLUSTER_FAILED(37)] - pfring_set_cluster returned -7 for cluster-id: 1
[29278] 10/6/2014 -- 14:18:37 - (runmode-pfring.c:276) <Error> (ParsePfringConfig) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Could not get cluster-id from config
[29278] 10/6/2014 -- 14:18:37 - (runmode-pfring.c:319) <Error> (ParsePfringConfig) -- [ERRCODE: SC_ERR_GET_CLUSTER_TYPE_FAILED(35)] - Could not get cluster-type fron config
[29278] 10/6/2014 -- 14:18:37 - (util-runmodes.c:558) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 1 thread(s)
...
Actions #1

Updated by Mats Klepsland over 10 years ago

Patching "src/source-pfring.c" to not set cluster id when opening a NIC prefixed with "zc" (similar to what's done with PF_RING DNA) seems to get Suricata running using PF_RING ZC.

Actions #2

Updated by Mats Klepsland over 10 years ago

--- suricata-2.0.1.orig/src/source-pfring.c
+++ suricata-2.0.1/src/source-pfring.c
@@ -472,6 +472,8 @@ TmEcode ReceivePfringThreadInit(ThreadVa

     if ((ptv->threads == 1) && (strncmp(ptv->interface, "dna", 3) == 0)) {
         SCLogInfo("DNA interface detected, not adding thread to cluster");
+    } else if (strncmp(ptv->interface, "zc", 2) == 0) {
+        SCLogInfo("PF_RING ZC interface detected, not adding thread to cluster");
     } else {
 #ifdef HAVE_PFRING_CLUSTER_TYPE
         ptv->ctype = pfconf->ctype;
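
Review bot: the new `else if` branch tests only the first two characters (`strncmp(ptv->interface, "zc", 2) == 0`), so any device whose name merely begins with "zc" would skip cluster setup; comparing against "zc:" with length 3 would match the prefix form used in the reported config (`zc:eth3@0`) and nothing else. Unlike the DNA branch directly above it, the new branch also drops the `ptv->threads == 1` condition, so a ZC interface configured with more than one thread bypasses clustering with only an Info message; either add the same guard or log a warning for that case. The hunk changes only source-pfring.c, so the `Could not get cluster-id from config` and `Could not get cluster-type fron config` errors that runmode-pfring.c prints in the report are not addressed here and deserve a matching change or a note in the commit message.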
Actions #3

Updated by Mats Klepsland over 10 years ago

Created pull request on github (https://github.com/inliniac/suricata/pull/999).

Actions #4

Updated by Victor Julien over 10 years ago

  • Status changed from New to Closed
  • Assignee set to Mats Klepsland
  • Target version set to 2.0.2
  • % Done changed from 0 to 100