Feature #2741
closed
netmap: add support for lb and vale switches
Description
The documentation suggests that we should be able to use netmap's lb with Suricata: https://suricata.readthedocs.io/en/latest/performance/packet-capture.html#load-balancing
I have lb compiled (FreeBSD 11.2) and it is moving packets to the netmap pipes, e.g. "netmap:igb{0", but I don't seem to be able to tell Suricata's threads to use those pipes/interfaces to accept the packets or pass them back to the host. I've tried various iterations of:
    - interface: netmap:igb0{0
      copy-iface: igb0+
    - interface: netmap:igb0{0+
      copy-iface: igb0
I've also tried various versions of --netmap=netmap:igb0{0 in the run params.
Initial output from Suricata shows the interface names truncated:
    12/12/2018 -- 22:16:54 - <Info> -- Shortening device name to: netm..b0{0
    12/12/2018 -- 22:16:54 - <Info> -- Shortening device name to: netm..0{0+
system.log shows:
    12/12/2018 -- 22:17:43 - <Info> -- Going to use 1 thread(s)
    12/12/2018 -- 22:17:43 - <Error> -- [ERRCODE: SC_ERR_SYSCALL(50)] - Unable to get flags for iface "netmap:igb0{0": Device not configured
    12/12/2018 -- 22:17:43 - <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - Can not access to interface 'netmap:igb0{0'
    12/12/2018 -- 22:17:43 - <Error> -- [ERRCODE: SC_ERR_SYSCALL(50)] - Unable to get caps for iface "netmap:igb0{0": Device not configured
I'm running Suricata 4.0.6 RELEASE in IPS mode with desired processor affinity set. I'm trying to use "worker" mode as opposed to "autofp" per my understanding of the best practices discussed here: https://lists.openinfosecfoundation.org/pipermail/oisf-devel/2013-March/002167.html and here: https://lists.openinfosecfoundation.org/pipermail/oisf-users/2016-March/005829.html
I only see a single reference to using Suricata with netmap pipes on the mailing list, and the author there never got it running (emailed him today): https://lists.openinfosecfoundation.org/pipermail/oisf-users/2017-February/006807.html
Suricata+netmap works, but I haven't found a way to bind it to lb. Is that currently possible?