From owner-freebsd-net@FreeBSD.ORG Tue Sep 23 14:44:04 2014
Date: Tue, 23 Sep 2014 16:44:01 +0200
Subject: Re: How do I balance bandwidth over several virtual NICs?
From: Luigi Rizzo
To: Adrian Chadd
Cc: freebsd-net@freebsd.org, Elof Ofel, "Alexander V. Chernikov"

On Tue, Sep 23, 2014 at 4:36 PM, Adrian Chadd wrote:
> On 23 September 2014 01:36, Alexander V. Chernikov wrote:
> > On 22.09.2014 23:46, Adrian Chadd wrote:
> >> Hi,
> >>
> >> Yes.
> >>
> >> * grab an ixgbe NIC and the -HEAD driver; (or cxgbe - I haven't gone
> >> and written RSS programming code for that just yet);
> >> * patch it to use a symmetric RSS key;
> >> * configure up N queues;
> >> * run an instance of snort on each TX/RX ring from the NIC.
> > Oh, wow.
> > I have a low priority task to do that.
> > Nice to see this in stock fbsd!
> >
> >> The last step requires that you have snort use netmap rather than just
> >> straight bpf - or maybe somehow there's a way to glue bpf into a
> >> single netmap ring.
> > I wrote a snort netmap DAG once, but it does not play well w/o
> > symmetric rss.
> > I'll see if I can share it.
>
> That'd be great!
>
> I'll see if I can get -HEAD enabled with an optional symmetric RSS key.
> It shouldn't be too difficult. The problem is the current RSS setup
> uses the same key for all NICs.
> I _guess_ that isn't going to /really/ be a problem here - unless you
> really want your server to serve lots of traffic /and/ snort :)
>
> Then we just need a netmap enabled snort :)

From my (not first-hand) knowledge of IDSes, I believe that the bottleneck is
mostly the processing done in the IDS, rather than the network I/O (provided
it is reasonably fast).
As a result, just running IDS instances on top of a netmap-enabled libpcap
(i.e. no source code modifications) should do the job.

I know the Bro developers (in Bcc so they can pitch in if they like) have
been playing with some external traffic demultiplexer that reads from the
NIC (in netmap mode) and passes traffic to IDS instances using VALE ports or
netmap pipes, all of which are compatible with the netmap-libpcap.

In other words, even if the hardware cannot do RSS in a useful way, you
should be able to do the demux in software. Of course, if you can put the
hardware to work, you should go for that.

cheers
luigi
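Added example for this thread (not code from FreeBSD, netmap, ixgbe, snort or Bro): a Toeplitz RSS hash in C that shows why Adrian's "patch it to use a symmetric RSS key" step matters for an IDS, and what a software demultiplexer of the kind Luigi describes has to compute before it hands a packet to a VALE port or netmap pipe. The hash algorithm and the default 40-byte key are the ones from Microsoft's RSS specification; the symmetric key is the 0x6d5a-repeating key described by Woo and Park. The function names, the constructed sample flow and the hash % nqueues queue mapping are this example's own assumptions.

```c
/*
 * Symmetric RSS demo: with the default key the two directions of one TCP
 * connection usually hash to different queues, so an IDS instance bound
 * to one ring sees only half of the conversation; with a 16-bit-periodic
 * key the hash is the same in both directions.
 *
 * Added example for this mailing-list thread; not FreeBSD, netmap or snort
 * code.  Names, the sample flow and the modulo queue mapping are assumptions.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define RSS_KEYLEN 40

/* Default (asymmetric) key from the Microsoft RSS specification. */
static const uint8_t rss_key_default[RSS_KEYLEN] = {
    0x6d, 0x5a, 0x56, 0xda, 0x25, 0x5b, 0x0e, 0xc2,
    0x41, 0x67, 0x25, 0x3d, 0x43, 0xa3, 0x8f, 0xb0,
    0xd0, 0xca, 0x2b, 0xcb, 0xae, 0x7b, 0x30, 0xb4,
    0x77, 0xcb, 0x2d, 0xa3, 0x80, 0x30, 0xf2, 0x0c,
    0x6a, 0x42, 0xb7, 0x3b, 0xbe, 0xac, 0x01, 0xfa,
};

/*
 * Symmetric key: 0x6d5a repeated.  The key is periodic with a 16-bit
 * period, so the 32-bit key window used for a bit of src_ip equals the
 * window used for the same bit of dst_ip (32 bits later), and likewise
 * for the two 16-bit ports.  Swapping the endpoints therefore leaves the
 * hash unchanged.
 */
static const uint8_t rss_key_symmetric[RSS_KEYLEN] = {
    0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
    0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
    0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
    0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
    0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
};

/* Bit k of the key, counting from the MSB of key[0]. */
static inline uint32_t key_bit(const uint8_t *key, size_t k)
{
    return (key[k >> 3] >> (7 - (k & 7))) & 1u;
}

/*
 * Toeplitz hash: for every set input bit j (MSB first), XOR in the 32-bit
 * key window key[j .. j+31].  Requires keylen*8 >= 32 + datalen*8.
 */
uint32_t toeplitz_hash(const uint8_t *key, size_t keylen,
                       const uint8_t *data, size_t datalen)
{
    uint32_t result = 0, window;
    size_t i, k = 32;           /* k: next key bit shifted into the window */
    int b;

    if (keylen * 8 < 32 + datalen * 8)
        return 0;               /* key too short for this input */

    window = ((uint32_t)key[0] << 24) | ((uint32_t)key[1] << 16) |
             ((uint32_t)key[2] << 8) | key[3];
    for (i = 0; i < datalen; i++) {
        for (b = 7; b >= 0; b--) {
            if ((data[i] >> b) & 1u)
                result ^= window;
            window = (window << 1) | key_bit(key, k++);
        }
    }
    return result;
}

#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* IPv4-only input: src_ip, dst_ip in network byte order. */
uint32_t rss_hash_ipv4(const uint8_t *key, uint32_t saddr, uint32_t daddr)
{
    uint8_t in[8];
    in[0] = saddr >> 24; in[1] = saddr >> 16; in[2] = saddr >> 8; in[3] = saddr;
    in[4] = daddr >> 24; in[5] = daddr >> 16; in[6] = daddr >> 8; in[7] = daddr;
    return toeplitz_hash(key, RSS_KEYLEN, in, sizeof in);
}

/* IPv4+TCP input: src_ip, dst_ip, src_port, dst_port. */
uint32_t rss_hash_ipv4_tcp(const uint8_t *key, uint32_t saddr, uint32_t daddr,
                           uint16_t sport, uint16_t dport)
{
    uint8_t in[12];
    in[0] = saddr >> 24; in[1] = saddr >> 16; in[2] = saddr >> 8; in[3] = saddr;
    in[4] = daddr >> 24; in[5] = daddr >> 16; in[6] = daddr >> 8; in[7] = daddr;
    in[8] = sport >> 8;  in[9] = sport;       in[10] = dport >> 8; in[11] = dport;
    return toeplitz_hash(key, RSS_KEYLEN, in, sizeof in);
}

/*
 * Software demux: choose the IDS instance (VALE port / netmap pipe) for a
 * packet.  A NIC indexes a redirection table with the low hash bits; the
 * modulo here is this example's simplification.
 */
unsigned demux_queue(uint32_t hash, unsigned nqueues)
{
    return nqueues ? hash % nqueues : 0;
}

int main(void)
{
    /* Constructed sample flow: client 10.0.0.1:40000 -> server 10.0.0.2:80 */
    uint32_t c = IPV4(10, 0, 0, 1), s = IPV4(10, 0, 0, 2);
    uint16_t cp = 40000, sp = 80;
    unsigned nqueues = 4;
    const uint8_t *keys[2] = { rss_key_default, rss_key_symmetric };
    const char *names[2] = { "default", "symmetric" };

    for (int i = 0; i < 2; i++) {
        uint32_t fwd = rss_hash_ipv4_tcp(keys[i], c, s, cp, sp);
        uint32_t rev = rss_hash_ipv4_tcp(keys[i], s, c, sp, cp);
        printf("%-9s key: c->s %08x -> queue %u, s->c %08x -> queue %u%s\n",
               names[i], fwd, demux_queue(fwd, nqueues),
               rev, demux_queue(rev, nqueues),
               fwd == rev ? "  (one instance sees both directions)" : "");
    }
    return 0;
}
```

Two checks a practitioner would run against this: the default key must reproduce the published verification vector from the RSS specification (66.9.149.187:2794 to 161.142.100.80:1766 gives 0x323e8fc2 for IPv4 and 0x51ccc178 for IPv4+TCP), which proves the Toeplitz loop is right, and the symmetric key must give identical hashes for a flow and its reverse, which is what lets each snort or Bro instance reassemble whole streams. Note the trade-off: the queue any flow lands on is fully predictable from a fixed, published key, so an attacker who controls addresses and ports can steer many flows at one IDS instance; that holds for the default key too, but is worth remembering when sizing per-instance capacity.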