Date:      Wed, 1 Jul 2015 17:06:09 +0100
From:      Oliver Humpage <oliver@watershed.co.uk>
To:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Re: IPFW divert and suricata
Message-ID:  <FBDE2520-9C54-48A4-BC61-BBFA447A8E56@watershed.co.uk>
In-Reply-To: <CA%2BhQ2%2BjZGbBMT4pD8GD4_4nuX9jEE4NCOSykmydtYCgy=vK-sA@mail.gmail.com>
References:  <D632FEB9-4C62-451E-B2F6-333B7EDAE7C9@watershed.co.uk> <CA%2BhQ2%2BjZGbBMT4pD8GD4_4nuX9jEE4NCOSykmydtYCgy=vK-sA@mail.gmail.com>



On 1 Jul 2015, at 15:31, Luigi Rizzo <rizzo@iet.unipi.it> wrote:

> For the latter two, you might be better off using netmap
> on vmxnet3 (in emulated mode, also disabling offloads),
> and if i remember well a couple of years ago there were
> efforts to use suricata on top of netmap.
> Worst case, you can just use the netmap-enabled libpcap.

Looks like netmap support has been finished and will be in version 2.1 of Suricata, so that's promising.

For now I'll try turning off all the hardware offloads and see what happens.

> 3. divert probably loses important context on the packets
>    (e.g. incoming or outgoing interface) so when traffic is
>    reinjected bad things occur

Would specifying a reinject rule (eg a "pass all") help, do you think? And/or having different divert rules for incoming/outgoing? I had assumed it wouldn't, but I'm not an expert.

Many thanks for replying,

Oliver.
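Added example (not from the thread, and not Suricata's or FreeBSD's own configuration): an ipfw ruleset that uses separate divert rules for inbound and outbound packets on the monitored interface, followed by an explicit allow rule. Per divert(4), a packet written back to the divert socket resumes ipfw processing after the rule that diverted it, so the trailing allow gives reinjected packets a known place to land; direction is preserved because the in/out rules are distinct. The interface name, divert port and rule numbers are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Builds an ipfw ruleset that hands packets to a Suricata divert socket
# with separate rules for inbound and outbound traffic.
# Assumed values: interface vmx0, divert port 8000, rule numbers below.
IFACE="${IFACE:-vmx0}"
DIVERT_PORT="${DIVERT_PORT:-8000}"

# Print the ipfw commands rather than run them, so the ruleset can be
# reviewed first (or piped into sh on the firewall host with APPLY=1).
gen_divert_rules() {
    iface="$1"
    port="$2"
    # Keep loopback out of the IDS path.
    printf 'ipfw add 100 allow ip from any to any via lo0\n'
    # Inbound packets: direction is encoded in the rule itself, so the
    # divert rule that matched tells you which way the packet was going.
    printf 'ipfw add 1000 divert %s ip from any to any in via %s\n' "$port" "$iface"
    # Outbound packets get their own divert rule for the same reason.
    printf 'ipfw add 1100 divert %s ip from any to any out via %s\n' "$port" "$iface"
    # Reinjected packets resume after the diverting rule (divert(4));
    # this explicit allow is where they land, so nothing falls through
    # to a later deny by accident.
    printf 'ipfw add 1200 allow ip from any to any\n'
}

# Number of rules the generator emits (used to sanity-check the ruleset).
count_rules() {
    gen_divert_rules "$1" "$2" | wc -l | tr -d ' '
}

if [ "${APPLY:-0}" = "1" ]; then
    # Requires root on a FreeBSD host with ipfw and divert loaded;
    # Suricata would then be started against the same port, e.g.
    # suricata -c /usr/local/etc/suricata/suricata.yaml -d 8000 (assumed).
    gen_divert_rules "$IFACE" "$DIVERT_PORT" | sh
else
    gen_divert_rules "$IFACE" "$DIVERT_PORT"
fi
```

Run it without `APPLY=1` to see the four rules it would add; the two divert rules differ only in the `in`/`out` keyword, which is what keeps the direction context that a single "divert everything" rule loses.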

