Date: Wed, 1 Jul 2015 17:06:09 +0100
From: Oliver Humpage <oliver@watershed.co.uk>
To: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Re: IPFW divert and suricata
Message-ID: <FBDE2520-9C54-48A4-BC61-BBFA447A8E56@watershed.co.uk>
In-Reply-To: <CA%2BhQ2%2BjZGbBMT4pD8GD4_4nuX9jEE4NCOSykmydtYCgy=vK-sA@mail.gmail.com>
References: <D632FEB9-4C62-451E-B2F6-333B7EDAE7C9@watershed.co.uk> <CA%2BhQ2%2BjZGbBMT4pD8GD4_4nuX9jEE4NCOSykmydtYCgy=vK-sA@mail.gmail.com>

On 1 Jul 2015, at 15:31, Luigi Rizzo <rizzo@iet.unipi.it> wrote:

> For the latter two, you might be better off using netmap
> on vmxnet3 (in emulated mode, also disabling offloads),
> and if I remember well a couple of years ago there were
> efforts to use suricata on top of netmap.
> Worst case, you can just use the netmap-enabled libpcap.

Looks like netmap support has been finished and will be in version 2.1 of Suricata, so that's promising.

For now I'll try turning off all the hardware offloads and see what happens.

> 3. divert probably loses important context on the packets
> (e.g. incoming or outgoing interface) so when traffic is
> reinjected bad things occur

Would specifying a reinject rule (e.g. a "pass all") help, do you think? And/or having different divert rules for incoming/outgoing? I had assumed it wouldn't, but I'm not an expert.

Many thanks for replying,

Oliver.