From: Elof Ofel
To: Adrian Chadd
Cc: "freebsd-net@freebsd.org"
Subject: RE: How do I balance bandwidth over several virtual NICs?
Date: Mon, 22 Sep 2014 22:39:45 +0200

Hi Adrian!

Now this sounds promising! All my sensors use the ixgbe driver.
However, my skills in programming/compiling aren't vast. I know how to patch and use poudriere. That's about it.
I must admit I don't really understand what you mean with "patch it to use a symmetric RSS key", but it sounds like the functionality I'm looking for is not yet there in the driver.

If we assume that someone in the future writes and submits the above into the ixgbe driver, could I be so bold as to ask you for a commandline/configuration example (a brief guide) of how one would set up netmap and how to configure it to use the RX-queues?

That way I can start playing around with netmap and learning it while I wait for the ixgbe driver to be updated... I've got two professional programmer colleagues who've dealt extensively with e.g. the libnids and pfring source code, so if I get a grasp of how to set up netmap, and I find it interesting, it is likely that they can dive into and fix the ixgbe driver and improve it as per above. So please, can you help me with a "netmap guide"?

When I try to find documentation or examples of how to set up netmap I find none. Not even the netmap-enabled pcaplib contains any information as to how to use it. I'm no programmer, so showing me different C structs for delivering data is of no use. :-/

I would very much like to improve the ixgbe driver and give back to the FreeBSD community rather than scrap FreeBSD and move to Linux and PF-RING.

/Elof

> Date: Mon, 22 Sep 2014 12:46:01 -0700
> Subject: Re: How do I balance bandwidth over several virtual NICs?
> From: adrian@freebsd.org
> To: elofu17@hotmail.com
> CC: nike_d@cytexbg.com; freebsd-net@freebsd.org
>
> Hi,
>
> Yes.
>
> * grab an ixgbe NIC and the -HEAD driver; (or cxgbe - I haven't gone
> and written RSS programming code for that just yet);
> * patch it to use a symmetric RSS key;
> * configure up N queues;
> * run an instance of snort on each TX/RX ring from the NIC.
>
> The last step requires that you have snort use netmap rather than just
> straight bpf - or maybe somehow there's a way to glue bpf into a
> single netmap ring.
>
> I haven't wrapped all of this up and thrown it into FreeBSD-HEAD yet,
> but I know that a symmetric RSS key works fine on 82599 hardware with
> a fixed driver.
>
>
> -a
>
>
> On 22 September 2014 12:06, Elof Ofel wrote:
> > Hi Nikolay.
> >
> > Unfortunately no, that's not a solution.
> > mon0 could in theory be a bridge0 with four 10 GE interfaces = 40 Gbps theoretical input that need to be distributed over multiple virtual NICs. Also, I have no control of the mirrored traffic, so it would be hard for me to build and maintain bpf filters that try to roughly balance the bandwidth load.
> >
> > Any other suggestions?
> >
> > /Elof
> >
> >> Date: Mon, 22 Sep 2014 18:45:28 +0200
> >> Subject: Re: How do I balance bandwidth over several virtual NICs?
> >> From: nike_d@cytexbg.com
> >> To: elofu17@hotmail.com
> >> CC: freebsd-net@freebsd.org
> >>
> >> On Mon, Sep 22, 2014 at 5:12 PM, Elof Ofel wrote:
> >> > I have a single NIC, mon0, that constantly receives 800 Mbps of mirrored traffic.
> >> > I want to split these 800 Mbps into smaller chunks and feed them to a couple of virtual interfaces.
> >> > Each virtual interface can then have an instance of 'snort' inspecting its traffic.
> >> >
> >> > Say approximately 200 Mbps per interface = four interfaces.
> >> > That way, each of the four snort processes only gets 200 Mbps of data to inspect instead of having *one* single snort process (single-threaded) trying to cope with 800 Mbps.
> >> >
> >> > (the problem I'm trying to solve is utilizing all CPUs. Currently one CPU runs snort at 100% while all the other CPUs idle.)
> >> >
> >> >
> >> > The important thing though is that all packets in the connection need to be diverted to the same virtual NIC.
> >> > You can't send the SYN to NIC0 and the SYN-ACK to NIC1, 'cause then neither snort-process-0 nor snort-process-1 sees the other side of the connection.
> >> > The loadbalancing must be based on a hash built from at least the mac-addresses+IP-addresses.
> >> >
> >> >
> >> > So, what I think I'm looking for is a way to configure a lagg0 interface in loadbalance mode, that takes all the incoming traffic on mon0 and distributes it over four virtual member NICs. (these four NICs would then probably be configured to run in monitor mode.)
> >> >
> >> >
> >> > Does FreeBSD support what I'm looking for? How do I do it? Where should I look?
> >> >
> >> > /Elof
> >> >
> >> > _______________________________________________
> >> > freebsd-net@freebsd.org mailing list
> >> > http://lists.freebsd.org/mailman/listinfo/freebsd-net
> >> > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
> >>
> >> Since this is below one Gig, would running separate snort processes on
> >> mon0 and using a BPF filter to split traffic work?
> >>
> >> --Nikolay
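
What the "symmetric RSS key" step in the quoted reply buys, shown as an added example that is not part of the original thread and not ixgbe driver code: a Toeplitz hash (the hash RSS uses) over a TCP/IPv4 4-tuple, once with the widely published default key and once with a key built from a repeating 16-bit pattern, which hashes both directions of a connection to the same value. The flow addresses, the function names and the simplified `rx_queue` mapping are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define RSS_KEYLEN 40
/* Widely published default RSS key (Microsoft's verification key); not symmetric. */
static const uint8_t default_key[RSS_KEYLEN] = {
    0x6d,0x5a,0x56,0xda,0x25,0x5b,0x0e,0xc2,0x41,0x67,0x25,0x3d,0x43,0xa3,
    0x8f,0xb0,0xd0,0xca,0x2b,0xcb,0xae,0x7b,0x30,0xb4,0x77,0xcb,0x2d,0xa3,
    0x80,0x30,0xf2,0x0c,0x6a,0x42,0xb7,0x3b,0xbe,0xac,0x01,0xfa };

/* Symmetric key: 0x6d5a repeated, so every key bit equals the one 16 bits later. */
static void symmetric_key(uint8_t *key) {
    for (int i = 0; i < RSS_KEYLEN; i++) key[i] = (i & 1) ? 0x5a : 0x6d;
}

/* Toeplitz hash: each set input bit XORs in the 32-bit key window at its offset. */
static uint32_t toeplitz(const uint8_t *key, const uint8_t *in, size_t len) {
    uint32_t hash = 0, win = 0;
    for (int i = 0; i < 4; i++) win = win << 8 | key[i];
    for (size_t i = 0; i < len; i++)
        for (int b = 7; b >= 0; b--) {
            if (in[i] & (1u << b)) hash ^= win;
            win = win << 1 | ((key[i + 4] >> b) & 1u); /* slide in next key bit */
        }
    return hash;
}

/* TCP/IPv4 hash input: src IP, dst IP, src port, dst port, most significant byte first. */
static uint32_t flow_hash(const uint8_t *key, uint32_t sip, uint32_t dip,
                          uint16_t sport, uint16_t dport) {
    uint8_t in[12];
    uint64_t ips = (uint64_t)sip << 32 | dip;
    uint32_t ports = (uint32_t)sport << 16 | dport;
    for (int i = 0; i < 8; i++) in[i] = (uint8_t)(ips >> (56 - 8 * i));
    for (int i = 0; i < 4; i++) in[8 + i] = (uint8_t)(ports >> (24 - 8 * i));
    return toeplitz(key, in, sizeof in);
}

/* Simplified queue pick (assumption): low 7 hash bits spread over nqueues. */
static unsigned rx_queue(uint32_t h, unsigned nqueues) { return (h & 0x7f) % nqueues; }

int main(void) {
    uint8_t sym[RSS_KEYLEN];
    uint32_t a = 0x0a010203, b = 0xc0000250; /* constructed flow: 10.1.2.3:49152 <-> 192.0.2.80:443 */
    symmetric_key(sym);
    printf("default key:   fwd %08x rev %08x\n", flow_hash(default_key, a, b, 49152, 443),
           flow_hash(default_key, b, a, 443, 49152));
    printf("symmetric key: fwd %08x rev %08x -> queue %u of 4\n", flow_hash(sym, a, b, 49152, 443),
           flow_hash(sym, b, a, 443, 49152), rx_queue(flow_hash(sym, a, b, 49152, 443), 4));
}
```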