IPFW divert and suricata

Oliver Humpage oliver at watershed.co.uk
Wed Jul 1 16:06:16 UTC 2015


On 1 Jul 2015, at 15:31, Luigi Rizzo <rizzo at iet.unipi.it> wrote:

> For the latter two, you might be better off using netmap
> on vmxnet3 (in emulated mode, also disabling offloads),
> and if i remember well a couple of years ago there were
> efforts to use suricata on top of netmap.
> Worst case, you can just use the netmap-enabled libpcap.

Looks like netmap support has been finished and will be in version 2.1 of Suricata, so that's promising.

For now I'll try turning off all the hardware offloads and see what happens.

> 3. divert probably loses important context on the packets
>    (e.g. incoming or outgoing interface) so when traffic is
>    reinjected bad things occur

Would specifying a reinject rule (e.g. a "pass all") help, do you think? And/or having different divert rules for incoming/outgoing? I had assumed it wouldn't, but I'm not an expert.

Many thanks for replying,

Oliver.