Suricata with netmap works only in one thread?

I run Suricata with netmap in host stack mode (eth1 <> eth1^). In the settings of each interface I also specify the number of threads (threads option). When I set this value to one, the Suricata "DROP all UDP traffic" rule is triggered and blocks all incoming UDP traffic perfectly. However, when I set the number of threads to two, for example, the traffic is not blocked. Moreover, when I launch Suricata with the -vvv option, Suricata writes that none of the interfaces (eth1, eth1^) received any packets at all. The logs (fast.log) are also clean. Increasing the number of threads helps block some traffic according to the given rule, but still not all of it, as in the case of one thread. Moreover, trying to set the threads value to 'auto' results in an error: netmap couldn't allocate memory for the interface.
Is this the intended behavior of Suricata (I mean the UDP packets being skipped/ghosting), or is it a bug? If the former, then how do I fix the problem?

The rules file contains only one rule: block all UDP traffic, regardless of address and direction. I use the master version of netmap and the master version of Suricata (8.0). The Linux kernel version is 5.4. Also, I didn't install the netmap-built drivers for the network card (the pkt-gen test works perfectly).

Could you provide the suricata.log file snippet during the time that this fails as well as your configuration file netmap snippet?

Additionally, information on your NIC, e.g., sudo ethtool -x <your-nic>

It was experimentally discovered that if I set the value of threads in suricata.yaml's netmap section equal to the number of RX queues on the interface, then everything works fine. But if I set the number of threads lower than the number of queues (but not to one), then part of the traffic becomes invisible. If the number of threads should be equal to the number of queues, then why, when I set the number of threads to one, is all the traffic visible and everything works well?

ethtool -x shows me 40 RX queues, Toeplitz hash on, XOR and CRC32 off.
In suricata.log, when I have, for example, 2 threads, I see no packets on each netmap interface.

And my settings for that case:

  - interface: eth1
    copy-mode: ips
    copy-iface: eth1^
    threads: 2
    #disable-promisc: yes
  - interface: eth1^
    copy-mode: ips
    copy-iface: eth1
    threads: 2
    #disable-promisc: yes

Full suricata.log still needed?

Thanks for the update.

I suspect that your NIC is spreading traffic to each of the card's RX rings. I suggest using auto for the threads value. A setting of auto instructs Suricata to query the NIC for the ring count and use a matching value for threads.
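The ring-count matching that the reply above describes, worked through as an added example (this is not code from the thread, from netmap or from the Suricata project): read the NIC's RX ring count from ethtool -l and write that number explicitly into both netmap entries, which is the setting the earlier post found to work. The script assumes ethtool -l reports ring counts as "RX:" and "Combined:" lines under "Current hardware settings:", and it parses a constructed ethtool -l sample (SAMPLE_ETHTOOL_L) so it runs without a real NIC; the function names rx_ring_count, threads_for_nic, netmap_ips_config and check_threads are mine.

```shell
#!/bin/sh
# Added example, not code from this thread or from Suricata/netmap.
# Derives the netmap "threads" value from the NIC's RX ring count and
# emits the eth1 <-> eth1^ IPS pair for the netmap: section of suricata.yaml.
# Assumption: ethtool -l prints ring counts as "RX:" / "Combined:" under
# "Current hardware settings:". SAMPLE_ETHTOOL_L is constructed so the
# script runs offline; threads_for_nic() is the variant for a live NIC.

SAMPLE_ETHTOOL_L='Channel parameters for eth1:
Pre-set maximums:
RX:             0
TX:             0
Other:          1
Combined:       63
Current hardware settings:
RX:             0
TX:             0
Other:          1
Combined:       40'

# rx_ring_count "<ethtool -l output>"
# Prints the RX ring count in use: the RX value of the "Current hardware
# settings" section if non-zero, otherwise its Combined value (many NICs
# pair RX and TX on one queue and report RX: 0, Combined: N). The
# "Pre-set maximums" section is skipped on purpose.
rx_ring_count() {
    printf '%s\n' "$1" | awk '
        /^Current hardware settings:/ { cur = 1; next }
        cur && /^RX:/       { rx = $2 }
        cur && /^Combined:/ { comb = $2 }
        END { if (rx + 0 > 0) print rx + 0; else print comb + 0 }
    '
}

# threads_for_nic <iface>: same lookup against the live NIC
# (needs ethtool and usually root). Not called here.
threads_for_nic() {
    rx_ring_count "$(ethtool -l "$1")"
}

# check_threads <n>: accept only a positive integer ring count, so a
# parse failure never turns into "threads: 0" or "threads:" in the config.
check_threads() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        0) return 1 ;;
    esac
    return 0
}

# netmap_ips_config <iface> <threads>
# Prints the host-stack IPS pair from the thread with threads set
# explicitly; the same value is used on both the NIC and the ^ entry.
netmap_ips_config() {
    iface=$1
    threads=$2
    cat <<EOF
netmap:
  - interface: $iface
    copy-mode: ips
    copy-iface: ${iface}^
    threads: $threads
  - interface: ${iface}^
    copy-mode: ips
    copy-iface: $iface
    threads: $threads
EOF
}

threads=$(rx_ring_count "$SAMPLE_ETHTOOL_L")
check_threads "$threads" || { echo "could not read RX ring count" >&2; exit 1; }
netmap_ips_config eth1 "$threads"
```

For a real box, replace the sample with `threads_for_nic eth1` and compare the result with the queue count you see in `ethtool -x eth1`; if `threads: auto` fails with the netmap memory allocation error reported earlier in the thread, writing the explicit value this way gives the same thread-to-ring match by hand.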