I recently enabled software flow unloading (SFU) on my x86/64 machine. This machine runs snort, and with SFU disabled, I see that cores get saturated on a speed test. By contrast, with SFU enabled, I can't tell that the speed test is running by looking at the output of htop. All cores appear idle. I do not see a reduction in performance (download/upload speed nor jitter). Snort appears to be working, so how is this possible?
What's that? I'm unable to find anything useful...
What NIC do you use?
Setting under firewall in luci
I would not be surprised at all, if software flow-offloading would bypass snort for the offloaded packets. While being at odds with your intent, exactly that is the purpose for offloading - classify packets as being part of a known flow and let them bypass the rest of the normal netfilter processing (the slow path).
This was my initial suspicion as well, but I tested it using a snort rule that drops ping packets. I found that I was unable to ping even with flow offloading enabled, so I concluded snort was not being bypassed.
Each ping packet is a new 'flow'. So that is not offloaded. The first packet of a flow is reviewed by the netfilter processing, and only if it passes, the rest of the flow is offloaded.
I see... so there is no magic. Just bypassing snort which is not my intent. Although I do see some drops in my snort logs.
Is it not started after X number of packets (X being 128)?
Back in the days I did a lot of testing for Quarky on DDWRT, and we could set the start of the offloading with /sys/fast_classifier/offload_at_pkts.
But that was when I still had all my hair
Ok so we are talking about offload and not unload...
That is blatantly false. IP:IP pings and replies are single state and they are not offloaded.
Offload applies only to established TCP (3rd packet onwards) and UDP flows (1:1 or 0:5+ packets) plus "related" icmp like frag-needed encapsulating valid in-flow header.
Apply this:
Then you can inject offload bypass using
/etc/nftables.d/whatever.nft
chain handle_offload {
	# packets of a flow below this count stay on the slow path (and so reach snort)
	ct packets < 500 accept
	# flow add @ft accept
	# accept
}
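An added model, written here and not taken from the thread, of the behaviour described above: which packets of a flow still traverse the slow path (netfilter, and therefore snort) under software flow offloading, with and without the `ct packets < N accept` gate. It assumes the stock chain offloads TCP once the handshake ACK has been seen and UDP once a reply has been seen, that the packet which hits `flow add` still completes the slow path, and that the sample traffic is constructed.

```python
from collections import defaultdict

def slow_path_packets(packets, gate=0):
    """Indices of the packets that still traverse the slow path (netfilter,
    and therefore snort) under software flow offloading.

    packets: (flow_id, proto, direction) tuples in arrival order; direction is
             'orig' or 'reply', proto is 'tcp', 'udp' or 'icmp'.
    gate:    N from a `ct packets < N accept` rule placed before `flow add`;
             0 means no such rule (assumed stock handle_offload behaviour).
    """
    seen = defaultdict(int)   # ct packets, both directions, per flow
    replied = set()           # flows for which a reply has been seen
    offloaded = set()         # flows that now have a flowtable entry
    visible = []
    for i, (flow, proto, direction) in enumerate(packets):
        if flow in offloaded:
            continue          # fast path: snort never sees this packet
        visible.append(i)
        seen[flow] += 1
        if direction == "reply":
            replied.add(flow)
        if proto == "icmp":
            continue          # echo request/reply are never offloaded
        # conntrack state at the filter hook (assumption): TCP is ESTABLISHED
        # once the handshake ACK (3rd packet) is seen, UDP once a reply is seen
        established = (proto == "tcp" and seen[flow] >= 3) or \
                      (proto == "udp" and flow in replied)
        # the packet that reaches `flow add` still completes the slow path;
        # everything after it in this flow is offloaded
        if established and seen[flow] >= gate:
            offloaded.add(flow)
    return visible

def tcp_flow(flow_id, n):
    """Constructed n-packet TCP connection: SYN, SYN-ACK, ACK, then data."""
    dirs = ["orig", "reply", "orig"] + ["reply" if k % 4 else "orig" for k in range(n - 3)]
    return [(flow_id, "tcp", d) for d in dirs]

def pings(flow_base, n):
    """Constructed n echo requests with replies; each ping is its own flow."""
    return [(f"{flow_base}-{k}", "icmp", d) for k in range(n) for d in ("orig", "reply")]

def snort_visible_count(packets, gate=0):
    """Number of packets snort actually gets to inspect."""
    return len(slow_path_packets(packets, gate))

if __name__ == "__main__":
    speedtest = tcp_flow("dl", 10_000) + pings("ping", 4)
    for gate in (0, 500):
        n = snort_visible_count(speedtest, gate)
        print(f"gate={gate}: snort sees {n} of {len(speedtest)} packets")
```

With the 10,000-packet download, snort inspects only the handshake plus the pings without the gate, and the first 500 packets of the download with it, which is why the cores look idle while ping-dropping rules still fire.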