PF_PACKET load balancing


I am experimenting with several open-source IDSes on Linux.
My concern is load balancing across mmap-ed packet rings.
Some of them have AF_PACKET socket load balancing (Suricata) while others don’t, and rely on PF_RING (Bro).
When I say load balancing I mean the PACKET_FANOUT socket option.

The following setup looks like a silver bullet to me:
You compile them (the IDS) with the latest version of pcap, and use pcap filters to achieve load balancing.

Am I missing something?


I’ve actually implemented BPF filters for load balancing before and it’s not good. You end up having to implement the modulus operator in BPF (yes, it’s possible) but then that expensive filter ends up being executed for each separate process. A user tested it on a large network and the result was bad.