Short answer: No, AF_PACKET will not work with RHEL7. The long of it, from RedHat direct, is:
Erik,
Is this in response to your earlier post regarding AF_PACKET plugin on 6.8? I use AF_PACKET w/ Bro 2.5 on CentOS 7 and RHEL 7.2 every day, in production, using the default production kernel of 3.10.
While kernel 3.10 is the minimum to support functional AF_PACKET, more recent patches have improved performance, fixed bugs, etc. The often-misunderstood notion, however, is that RHEL uses an (relatively) ancient kernel in 3.10. However, Red Hat backports patches and have been pretty responsive to my interactions with them.
To be clear, AF_PACKET on RHEL7 and CentOS7 work extremely well w/ Bro 2.5 and the af_packet plugin. It will not, however, work under RHEL 6 because it uses the 2.x kernel.
-Derek
Is this with a single worker or multiple workers?
A single worker would work fine, but as far as I can tell hash based fanout is broken.
If bro is working for you, any ideas why https://github.com/JustinAzoff/can-i-use-afpacket-fanout/ fails to run properly on Centos 7?
Justin,
I haven’t used your tool before. That’s interesting…I tested in my ROCK NSM dev VM and it failed. When I switched to the El Repo kernel it had no problem. On production sensors w/ AF_PACKET I get ~ 0.06% packet loss. I’ll have to dig deeper on this. Your go app fails on my production sensor too, but I never had sufficient packet loss to dig into it.
Have you submitted an issue with Red Hat to get the fix backported? If so, can you post the bug tracker number?
-Derek
I have a bug report with RH. It is being worked on. It MAY make it into 7.4. The solution from RH is to use the elrepo kernel. I haven’t been back to work yet, but I may be getting a test kernel to work with to help get this into the main branch earlier than 7.4. Per RH, the permanent fix isn’t that bad, it just touches on a bunch of things at once making it undesireable to push into production immediately.
Also, I get very low packet loss when using AF_PACKET on 7.3, BUT, conn and weird logs go absolutely bonkers, and long term conns are trashed because traffic goes out one worker but back in on a different one. This is a big issue for me, as we were going to go AF_PAcKET with suricata as well.