IPS: Add promisc mode / physical interface selection

[AdSchellevis]

For netmap to function correctly on vlan interfaces, it needs to be able to capture data from the physical interface.
We should add two features here:

1. add physical interfaces to the interface list
2. provide the option to set disable-promisc to no

[AdSchellevis]

reference https://forum.opnsense.org/index.php?topic=3017

[oparoz]

In the contextual help, there is this sentence "this is required to actually capture data on the physical interface".

Do you mean that if we have em0 and em0_vlan10, we need to enable promiscuous mode in order to be able to capture data on em0? I'm asking because traffic was captured just fine on VLANs without that option, so maybe it should be explained that this is to capture traffic on the parent interface.

[fichtner]

This seems to shift from driver to driver, from logical interface to logical interface. We know that e.g. PPPoE doesn't work in netmap mode although it has been added for pcap listening during 3.0 development. It's overly weird, and we really need to move on and let upstream take care of this accordingly.

If it works for you, that's great. Help share that knowledge. :)

[oparoz]

This seems to shift from driver to driver, from logical interface to logical interface.

Ah, OK, makes sense then. Upstream should really provide an auto switch for that setting.

If it works for you, that's great. Help share that knowledge. :)

I've enabled netmap on re0 only and can monitor all its VLANs without enabling promiscuous mode, but I can only use it for testing as Suricata doesn't work with software netmap and because the netmap patches for Realtek drivers are broken.

[fichtner]

Some of this may change with 10.3. The master branch for src.git is 10.3 now and there is a 16.7 config in tools for easy build. ASLR backport pending, otherwise all in.

[oparoz]

I'm not too hopeful since I've tested both netmap and the re driver from 11, but maybe some other changes in the kernel make it so that the interrupt don't pile up when the queue is full.
I'll check it out once ASLR is in.

[fichtner]

ok, thanks for mentioning. I really thought that netmap would shape up now with native suricata support. :/

[oparoz]

One problem is that there is a big divergence between the FreeBSD netmap and the official netmap. The official one crashes the kernel and I don't know what to cherry-pick to make it work as I'm not a driver hacker.

The other problem is in the hands of the Suricata team. If they can make it work with software netmap, then everybody could use IPS, at the cost of more CPU use.

[L1ghtn1ng]

Well we know from #940 that not using the wan interface and just the LAN interface we get IPS alerts, so in that sense to me it makes sense to select the vlan interfaces and LAN and see what happens. Also do we have any update on #940?