OPNsense Suricata Error

Mindwatering Incorporated

Author: Tripp W Black

Created: 04/11 at 11:32 AM

 

Category:
Linux
Configuration

Error:
netmap_buf_size_validate error: using NS_MOREFRAG on vmx0 requires netmap buf size >= 4096


Issue:
Suricata intrusion detection fails to stay running. The error appears in the OPNsense General log:
System --> Log Files --> General
. . .
2025-04-11T08:46:21-04:00 Notice kernel 581.689485 [2225] netmap_buf_size_validate error: using NS_MOREFRAG on vmx0 requires netmap buf size >= 4096
2025-04-11T08:46:21-04:00 Notice kernel 581.689409 [ 850] iflib_netmap_config txr 4 rxr 4 txd 512 rxd 512 rbufsz 4096

Issue Notes:
On one of the firewalls we manage, a storage network runs Jumbo Frames (MTU=9000). The Suricata service will run on that firewall with the netmap buffer size set to 4096, but after changing the buffer size to 4096 the log shows the following subsequent message:
iflip_netmap_config netmap_buf_size_validate info:netmap application on vmx0 needs to support NS_MOREFRAG (MTU=9000), netmap_buf_size=4096)

Therefore, if the MTU equals 9000, change the buffer size to 9710 in the steps below instead of 4096. The value 9710 leaves extra room for headers in the buffers.


To temporarily fix/validate:
In this example, the MTU on this vmx0 interface is likely higher than the default of 1500. For Jumbo 9000 MTU, the default size of 2048 must be increased to 4096.

1. SSH or use the virtual console.

2. As root, enter:
# sysctl dev.netmap.buf_size=4096
dev.netmap.buf_size: 2048 -> 4096

3. In the web UI, return to the Dashboard and start Suricata:
Lobby --> Dashboard
On the right, click the suricata play icon.

4. Monitor.


After validation, make the setting permanent in the Tunables page:
System --> Settings --> Tunables

5a. Click the "+" to add a new setting.

5b. In the System:Settings:Tunable new form, enter:
Tunable: dev.netmap.buf_size
Description: 2025/04/11 Suricata error NS_MOREFRAG netmap buf size
Value: 4096
Click SAVE.

Note:
Per above, if running Jumbo Frames, set to 9710 instead of 4096.
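
The following script is an added example, not part of the original note. It reads kernel log text and reports the dev.netmap.buf_size value this page recommends, using the two messages quoted above as sample input. The function names are hypothetical, and it assumes only the two message forms shown on this page.

```shell
#!/bin/sh
# Added example (not from the original note). Reads kernel log lines on stdin
# and reports the dev.netmap.buf_size value this page recommends.

# Constructed sample input: the two kernel messages quoted on this page.
SAMPLE_LOG='2025-04-11T08:46:21-04:00 Notice kernel 581.689485 [2225] netmap_buf_size_validate error: using NS_MOREFRAG on vmx0 requires netmap buf size >= 4096
iflip_netmap_config netmap_buf_size_validate info:netmap application on vmx0 needs to support NS_MOREFRAG (MTU=9000), netmap_buf_size=4096)'

# Print "<iface> <size>" for every netmap buffer complaint found on stdin.
netmap_findings() {
    while IFS= read -r line; do
        case "$line" in
        *"requires netmap buf size >= "*)
            # Error form: the kernel names the minimum buffer size itself.
            printf '%s\n' "$line" | sed -n \
                's/.* on \([A-Za-z0-9_]*\) requires netmap buf size >= \([0-9][0-9]*\).*/\1 \2/p'
            ;;
        *"needs to support NS_MOREFRAG (MTU="*)
            # Info form: only the MTU is given. The page maps MTU 9000 to 9710;
            # other MTUs are skipped because the page gives no value for them.
            printf '%s\n' "$line" | sed -n \
                's/.* on \([A-Za-z0-9_]*\) needs to support NS_MOREFRAG (MTU=9000).*/\1 9710/p'
            ;;
        esac
    done
    return 0
}

# dev.netmap.buf_size is one global sysctl, so keep the largest size seen.
# Prints nothing when no complaint was found.
recommended_buf_size() {
    netmap_findings | awk '$2 + 0 > max { max = $2 + 0 } END { if (max) print max }'
}

# Print the tunable line for the sample; nothing is changed on the system.
size=$(printf '%s\n' "$SAMPLE_LOG" | recommended_buf_size)
if [ -n "$size" ]; then
    echo "dev.netmap.buf_size=$size"
fi
```

On the firewall, pipe kernel log text (for example the output of dmesg) into recommended_buf_size instead of the sample.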

