From: Jeff Lucovsky Date: Sun, 16 Apr 2023 12:28:25 +0000 (-0400) Subject: doc/pfring: Document additional cluster types X-Git-Tag: suricata-6.0.12~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=581c06bee54ff81ed32e072879dcaa53af02c390;p=thirdparty%2Fsuricata.git doc/pfring: Document additional cluster types This commit adds brief discussion for additional cluster types for use with the pf-ring packet source. Newly added: - cluster_inner_flow - cluster_inner_flow_2_tuple - cluster_inner_flow_4_tuple - cluster_inner_flow_5_tuple Issue: 5975 (cherry picked from commit b1918168f934e1923498cbf007a2377e78e5e252) --- diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index 62fd27ece1..df466cb610 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -1914,10 +1914,27 @@ is making use of clusters with the same id. cluster-id: 99 Pf_ring can load balance traffic using pf_ring-clusters. All traffic -for pf_ring can be load balanced in one of two ways, in a round robin -manner or a per flow manner that are part of the same cluster. All -traffic for pf_ring will be load balanced across acquisition threads -of the same cluster id. +for pf_ring can be load balanced according to the configured cluster +type value; in a round robin manner or a per flow manner that are part +of the same cluster. All traffic for pf_ring will be load balanced across +acquisition threads of the same cluster id. + ++----------------------------+--------------------------------------------------+ +| Cluster Type | Value | ++============================+==================================================+ +| cluster_flow | src ip, src_port, dst ip, dst port, proto, vlan | ++----------------------------+--------------------------------------------------+ +| cluster_inner_flow | src ip, src port, dst ip, dst port, proto, vlan | ++----------------------------+--------------------------------------------------+ +| cluster_inner_flow_2_tuple | src ip, dst ip | ++----------------------------+--------------------------------------------------+ +| cluster_inner_flow_4_tuple | src ip, src port, dst ip, dst port | ++----------------------------+--------------------------------------------------+ +| cluster_inner_flow_5_tuple | src ip, src port, dst ip, dst port, proto | ++----------------------------+--------------------------------------------------+ +| cluster_round_robin | not recommended | ++----------------------------+--------------------------------------------------+ + The cluster_round_robin manner is a way of distributing packets one at a time to each thread (like distributing playing cards to fellow @@ -1925,9 +1942,14 @@ players). The cluster_flow manner is a way of distributing all packets of the same flow to the same thread. The flows itself will be distributed to the threads in a round-robin manner. +If your deployment has VLANs, the cluster types with "inner" will use the innermost +tuple for distribution. + +Round-robin is not recommended with Suricata. + :: - cluster-type: cluster_round_robin + cluster-type: cluster_inner_flow_5_tuple .. _suricata-yaml-nfq: