Status on the netmap improvement efforts for OPNsense 20.7
As some of you already know, Sunny Valley Networks is sponsoring a second round of improvement efforts on the upstream project and FreeBSD side. OPNsense 20.7 is expected to be released next week (July 30, 2020). So, we get many questions from Sensei and Suricata users with regard to the status of our netmap improvement efforts and whether they landed on OPNsense 20.7.
Latest Update: July 31, 2020 12.10 pm
TL;DR – Qstrong textuick Answer
Unfortunately not yet.
So, what’s the netmap status with OPNsense 20.7 stock kernel?
OPNsense 20.7 is based on HardenedBSD/FreeBSD 12.1. In the overall, we saw improvements with some drivers while experiencing regressions with some. For some drivers, the situation seems to be the same. See below table for a detailed overview. If you’re using Sensei and/or Suricata with any of the problematic drivers, you should be careful:
|Drivers tested and in working condition||igb, ix, ixl, mlx4en|
|Drivers that are in partial working condition||em (VLANs do not work)|
|Drivers that needs testing and verification||bge, xn, hn, re (without VLANs ok, needs VLAN testing)|
|Drivers that FAIL to work||vtnet, vmx (Kernel race condition leading to panic)|
|Drivers not supported||tun, lagg, bridge|
OPNsense 20.7 (FreeBSD 12.1) netmap status
So, where are we now? When can we expect improvements with regard to problematic/unsopported drivers?
We’ve already started the work on the upstream project side: netmap. The project has two main objectives:
Quickly fixing reported bugs in such a manner that they are quickly made available for FreeBSD -> HardenedBSD -> OPNsense.
Improving device-driver support for netmap. We’ll be focusing on providing netmap support for tun, lagg and bridge interfaces.
The former will increase netmap stability and reliability to a great deal, while the latter will provide the long-awaited capability to be able to protect VPN (OpenVPN, Zerotier, Wireguard etc), Bridge and LAGG interfaces.
Thanks to netmap maintainers being fast to respond and fix, our first two reported problems are now fixed in the upstream project. vtnet crash fix has already been integrated into FreeBSD 12-STABLE. em VLAN patch is awaiting review and it’s highly likely that it’ll land on 12-STABLE soon.
You can view the current project status here: Google Docs – Netmap status as of OPNsense 20.7 RC1
When can we test / use the enhanced netmap support?
We hope to provide a netmap test kernel around late August / September this year. But it’s highly likely that OPNsense will start landing them on the project starting with OPNsense 20.7.1 or 20.7.2.
How can I help?
Testing the stock / test netmap kernel with different drivers and providing feedback through either:
Sunny Valley Support Portal: Sunny Valley Support Portal
This would be of great help since we need to spot problems to be able to start fixing them. Your help is much appreciated.