From 2875a7a2e5163fae947e58e354154c8c64fa5366 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 1 Aug 2023 09:48:44 -0400
Subject: [PATCH 1/4] Sensor NIC offload
---
 salt/sensor/files/99-so-checksum-offload-disable | 12 ++++++++++++
 salt/sensor/init.sls | 11 +++++++++++
 salt/top.sls | 5 +++++
 3 files changed, 28 insertions(+)
 create mode 100755 salt/sensor/files/99-so-checksum-offload-disable
 create mode 100644 salt/sensor/init.sls
diff --git a/salt/sensor/files/99-so-checksum-offload-disable b/salt/sensor/files/99-so-checksum-offload-disable
new file mode 100755
index 000000000..fdce54f5e
--- /dev/null
+++ b/salt/sensor/files/99-so-checksum-offload-disable
@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-common
+
+init_monitor $MNIC
diff --git a/salt/sensor/init.sls b/salt/sensor/init.sls
new file mode 100644
index 000000000..34133e488
--- /dev/null
+++ b/salt/sensor/init.sls
@@ -0,0 +1,11 @@
+offload_script:
+ file.managed:
+ - name: /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable
+ - source: salt://sensor/files/99-so-checksum-offload-disable
+ - mode: 755
+
+execute_checksum:
+ cmd.run:
+ - name: /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable
+ - onchanges:
+ - file: offload_script
\ No newline at end of file
diff --git a/salt/top.sls b/salt/top.sls
index e53895324..bc51c2db1 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -36,6 +36,7 @@ base:
 '*_sensor and G@saltversion:{{saltversion}}':
 - match: compound
+ - sensor
 - ssl
 - sensoroni
 - telegraf
@@ -52,6 +53,7 @@ base:
 '*_eval and G@saltversion:{{saltversion}}':
 - match: compound
 - salt.master
+ - sensor
 - ca
 - ssl
 - registry
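Review bot: `offload_script` in salt/sensor/init.sls sets only the mode, so ownership of a script that NetworkManager's dispatcher runs as root is left to whatever is already on disk or to Salt's default. NetworkManager documents that dispatcher scripts must be owned by root and not be writable by group or other, so I would state that in the state itself with `- user: root` and `- group: root`, and quote the mode as `- mode: '0755'`. A short comment above `execute_checksum` saying that it applies the settings immediately rather than waiting for the next pre-up event would also help the next reader.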
@@ -118,6 +120,7 @@ base:
 '*_standalone and G@saltversion:{{saltversion}}':
 - match: compound
 - salt.master
+ - sensor
 - ca
 - ssl
 - registry
@@ -196,6 +199,7 @@ base:
 '*_heavynode and G@saltversion:{{saltversion}}':
 - match: compound
+ - sensor
 - ssl
 - sensoroni
 - nginx
@@ -216,6 +220,7 @@ base:
 '*_import and G@saltversion:{{saltversion}}':
 - match: compound
 - salt.master
+ - sensor
 - ca
 - ssl
 - registry
From 87a5d20ac968f811338556d71d66edcf066eb9dd Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 1 Aug 2023 10:03:59 -0400
Subject: [PATCH 2/4] Sensor NIC offload
---
 salt/sensor/files/99-so-checksum-offload-disable | 4 +++-
 salt/sensor/init.sls | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/salt/sensor/files/99-so-checksum-offload-disable b/salt/sensor/files/99-so-checksum-offload-disable
index fdce54f5e..72f7838db 100755
--- a/salt/sensor/files/99-so-checksum-offload-disable
+++ b/salt/sensor/files/99-so-checksum-offload-disable
@@ -9,4 +9,6 @@
 . /usr/sbin/so-common
-init_monitor $MNIC
+{% set MNIC = salt['pillar.get']('sensor:interface') %}
+
+init_monitor {{ MNIC }}
diff --git a/salt/sensor/init.sls b/salt/sensor/init.sls
index 34133e488..53cd808c6 100644
--- a/salt/sensor/init.sls
+++ b/salt/sensor/init.sls
@@ -3,6 +3,7 @@ offload_script:
 - name: /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable
 - source: salt://sensor/files/99-so-checksum-offload-disable
 - mode: 755
+ - template: jinja
 execute_checksum:
 cmd.run:
From b6579d7d45474c229316cfa1653bc86565e3e725 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 1 Aug 2023 10:13:44 -0400
Subject: [PATCH 3/4] Sensor NIC offload
---
 salt/common/tools/sbin/so-common | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index f9459587d..0581c09c6 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
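Review bot: `{{ MNIC }}` in 99-so-checksum-offload-disable (patch 2/4) is rendered unquoted into a script that the dispatcher runs as root, and `pillar.get` is called without a default, so a minion with no `sensor:interface` would call `init_monitor` with no usable interface name; top.sls applies this state to the eval, standalone, heavynode and import roles as well as sensor. I would quote the argument and skip the call when the value is empty, for example `if [ -n "{{ MNIC }}" ]; then init_monitor "{{ MNIC }}"; fi`. A comment noting that the script ignores the interface and action arguments NetworkManager passes, and therefore re-applies the settings on every pre-up event, would make that choice explicit. What `init_monitor` does with an empty argument is not visible in this hunk.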
@@ -225,12 +225,15 @@ init_monitor() {
 if [[ $MONITORNIC == "bond0" ]]; then
 BIFACES=$(lookup_bond_interfaces)
+ for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload; do
+ ethtool -K "$MONITORNIC" "$i" off;
+ done
 else
 BIFACES=$MONITORNIC
 fi
 for DEVICE_IFACE in $BIFACES; do
- for i in rx tx sg tso ufo gso gro lro; do
+ for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload; do
 ethtool -K "$DEVICE_IFACE" "$i" off;
 done
 ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on
From f35f42c83d58c4aabee7ca7c7a48a8d16b344c97 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 1 Aug 2023 10:23:45 -0400
Subject: [PATCH 4/4] Sensor NIC offload
---
 salt/common/tools/sbin/so-common | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 0581c09c6..3c79110b3 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -225,7 +225,7 @@ init_monitor() {
 if [[ $MONITORNIC == "bond0" ]]; then
 BIFACES=$(lookup_bond_interfaces)
- for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload; do
+ for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload generic-receive-offload generic-segmentation-offload tcp-segmentation-offload; do
 ethtool -K "$MONITORNIC" "$i" off;
 done
 else
@@ -233,7 +233,7 @@ init_monitor() {
 fi
 for DEVICE_IFACE in $BIFACES; do
- for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload; do
+ for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload generic-receive-offload generic-segmentation-offload tcp-segmentation-offload; do
 ethtool -K "$DEVICE_IFACE" "$i" off;
 done
 ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on
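Review bot: Neither loop in the patch 3/4 hunk checks the result of `ethtool -K`, so a feature name that the bond master or a member's driver rejects leaves that offload enabled with nothing recorded, and the sensor then inspects coalesced or checksum-offloaded frames. I would at least report the failure, e.g. `ethtool -K "$DEVICE_IFACE" "$i" off || echo "init_monitor: could not disable $i on $DEVICE_IFACE" >&2`, and do the same in the new `$MONITORNIC` loop. The feature list is now written out twice; a single variable shared by both loops would keep them from drifting apart. `init_monitor` starts before and ends after this hunk.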
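Review bot: The three names added in patch 4/4 to both loops (the hunk at `@@ -225,7` and the one at `@@ -233,7`) look like the long spellings of `gro`, `gso` and `tso`, which are already in the list, so each pass would switch the same feature off a second time. If the long names were needed because the short ones did not take effect on some driver, a comment such as `# long names kept: short aliases did not apply on <driver>` above the loop would record why; otherwise they can be dropped. Confirming the end state with `ethtool -k` on a bonded and a non-bonded sensor would settle which spellings are actually required.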