转载自:https://zhuanlan.zhihu.com/p/64742715
对部分安装报错的地方进行了修改,建议按照原文安装,原文有ES对接
内网搭建Suricata进行流量检测
目标机器版本:CentOS Linux release 7.6.1810
Suricata版本:suricata-6.02
Luajit版本:LuaJIT-2.0.5
PF_RING版本:PF_RING-7.8.0
Hyperscan版本:hyperscan-5.4.0
Hyperscan 第3方依赖库
| 依赖项 | 版本 |
|---|---|
| CMake | >=2.8.11 |
| Ragel | 6.9 |
| Python | 2.7 |
| Boost | >=1.57 |
| Pcap | >=0.8 |
| SQLite | ? |
| g++、gcc | >v4.8.1 |
0x01 相关依赖安装
1.先安装相关依赖包
# yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make libnetfilter_queue-devel lua-devel
2.安装所需工具
根据所需安装相关的配套工具,使Suricata发挥出最大作用。我用到的有LuaJIT、PF_RING和Hyperscan。
(1)LuaJIT
- LuaJIT简介
- LuaJIT是采用C语言写的Lua代码的解释器,LuaJIT试图保留Lua的精髓–轻量级,高效和可扩展。
LuaJIT的安装
wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
tar -zxf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5/
make
make install
得到以下提示,说明安装成功:
需要更新动态库,对文件/etc/ld.so.conf进行修改,添加相应的路径/usr/local/lib。
vim /etc/ld.so.conf
# 添加如下路径,保存退出
/usr/local/lib
# 运行如下命令加载
ldconfig
(2)PF_RING
- PF_RING简介
Github地址:https://github.com/ntop/PF_RING
PF_RING是Luca研究出来的基于Linux内核级的高效数据包捕获技术。简单来说PF_RING 是一个高速数据包捕获库,通过它可以实现将通用 PC 计算机变成一个有效且便宜的网络测量工具箱,进行数据包和现网流量的分析和操作。同时支持调用用户级别的API来创建更有效的应用程序。PF_RING是拥有一套完整开发接口的高速数据包捕捉库,与我们熟知的libpcap十分相似,但其性能要优于libpcap。
按照传统的观念,中间网络节点只能按照协议栈的层次一层一层地解析数据包,所谓路由器是三层设备,交换机是二层设备,防火墙分为二层防火墙和三层防火墙...使用PF_RING的设备,它可以将数据包直接从网卡的芯片DMA到你机器上的内存,仅此而已,然后你通过一个应用程序而不是内核协议栈来处理数据包,至于说你的应用程序怎么处置数据包,我来列举几个:
(1) 深度解析数据包,按照各种你可以想到的粒度来解析会话,然后记录审计信息;
(2) 提供高性能的入侵检测功能;
(3) 转发数据包,按照路由器的方式。但是不再仅仅通过查询路由表的方式进行IP路由,而是可以通过各种各样的方式,转发表完全由你自己定义,比如实现一个通用的SDN流表;
(4) 根据上面第2点的含义,你可以决定哪些包被丢弃,这就是一个高性能的防火墙。
相比协议栈的串行解决方案,使用PF_RING是一个更加高效的方案,不但高效,而且灵活。如果你拥有多核心的处理器,你甚至可以可以在用户态并行处理数据包的各个层信息。
PF_RING的安装
- 我的流量镜像在enp26s0f1网卡,我这边配置的enp26s0f1网卡的PF_RING:
#安装基本库
yum install numactl-devel -y
#编译安装PF_RING之前需要卸载原来的网卡驱动,卸载之前使用ethtool命令查看当前网卡的类型和驱动版本
ethtool -i enp26s0f1
lsmod | grep igb
rmmod igb
#Tips:该操作可能会造成网络无法连接,所以需要现场进行操作,避免使用ssh远程
git clone https://github.com/ntop/PF_RING/
cd PF_RING/
make #直接在跟目录下面make,进行全部编译
cd PF_RING/kernel
make
make install
#最好设置一下,官方解释是2的性能最好,但是有大神测试后发现差别并不是很大(在PF_RING/kernel目录下insmod)
insmod pf_ring.ko transparent_mode=1
当PF_RING激活时,会创建/proc/net/pf_ring目录,使用cat命令查看pf_ring的属性信息:
cat /proc/net/pf_ring/info
#编译安装PF_RING所需依赖库
cd PF_RING/userland/lib
./configure
make
make install
如果需要使用libpcap抓包分析,请卸载之前安装的libpcap,然后进入/PF_RING/userland/libpcap-1.9.1/目录下配置、编译和安装驱动。
#卸载原来的libpqcap
rpm -qa libpcap #查看安装的libpcap,如果有libpcap则强制卸载
rpm --nodeps -e libpcap
#安装PF_RING的libpcap
cd PF_RING-dev/userland/libpcap
./configure
make
make install
#编译网卡驱动
cd PF_RING/drivers/intel/igb/igb-5.3.5.18-zc/src
insmod igb.ko #安装pf_ring网卡驱动
modprobe igb #只能载入/lib/modules/<kernel ver>/中模块
安装完成,使用dmesg命令查看驱动信息:
dmesg | grep enp26s0f1
测试网络的接受包数:
cd PF_RING/userland/example
make
./pfcount -i enp26s0f1 #测试捕获eth0的数据报文
PF_RING安装完成后,需要在suricata的配置文件中(suricata.yaml)进行配置,参见下文:0x03 suricata.yaml配置。
(3)Hyperscan
- Hyperscan简介
· Github地址:https://github.com/intel/hyperscan
· Wiki:https://github.com/ntop/PF_RING/wiki
· 文档:https://www.ntop.org/guides/pf_ring
Hyperscan是一个高性能的多重正则表达式匹配库。在Suricata中它可以用来执行多模式匹配。Hyperscan适用于部署在诸如DPI/IPS/IDS/FW等场景中,目前已经在全球多个客户网络安全方案中得到实际的应用。
Hyperscan的安装
#安装依赖
yum install cmake ragel libtool python-devel GyeoIP-devel -y
yum install boost boost-devel boost-doc -y
yum install libquadmath libquadmath-devel bzip2-devel -y
#boost不需要编译安装,如果通过系统包管理工具(yum/apt-get)安装的,版本无法满足版本需要,则需要下载源码包,解压后执行类似
wget https://jaist.dl.sourceforge.net/project/boost/boost/1.76.0/boost_1_76_0.tar.gz
tar xvzf boost_1_76_0.tar.gz
cd boost_1_76_0/
./bootstrap.sh --prefix=/tmp/boots-1.76
#开始编译,编译的过程有点慢
./b2 install
#安装Hyperscan
git clone https://github.com/intel/hyperscan.git
mkdir build # 在hyperscan平级目录中创建build文件夹
cd build
cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=/tmp/boots-1.76 ../hyperscan
#开始安装
make
make install
最终的安装完成页面如下所示:
参考链接:https://www.dazhuanlan.com/2020/02/03/5e37c29012884/
需要更新动态库,对文件/etc/ld.so.conf进行修改,添加相应的路径/usr/local/lib64
vim /etc/ld.so.conf
#添加如下路径,保存退出
/usr/local/lib64
#运行如下命令加载
ldonfig
0x02 Suricata的安装
wget https://www.openinfosecfoundation.org/download/suricata-6.0.2.tar.gz
tar -xvzf suricata-6.0.2.tar.gz
cd suricata-6.0.2
#编译时可用的参数比较多,要根据自己的需求增加相关编辑参数。参见下文<./configure常见参数作用简单说明>
#我的编译命令如下:
这是一条命令
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-pfring --with-libpfring-includes=/usr/local/pfring/include
--with-libpfring-libraries=/usr/local/pfring/lib --enable-geoip --enable-luajit --with-libluajit-includes=/usr/local/include/luajit-2.0/
--with-libluajit-libraries=/usr/local/lib/ --with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib/ --enable-profiling
./configure常见参数作用简单说明:
#使用./configure --help可查看各个参数的说明,其中常见的编译参数如下:
--prefix=/usr/ #Suricata 安装在/usr/bin/.默认安装在/usr/local/
--sysconfdir=/etc #Suricata配置文件存在/etc/suricata/,默认存在 /usr/local/etc/
--localstatedir=/var #设置Suricata日志放在 /var/log/suricata/.默认在 /usr/local/var/log/suricata
--enable-lua #启用Lua支持检测和输出
--enable-geopip #启用GeoIP支持检测
--enable-rust #启用实验Rust支持
--enable-profiling #启用性能分析
--enable-nfqueue #为内联IDP(启用NFQueue支持)启用NFQueue支持,一般开启Suricata的IPS模式时使用
# 加入PF_RING支持
--enable-pfring #启用本机Pf_Ring的支持
--with-libpfring-includes #libpfring的目录
--with-libpfring-libraries #libpfring的库目录
#Lua主要用来编写规则
--enable-luajit #启用Luajit(C语言编写的Lua代码解析器)支持
--with-libluajit-includes #libluajit的目录
--with-libluajit-libraries #libluajit的库目录
#使用scan(一个高性能的多重正则表达式匹配库)时,所需的库
--with-libhs-includes #libhs的目录
--with-libhs-libraries #libhs的库目录
--with-libnss-libraries #libnss的目录
--with-libnss-includes #libnss的库目录
--with-libnspr-libraries #libnspr的目录
--with-libnspr-includes #libnspr的库目录
编译完成,如下图所示:
随后运行如下命令进行安装:
make -j4 # 多线程
make install -j4 # 多线程安装
make install-conf
Suricata安装在/usr/bin/下,相关配置在/etc/suricata/,日志输出在/var/log/suricata/下。运行suricata,返回如下信息,证明安装成功。
执行suricata --build-info,如果上述的安装都没问题的话,可以看到suricata已支持PF_RING、LUA和Hyperscan。如下图所示:
执行报错:
执行suricata命令时出现以下报错:
suricata: error while loading shared libraries: libhs.so.5: cannot open shared object file: No such file or directory
先找系统里有没有 libhs.so,如果有执行一下操作
echo "/usr/local/lib64" | sudo tee --append /etc/ld.so.conf.d/usrlocal.conf
ldconfig
如果没有参考:https://programmersought.com/article/99241925597/
0x03 suricata.yaml配置
suricata.yaml配置文件的相关参数说明可参考这篇文章:Suricata配置文件说明
如下是suricata配置文件的配置:
(1) suricata.yaml基本配置
##
## Step 1: inform Suricata about your network
##
vars:
# more specific is better for alert accuracy and performance
address-groups:
#HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
#配置内网网段
HOME_NET: "[192.168.0.0/16,10.0.0.0/16]"
#HOME_NET: "[192.168.0.0/16]"
#HOME_NET: "[10.0.0.0/8]"
#HOME_NET: "[172.16.0.0/12]"
#HOME_NET: "any"
EXTERNAL_NET: "!$HOME_NET"
#EXTERNAL_NET: "any"
HTTP_SERVERS: "$HOME_NET"
SMTP_SERVERS: "$HOME_NET"
SQL_SERVERS: "$HOME_NET"
DNS_SERVERS: "$HOME_NET"
TELNET_SERVERS: "$HOME_NET"
AIM_SERVERS: "$EXTERNAL_NET"
DC_SERVERS: "$HOME_NET"
DNP3_SERVER: "$HOME_NET"
DNP3_CLIENT: "$HOME_NET"
MODBUS_CLIENT: "$HOME_NET"
MODBUS_SERVER: "$HOME_NET"
ENIP_CLIENT: "$HOME_NET"
ENIP_SERVER: "$HOME_NET"
port-groups:
HTTP_PORTS: "80"
SHELLCODE_PORTS: "!80"
ORACLE_PORTS: 1521
SSH_PORTS: "[22,63501,57891]"
DNP3_PORTS: 20000
MODBUS_PORTS: 502
FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
FTP_PORTS: 21
......
......
......
#开一些协议解析的字段,保存更详细的日志,便于溯源#
outputs:
# a line based alerts log similar to Snort's fast.log
- fast:
enabled: yes
filename: fast.log
append: yes
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
# Extensible Event Format (nicknamed EVE) event log in JSON format
- eve-log:
enabled: yes
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve.json
......
......
......
types:
- alert:
payload: yes # enable dumping payload in Base64
# payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
payload-printable: yes # enable dumping payload in printable (lossy) format
packet: yes # enable dumping of packet (without stream segments)
# http-body: yes # enable dumping of http body in Base64
http-body-printable: yes # enable dumping of http body in printable format
# metadata: no # enable inclusion of app layer metadata with alert. Default yes
# Enable the logging of tagged packets for rules using the
# "tag" keyword.
tagged-packets: yes
- http:
extended: yes # enable this for extended logging information
# custom allows additional http fields to be included in eve-log
# the example below adds three additional fields when uncommented
custom: [Accept-Encoding, Accept-Language, Authorization,cookie,origin,server]
- dns:
# This configuration uses the new DNS logging format,
# the old configuration is still available:
# 8.1. Suricata.yaml
# Use version 2 logging with the new format:
# DNS answers will be logged in one single event
# rather than an event for each of it.
# Without setting a version the version
# will fallback to 1 for backwards compatibility.
version: 2
# Enable/disable this logger. Default: enabled.
enabled: yes
# Control logging of requests and responses:
# - requests: enable logging of DNS queries
# - responses: enable logging of DNS answers
# By default both requests and responses are logged.
requests: yes
responses: yes
# Format of answer logging:
# - detailed: array item per answer
# - grouped: answers aggregated by type
# Default: all
#formats: [detailed, grouped]
# Answer types to log.
# Default: all
types: [a, aaaa, cname, mx, ns, ptr, txt]
- tls:
extended: yes # enable this for extended logging information
# output TLS transaction where the session is resumed using a
# session id
#session-resumption: no
# custom allows to control which tls fields that are included
# in eve-log
#custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3]
- files:
force-magic: no # force logging magic on all logged files
# force logging of checksums, available hash functions are md5,
# sha1 and sha256
#force-hash: [md5]
#- drop:
# alerts: yes # log alerts that caused drops
# flows: all # start or all: 'start' logs only a single drop
# # per flow direction. All logs each dropped pkt.
- smtp:
extended: yes # enable this for extended logging information
# this includes: bcc, message-id, subject, x_mailer, user-agent
# custom fields logging from the list:
# reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
# x-originating-ip, in-reply-to, references, importance, priority,
# sensitivity, organization, content-md5, date
custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
......
......
......
#规则这块使用suricata-update管理,相关suricata.yaml文件的配置参见0x04#
(2) PF_RING – suricata.yaml 配置
还有些其他参数可能还得深入研究下。大致配置如下:
# Runmode the engine should use. Please check --list-runmodes to get the available
# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
# load balancing).
runmode: workers
......
......
# packet size (MTU + hardware header) on your system.
default-packet-size: 1522
......
......
# Defrag settings:
defrag:
memcap: 512mb
hash-size: 65536
trackers: 65535 # number of defragmented flows to follow
max-frags: 65535 # number of fragments to keep (higher than trackers)
prealloc: yes
timeout: 30
......
......
flow:
memcap: 1gb
hash-size: 1048576
prealloc: 1048576
emergency-recovery: 30
#managers: 1 # default to one flow manager
#recyclers: 1 # default to one flow recycler thread
......
......
flow-timeouts:
default:
new: 3
established: 30
closed: 0
bypassed: 10
emergency-new: 3
emergency-established: 10
emergency-closed: 0
emergency-bypassed: 10
tcp:
new: 6
established: 100
closed: 12
bypassed: 100
emergency-new: 1
emergency-established: 5
emergency-closed: 2
emergency-bypassed: 50
udp:
new: 3
established: 30
bypassed: 100
emergency-new: 3
emergency-established: 10
emergency-bypassed: 50
icmp:
new: 3
established: 30
bypassed: 100
emergency-new: 1
emergency-established: 10
emergency-bypassed: 50
......
......
stream:
memcap: 12gb
checksum-validation: no # reject wrong csums
prealloc-sesions: 500000 #per thread
midstream: true
asyn-oneside: true
inline: no # auto will use inline mode in IPS mode, yes or no set it statically
reassembly:
memcap: 20gb
depth: 12mb # reassemble 1mb into a stream
toserver-chunk-size: 2560
toclient-chunk-size: 2560
randomize-chunk-size: yes
#randomize-chunk-range: 10
#raw: yes
#segment-prealloc: 2048
#check-overlap-different-data: true
......
......
# PF_RING configuration. for use with native PF_RING support
# for more info see http://www.ntop.org/products/pf_ring/
pfring:
- interface: enp26s0f1
# Number of receive threads. If set to 'auto' Suricata will first try
# to use CPU (core) count and otherwise RSS queue count.
threads: 16
# Default clusterid. PF_RING will load balance packets based on flow.
# All threads/processes that will participate need to have the same
# clusterid.
cluster-id: 99
# Default PF_RING cluster type. PF_RING can load balance per flow.
# Possible values are cluster_flow or cluster_round_robin.
cluster-type: cluster_flow
# bpf filter for this interface
#bpf-filter: tcp
- interface: enp26s0f0 # 多张网卡填写多个interface内容
threads: 16 # 启用线程,auto启用所有空闲的cpu
cluster-id: 98 # id不能重复
cluster-type: cluster_flow
......
......
libhtp:
default-config:
personality: IDS
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
request-body-limit: 12mb
response-body-limit: 12mb
# inspection limits
request-body-minimal-inspect-size: 32kb
request-body-inspect-window: 4kb
response-body-minimal-inspect-size: 40kb
response-body-inspect-window: 16kb
suricata.yaml配置完成后,运行suricata -T以测试模式运行suricata,看下suricata.yaml是否有报错,如果有报错,要仔细检查下。要特别注意回车符和空格。若无报错,运行结果如下所示:
0x04 安装suricata-update管理规则
安装suricata-update的文章参见之前写的文章:
Suricata规则介绍、以及使用suricata-update做规则管理
suricata-update管理规则,会默认将多个规则集的每一条都写到/var/lib/suricata/rules/suricata.rules文件中。所以我们要在suricata的配置文件suricata.yaml中配置suricata的规则指定使用suricata.rules,其他的一些默认规则的配置都注释掉。suricata.yaml的配置如下图所示:
多个规则文件换行接着写,例如:
rule-files:
- suricata.rules
- suricata-ssh.rules
- cve_office.rules
suricata-update其他的一些使用简单介绍如下:
# 列出suricata-update支持的所有的规则源
suricata-update list-sources
# 启用一个规则集(我这边启用的是ET的规则集)
suricata-update enable-source et/open
目前把suricata-update这边能用的规则全部都enable了,后续根据误报情况再做优化。开启的规则集如下:
规则集开启完成后,使用如下命令进行规则下载和更新:
# 规则下载和更新
suricata-update
下载更新完,总共有3万+的规则:
规则下载和更新完后,使用suricata -T命令测试。若有相关规则报错,直接将该条报错的规则进行注释。suricata-update支持便捷的禁用规则的方法,在/etc/suricata目录下新建disable.conf。配置文件中写入规则特征,每次更新会禁用该规则。
参考Suricata-update的官方文档,disable.conf中支持三种规则特征:
支持三种方式进行规则禁用:规则的sid、正则表达式和规则组名。
报错的规则数量不多,我这边直接使用sid进行禁用,disable.conf中写入报错规则的sid后,使用如下命令进行规则更新:
suricata-update --disable-conf /etc/suricata/disable.conf
更多suricata-update的使用,请参照suricata-update的官网文档:
https://suricata-update.readthedocs.io
TIPS:更新完规则后,suricata不需要重新启动来载入新的规则,使用命令 ps -ef | grep suricata查看suricata的pid,通过kill命令发送usr2信号来重新加载suricata规则 kill -USR2 pid
0x05 Suricata的运行
待suricata的规则配置完成后,直接使用如下命令运行:
suricata --pfring-int=enp26s0f1 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml --init-errors-fatal -D -v
若需要停止suricata,运行如下命令即可:
ps -ef | grep suricata|grep -v grep
kill -9 id
rm -f /var/run/suricata.pid
报错:运行suricata时只有1个进程在跑,出现机器被跑死的情况
修改回原detect参数即可
原配置:
跑单核配置问题:
detect:
profile: high
custom-values:
toclient-groups: 100000
toserver-groups: 100000
sgh-mpm-context: full
inspection-recursion-limit: 1000000
Suricata之outputs
eve.json(事件输出日志)
根据时间进行文件储存
- eve-log:
enabled: yes
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve-%Y-%m-%d_%H:%M.json
# 根据秒、分钟、小时、天.
#分别写成eve-%Y-%m-%d_%H:%M:%S.json、eve-%Y-%m-%d_%H:%M.json、eve-%Y-%m-%d_%H.json、eve-%Y-%m-%d_%H.json
rotate-interval: hour
# 按每小时轮询存储文件,也可以按秒(30s)、分钟(minute)、天(day)
# 可以替换 30m为每30分钟一次,30h每30小时一次,30d 每30天一次,或30w每30周循环一次。
下面这个例子是一个简单的报警信息
03/26/2018-20:22:37.097370 [**] [1:0:0] hit baidu.com... [**] [Classification: (null)] [Priority: 3] {TCP} 10.2.41.231:48910 -> 221.130.253.135:8080
时间戳 03/26/2018-20:22:37.097370
报警信息分隔符 [**]
报警信息内容 hit baidu.com...
类型分类 [Classification: (null)]
优先级 [Priority: 3]
匹配到的协议类型 {TCP}
源IP地址以及端口 10.2.41.231:48910
数据流向 ->
目标IP地址以及端口 221.130.253.135:8080
Suricata网卡优化
Suricata网卡优化:丢包主要是网卡丢包或者内核丢包,网卡丢包在ifconfig里面就可以看到,具体原因还得通过ethtool来定位
查看网卡具体丢包原因:ethtool -S enp26s0f0 | ag 'error|drop'
网卡优化配置:
网卡RSS队列,对于ids设备来说影响性能,默认cpu有多少核心就会有多少队列数,如果设置为1导致rx_missed_errors可以改成2
查看队列:ethtool -L enp26s0f0
ethtool -L enp26s0f0 combined 1
ethtool -L enp26s0f1 combined 1
巨型帧将最大传输单元增加到9000 默认1500 ,数据包越小产生的CPU中断越多
ifconfig enp26s0f0 mtu 9000
ifconfig enp26s0f1 mtu 9000
网卡ring buffer 的值并非越大越好 将原来4096降到512
ethtool -g rx 512
网卡优化命令:
sudo ethtool -K enp26s0f0 rx off
sudo ethtool -K enp26s0f0 tx off
sudo ethtool -K enp26s0f0 sg off
sudo ethtool -K enp26s0f0 tso off
sudo ethtool -K enp26s0f0 gso off
sudo ethtool -K enp26s0f0 gro off
sudo ethtool -K enp26s0f0 lro off
sudo ethtool -K enp26s0f0 rxvlan off
sudo ethtool -K enp26s0f0 txvlan off
sudo ethtool -K enp26s0f0 ntuple off
sudo ethtool -K enp26s0f0 rxhash off
sudo ethtool -A enp26s0f0 rx off tx off
sudo ethtool -K enp26s0f1 rx off
sudo ethtool -K enp26s0f1 tx off
sudo ethtool -K enp26s0f1 sg off
sudo ethtool -K enp26s0f1 tso off
sudo ethtool -K enp26s0f1 gso off
sudo ethtool -K enp26s0f1 gro off
sudo ethtool -K enp26s0f1 lro off
sudo ethtool -K enp26s0f1 rxvlan off
sudo ethtool -K enp26s0f1 txvlan off
sudo ethtool -K enp26s0f1 ntuple off
sudo ethtool -K enp26s0f1 rxhash off
sudo ethtool -A enp26s0f1 rx off tx off
参考链接:https://www.cnblogs.com/luxiaojun/p/8808949.html
参考链接:scirius部署
日志参考:https://www.shuzhiduo.com/A/Gkz1k6EG5R/
扫一扫
2280
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
