snort3 / snort3

Snort++

Very slow afpacket in inline mode #112

Open ArturB opened 4 years ago

ArturB commented 4 years ago

I've just set up Snort 3 in inline mode using the afpacket DAQ and the default Talos rules. Snort is running on a Protectli FW4B https://protectli.com/product/fw4b/, which definitely isn't low-end hardware (Intel Celeron J3160 Quad Core at 1.6 GHz). Despite this, download/upload speed on the protected machine is very slow. [image] Without Snort: [image]

Here's the profiler output, which suggests it's afpacket's fault:

module profile (all, depth 255, sorted by total_time)
#                      module layer    checks   time(us)  avg/check  %/caller  %/total
=                      ====== =====    ======   ========  =========  ========  =======
 1                        daq     1     34086  115054003       3375     98.08    98.08
 2                      other     1     19100     666841         34      0.57     0.57
 3                 stream_tcp     1     16954     455365         26      0.39     0.39
 4                       mpse     1     72276     435544          6      0.37     0.37
 5                     decode     1     19100     213936         11      0.18     0.18
 6                     stream     1     17322     143073          8      0.12     0.12
 7                      appid     1     17322     132244          7      0.11     0.11
 8                 normalizer     1     17322      58814          3      0.05     0.05
 9                  port_scan     1     17322      35996          2      0.03     0.03
 10                 rule_eval     1     19095      35950          1      0.03     0.03
 11                       paf     1     10222      27862          2      0.02     0.02
 12                    eventq     1     22807      25787          1      0.02     0.02
 13                       ssl     1      1749       7640          4      0.01     0.01
 14                    binder     1       180       4821         26      0.00     0.00
 15                stream_udp     1       330       2096          6      0.00     0.00
 16              http_inspect     1       136       1762         12      0.00     0.00
 17                    wizard     1        67       1035         15      0.00     0.00
 18                       dns     1       294        808          2      0.00     0.00
 19              back_orifice     1       330        545          1      0.00     0.00
 20                 arp_spoof     1        30         94          3      0.00     0.00
 21                 stream_ip     1         6         23          3      0.00     0.00
--                      total    --     19100  117304247       6141        --   100.00

My snort.lua:

---------------------------------------------------------------------------
-- 0. configure DAQ
---------------------------------------------------------------------------
daq =
{
        module_dirs =
        {
                '/usr/lib64/daq'
        },
        modules =
        {
                {
                        name = 'afpacket',
                        mode = 'inline'
                }
        },
        inputs =
        {
                'enp1s0.91:enp2s0.131'
        },
        snaplen = 1518
}

Other settings are left as default.

I've noticed that, by default, Snort 3 is compiled with the -pg compiler option and no optimization flags, so I edited the cmake/configure_options.cmake file to include a release build type with -O3:

if ( ENABLE_DEBUG )
    string ( APPEND DEBUGGING_C_FLAGS " -g -DDEBUG" )
else ()
    string ( APPEND DEBUGGING_C_FLAGS " -DNDEBUG" )
endif ( ENABLE_DEBUG )

if ( ENABLE_RELEASE )
    string ( APPEND DEBUGGING_C_FLAGS " -O3" )
endif ( ENABLE_RELEASE )

if ( ENABLE_PROFILE AND CMAKE_COMPILER_IS_GNUCXX )
    string ( APPEND DEBUGGING_C_FLAGS " -pg" )
endif ( ENABLE_PROFILE AND CMAKE_COMPILER_IS_GNUCXX )

However, it makes no difference at all. I've also checked that libdaq is compiled with -O2 by default, so that shouldn't be an issue. Also, running Snort without the Talos ruleset doesn't help.

Have you any idea why Snort 3 is so slow?

Xiche commented 4 years ago

Did you read the Interface Preparation section in the AFPacket README from libdaq? The behavior that you are describing sounds like what happens when you don't properly disable the receive-side offloading on the interfaces and fail to pass the oversized aggregated packets through to the other side.
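The interface check Xiche points at, as an added example: this script is not from the issue, the Snort project or the libdaq README. It reads `ethtool -k` output for each interface of the inline pair, lists the receive/segmentation offloads (GRO, LRO, TSO, GSO) that are still on, and builds and runs the single `ethtool -K ... off` command that disables the tunable ones, reporting any the driver marks `[fixed]`. The interface names are the ones from the posted snort.lua; the feature names are ethtool's own; applying the change needs root. The sample `ethtool -k` text embedded at the bottom is constructed so the parsing can be exercised offline and is not output captured from the reporter's box.

```shell
#!/bin/sh
# Added example (not from the issue, the Snort project or the libdaq README):
# find and disable the offloads that make the kernel hand Snort aggregated
# frames larger than one wire frame on an AFPacket inline pair.

# short name accepted by 'ethtool -K' : long name printed by 'ethtool -k'
OFFLOADS="gro:generic-receive-offload lro:large-receive-offload"
OFFLOADS="$OFFLOADS tso:tcp-segmentation-offload gso:generic-segmentation-offload"

# offloads_on: read 'ethtool -k' output on stdin; print the short name of every
# listed offload whose state is 'on', one per line, with ' fixed' appended when
# the driver reports it as '[fixed]' (cannot be changed with -K).
offloads_on() {
    out=$(cat)
    for pair in $OFFLOADS; do
        short=${pair%%:*}
        long=${pair#*:}
        state=$(printf '%s\n' "$out" \
            | sed -n "s/^[[:space:]]*${long}:[[:space:]]*//p" \
            | sed 's/[[:space:]]*$//')
        case "$state" in
            on)           printf '%s\n' "$short" ;;
            "on [fixed]") printf '%s fixed\n' "$short" ;;
        esac
    done
}

# disable_cmd IFACE: read offloads_on output on stdin and print the single
# 'ethtool -K' command that turns the tunable ones off (prints nothing if
# there is nothing to do).
disable_cmd() {
    iface=$1
    args=""
    while read -r short rest; do
        if [ "$rest" != "fixed" ]; then
            args="$args $short off"
        fi
    done
    if [ -n "$args" ]; then
        printf 'ethtool -K %s%s\n' "$iface" "$args"
    fi
}

# prepare_iface IFACE: apply the change on a real interface (needs root) and
# re-check; anything still on afterwards is fixed by the driver, so that NIC
# will keep handing over aggregated frames.
prepare_iface() {
    iface=$1
    cmd=$(ethtool -k "$iface" | offloads_on | disable_cmd "$iface")
    if [ -n "$cmd" ]; then
        echo "$iface: running: $cmd"
        $cmd || { echo "$iface: $cmd failed (not root?)" >&2; return 1; }
    fi
    left=$(ethtool -k "$iface" | offloads_on)
    if [ -n "$left" ]; then
        echo "$iface: still on, cannot be disabled: $left" >&2
        return 1
    fi
    echo "$iface: offloads disabled"
}

# Constructed 'ethtool -k' output for offline testing (not captured from the
# issue's box): LRO is off and fixed, the other three offloads are on.
SAMPLE_K='Features for enp1s0.91:
rx-checksumming: on
tx-checksumming: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on'

if [ $# -gt 0 ]; then
    # Usage (as root): sh prepare_afpacket.sh enp1s0.91 enp2s0.131
    rc=0
    for i in "$@"; do prepare_iface "$i" || rc=1; done
    exit "$rc"
else
    # No interfaces given: show the command that would be run for the sample.
    printf '%s\n' "$SAMPLE_K" | offloads_on | disable_cmd enp1s0.91
fi
```

Run it on both sides of the pair named in the snort.lua `inputs` entry, not just the receiving side, before starting Snort. It only covers the offload half of Xiche's reply; the other half, letting aggregated packets through, is about packet size, and the posted configuration sets `snaplen = 1518`, a single standard Ethernet frame, so any larger frame that still reaches Snort because an offload is `[fixed]` on would not fit in it.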