From: Felix Gallo
Date: Wed, 30 Sep 2015 18:06:10 -0700
Subject: PF appears to lock up a machine with a large number of jails
To: freebsd-pf@freebsd.org

FreeBSD ip-172-31-63-223 10.2-RELEASE FreeBSD 10.2-RELEASE #0 r286666: Wed Aug 12 15:26:37 UTC 2015 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64

I am using the github dev version of 'iocage' (an ezjail-like shell script) to generate a large number of jails.

SITUATION 1. When I am creating the jails, which all use a shared ipv6 interface to the hosts' loopback, in a loop, after a certain number of jails (sometimes ~70, sometimes ~100), the machine appears to hang. Upon reboot, the machine has nothing interesting in the logs.

SITUATION 2. I then realized that I had TSO enabled on the interface, which seems to interact very badly with pf. So I disabled it and started creating the jails again. Again, it hung the box, but this time seemed to take a lot longer to do so (over 100 jails created).

SITUATION 3. I rebooted. I then disabled pf and created the jails. This went fine and I was able to create and run 750 jails without issue.

SITUATION 4. I rebooted. I disabled TSO. I then attempted to re-enable pf with pfctl -e. This immediately killed the box.

SITUATION 5. I rebooted. I then deleted all my jails, recreated a smaller number (150) with PF disabled and TSO disabled, and then re-enabled PF. This appeared to work for a time, but after some period of time, the machine again hung.

Not sure how else to help debug this one; happy to help if given direction.

F.