From: Kolontai Andrej
To: "'freebsd-pf@freebsd.org'"
Subject: RE: Machine freezes when loading pf ruleset
Date: Mon, 14 Dec 2015 09:54:10 +0000

Hello Krzysiek,

we've actually managed to resolve our problem. I guess I should have reported that back to the list, sorry for that.

Yet, our problem was not related to the issues addressed by the patch. It turned out to be a small bug in pfctl (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202996).

In our configuration, pfctl effectively set the debug level to "loud" before loading the ruleset and back to the normal value after it finished.
That caused a lot of messages to be sent to the console and syslog right out from the pf code. In result, this reduced the pf processing to the speed of the console/syslog which apparently is not much on our machines. At least not enough for gbit traffic. That's why the machine appeared to be frozen.

You can only be affected by this bug if you have set the debug level inside the ruleset, i.e. "set debug urgent". If that is the case just remove the statement and try again. The debug level can also be set via command line if necessary.

So far, we never had any problems again.

Best regards

Andrej Kolontai

Ludwig-Maximilians-Universitaet Muenchen
Ref. VI.4 (IT-Sicherheit & Verzeichnisdienste)
Martiusstrasse 4 / 207
80802 Muenchen
phone +49 (0)89 2180-3815
email mailto:andrej.kolontai@verwaltung.uni-muenchen.de
web http://www.uni-muenchen.de/zuv/it/

>-----Original Message-----
>From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Krzysiek
>Sent: Friday, December 11, 2015 10:43 PM
>To: freebsd-pf@freebsd.org
>Subject: Re: Machine freezes when loading pf ruleset
>
>On 2015-08-27 at 15:32, Kolontai Andrej wrote:
>>> The patch provided at https://reviews.freebsd.org/D3503 should help your case.
>>> During a full ruleset reload, taking into account so many rules, you will impact normal packet processing.
>>> Hence you have the feeling of the box being frozen or not forwarding traffic.
>>> That patch reduces the overhead of reloading a ruleset.
>>> Though even more lock breakdown is necessary on pf(4) but that is another topic.
>> Sounds great. I'll try that.
>>
>> Andrej
>>
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
>Hello,
>
>Dear Andrej
>Please let us know, did the provided patch work for you?
>I'm experiencing similar problems with 10.2 (r287460M), but my ruleset
>is just 45 lines (`pfctl -sr | wc -l`).
>Btw. I'm not using CARP/pfsync, just pf and pflog.
>
>Thanks!
>Best regards
>Krzysiek Barcikowski
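
Added example (not part of the original messages): a way to check whether a ruleset contains the "set debug" statement that the reply above names as the trigger, including files pulled in with include. The function names and the sample ruleset are constructed for illustration; comment stripping is simplified and does not handle a "#" inside a quoted string.

```shell
#!/bin/sh
# Added example: report active "set debug" statements in a pf ruleset.
# If any are found, remove them and set the level from the command line
# instead, e.g. with pfctl -x <level>.

# Print "file:line: statement" for each active "set debug" in $1,
# following include "file" directives. Commented-out lines are ignored.
find_set_debug() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk -v f="$conf" '
        { sub(/#.*/, "") }                      # drop comments
        /^[ \t]*set[ \t]+debug([ \t]|$)/ {
            gsub(/^[ \t]+|[ \t]+$/, "")         # trim whitespace
            print f ":" NR ": " $0
        }' "$conf"
    # Recurse into included files (the loop runs in a subshell).
    awk '{ sub(/#.*/, "") }
         /^[ \t]*include[ \t]+"/ { split($0, a, "\""); print a[2] }' "$conf" |
    while IFS= read -r inc; do
        find_set_debug "$inc"
    done
}

# Build a small constructed ruleset in directory $1 for demonstration.
make_sample() {
    mkdir -p "$1"
    cat > "$1/pf.conf" <<EOF
# set debug loud   (commented out, must not be reported)
set debug urgent
set skip on lo0
include "$1/filter.conf"
pass out all
EOF
    printf 'set   debug misc\nblock in all\n' > "$1/filter.conf"
}

# Demo run on the constructed sample.
tmp=$(mktemp -d)
make_sample "$tmp"
find_set_debug "$tmp/pf.conf"
rm -rf "$tmp"
```

On a real system, point find_set_debug at the ruleset file that pfctl loads, typically /etc/pf.conf.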