From: "Kristof Provost"
To: "Bjoern A. Zeeb"
Cc: "Rodney W. Grimes", "Ernie Luzar", "FreeBSD current"
Subject: Re: 12.0-BETA1 vnet with pf firewall
Date: Tue, 30 Oct 2018 15:03:37 +0100

On 30 Oct 2018, at 14:29, Bjoern A. Zeeb wrote:
> On 30 Oct 2018, at 12:23, Kristof Provost wrote:
>> I’m not too familiar with this part of the vnet code, but it looks
>> to me like we’ve got more per-vnet variables than was originally
>> anticipated, so we may need to just increase the allocated space.
>
> Can you elfdump -a the two modules and see how big their set_vnet
> section sizes are? I see:
>
> pf.ko: sh_size: 6664
> ipl.ko: sh_size: 2992
>
I see exactly the same numbers.

> VNET_MODMIN is two pages (8k). So yes, that would exceed the module
> space.
> Having 6.6k global variable space is a bit excessive? Where does that
> come from? multicast used to have a similar problem in the past that
> it could not be loaded as a module as it had a massive array there and
> we changed it to be malloced and that reduced it to a pointer.
>
> 0000000000000f38 l O set_vnet 0000000000000428
> vnet_entry_pfr_nulltable

That’s a default table. It’s large because it uses MAXPATHLEN for the
pfrt_anchor string.

> 0000000000000b10 l O set_vnet 00000000000003d0
> vnet_entry_pf_default_rule

Default rule. Rules potentially contain names, tag names, interface
names, … so it’s a large structure.

> 0000000000001370 l O set_vnet 0000000000000690
> vnet_entry_pf_main_anchor

Anchors use MAXPATHLEN for the anchor path, so that’s 1024 bytes right
away.

> 0000000000000000 l O set_vnet 0000000000000120
> vnet_entry_pf_status
>
pf status. Mostly counters.

I’ll see about putting moving those into the heap on my todo list.

Best regards,
Kristof

From: "Rodney W. Grimes"
To: Kristof Provost
Cc: "Bjoern A. Zeeb", Ernie Luzar, FreeBSD current
Subject: Re: 12.0-BETA1 vnet with pf firewall
Date: Tue, 30 Oct 2018 07:14:20 -0700 (PDT)

> On 30 Oct 2018, at 14:29, Bjoern A. Zeeb wrote:
> > On 30 Oct 2018, at 12:23, Kristof Provost wrote:
> >> I’m not too familiar with this part of the vnet code, but it looks
> >> to me like we’ve got more per-vnet variables than was originally
> >> anticipated, so we may need to just increase the allocated space.
> >
> > Can you elfdump -a the two modules and see how big their set_vnet
> > section sizes are? I see:
> >
> > pf.ko: sh_size: 6664
> > ipl.ko: sh_size: 2992
> >
> I see exactly the same numbers.
>
> > VNET_MODMIN is two pages (8k). So yes, that would exceed the module
> > space.
> > Having 6.6k global variable space is a bit excessive? Where does that
> > come from? multicast used to have a similar problem in the past that
> > it could not be loaded as a module as it had a massive array there and
> > we changed it to be malloced and that reduced it to a pointer.
> >
> > 0000000000000f38 l O set_vnet 0000000000000428
> > vnet_entry_pfr_nulltable
> That’s a default table. It’s large because it uses MAXPATHLEN for
> the pfrt_anchor string.
>
> > 0000000000000b10 l O set_vnet 00000000000003d0
> > vnet_entry_pf_default_rule
> Default rule. Rules potentially contain names, tag names, interface
> names, … so it’s a large structure.
>
> > 0000000000001370 l O set_vnet 0000000000000690
> > vnet_entry_pf_main_anchor
> Anchors use MAXPATHLEN for the anchor path, so that’s 1024 bytes right
> away.
>
> > 0000000000000000 l O set_vnet 0000000000000120
> > vnet_entry_pf_status
> >
> pf status. Mostly counters.
>
> I’ll see about putting moving those into the heap on my todo list.

Though that removes the current situation, it is a partial fix,
doesn't this static sized 2 page VNET_MODMIN need to be fixed in
the longer term?

--
Rod Grimes rgrimes@freebsd.org
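
Added example, not part of the thread and not FreeBSD code: the arithmetic behind the discussion, parsing the set_vnet symbol lines quoted above and checking the reported section sizes against the 8k VNET_MODMIN reserve. It assumes, as the thread's reasoning implies, that pf.ko and ipl.ko loaded together draw on the same reserve; the function names are hypothetical.

```python
import re

# "two pages (8k)" as stated in the thread; a 4096-byte page is implied by that figure.
VNET_MODMIN = 2 * 4096

# set_vnet section sizes (sh_size) reported in the thread from elfdump -a.
SECTION_SIZES = {"pf.ko": 6664, "ipl.ko": 2992}

# Symbol-table lines as quoted in the thread: offset, flags, section, size, name.
PF_SYMBOLS = """\
0000000000000f38 l O set_vnet 0000000000000428 vnet_entry_pfr_nulltable
0000000000000b10 l O set_vnet 00000000000003d0 vnet_entry_pf_default_rule
0000000000001370 l O set_vnet 0000000000000690 vnet_entry_pf_main_anchor
0000000000000000 l O set_vnet 0000000000000120 vnet_entry_pf_status
"""

SYM_RE = re.compile(
    r"^([0-9a-f]{16})\s+\S+\s+\S+\s+set_vnet\s+([0-9a-f]{16})\s+(\S+)$")


def parse_set_vnet(text):
    """Return [(name, offset, size)] for set_vnet objects, largest first."""
    out = []
    for line in text.splitlines():
        m = SYM_RE.match(line.strip())
        if m:  # lines for other sections or malformed lines are skipped
            out.append((m.group(3), int(m.group(1), 16), int(m.group(2), 16)))
    return sorted(out, key=lambda s: s[2], reverse=True)


def budget(sections, limit=VNET_MODMIN):
    """Return (total, headroom, fits) for modules loaded together (assumed shared reserve)."""
    total = sum(sections.values())
    return total, limit - total, total <= limit


def report():
    syms = parse_set_vnet(PF_SYMBOLS)
    listed = sum(size for _, _, size in syms)
    lines = [f"{name:32s} {size:5d} bytes" for name, _, size in syms]
    lines.append(f"four listed symbols: {listed} of {SECTION_SIZES['pf.ko']} bytes")
    for mods in (["pf.ko"], ["ipl.ko"], ["pf.ko", "ipl.ko"]):
        total, head, fits = budget({m: SECTION_SIZES[m] for m in mods})
        lines.append(f"{'+'.join(mods):14s} {total:5d} bytes, headroom {head:6d}, fits={fits}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Each module fits within the reserve on its own; the two together do not, and the four symbols discussed account for 4008 of pf.ko's 6664 bytes.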