Date: Mon, 12 Jan 2015 19:05:54 +0300
From: Slawa Olhovchenkov
To: Gleb Smirnoff
Cc: Craig Rodrigues, src-committers@freebsd.org, svn-src-all@freebsd.org, Nikos Vassiliadis, svn-src-head@freebsd.org, "Bjoern A. Zeeb"
Subject: Re: svn commit: r276747 - head/sys/netpfil/pf

On Mon, Jan 12, 2015 at 05:41:36PM +0300, Gleb Smirnoff wrote:

> On Thu, Jan 08, 2015 at 12:49:45AM +0000, Bjoern A. Zeeb wrote:
> B> > B> > AFAIU, from the PR there is some panic fixed. What is the actual bug
> B> > B> > and why couldn't it be fixed with having per-vnet thread?
> B> > B>
> B> > B> You don't 30000 whatever pf purging threads on a system all running, possibly competing for some resources, e.g., locks?
> B> >
> B> > Isn't a vnet, which is a jail, already a set of a dozen of processes? So,
> B> > if you are speaking of "30000 whatever pf purging threads", then you
> B> > already mean "1 mln whatever processes".
> B>
> B> jail/VNETs can exist without a single process attached.
> B>
> B> But I guess the point is that there is only so much work we can do at the same time and we should be very careful in what we try to parallellellellize as with 5 vnets it might be fine, with a couple of thousand you may keep a system busy with itself.
>
> Let's admit that thousand of vnets all running pf is bizarre design
> and has no practical application.

Hosted firewall/NAT for ISP/Data centers.