From: Krzysiek
To: freebsd-pf@freebsd.org
Subject: Re: Machine freezes when loading pf ruleset
Date: Mon, 14 Dec 2015 11:24:57 +0100
Message-ID: <566E98F9.8090000@airnet.opole.pl>

Hello Andrej

This is exactly my issue. Thanks a lot!

Krzysiek Barcikowski

On 2015-12-14 at 10:54, Kolontai Andrej wrote:
> Hello Krzysiek,
>
> we've actually managed to resolve our problem. I guess I should have reported that back to the list, sorry for that.
>
> Yet, our problem was not related to the issues addressed by the patch. It turned out to be a small bug in pfctl (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202996).
>
> In our configuration, pfctl effectively set the debug level to "loud" before loading the ruleset and back to the normal value after it finished.
> That caused a lot of messages to be sent to the console and syslog right out from the pf code. As a result, this reduced the pf processing to the speed of the console/syslog, which apparently is not much on our machines. At least not enough for gbit traffic. That's why the machine appeared to be frozen.
>
> You can only be affected by this bug if you have set the debug level inside the ruleset, i.e. "set debug urgent". If that is the case, just remove the statement and try again. The debug level can also be set via command line if necessary.
>
> So far, we never had any problems again.
>
> Kind regards
> Andrej Kolontai
>
> Ludwig-Maximilians-Universitaet Muenchen
> Ref. VI.4 (IT-Sicherheit & Verzeichnisdienste)
> Martiusstrasse 4 / 207
> 80802 Muenchen
>
> phone +49 (0)89 2180-3815
> email mailto:andrej.kolontai@verwaltung.uni-muenchen.de
> web http://www.uni-muenchen.de/zuv/it/
>
>> -----Original Message-----
>> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Krzysiek
>> Sent: Friday, December 11, 2015 10:43 PM
>> To: freebsd-pf@freebsd.org
>> Subject: Re: Machine freezes when loading pf ruleset
>>
>> On 2015-08-27 at 15:32, Kolontai Andrej wrote:
>>>> The patch provided at https://reviews.freebsd.org/D3503 should help your case.
>>>> During a full ruleset reload, taking into account so many rules, you will impact normal packet processing.
>>>> Hence you have the feeling of the box being frozen or not forwarding traffic.
>>>> That patch reduces the overhead of reloading a ruleset.
>>>> Though even more lock breakdown is necessary on pf(4) but that is another topic.
>>> Sounds great. I'll try that.
>>>
>>> Andrej
>>>
>>> _______________________________________________
>>> freebsd-pf@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>> Hello,
>>
>> Dear Andrej
>> Please let us know, did the provided patch work for you?
>> I'm experiencing similar problems with 10.2 (r287460M), but my ruleset
>> is just 45 lines (`pfctl -sr | wc -l`).
>> Btw. I'm not using CARP/pfsync, just pf and pflog.
>>
>> Thanks!
>> Best regards
>> Krzysiek Barcikowski
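
Added example, not part of the thread: a check for the condition Andrej describes, an active `set debug` statement inside the ruleset file, with the workaround he gives printed for each hit. The sample ruleset is constructed and the function names are hypothetical; `pfctl -x <level>` is the command-line way to set the debug level.

```shell
#!/bin/sh
# Added example (not from the thread): find active "set debug" statements in a
# pf ruleset file, the condition named in the thread for hitting the pfctl bug.

# find_set_debug FILE
# Prints "FILE:LINE:LEVEL" for every uncommented "set debug <level>" statement.
# Limitation: does not follow "include" statements or expand macros.
find_set_debug() {
    awk -v f="$1" '
        { line = $0; sub(/#.*/, "", line) }          # drop trailing comments
        match(line, /^[ \t]*set[ \t]+debug[ \t]+[a-z]+/) {
            n = split(substr(line, RSTART, RLENGTH), w, /[ \t]+/)
            print f ":" NR ":" w[n]                  # last word is the level
        }
    ' "$1"
}

# advise FILE
# Turns each hit into the workaround from the thread: remove the statement
# and, if the level is still wanted, set it from the command line instead.
advise() {
    find_set_debug "$1" | while IFS=: read -r file lineno level; do
        echo "$file line $lineno: remove 'set debug $level'; use: pfctl -x $level"
    done
}

# Constructed sample ruleset (hypothetical contents, written to a temp file).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
set skip on lo0
set debug urgent        # active: triggers the behaviour described above
# set debug loud        (commented out: ignored)
block in all
pass out all keep state
EOF

advise "$sample"
```

On a real system, pass the path of the ruleset file that pfctl loads instead of the sample.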