Subject: Re: fragments processing
To: freebsd-pf@FreeBSD.org
From: Max
Date: Fri, 20 May 2016 16:27:40 +0300

Hello, Kristof.

20.05.2016 11:53, Kristof Provost wrote:
> Hi Max,
>
> > On 19 May 2016, at 19:49, Max wrote:
>> The number of used frags (almost) never decreases. I don't have
>> enough experience in programming. But I guess that the problem may be
>> in "frag->fr_timeout = time_second;" in pf_fillup_fragment()
>> (pf_norm.c). It should be "frag->fr_timeout = time_uptime;".
>> Actually, I don't know the difference between those variables. So,
>> correct me if I'm wrong.
>>
> I think you’re right. If I’m reading the code right time_second is unix time,
> but time_uptime is the number of seconds the system has been up.
>
> Either one should work, but we have to be consistent.
> The rest of the code seems to use time_uptime, so this untested patch
> should fix your problem.
>
> diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c > index a2841a2..dbc8818 100644 > --- a/sys/netpfil/pf/pf_norm.c > +++ b/sys/netpfil/pf/pf_norm.c 
> @@ -374,7 +374,7 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, > struct pf_frent *frent, > } > > *(struct pf_fragment_cmp *)frag = *key; > - frag->fr_timeout = time_second; > + frag->fr_timeout = time_uptime; > frag->fr_maxlen = frent->fe_len; > TAILQ_INIT(&frag->fr_queue); >

I rebuilt the kernel. It seems the problem is gone.

>> P.P.S. I confirm the bug
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519.
>
> It’s on my list, but unfortunately it’s a very long list.

I'll wait for the patch. Thank you.

>
> Regards,
> Kristof

Here are some statistics:

# sh -c "while true ; do date; { vmstat -z; pfctl -si; } | sed -n '1p;/frag/p'; echo; sleep 5; done"
Fri May 20 13:07:11 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 0, 132, 71, 0, 0
pf frag entries: 40, 5000, 0, 600, 147, 0, 0
fragment 4 0.0/s

...

Fri May 20 16:07:16 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 0, 132, 761, 0, 0
pf frag entries: 40, 5000, 0, 600, 1531, 0, 0
fragment 4 0.0/s

Fri May 20 16:07:21 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 1, 131, 771, 0, 0
pf frag entries: 40, 5000, 1, 599, 1551, 0, 0
fragment 5 0.0/s

...

Fri May 20 16:07:56 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 1, 131, 771, 0, 0
pf frag entries: 40, 5000, 1, 599, 1551, 0, 0
fragment 5 0.0/s

Fri May 20 16:08:01 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 0, 132, 771, 0, 0
pf frag entries: 40, 5000, 0, 600, 1551, 0, 0
fragment 5 0.0/s

...

Fri May 20 16:11:12 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 0, 132, 771, 0, 0
pf frag entries: 40, 5000, 0, 600, 1551, 0, 0
fragment 5 0.0/s

Fri May 20 16:11:17 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 1, 131, 781, 0, 0
pf frag entries: 40, 5000, 1, 599, 1571, 0, 0
fragment 6 0.0/s

...

Fri May 20 16:11:42 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 1, 131, 781, 0, 0
pf frag entries: 40, 5000, 1, 599, 1571, 0, 0
fragment 6 0.0/s

Fri May 20 16:11:47 MSK 2016
ITEM SIZE LIMIT USED FREE REQ FAIL SLEEP
pf frags: 120, 0, 0, 132, 781, 0, 0
pf frag entries: 40, 5000, 0, 600, 1571, 0, 0
fragment 6 0.0/s
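
Review bot: In pf_fillup_fragment() the fr_timeout assignment is the only clock use this hunk shows, so the fix rests on the statement that the rest of the code uses time_uptime and on a patch described as untested. Please confirm that every other writer of fr_timeout and every comparison against it in pf_norm.c is on the time_uptime base, and say so in the commit message. A stamp taken from time_second (Unix time) and compared against an uptime-based threshold would always look newer than the threshold, which fits the report that used frags almost never decrease. A one-line comment at the assignment, or at the field's definition, naming the clock base fr_timeout uses would help keep the two from being mixed again.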
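
The clock mismatch discussed in this thread, as an added example that is not part of the original messages and is not pf source: a simplified model in which entries are stamped from one clock and purged against another, showing the pool filling to its limit. The 30-second timeout, the one-entry-per-second arrival rate, the uptime and wall-clock values, and the names `simulate` and `struct result` are assumptions made for the model; only the 5000 limit comes from the output above.

```c
#include <stdint.h>
#include <stdio.h>

#define POOL_LIMIT   5000 /* LIMIT of "pf frag entries" in the vmstat -z output above */
#define FRAG_TIMEOUT 30   /* assumed expiry in seconds (constructed for this model) */

struct result { unsigned peak_used; unsigned alloc_failures; };

/*
 * Simplified model, not pf source. One reassembly entry is created per second
 * and stamped with (stamp_base + t). Each second a purge pass frees every
 * entry whose stamp is <= uptime - FRAG_TIMEOUT. uptime_base must be at least
 * FRAG_TIMEOUT so the subtraction does not wrap.
 */
static struct result simulate(uint32_t stamp_base, uint32_t uptime_base,
                              unsigned seconds)
{
    static uint32_t stamps[POOL_LIMIT];
    struct result r = {0, 0};
    unsigned used = 0;

    for (unsigned t = 0; t < seconds; t++) {
        uint32_t expire = uptime_base + t - FRAG_TIMEOUT;
        unsigned kept = 0;

        /* Purge: keep only entries newer than the expiry threshold. */
        for (unsigned i = 0; i < used; i++)
            if (stamps[i] > expire)
                stamps[kept++] = stamps[i];
        used = kept;

        /* Allocate this second's entry, or record a failure if the pool is full. */
        if (used < POOL_LIMIT)
            stamps[used++] = stamp_base + t;
        else
            r.alloc_failures++;
        if (used > r.peak_used)
            r.peak_used = used;
    }
    return r;
}

int main(void)
{
    /* Constructed values: uptime 3600 s, wall clock 1463750870 (Unix time). */
    struct result same  = simulate(3600u, 3600u, 6000);
    struct result mixed = simulate(1463750870u, 3600u, 6000);
    printf("same clock:  peak=%u failures=%u\n", same.peak_used, same.alloc_failures);
    printf("mixed clock: peak=%u failures=%u\n", mixed.peak_used, mixed.alloc_failures);
    return 0;
}
```

With both stamps and purge on the same clock the pool stays bounded by the timeout; with a wall-clock stamp and an uptime purge nothing is ever freed, and allocations start failing once the limit is reached.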