Date: Mon, 14 Dec 2015 09:54:10 +0000
From: Kolontai Andrej <Andrej.Kolontai@Verwaltung.Uni-Muenchen.DE>
To: "'freebsd-pf@freebsd.org'" <freebsd-pf@freebsd.org>
Subject: RE: Machine freezes when loading pf ruleset
Message-ID: <894145A3DDBDEF4880E00D334DCD87264AA602D3@MXS2.zuv.uni-muenchen.de>
In-Reply-To: <566B4370.6090309@airnet.opole.pl>
References: <b248a69a-0768-4e55-b2a2-4571e28b858f@CASHTS1.zuv.uni-muenchen.de> <CAE63ME69-J-bh9%2B0cPA6w%2BXAPAm1D08S7uvfi1O9bQyNE_ju1A@mail.gmail.com> <894145A3DDBDEF4880E00D334DCD87263EC814A8@MXS2.zuv.uni-muenchen.de> <CAPBZQG3L75iTF1u6k4WpkpzqaH-y75cW%2BYaEXrMAVx7=QgaEzg@mail.gmail.com> <894145A3DDBDEF4880E00D334DCD87263EC83B6C@MXS2.zuv.uni-muenchen.de> <566B4370.6090309@airnet.opole.pl>

Hello Krzysiek,

we've actually managed to resolve our problem. I guess I should have reported that back to the list, sorry for that.

Yet, our problem was not related to the issues addressed by the patch. It turned out to be a small bug in pfctl (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202996).

In our configuration, pfctl effectively set the debug level to "loud" before loading the ruleset and back to the normal value after it finished. That caused a lot of messages to be sent to the console and syslog right out from the pf code. In result, this reduced the pf processing to the speed of the console/syslog which apparently is not much on our machines. At least not enough for gbit traffic. That's why the machine appeared to be frozen.

You can only be affected by this bug if you have set the debug level inside the ruleset, i.e. "set debug urgent". If that is the case just remove the statement and try again. The debug level can also be set via command line if necessary.

So far, we never had any problems again.

Best regards

Andrej Kolontai
Ludwig-Maximilians-Universitaet Muenchen
Ref. VI.4 (IT-Sicherheit & Verzeichnisdienste)
Martiusstrasse 4 / 207
80802 Muenchen
phone +49 (0)89 2180-3815
email mailto:andrej.kolontai@verwaltung.uni-muenchen.de
web http://www.uni-muenchen.de/zuv/it/

>-----Original Message-----
>From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Krzysiek
>Sent: Friday, December 11, 2015 10:43 PM
>To: freebsd-pf@freebsd.org
>Subject: Re: Machine freezes when loading pf ruleset
>
>On 2015-08-27 at 15:32, Kolontai Andrej wrote:
>>> The patch provided at https://reviews.freebsd.org/D3503 should help your case.
>>> During a full ruleset reload, taking into account so many rules, you will impact normal packet processing.
>>> Hence you have the feeling of the box being frozen or not forwarding traffic.
>>> That patch reduces the overhead of reloading a ruleset.
>>> Though even more lock breakdown is necessary on pf(4) but that is another topic.
>> Sounds great. I'll try that.
>>
>> Andrej
>>
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
>Hello,
>
>Dear Andrej
>Please let us know, did the provided patch work for you?
>I'm experiencing similar problems with 10.2 (r287460M), but my ruleset is just 45 lines (`pfctl -sr | wc -l`).
>Btw. I'm not using CARP/pfsync, just pf and pflog.
>
>Thanks!
>Best regards
>Krzysiek Barcikowski