Hello Andrej
This is exactly my issue. Thanks a lot!
Krzysiek Barcikowski
On 2015-12-14 at 10:54, Kolontai Andrej wrote:
Hello Krzysiek,
we've actually managed to resolve our problem. I guess I should have reported
that back to the list, sorry for that.
Yet, our problem was not related to the issues addressed by the patch. It
turned out to be a small bug in pfctl
(https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202996).
In our configuration, pfctl effectively set the debug level to "loud" before
loading the ruleset and back to the normal value after it finished.
That caused a lot of messages to be sent to the console and syslog straight out
of the pf code. As a result, this reduced the pf processing to the speed of the
console/syslog, which apparently is not much on our machines. At least not
enough for gbit traffic. That's why the machine appeared to be frozen.
You can only be affected by this bug if you have set the debug level inside the ruleset,
i.e. "set debug urgent". If that is the case just remove the statement and try
again. The debug level can also be set via command line if necessary.
So far, we never had any problems again.
Best regards
Andrej Kolontai
Ludwig-Maximilians-Universitaet Muenchen
Ref. VI.4 (IT-Sicherheit & Verzeichnisdienste)
Martiusstrasse 4 / 207
80802 Muenchen
phone +49 (0)89 2180-3815
email mailto:[email protected]
web http://www.uni-muenchen.de/zuv/it/
-----Original Message-----
From: [email protected] [mailto:owner-freebsd-
[email protected]] On Behalf Of Krzysiek
Sent: Friday, December 11, 2015 10:43 PM
To: [email protected]
Subject: Re: Machine freezes when loading pf ruleset
On 2015-08-27 at 15:32, Kolontai Andrej wrote:
The patch provided at https://reviews.freebsd.org/D3503 should help your
case.
During a full ruleset reload, taking into account so many rules, you will
impact normal packet processing.
Hence you have the feeling of the box being frozen or not forwarding
traffic.
That patch reduces the overhead of reloading a ruleset.
Though even more lock breakdown is necessary on pf(4) but that is
another topic.
Sounds great. I'll try that.
Andrej
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
Hello,
Dear Andrej
Please let us know, did the provided patch work for you?
I'm experiencing similar problems with 10.2 (r287460M), but my ruleset
is just 45 lines (`pfctl -sr | wc -l`).
Btw. I'm not using CARP/pfsync, just pf and pflog.
Thanks!
Best regards
Krzysiek Barcikowski
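The check described in the thread (is the debug level set inside the ruleset?) as an added example that is not part of the original messages: a shell function that reports every active `set debug` statement in a pf ruleset and in files pulled in with `include`. The function name `find_set_debug` is hypothetical, and the script assumes the usual pf.conf conventions (`#` comments, `include "file"` with a quoted path).

```shell
#!/bin/sh
# Added example, not from the thread.
# find_set_debug FILE
#   Prints "file:line: set debug <level>" for every active (uncommented)
#   "set debug" statement in a pf ruleset, following include "file" directives.
#   Exit status is grep-like: 0 if at least one statement was found, 1 if none.
find_set_debug() {
    awk '
    function scan(path,    line, n, parts) {
        if (path in seen) return          # visit each file once; stops include loops
        seen[path] = 1
        n = 0
        while ((getline line < path) > 0) {
            n++
            sub(/#.*/, "", line)                  # drop comments
            gsub(/^[ \t]+|[ \t]+$/, "", line)     # trim surrounding whitespace
            if (line ~ /^set[ \t]+debug[ \t]/) {
                gsub(/[ \t]+/, " ", line)         # normalise spacing for the report
                printf "%s:%d: %s\n", path, n, line
                hits++
            } else if (line ~ /^include[ \t]+"/) {
                split(line, parts, "\"")          # parts[2] is the quoted path
                scan(parts[2])
            }
        }
        close(path)
    }
    BEGIN { scan(ARGV[1]); exit (hits > 0 ? 0 : 1) }
    ' "$1"
}
```

Run it as `find_set_debug /etc/pf.conf`; any line it prints is a statement to remove from the ruleset, after which the level can be set from the command line with `pfctl -x` instead.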