Re: OpenBSD 4.6 + carp + pf + pfsync lockup

2010-09-11 Thread Claudio Jeker
On Fri, Sep 10, 2010 at 08:20:30PM -0600, Andy Bradford wrote:
 Thus said Claudio Jeker on Fri, 10 Sep 2010 21:36:16 +0200:
 
  Because  on busy  servers you  need to  queue quite  a few  packets to
  handle bursts.
 
 I  was under  the impression  that UDP  is connectionless  and therefore
 does  not behave  the  same as  a  TCP connection.  I  would guess  that
 send/recvspace for  UDP relates somehow to  the size of a  UDP datagram,
 and that even if  these UDP datagrams came in bursts,  they would not be
 part of the same send/recvspace. Please  correct me if I'm wrong as this
 is something  I've been confused about.  Is there possibly some  kind of
 abstraction  that treats  UDP  as connection  oriented  with respect  to
 send/recvspace?
 

The send/recvspace is for one socket. So for the listening socket all
lookup requests end up on the same socket and so on the same recvspace.

 After   digging  around   a  bit   more   I  found   the  following   in
 /usr/src/sys/netinet/udp_usrreq.c which suggests that at least sendspace
 is merely the datagram size:
 
 u_int   udp_sendspace = 9216;   /* really max datagram size */
 u_int   udp_recvspace = 40 * (1024 + sizeof(struct sockaddr_in));
 /* 40 1K datagrams */

Yes, the comments are correct.

 
 Even if in general all UDP datagrams from the same IP:PORT-IP:PORT combo
 go into  the same  recvspace, DNS  does not normally  use more  than one
 packet for  a response, and other  responses will not match  due to port
 randomization. Even with  DNSSEC and EDNS0, should the default  of 40 1K
 datagrams be sufficient to handle DNS packets?
 

Wrong, UDP is normally not a fully defined 4-tuple. Especially the
listening sockets (on port 53) can be slammed with packets.
On the other hand, if the recvbuffer overflows then packets just get
dropped. The sendto() ENOBUFS errors that got mentioned have a different
cause (in most cases the interface send queue is overflowed).

 It's  entirely  possible  that   I  have  completely  misunderstood  how
 recvspace relates to connections (I  haven't yet found a good exposition
 of this  anywhere). Is  recvspace per  UDP/TCP connection  or more  of a
 generic space for TCP/UDP packets, regardless of connection?
 

The recv/send space is per socket. For TCP it is the same as a connection.
UDP has no connections so all packets that you receive on that socket
share the recvspace.

-- 
:wq Claudio
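The per-socket behaviour Claudio describes can be watched directly. The script below is an added example, not code from this thread: it binds one UDP socket, deliberately never reads it while a sender pushes datagrams at it, then drains and counts. With a deliberately tiny SO_RCVBUF (the user-visible knob for the recvspace) most datagrams are lost silently, while every sendto() on the sending side still succeeds, which is the distinction Claudio draws between recvspace overflow and ENOBUFS from the interface send queue. Buffer sizes and datagram counts are constructed for the demonstration, and the exact number of datagrams that fit is OS specific (kernels account per-datagram overhead on top of the payload), so only the qualitative outcome is checked.

```python
"""Added example (not from the thread): a UDP socket's receive buffer is a
per-socket resource shared by every sender that hits that socket, and once
it is full further datagrams are dropped rather than queued.

Runs entirely over loopback. Buffer sizes and datagram counts are
constructed for the demonstration.
"""
import errno
import socket
import time


def measure_drops(rcvbuf, count, size=1024):
    """Send `count` datagrams of `size` bytes to one unread socket, then drain it.

    Returns (sent, drained, effective_rcvbuf). With rcvbuf=None the OS default
    is used; otherwise SO_RCVBUF is set before any datagram can arrive.
    """
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if rcvbuf is not None:
            rx.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)
        effective = rx.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)
        rx.bind(("127.0.0.1", 0))            # ephemeral port, like any listener
        dst = rx.getsockname()

        # Every sender converges on the same socket and the same recvspace;
        # nothing reads rx while the datagrams arrive, as on a busy resolver.
        payload = b"Q" * size
        sent = 0
        for _ in range(count):
            try:
                tx.sendto(payload, dst)
                sent += 1
            except OSError as e:
                # ENOBUFS here would be the sender's interface queue, not the
                # receiver's recvspace; the two failures are unrelated.
                if e.errno != errno.ENOBUFS:
                    raise
        time.sleep(0.2)                      # let the kernel finish delivery

        # Drain whatever the recvspace actually held; the rest was dropped.
        rx.setblocking(False)
        drained = 0
        while True:
            try:
                rx.recv(65535)
                drained += 1
            except BlockingIOError:
                break
        return sent, drained, effective
    finally:
        rx.close()
        tx.close()


if __name__ == "__main__":
    for label, rcvbuf, n in (("default recvspace", None, 20),
                             ("tiny recvspace", 4096, 200)):
        sent, got, eff = measure_drops(rcvbuf, n)
        print(f"{label:18s} SO_RCVBUF={eff:7d}  sent={sent:3d}  "
              f"received={got:3d}  dropped={sent - got}")
```

The sender never learns about the loss: the drop counter on the receiving host (netstat -s -p udp on OpenBSD, "dropped due to full socket buffers") is the only place it shows, which is why a resolver that is silently losing queries looks healthy from the client side.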



fxp0: warning: SCB timed out

2010-09-11 Thread Leo
I installed OpenBSD 4.7 on a firewall, an NEC_Express_5800_i110Ra-1h.
By default I configured all three ethernet adapters, but only the
first one, em0, works well; the other two, em1 and fxp0, do not work.
Who can tell me how to fix this problem?

ifconfig -a

# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
priority: 0
groups: lo
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:16:17:61:5f:2a
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
status: active
inet 192.168.1.88 netmask 0xff00 broadcast 192.168.1.255
inet6 fe80::216:17ff:fe61:5f2a%em0 prefixlen 64 scopeid 0x1
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:16:17:61:5f:29
priority: 0
media: Ethernet autoselect (none)
status: no carrier
inet 192.168.1.99 netmask 0xff00 broadcast 192.168.1.255
inet6 fe80::216:17ff:fe61:5f29%em1 prefixlen 64 scopeid 0x2
fxp0: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:16:17:61:5f:28
priority: 0
media: Ethernet autoselect (none)
status: no carrier
inet 192.168.1.111 netmask 0xff00 broadcast 192.168.1.255
inet6 fe80::216:17ff:fe61:5f28%fxp0 prefixlen 64 scopeid 0x3
enc0: flags=0 mtu 1536
priority: 0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
priority: 0
groups: pflog
#


# dmesg
OpenBSD 4.7 (GENERIC) #558: Wed Mar 17 20:46:15 MDT 2010
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) M processor 1.73GHz (GenuineIntel 686-class) 1.73 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,EST,TM2
real mem  = 1063743488 (1014MB)
avail mem = 1021964288 (974MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 03/22/06, BIOS32 rev. 0 @ 0xfa880, SMBIOS rev. 2.3 @ 0xf (29 entries)
bios0: vendor Phoenix Technologies, LTD version v1.0070 date 03/22/2006
bios0: NEC Express5800/i110Ra-1h [N8100-1119]
apm0 at bios0: Power Management spec V1.2 (slowidle)
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 3.0 @ 0xf/0xcdc4
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfccc0/208 (11 entries)
pcibios0: PCI Exclusive IRQs: 4 5 9 10 11
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801FB LPC rev 0x00)
pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc/0xf600! 0xd/0x1000 0xd1000/0x1000 0xd2000/0x1800
cpu0 at mainbus0: (uniprocessor)
cpu0: unknown Enhanced SpeedStep CPU, msr 0x06120d2606000d26
cpu0: using only highest and lowest power states
cpu0: Enhanced SpeedStep 1730 MHz: speeds: 1733, 800 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82915GM Host rev 0x04
vga1 at pci0 dev 2 function 0 Intel 82915GM Video rev 0x04
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xc000, size 0x1000
inteldrm0 at vga1: irq 5
drm0 at inteldrm0
ppb0 at pci0 dev 28 function 0 Intel 82801FB PCIE rev 0x05: irq 5
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 Intel PRO/1000MT (82573E) rev 0x03: irq 5, address 00:16:17:61:5f:2a
ppb1 at pci0 dev 28 function 1 Intel 82801FB PCIE rev 0x05: irq 4
pci2 at ppb1 bus 2
em1 at pci2 dev 0 function 0 Intel PRO/1000MT (82573E) rev 0x03: irq 4, address 00:16:17:61:5f:29
uhci0 at pci0 dev 29 function 0 Intel 82801FB USB rev 0x05: irq 9
ehci0 at pci0 dev 29 function 7 Intel 82801FB USB rev 0x05: irq 9
ehci0: timed out waiting for BIOS
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb2 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0xd5
pci3 at ppb2 bus 3
fxp0 at pci3 dev 8 function 0 Intel PRO/100 VE rev 0x05, i82562: irq 10, address 00:16:17:61:5f:28
inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0
ichpcib0 at pci0 dev 31 function 0 Intel 82801FB LPC rev 0x05: PM disabled
pciide0 at pci0 dev 31 function 2 Intel 82801FB SATA rev 0x05: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using irq 11 for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: WDC WD1600BEVT-75ZCT2
wd0: 16-sector PIO, LBA48, 152627MB, 312581808 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
ichiic0 at pci0 dev 31 function 3 Intel 82801FB SMBus rev 0x05: irq 11
iic0 at ichiic0
iic0: addr 0x2f 00=40 01=07 02=00 03=00 04=07 05=00 06=00 07=00 14=14 15=62 16=03 17=04 words 00=40ff 01=07ff 02=00ff 03=00ff 04=07ff 05=00ff 06=00ff 07=00ff
spdmem0 at iic0 addr 0x51: 1GB DDR2 SDRAM non-parity PC2-6400CL5
usb1 at uhci0: USB 

Re: 4.8 Release and Download and

2010-09-11 Thread Matthias Ochs
Am 10.09.2010 03:12, schrieb J.C. Roberts:
 Personally, I buy the release CDs just for the stickers. ;)

Me too :-)

My guess is that I'll buy lots of stuff I don't really need at the
EuroBSDCon next month...

Cheers, Matthias



Re: Python from ports: Makefile:xx: *** missing separator. Stop.

2010-09-11 Thread Stuart Henderson
On 2010-09-11, Hugo Osvaldo Barrera h...@osvaldobarrera.com.ar wrote:
 I've tried building python 2.6 from ports since I need setuptools for 2.6.
 However, when I try to make install (or any other sort of make), I get
 this error:

 # pwd
 /usr/ports/devel/py-setuptools
 # make install
 Makefile:28: *** missing separator.  Stop.
 #

 I get the same error for python/2.6 (just different line).

 I read that missing separator usually refers to there being spaces
 instead of tabs: I HAVEN'T modified Makefile yet (since I actually
 forgot), but I don't want to do so if I can't even get it to compile
 WITHOUT changing anything.

Your post lacks information.

- What OS version are you using? Current? 4.7? Something else?
- Are you using a ports tree which matches the OS version?

If you need to work with python 2.6 I strongly suggest running
-current.

If you are using i386 or sparc64 then just pkg_add -u from an
up-to-date mirror and things should just work. Hopefully we should
see some for amd64 sometime this week or next. Other arch are
likely to take longer (some of them, much longer).

If you don't want to wait, then make sure you're using a fully
up-to-date -current ports tree. When you 'cvs update' look for
any M or C lines and investigate what changes you have in your
tree as they are likely to be responsible for the make problem
you see. Then you will need to update everything using python;
I suggest:

pkg_delete -i /var/db/pkg/python-2.5*

this will ask you to remove any installed packages which
depend on python 2.5; *copy down this list* so you can reinstall
the things you need, then let it delete them.

When you've removed the packages built with python 2.5,
then rebuild the things you need.

If you still have problems then followup on po...@.



Re: 4.8 Release and Download and

2010-09-11 Thread Stuart Henderson
On 2010-09-09, Keith ke...@scott-land.net wrote:
 I'd defiantly pay for 802.11G, hope that it's working in this release.

ral0: flags=8847<UP,BROADCAST,DEBUG,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:22:43:14:9b:35
priority: 4
groups: wlan egress
media: IEEE802.11 autoselect (OFDM54 mode 11g)
status: active

ral0 at pci3 dev 0 function 0 Ralink RT2790 rev 0x00: apic 4 int 18 (irq 11), address 00:22:43:14:9b:35
ral0: MAC/BBP RT2872 (rev 0x0200), RF RT2720 (MIMO 1T2R)



Re: OpenBSD 4.6 + carp + pf + pfsync lockup

2010-09-11 Thread Andy Bradford
Thus said Claudio Jeker on Sat, 11 Sep 2010 11:28:31 +0200:

 Wrong, UDP is normally not a fully defined 4-tuple. Especially the
 listening sockets (on port 53) can be slammed with packets. On the
 other hand, if the recvbuffer overflows then packets just get dropped.

Thank you for  the clarification. So basically, when a  socket is in the
LISTEN state, if  80 1k UDP packets are sent  concurrently to the server
from 80 different  source IPs, then roughly 50% of  them will be dropped
(assuming defaults), because the recvspace is dedicated only to this one
socket.

The recvspace for a response of DNS,  on the other hand, isn't likely to
be  consumed because  the only  packets coming  to it  will be  response
datagrams  from a  single  server  answering the  query,  and even  with
DNSSEC, and an answer  as large as the one returned for  an ANY query of
bugs.debian.org, the recvspace isn't likely to be flooded.

TCP  is  the same  except  a  socket is  more  distinct  because of  the
connection tuple so the recvspace is more dedicated.

 The sendto() ENOBUFS errors that  got mentioned have a different cause
 (in most cases the interface send queue is overflowed).

Yes, I  suspected that  this reported error  was unrelated  to send/recv
space, because once the recvspace is full.

Thanks,

Andy



Re: fxp0: warning: SCB timed out

2010-09-11 Thread Stuart Henderson
On 2010-09-11, Leo chlin@gmail.com wrote:
 I installed OpenBSD 4.7 on a firewall, an NEC_Express_5800_i110Ra-1h.
 By default I configured all three ethernet adapters, but only the
 first one, em0, works well; the other two, em1 and fxp0, do not work.
 Who can tell me how to fix this problem?

You can try boot -c at the boot loader prompt and
disable apm then quit. I'm hoping this will cause it to use
acpi instead of apm, which also includes interrupt routing
information, which may be more accurate than the information
it uses now.

If it helps, you can write a modified kernel with:

config -ef /bsd
disable apm
quit

Make a note to check this again for the next time you upgrade
the kernel (maybe in /etc/motd).

If this doesn't help, other options include trying a -current
snapshot or looking for a bios upgrade.



Re: 4.7 PF match problem

2010-09-11 Thread Per-Olov Sjöholm
On 10 sep 2010, at 21.24, Peter N. M. Hansteen wrote:

 Per-Olov Sjöholm p...@incedo.org writes:

 It seems the first one is unable to convert, as it seems "no match in
 on..." does not work.

 Off the top of my head, move the rdr-to bits to your pass rules, make
 sure the pass rule without the rdr-to is either the last or a
 quick. Or use a negation in the criteria for your match rule.  Hard to
 be more specific without the full rule set.

 - P
 --
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
 Remember to set the evil bit on all malicious network traffic
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Here is some more info from the rule set...

I am for sure trying to find the easiest replacement for the "no rdr" statement
I had in 4.6. Maybe a mix of sticky match rules in match statements and pass
statements with rdr-to in them will do the trick. However, I try to replace
the earlier "no rdr" with a negated match rule. It seems I am missing something
here, or it's simply not possible to achieve anymore. At least it seems to be a
problem to replace the earlier rdr rules from 4.6 with just drop-in match
statements. Am I *forced* to also mix in pass rules with rdr-to in them?
Below is the spec of the problem. Switching directly to 4.7 breaks FTP if I
cannot easily solve the "no rdr" problem.




---#--- This is what I have in rc.conf.local ---#---
r...@xanadu:~# more /etc/rc.conf.local
named_flags=""  # for normal use: ""
pf=YES  # Packet filter / NAT
sshd_flags="-4" # for normal use: ""
dhcpd_flags="vlan2" # for normal use: ""
ntpd_flags=""   # for normal use: ""
ftpproxy_flags="-R 192.168.2.35 -p 21 -b 82.82.222.222" # for normal use: ""



---#--- For the case relevant stuff cut out from pf.conf in 4.6 ---#---

nat-anchor "ftp-proxy/*"
nat on $INTERNET_INT inet from $DMZ1_ORIGO -> $INTERNET_INT_IP2
rdr-anchor "ftp-proxy/*"

nat on $INTERNET_INT from $DMZ1_ORIGO to any -> $INTERNET_INT_IP2
nat on $INTERNET_INT from $LAN_INT:network to any -> $INTERNET_INT_IP1
nat on $INTERNET_INT from $DMZ1_INT:network to any -> $INTERNET_INT_IP1

no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO

pass out on $ALL_INTERFACES inet proto { tcp gre esp udp icmp } all keep state

pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_ORIGO to any flags S/SA keep state
pass in log quick on $DMZ1_INT inet proto { icmp udp } from $DMZ1_ORIGO to any keep state

pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 21 143 993 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)


---#--- I translated this to the following in 4.7 ---#---

anchor "ftp-proxy/*"
match out on $INTERNET_INT inet from $DMZ1_ORIGO nat-to $INTERNET_INT_IP2
#rdr-anchor "ftp-proxy/*"

match out on $INTERNET_INT from $DMZ1_ORIGO to any nat-to $INTERNET_INT_IP2
match out on $INTERNET_INT from $LAN_INT:network to any nat-to $INTERNET_INT_IP1
match out on $INTERNET_INT from $DMZ1_INT:network to any nat-to $INTERNET_INT_IP1

# no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
# PROBLEM TO TRANSLATE THE ABOVE ROW

# rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO
match in on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 rdr-to $DMZ1_ORIGO

pass out on $ALL_INTERFACES inet proto { tcp gre esp udp icmp } all keep state

pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_ORIGO to any flags S/SA keep state
pass in log quick on $DMZ1_INT inet proto { icmp udp } from $DMZ1_ORIGO to any keep state

pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 21 143 993 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)




Everything works except the FTP service on my RFC1918 DMZ.


Suggestions very much appreciated.
(Using just match rules instead of pass rules with rdr-to if possible)


/Peo
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4



Re: 4.7 PF match problem

2010-09-11 Thread Per-Olov Sjöholm
On 11 sep 2010, at 23.49, Per-Olov Sjöholm wrote:


Sorry... Forgot that I had this rule as well that is involved...

pass in log quick on $INTERNET_INT inet proto tcp from any to $INTERNET_INT_IP2 port { 21 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)


That is the reason I don't want a no-rdr for port 21 to INTERNET_IP2 so it
terminates in the firewall with the ftp-proxy and not in the DMZ server.


/Peo
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 
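One way to carry the 4.6 "no rdr" exclusion into 4.7 syntax is the negation Peter mentions: give the match rule a port criterion that excludes 21, so TCP/21 to the public address is never redirected and keeps terminating on the firewall, where the reverse-mode ftp-proxy listens. The fragment below is an added illustration, not a rule from Per-Olov's set or from Peter's reply; it reuses the thread's macros ($INTERNET_INT, $INTERNET_INT_IP2, $DMZ1_ORIGO, <bad_hosts>) and assumes the ftp-proxy -R configuration from rc.conf.local is running.

```pf
# Added example, not from the thread's rule set. The only change versus the
# 4.7 translation above is that the exclusion "no rdr" expressed in 4.6 is now
# a negated port criterion on the match rule itself.

# ftp-proxy(8) installs its own rules for the FTP data connections here.
anchor "ftp-proxy/*"

match out on $INTERNET_INT inet from $DMZ1_ORIGO nat-to $INTERNET_INT_IP2

# Everything aimed at the public address goes to the DMZ host, except TCP/21,
# which must stay on the firewall so the proxy (-R 192.168.2.35) handles it.
match in on $INTERNET_INT inet proto tcp from any to $INTERNET_INT_IP2 port != 21 rdr-to $DMZ1_ORIGO
match in on $INTERNET_INT inet proto udp from any to $INTERNET_INT_IP2 rdr-to $DMZ1_ORIGO

# FTP control connection to the proxy on the firewall (no rdr-to applies).
pass in log quick on $INTERNET_INT inet proto tcp from any to $INTERNET_INT_IP2 port 21 flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)

# Redirected services that do reach the DMZ host.
pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 143 993 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)
```

Check the parse with pfctl -nf /etc/pf.conf before loading. With TCP/21 no longer redirected, a pass rule for port 21 to $DMZ1_ORIGO is not needed; the rules that let the proxy's data connections reach the DMZ server are the ones ftp-proxy adds inside its anchor, which is why the anchor line has to stay.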

kernel hangs by many connections (reproducible)

2010-09-11 Thread Anton Maksimenkov
Hello.
I use my OBSD machine to test a server on another machine. They are
connected by a patch cord; 1Gbit network cards are used.
The test program (uses kqueue) makes many (I want thousands of) connections
to the server: write a query, read the answer.
And it tries to keep that many connections open by making as many new
connections as needed.

When the number of connections is kept below 100, all is OK. But if I raise
it (up to about 500-1000), the program starts these connections, does
some writes/reads (shows about 10-20 successful reads) and the kernel
hangs, 1-2 sec after start.
Tweaks: kern.maxfiles=16384 and openfiles-cur/max=8192 for my user.

Info from ddb (see dmesg below):

ddb> show panic
the kernel did not panic

ddb> trace
Debugger(0,3f8,0,0,1) at Debugger+0x4
comintr(d1571000) at comintr+0x287
Xrecurse_legacy4() at Xrecurse_legacy4+0xb3
--- interrupt ---
pool_do_get(d0a10b60,0,0,0,60) at pool_do_get+0x2c2
pool_get(d0a10b60,0,8000,0,0) at pool_get+0x54
m_gethdr(1,1,8000,369e99,0) at m_gethdr+0x39
m_clget(0,1,d1526054,800,d03e1aeb) at m_clget+0x10a
re_newbuf(d1526000,10,d999eb48,d02b30cc,d1526000) at re_newbuf+0x35
re_rx_list_fill(d1526000,20,60,58,d1520010) at re_rx_list_fill+0x21
re_rxeof(d1526000,d9799800,3e,10,10) at re_rxeof+0x37c
re_intr(d1526000) at re_intr+0x12a
Xrecurse_legacy11() at Xrecurse_legacy11+0xb7
--- interrupt ---
filt_soread(d9a5bdc0,0,0,d9a5bd98,d9a5bd98) at filt_soread+0x1
selwakeup(d9a5bdbc,d9b08300,d9b08200,d9b08300,d9a5bd98) at selwakeup+0x22
sowakeup(d9a5bd4c,d9a5bd98,14,d999ed24,1) at sowakeup+0x1d
tcp_input(d9b08300,14,0,0,6) at tcp_input+0x26ac
ipv4_input(d9b08300,0,d999ede8,d0202089,d03d0058) at ipv4_input+0x42a
ipintr(d03d0058,d09e0010,10,d5d10010,d09e72c0) at ipintr+0x49
Bad frame pointer: 0xd999ede8

ddb> ps
   PID   PPID   PGRP   UID  S       FLAGS  WAIT       COMMAND
  3410  32488   3410  1000  2      0x4000             penetrator
 16754   6068  16754  1000  3     0x44180  poll       systat
  6068  20285   6068  1000  3      0x4080  pause      ksh
 20285  13637  13637  1000  3       0x180  select     sshd
 13637   9091  13637     0  3      0x4080  netio      sshd
   921  24774    921  1000  3      0x4080  poll       top
 24774   7958  24774  1000  3      0x4080  pause      ksh
  7958  18572  18572  1000  3       0x180  select     sshd
 18572   9091  18572     0  3      0x4080  netio      sshd
 20295  16560  16560  1000  3       0x180  netio      ftpd
 16560  28104  16560     0  3      0x4080  netio      ftpd
 32488  24805  32488  1000  3      0x4080  pause      ksh
 24805   1162   1162  1000  3       0x180  select     sshd
  1162   9091   1162     0  3      0x4080  netio      sshd
 11793      1  11793     0  3     0x40180  select     sendmail
 24133      1  24133     0  2      0x4080             getty
  5061      1   5061     0  3      0x4080  ttyin      getty
 16343      1  16343     0  3      0x4080  ttyin      getty
 27708      1  27708     0  3      0x4080  ttyin      getty
 21353      1  21353     0  3      0x4080  ttyin      getty
 25731      1  25731     0  3      0x4080  ttyin      getty
  4928      1   4928     0  3        0x80  select     cron
  4928      1   4928     0  3        0x80  select     cron
  9091      1   9091     0  3        0x80  select     sshd
 18814  30428  30428    70  3       0x180  select     named
 30428      1  30428     0  3       0x180  netio      named
  9309  32415  32415    74  3       0x180  bpf        pflogd
 32415      1  32415     0  3        0x80  netio      pflogd
 18677   8041   8041    73  3       0x180  poll       syslogd
  8041      1   8041     0  3        0x88  netio      syslogd
    15      0      0     0  3    0x100200  aiodoned   aiodoned
    14      0      0     0  3    0x100200  syncer     update
    13      0      0     0  3    0x100200  cleaner    cleaner
    12      0      0     0  3    0x100200  reaper     reaper
    11      0      0     0  3    0x100200  pgdaemon   pagedaemon
    10      0      0     0  3    0x100200  bored      crypto
     9      0      0     0  3    0x100200  pftm       pfpurge
     8      0      0     0  3    0x100200  usbevt     usb1
     7      0      0     0  3    0x100200  usbtsk     usbtask
     6      0      0     0  3    0x100200  usbevt     usb0
     5      0      0     0  3    0x100200  apmev      apm0
     4      0      0     0  3    0x100200  bored      syswq
     3      0      0     0  3  0x40100200             idle0
    *2      0      0     0  7    0x100200             kmthread
     1      0      1     0  3      0x4080  wait       init
     0     -1      0     0  3     0x80200  scheduler  swapper

ddb> show all pools
Name  Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
inpcbpl228 34150 240261 06161 0 80
plimitpl   148   250   11 1