Date:      Tue, 30 Oct 2018 15:03:37 +0100
From:      "Kristof Provost" <kp@FreeBSD.org>
To:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc:        "Rodney W. Grimes" <freebsd-rwg@pdx.rh.CN85.dnsmgr.net>, "Ernie Luzar" <luzar722@gmail.com>, "FreeBSD current" <freebsd-current@freebsd.org>
Subject:   Re: 12.0-BETA1 vnet with pf firewall
Message-ID:  <39EBDBD8-4FEE-42D3-809C-B4FD4D4DA20D@FreeBSD.org>
In-Reply-To: <1B2DF00D-68FB-453F-82D0-6FC9C2BB6EE2@lists.zabbadoz.net>
References:  <201810282139.w9SLdO58054096@pdx.rh.CN85.dnsmgr.net> <7D8AB225-061D-4EEC-BC08-5B168F1B44E8@FreeBSD.org> <A1E9089B-FE46-4532-AF5F-2A151B2A703B@FreeBSD.org> <1B2DF00D-68FB-453F-82D0-6FC9C2BB6EE2@lists.zabbadoz.net>

On 30 Oct 2018, at 14:29, Bjoern A. Zeeb wrote:
> On 30 Oct 2018, at 12:23, Kristof Provost wrote:
>> I’m not too familiar with this part of the vnet code, but it looks 
>> to me like we’ve got more per-vnet variables than was originally 
>> anticipated, so we may need to just increase the allocated space.
>
> Can you elfdump -a the two modules and see how big their set_vnet 
> section sizes are?  I see:
>
> pf.ko:  sh_size: 6664
> ipl.ko: sh_size: 2992
>
I see exactly the same numbers.

> VNET_MODMIN is two pages (8k).  So yes, that would exceed the module 
> space.
> Having 6.6k global variable space is a bit excessive?  Where does that 
> come from?  multicast used to have a similar problem in the past that 
> it could not be loaded as a module as it had a massive array there and 
> we changed it to be malloced and that reduced it to a pointer.
>
> 0000000000000f38 l     O set_vnet       0000000000000428 vnet_entry_pfr_nulltable
That’s a default table. It’s large because it uses MAXPATHLEN for 
the pfrt_anchor string.

> 0000000000000b10 l     O set_vnet       00000000000003d0 vnet_entry_pf_default_rule
Default rule. Rules potentially contain names, tag names, interface 
names, … so it’s a large structure.

> 0000000000001370 l     O set_vnet       0000000000000690 vnet_entry_pf_main_anchor
Anchors use MAXPATHLEN for the anchor path, so that’s 1024 bytes right 
away.

> 0000000000000000 l     O set_vnet       0000000000000120 vnet_entry_pf_status
>
pf status. Mostly counters.

I’ll see about putting moving those into the heap on my todo list.

Best regards,
Kristof
From: "Rodney W. Grimes" <freebsd-rwg@pdx.rh.CN85.dnsmgr.net>
Message-Id: <201810301414.w9UEEK9v061805@pdx.rh.CN85.dnsmgr.net>
Subject: Re: 12.0-BETA1 vnet with pf firewall
In-Reply-To: <39EBDBD8-4FEE-42D3-809C-B4FD4D4DA20D@FreeBSD.org>
To: Kristof Provost <kp@freebsd.org>
Date: Tue, 30 Oct 2018 07:14:20 -0700 (PDT)
CC: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>,
 Ernie Luzar <luzar722@gmail.com>,
 FreeBSD current <freebsd-current@freebsd.org>

> On 30 Oct 2018, at 14:29, Bjoern A. Zeeb wrote:
> > On 30 Oct 2018, at 12:23, Kristof Provost wrote:
> >> I’m not too familiar with this part of the vnet code, but it looks 
> >> to me like we’ve got more per-vnet variables than was originally 
> >> anticipated, so we may need to just increase the allocated space.
> >
> > Can you elfdump -a the two modules and see how big their set_vnet 
> > section sizes are?  I see:
> >
> > pf.ko:  sh_size: 6664
> > ipl.ko: sh_size: 2992
> >
> I see exactly the same numbers.
> 
> > VNET_MODMIN is two pages (8k).  So yes, that would exceed the module 
> > space.
> > Having 6.6k global variable space is a bit excessive?  Where does that 
> > come from?  multicast used to have a similar problem in the past that 
> > it could not be loaded as a module as it had a massive array there and 
> > we changed it to be malloced and that reduced it to a pointer.
> >
> > 0000000000000f38 l     O set_vnet       0000000000000428 vnet_entry_pfr_nulltable
> That’s a default table. It’s large because it uses MAXPATHLEN for 
> the pfrt_anchor string.
> 
> > 0000000000000b10 l     O set_vnet       00000000000003d0 vnet_entry_pf_default_rule
> Default rule. Rules potentially contain names, tag names, interface 
> names, … so it’s a large structure.
> 
> > 0000000000001370 l     O set_vnet       0000000000000690 vnet_entry_pf_main_anchor
> Anchors use MAXPATHLEN for the anchor path, so that’s 1024 bytes right 
> away.
> 
> > 0000000000000000 l     O set_vnet       0000000000000120 vnet_entry_pf_status
> >
> pf status. Mostly counters.
> 
> I’ll see about putting moving those into the heap on my todo list.

Though that removes the current situation, it is a partial fix;
doesn't this static sized 2 page VNET_MODMIN need to be fixed in the
longer term?

-- 
Rod Grimes                                                 rgrimes@freebsd.org
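
The size check discussed in this thread, as an added example that is not part of either message or of FreeBSD itself: it parses the set_vnet symbol lines quoted above and compares the reported section sizes with the two-page VNET_MODMIN figure. The function names are hypothetical, and it assumes both modules draw from the same module space, which is how the thread treats them.

```python
# Added example (not from the thread): audit per-vnet variable space from
# `objdump -t`-style symbol lines against the VNET_MODMIN figure quoted above.
VNET_MODMIN = 8 * 1024  # "two pages (8k)" as stated in the thread

# Symbol lines copied from the message (wrapped lines rejoined). These are the
# four pf.ko entries the thread lists, not the whole section.
PF_SYMBOLS = """\
0000000000000f38 l     O set_vnet       0000000000000428 vnet_entry_pfr_nulltable
0000000000000b10 l     O set_vnet       00000000000003d0 vnet_entry_pf_default_rule
0000000000001370 l     O set_vnet       0000000000000690 vnet_entry_pf_main_anchor
0000000000000000 l     O set_vnet       0000000000000120 vnet_entry_pf_status
"""

# set_vnet sh_size values reported in the thread.
SECTION_SIZES = {"pf.ko": 6664, "ipl.ko": 2992}


def parse_symbols(text, section="set_vnet"):
    """Return (name, offset, size) for symbols in `section`, largest first."""
    out = []
    for line in text.splitlines():
        tok = line.split()
        # Layout: address, flag chars..., section, size, name.
        if len(tok) < 4 or tok[-3] != section:
            continue
        try:
            out.append((tok[-1], int(tok[0], 16), int(tok[-2], 16)))
        except ValueError:
            continue  # header or otherwise non-symbol line
    return sorted(out, key=lambda s: s[2], reverse=True)


def budget(section_sizes, limit=VNET_MODMIN):
    """Return (total_bytes, fits) for modules sharing one module space."""
    total = sum(section_sizes.values())
    return total, total <= limit


if __name__ == "__main__":
    syms = parse_symbols(PF_SYMBOLS)
    for name, off, size in syms:
        print(f"{size:6d}  {off:#06x}  {name}")
    print("listed symbols:", sum(s[2] for s in syms), "of", SECTION_SIZES["pf.ko"])
    for mods in (["pf.ko"], ["pf.ko", "ipl.ko"]):
        total, ok = budget({m: SECTION_SIZES[m] for m in mods})
        print(mods, total, "fits" if ok else f"exceeds by {total - VNET_MODMIN}")
```

For a real module, feed the function the symbol table output of the .ko file in place of PF_SYMBOLS.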


