Date: Sat, 26 May 2001 16:40:03 -0700 (PDT)
From: Kris Kennaway <kris@obsecurity.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/27661: >1000 ipfw rules and heavy traffic crash the system
Message-ID: <200105262340.f4QNe3U17250@freefall.freebsd.org>

The following reply was made to PR kern/27661; it has been noted by GNATS.

From: Kris Kennaway <kris@obsecurity.org>
To: pekkas@netcore.fi
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/27661: >1000 ipfw rules and heavy traffic crash the system
Date: Sat, 26 May 2001 16:32:17 -0700

On Sat, May 26, 2001 at 07:31:01AM -0700, pekkas@netcore.fi wrote:

> >Description:
> See and the threads mentioned there: http://docs.freebsd.org/cgi/getmsg.cgifetch=856687+0+archive/2001/freebsd-stable/20010520.freebsd-stable

This URL does not seem to be valid.

> I noticed that if you create too many ipfw rules, through which extra
> traffic must pass, rather soon you will crash the system.
>
> In this scenario, adding >1000 non-matching rules before the
> standard tcp established rule, and doing 20Mbit/s steady through the
> rules, caused kernel load to go to ~8.0 (Dual P3/866) and after less than
> an hour, crash the system.

When you say "crash" do you mean "panic" (the usual meaning), or "lock up"? If the former, please obtain a panic traceback to aid in debugging.

It sounds to me as if this is just a case of giving the system too much work to do. If it has to spend more time processing a packet than the time between packet arrival, things are going to go badly. As far as I know ipfw doesn't have an 'exit clause' which drops packets if they are taking too long to process. I don't know if it would be easy to add one; the best solution, as you noted, is to not write inefficient rulesets.

Kris