List:       freebsd-pf
Subject:    Re: Kernel panic with PF
From:       Michal Mertl <mime () traveller ! cz>
Date:       2006-07-21 10:03:40
Message-ID: 1153476220.1140.34.camel () genius ! i ! cz

Daniel Hartmeier wrote:
> On Fri, Jul 21, 2006 at 10:57:28AM +0200, Michal Mertl wrote:
> 
> > The proxy in fact runs in parallel (according to "pfctl -s info" it did
> > about 50 inserts and removals in the state table per second - some 10Mbit
> > of traffic, probably mostly HTTP) and it is quite possible that your
> > explanation is correct. I will forward your suspicion to the vendor.
> > This functionality of the software (using PF with anchors) is quite new
> > - they used different mechanisms in previous versions, so it may well
> > have some bugs.
> 
> Anchors were introduced for this purpose, i.e. splitting the ruleset
> into separate pieces, over each of which a single process can have
> authority, so different processes don't stomp on each other's toes with
> ruleset modifications.

They (the Kernun authors) run multiple processes for each proxy.
Originally they used a slightly modified Apache core for their proxies, I
believe. Thus there are probably several processes using the same anchor.

I don't really understand what they do inside - I would think that when
there are no traffic-blocking rules, there's no point in doing anything
with PF except initially setting the rdr rule to the proxy.

> Ask them if they really need to still use DIOCCHANGERULE, as the idea
> with anchors is generally to only operate within one anchor, and usually
> flush or replace the (smaller) ruleset within.
> 
> Each anchor has its own ticket, so if you're seeing ticket mismatches,
> that means there are concurrent operations on the same anchor, even.

I see. It would be better if they were part of this communication
because I don't know the internals (although I have the source code). I
have problems reaching them at the moment though.


> Daniel
> 
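The layout Daniel describes (one anchor per proxy process, each process only replacing the small ruleset inside its own anchor instead of modifying the main ruleset with DIOCCHANGERULE), as an added example that is not part of this thread and not Kernun's code. The anchor names (proxy/http, proxy/smtp), the interface em0 and the port numbers are assumptions; pre-4.7 pf.conf syntax is used, as on FreeBSD 6 at the time of the thread.

```shell
#!/bin/sh
# Added example: one anchor per proxy process. Anchor names, interface em0
# and ports are assumed, not taken from the thread.

# Main ruleset: delegates both translation (rdr-anchor) and filtering
# (anchor) to the per-proxy anchors. Loaded once; never rewritten later.
main_ruleset() {
    cat <<'EOF'
rdr-anchor "proxy/*"
anchor "proxy/*"
pass all
EOF
}

# Ruleset for ONE proxy: $1 = anchor leaf name, $2 = port to intercept,
# $3 = port the local proxy listens on. Filtering sees the translated
# address, so the pass rule matches 127.0.0.1:$3, not port $2.
proxy_anchor_rules() {
    printf 'rdr on em0 proto tcp from any to any port %s -> 127.0.0.1 port %s\n' "$2" "$3"
    printf 'pass in quick on em0 proto tcp from any to 127.0.0.1 port %s keep state\n' "$3"
}

# Atomically replace the contents of one anchor. pfctl works with that
# anchor's own ticket, so two proxies loading different anchors cannot
# race each other, and the main ruleset's ticket is never involved.
load_proxy_anchor() {
    proxy_anchor_rules "$@" | pfctl -a "proxy/$1" -f -
}

# Inspect or flush a single anchor without touching the others.
show_proxy_anchor()  { pfctl -a "proxy/$1" -s nat; pfctl -a "proxy/$1" -s rules; }
flush_proxy_anchor() { pfctl -a "proxy/$1" -F nat; pfctl -a "proxy/$1" -F rules; }

# Number of rules a proxy would load (used for the offline self-check).
proxy_anchor_rule_count() { proxy_anchor_rules "$@" | wc -l | tr -d ' '; }

# Only touch the live firewall when explicitly asked: ./anchors.sh load
if [ "${1:-}" = "load" ]; then
    main_ruleset | pfctl -f -
    load_proxy_anchor http 80 8080
    load_proxy_anchor smtp 25 8025
    show_proxy_anchor http
fi
```

Running `show_proxy_anchor http` after a reload is the quick check that only the http anchor changed; `pfctl -s rules` on the main ruleset should show the unchanged anchor lines only.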

