NetBSD Problem Report #55892
From www@netbsd.org Tue Dec 22 13:36:31 2020
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 0BB851A921F
for <gnats-bugs@gnats.NetBSD.org>; Tue, 22 Dec 2020 13:36:31 +0000 (UTC)
Message-Id: <20201222133630.1118C1A923A@mollari.NetBSD.org>
Date: Tue, 22 Dec 2020 13:36:30 +0000 (UTC)
From: technet@netdog.org
Reply-To: technet@netdog.org
To: gnats-bugs@NetBSD.org
Subject: npf cannot handle large tables
X-Send-Pr-Version: www-1.0
>Number: 55892
>Category: bin
>Synopsis: npf cannot handle large tables
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Dec 22 13:40:00 +0000 2020
>Last-Modified: Sat Jul 24 20:50:01 +0000 2021
>Originator: Hector
>Release: NetBSD 9.1
>Organization:
>Environment:
NetBSD apu4ed.home.lan 9.1 NetBSD 9.1 (GENERIC) #0: Sun Oct 18 19:24:30 UTC 2020 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
On attempting to load an npf(7) ruleset which references a table with tens of thousands of entries, npfctl(8) silently runs for a very long time, and then emits some garbage output. At this point, the npf is left in an operable state.
The failure to properly load the ruleset is one bad behaviour.
That loading a ruleset takes minutes is another bad behaviour.
>How-To-Repeat:
Here you can download a minimal npf.conf which tries to load a table of about 52,000 subnets.
http://lab.netdog.org/npf.conf
http://lab.netdog.org/ip-blacklist-52k.gz
On a 4-core machine with 4GB of memory, this command:
# npfctl reload
chewed in silence for about 7 minutes, and then produced this output:
npfctl: �8
With a larger table, the run time is longer, and the garbage output is different, being longer.
>Fix:
>Audit-Trail:
From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/55892: npf cannot handle large tables
Date: Sat, 24 Jul 2021 20:49:31 +0000
On Tue, Dec 22, 2020 at 01:40:00PM +0000, technet@netdog.org wrote:
> Here you can download a minimal npf.conf which tries to load a
> table of about 52,000 subnets.
>
> http://lab.netdog.org/npf.conf
>
> http://lab.netdog.org/ip-blacklist-52k.gz
I've put copies of these here so they don't get lost:
https://www.netbsd.org/~dholland/gnatsblobs/55892
--
David A. Holland
dholland@netbsd.org
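The How-To-Repeat section above depends on the submitter's 52,000-entry blocklist, which is only reachable through the archived links. The script below is an added example, not part of the PR or of NetBSD's npf code: it constructs a synthetic table of N distinct /24 prefixes and a minimal npf.conf that references it, then times `npfctl validate` on the result. It assumes the NetBSD 9 npf.conf(5) table syntax (`table <name> type lpm file "path"`, with `lpm` chosen because the entries are subnets rather than single addresses) and the `npfctl validate path` subcommand; both are assumptions about the installed npfctl, and the generated prefixes are constructed test data. Because `validate` only parses the ruleset and never loads it into the kernel, it can be run on a live firewall without the risk described in the report of leaving npf in a bad state after a failed reload.

```sh
#!/bin/sh
# Added example (not from PR 55892 or from NetBSD): build a synthetic large
# npf table plus a minimal npf.conf, then time npfctl's validation pass.
# ASSUMPTIONS: npf.conf(5) table syntax "table <name> type lpm file ..."
# and the "npfctl validate PATH" subcommand as on NetBSD 9.x.
# The 10.0.0.0/8 prefixes below are constructed test data.

# gen_table N FILE: write N distinct /24 prefixes from 10.0.0.0/8 to FILE,
# one per line, the format npfctl reads for a "file" table.  10/8 holds
# 65536 /24s, so N is capped there to keep the entries distinct.
gen_table() {
    n=$1; out=$2
    [ "$n" -le 65536 ] || { echo "gen_table: max 65536 entries" >&2; return 1; }
    awk -v n="$n" 'BEGIN {
        for (i = 0; i < n; i++)
            printf "10.%d.%d.0/24\n", int(i / 256), i % 256
    }' > "$out"
}

# gen_conf CONF TABLEFILE: minimal ruleset that blocks inbound traffic from
# the table and passes everything else (constructed; not the PR's npf.conf).
gen_conf() {
    conf=$1; tbl=$2
    cat > "$conf" <<EOF
table <blocklist> type lpm file "$tbl"

group default {
	block in final from <blocklist>
	pass final all
}
EOF
}

# check_ruleset CONF: run "npfctl validate" against CONF, report elapsed
# time, exit status and output size.  A non-zero status or unexpected
# (non-empty, non-text) output is the symptom the PR describes; validate
# does not touch the running ruleset, unlike "npfctl reload".
check_ruleset() {
    conf=$1; log=$conf.out
    if ! command -v npfctl >/dev/null 2>&1; then
        echo "npfctl not found; generated $conf but did not validate it" >&2
        return 2
    fi
    start=$(date +%s)
    npfctl validate "$conf" > "$log" 2>&1
    rc=$?
    end=$(date +%s)
    echo "npfctl validate: exit=$rc elapsed=$((end - start))s" \
         "output_bytes=$(wc -c < "$log" | tr -d ' ') log=$log"
    return $rc
}

# repro N DIR: generate an N-entry table and ruleset under DIR and check it.
repro() {
    dir=$2
    gen_table "$1" "$dir/blocklist" || return 1
    gen_conf "$dir/npf.conf" "$dir/blocklist"
    echo "table entries: $(wc -l < "$dir/blocklist" | tr -d ' ')"
    check_ruleset "$dir/npf.conf"
}

# Usage: sh repro.sh 52000 [DIR]   (no arguments: only define the functions)
if [ "$#" -ge 1 ]; then
    repro "$1" "${2:-$(mktemp -d)}"
fi
```

Start with a small N to confirm the ruleset parses at all, then step N up (for example 1000, 10000, 52000) and compare the reported elapsed times; a roughly linear growth is expected from table size alone, while a jump to minutes, a non-zero exit, or binary junk in the log file reproduces the behaviour in the report without reloading the live ruleset.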