NetBSD Problem Report #55892

From www@netbsd.org  Tue Dec 22 13:36:31 2020
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 0BB851A921F
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 22 Dec 2020 13:36:31 +0000 (UTC)
Message-Id: <20201222133630.1118C1A923A@mollari.NetBSD.org>
Date: Tue, 22 Dec 2020 13:36:30 +0000 (UTC)
From: technet@netdog.org
Reply-To: technet@netdog.org
To: gnats-bugs@NetBSD.org
Subject: npf cannot handle large tables
X-Send-Pr-Version: www-1.0

>Number:         55892
>Category:       bin
>Synopsis:       npf cannot handle large tables
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Dec 22 13:40:00 +0000 2020
>Last-Modified:  Sat Jul 24 20:50:01 +0000 2021
>Originator:     Hector
>Release:        NetBSD 9.1
>Organization:
>Environment:
NetBSD apu4ed.home.lan 9.1 NetBSD 9.1 (GENERIC) #0: Sun Oct 18 19:24:30 UTC 2020  mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
On attempting to load an npf(7) ruleset which references a table with tens of thousands of entries, npfctl(8) silently runs for a very long time, and then emits some garbage output. At this point, the npf is left in an operable state.

The failure to properly load the ruleset is one bad behaviour.

That loading a ruleset takes minutes is another bad behaviour.
>How-To-Repeat:
Here you can download a minimal npf.conf which tries to load a table of about 52,000 subnets.

http://lab.netdog.org/npf.conf

http://lab.netdog.org/ip-blacklist-52k.gz

On a 4-core machine with 4GB of memory, this command:

 # npfctl reload

chewed in silence for about 7 minutes, and then produced this output:

  npfctl: �8

With a larger table, the run time is longer, and the garbage output is different, being longer.
>Fix:

>Audit-Trail:
From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/55892: npf cannot handle large tables
Date: Sat, 24 Jul 2021 20:49:31 +0000

 On Tue, Dec 22, 2020 at 01:40:00PM +0000, technet@netdog.org wrote:
  > Here you can download a minimal npf.conf which tries to load a
  > table of about 52,000 subnets.
  > 
  > http://lab.netdog.org/npf.conf
  > 
  > http://lab.netdog.org/ip-blacklist-52k.gz

 I've put copies of these here so they don't get lost:
    https://www.netbsd.org/~dholland/gnatsblobs/55892

 -- 
 David A. Holland
 dholland@netbsd.org
