NetBSD Problem Report #55892
From www@netbsd.org Tue Dec 22 13:36:31 2020
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 0BB851A921F
for <gnats-bugs@gnats.NetBSD.org>; Tue, 22 Dec 2020 13:36:31 +0000 (UTC)
Message-Id: <20201222133630.1118C1A923A@mollari.NetBSD.org>
Date: Tue, 22 Dec 2020 13:36:30 +0000 (UTC)
From: technet@netdog.org
Reply-To: technet@netdog.org
To: gnats-bugs@NetBSD.org
Subject: npf cannot handle large tables
X-Send-Pr-Version: www-1.0
>Number: 55892
>Category: bin
>Synopsis: npf cannot handle large tables
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Dec 22 13:40:00 +0000 2020
>Last-Modified: Thu Jun 12 12:45:01 +0000 2025
>Originator: Hector
>Release: NetBSD 9.1
>Organization:
>Environment:
NetBSD apu4ed.home.lan 9.1 NetBSD 9.1 (GENERIC) #0: Sun Oct 18 19:24:30 UTC 2020 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
On attempting to load an npf(7) ruleset which references a table with tens of thousands of entries, npfctl(8) silently runs for a very long time, and then emits some garbage output. At this point, the npf is left in an operable state.
The failure to properly load the ruleset is one bad behaviour.
That loading a ruleset takes minutes is another bad behavior.
>How-To-Repeat:
Here you can download a minimal npf.conf which tries to load a table of about 52,000 subnets.
http://lab.netdog.org/npf.conf
http://lab.netdog.org/ip-blacklist-52k.gz
On a 4-core machine with 4GB of memory, this command:
# npfctl reload
chewed in silence for about 7 minutes, and then produced this output:
npfctl: �8
With a larger table, the run time is longer, and the garbage output is different, being longer.
>Fix:
>Audit-Trail:
From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/55892: npf cannot handle large tables
Date: Sat, 24 Jul 2021 20:49:31 +0000
On Tue, Dec 22, 2020 at 01:40:00PM +0000, technet@netdog.org wrote:
> Here you can download a minimal npf.conf which tries to load a
> table of about 52,000 subnets.
>
> http://lab.netdog.org/npf.conf
>
> http://lab.netdog.org/ip-blacklist-52k.gz
I've put copies of these here so they don't get lost:
https://www.netbsd.org/~dholland/gnatsblobs/55892
--
David A. Holland
dholland@netbsd.org
From: "Thomas Klausner" <wiz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/55892 CVS commit: pkgsrc/lang/chibi-scheme
Date: Wed, 11 Dec 2024 09:27:17 +0000
Module Name: pkgsrc
Committed By: wiz
Date: Wed Dec 11 09:27:17 UTC 2024
Modified Files:
pkgsrc/lang/chibi-scheme: Makefile PLIST distinfo
Log Message:
chibi-scheme: update to 0.11.0.
Based on PR 55892 by db7.
What's Changed
Fix documentation on building a standalone statically linked executable including compiled libs by @lubgr in #746
Initialize variables in FFI tests by @ilammy in #748
Fix usage of signbit() in SRFI 144 by @ilammy in #747
(chibi math prime) fix miller-rabin-composite?, factor, etc (issue #751), add factor-alist by @wrog in #752
CMake update 1/3: basic modernization (preserving all current functionality) by @lubgr in #755
CMake update 2/3: lift platform restriction by @lubgr in #758
Triviality: silence an unused variable warning in compiled test by @lubgr in #763
CMake update 3/3: provide install target by @lubgr in #761
Parse syntax-rules more strictly by @mnieper in #768
Simplify snprintf usage by @lassik in #770
Fix indentation of test runner output by @jgesswein in #764
CMake linux fix: add linker flags -lm -lutil and -ldl (when configured for dynamic loading) by @lubgr in #779
Add missing constants to SRFI-144 by @jpellegrini in #780
Fix disconnects. Support more MIME types. Fix comment. by @arthurgleckler in #787
Add support for SRFI 227 by @dpk in #788
Fix SRFI 227 exports by @mnieper in #795
Add reference-barrier to (srfi 124) by @dpk in #796
Fix SRFI 124 imports for reference-barrier by @dpk in #797
Minor documentation improvements (C API) by @lubgr in #807
Build fails with SEXP_USE_MALLOC by @dpapavas in #809
Export sexp_get_stack_trace by @dpapavas in #813
Expose construction of foreign procedures. by @dpapavas in #806
Identifier macros by @dpk in #805
Fix definition of full-match? (Proposed fix for #816) by @dpk in #818
(chibi parse): Ensure reason is always a string by @nmeum in #821
lib/chibi/diff.scm: Fix string ANSI coloring call by @ztzg in #823
(chibi parse): allow (optionally) passing custom fk to parse-commit by @nmeum in #824
Better case-lambda tests by @dpk in #828
SRFI-144: accept zero arguments for flmax/flmin by @jpellegrini in #832
Fix SEXP_CUSTOM_LONG_LONGS lsint_to_sint by @rschifflin in #839
Add (chibi shell) to the documentation. in #843
Add a crutch to better detect snow binary extension dir. in #848
Install manpages in man/man1, not man in #847
Fix scribble documentation for shell.scm in #849
Make (shell) in (chibi shell) return exit status of last command. in #854
cmake: Exclude (chibi shell) test on Win32 by @okuoku in #858
Add support for SXML indentation on output. by @arthurgleckler in #867
Fix bug: attributes without values didn't work. by @arthurgleckler in #868
Add a feature to cache the most recent string index->cursor result by @dpk in #793
Fix syntax-tests to use mutable-environment by @dpk in #871
Make macro-aux safe for other things together with syntax-case by @dpk in #870
Add support for exporting statically compiled libraries from C by @dpapavas in #856
Fix exit call on plan9/9front by @smazga in #888
Provide identifier-syntax and make-variable-transformer through standardized SRFI libraries. by @mnieper in #887
Fix #880 by @chk-jxcn in #896
Fix bug: sexp_read_number can't parse a/b@c-style number correctly. by @nkoguro in #898
add simple http client and server examples by @adamfeuer in #903
add support for Guile [snow-chibi] by @rgherdt in #907
Update .gitignore by @lassik in #912
Drop (chibi sxml) dependency on let-optionals by @lassik in #913
Fix broken import in (srfi 193) by @lassik in #915
Add index-swap, fix assert in array-append by @gambiteer in #918
Fix SRFI 231 install by @gambiteer in #919
SRFI 231: Add index-* tests by @gambiteer in #920
SRFI 231: Declare char-storage-class, fix interval-projections by @gambiteer in #937
Handle basic special characters in write by @raviqqe in #939
(chibi test): Put newlines after test results etc in verbose mode by @dpk in #942
Fix #944: concatenate! work with empty lists in any position by @ekaitz-zarraga in #945
Add srfi-64 by @ekaitz-zarraga in #943
Reduce iterations in concatenate! by @ekaitz-zarraga in #946
Avoid needless allocation in read-bytevector! by @wasamasa in #950
Fix: segmentation fault during GC marking by @petteripiiroinen in #954
Added missing argument to sexp_string_cursor_set by @0xJonas in #956
improve readme for mac users by @aisk in #932
Unwind on exit by @raviqqe in #940
Fix typo in (chibi app) example. by @arthurgleckler in #978
To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/chibi-scheme/Makefile
cvs rdiff -u -r1.2 -r1.3 pkgsrc/lang/chibi-scheme/PLIST
cvs rdiff -u -r1.4 -r1.5 pkgsrc/lang/chibi-scheme/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Fredrik Pettai <pettai@sunet.se>
To: "gnats-bugs@netbsd.org" <gnats-bugs@NetBSD.org>
Cc:
Subject: Re: bin/55892 (npf cannot handle large tables)
Date: Thu, 12 Jun 2025 14:43:22 +0200
Regarding PR bin/55892 (npf cannot handle large tables)
It’s also true for NetBSD 9.4 i386, and the list can be much smaller to make npf / networking fail.
My list was only 25k ip-addresses then npf never finished loading.
(A shorter list, ~20k entries works fine…)
npf.conf:
$wired_if = "vioif0"
table <blacklist> type ipset file "/etc/npf_blacklist"
alg "icmp"
procedure "log" {
    # Note: npf_ext_log kernel module should be loaded, if not built-in.
    # Also, the interface created, e.g.: ifconfig npflog0 create
    log: npflog0
}
group "wired" on $wired_if {
    block in final from <blacklist>
    pass stateful in final family inet4 proto icmp to $wired_if
    pass in final family inet6 proto ipv6-icmp to $wired_if
[…]
Re,
/P
Copyright © 1994-2025
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.