Hello.

I manage an OpenBSD 4.6 router/firewall for a friend's company. It will panic every 10-14 days, even with the GENERIC kernel. The first fix was to schedule a reboot from cron every week.

I looked into this recently. vmstat -m shows huge usage for pfruleitempl, about 100 megabytes per day. Looking into pf.c, I see that space is requested from pfruleitempl for every packet that matches a rule, but it is not released if said packet does not create a state.

Fix:

--- pf.c        Sun Jun 28 18:32:45 2009
+++ pf.c        Wed Apr 20 19:19:07 2011
@@ -3066,6 +3066,10 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm
                        pool_put(&pf_state_key_pl, sk);
                if (nk != NULL)
                        pool_put(&pf_state_key_pl, nk);
+               while ((ri = SLIST_FIRST(&rules))) {
+                   SLIST_REMOVE_HEAD(&rules, entry);
+                   pool_put(&pf_rule_item_pl, ri);
+               }
        }

        /* copy back packet headers if we performed NAT operations */
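Review bot: the new drain loop sits inside the block that frees sk and nk, so it only runs on that failure path; confirm that the rule list has not already been attached to a state by this point, since the same items are released by pf_free_state() and draining them here as well would put each item back twice. Also check that `ri` is declared in pf_test_rule() (the hunk adds no declaration), and match the surrounding KNF style: the loop body is indented four spaces deeper than the `while`, where the existing lines use a tab per level. Since the identical loop appears again at `cleanup:` in the next hunk, a `goto cleanup` or a small helper would avoid duplicating it.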
@@ -3093,6 +3097,10 @@ cleanup:
                pool_put(&pf_state_key_pl, sk);
        if (nk != NULL)
                pool_put(&pf_state_key_pl, nk);
+       while ((ri = SLIST_FIRST(&rules))) {
+           SLIST_REMOVE_HEAD(&rules, entry);
+           pool_put(&pf_rule_item_pl, ri);
+       }
        return (PF_DROP);
 }

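Review bot: this loop correctly runs before the `return (PF_DROP)`, but it also runs for every path that jumps to `cleanup:`; verify that none of those paths arrive here after the list has been handed to a new state, otherwise pf_free_state() will release the same items a second time. The loop is a verbatim copy of the one in the previous hunk; moving both into one helper (or routing the first site through `goto cleanup`) keeps the two free paths from drifting apart, and the body should use tab indentation like the lines around it.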
(Inspired by similar code in pf_free_state().)

Effects visible after 5 minutes:

Before (vmstat -m pool columns: Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle):

pfruleitempl 12 15164 0 15114 45 0 45 45 0 8 0
In use 2257K, total allocated 32896K; utilization 6.9%
 7:06PM  up 5 mins, 1 user, load averages: 0.17, 0.14, 0.07

After (same columns):

pfruleitempl 12 15849 0 20 1 0 1 1 0 8 0
In use 1863K, total allocated 32896K; utilization 5.7%
 7:13PM  up 5 mins, 1 user, load averages: 0.98, 0.50, 0.22

The computer is working fine after 3 weeks of uptime.

To reproduce:

create a pf ruleset with many rules that pass packets but do not create state.
filter a lot of network traffic.
observe pfruleitempl increase.
after an unknown/variable amount of time, observe a panic.

I can't produce panics and ddb output, as users will scream. No money to build a spare. I use a custom kernel, but this happens with GENERIC too. Google reveals other people with similar (identical?)
problems:

http://www.google.com/#sclient=psy&hl=en&safe=off&biw=1280&bih=834&source=hp&q=pfruleitempl&aq=f&aqi=g-v1&aql=&oq=&pbx=1&bav=on.2,or.r_gc.r_pw.&fp=ccd042fd0786cb36

I program DSPs in native language for a living and I am new to OpenBSD. Please do not
throw rocks.
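A user-space model of the leak and of the fix, added here as an illustration; it is not OpenBSD code and the names (`rule_item`, `drain_rule_items`, `test_rule`, `leaked_after`) are invented for the example. It mimics the ownership rule the post describes: rule evaluation pushes one item per matching rule onto an SLIST, a packet that creates a state hands the list to that state (which drains it on teardown, as pf_free_state() does), and a packet that passes without a state has to drain the list itself. The kernel pool(9) is replaced by calloc plus an in-use counter, which plays the role of the pfruleitempl "Requests" minus "Releases" figure from vmstat -m.

```c
/*
 * Added example, not OpenBSD code: a user-space model of the pfruleitempl
 * leak.  The pool is modelled by calloc() plus a live-item counter; the list
 * handling uses the same sys/queue.h SLIST macros as the patch above.
 */
#include <stdlib.h>
#include <sys/queue.h>

struct rule_item {                 /* stand-in for pf_rule_item */
    SLIST_ENTRY(rule_item) entry;
    int rule_nr;
};
SLIST_HEAD(rule_list, rule_item);

static long pool_inuse;            /* Requests - Releases on the model pool */

static struct rule_item *pool_get_item(void) {
    struct rule_item *ri = calloc(1, sizeof(*ri));
    if (ri != NULL)
        pool_inuse++;
    return ri;
}

static void pool_put_item(struct rule_item *ri) {
    pool_inuse--;
    free(ri);
}

long rule_item_pool_inuse(void) { return pool_inuse; }

/* The drain loop the patch adds to both failure paths of pf_test_rule(). */
static void drain_rule_items(struct rule_list *rules) {
    struct rule_item *ri;
    while ((ri = SLIST_FIRST(rules)) != NULL) {
        SLIST_REMOVE_HEAD(rules, entry);
        pool_put_item(ri);
    }
}

/* Rule evaluation: one item per matching rule (assumed: nmatch rules match). */
static int match_rules(struct rule_list *rules, int nmatch) {
    for (int i = 0; i < nmatch; i++) {
        struct rule_item *ri = pool_get_item();
        if (ri == NULL)
            return -1;
        ri->rule_nr = i;
        SLIST_INSERT_HEAD(rules, ri, entry);
    }
    return 0;
}

/* A state owns its rule list and frees it on expiry, like pf_free_state(). */
struct state { struct rule_list rules; };

static void free_state(struct state *s) {
    drain_rule_items(&s->rules);
    free(s);
}

/*
 * Per-packet evaluation.  keep_state == 0 models a packet that passes but
 * creates no state; fixed == 0 models pf.c before the patch.
 */
static int test_rule(int nmatch, int keep_state, int fixed) {
    struct rule_list rules = SLIST_HEAD_INITIALIZER(rules);

    if (match_rules(&rules, nmatch) != 0) {
        drain_rule_items(&rules);          /* failure path: never leak */
        return -1;
    }
    if (keep_state) {
        struct state *s = calloc(1, sizeof(*s));
        if (s == NULL) {
            drain_rule_items(&rules);
            return -1;
        }
        s->rules = rules;                  /* ownership moves to the state */
        free_state(s);                     /* state expiry drains the list */
        return 0;
    }
    if (fixed)
        drain_rule_items(&rules);          /* the patch: free on no-state pass */
    /* unpatched: return with nmatch items still allocated */
    return 0;
}

/* Run npackets packets matching nmatch rules each; return items left in use. */
long leaked_after(int npackets, int nmatch, int keep_state, int fixed) {
    long before = pool_inuse;
    for (int i = 0; i < npackets; i++)
        test_rule(nmatch, keep_state, fixed);
    return pool_inuse - before;
}
```

With the unpatched path, every stateless packet leaves behind one item per matching rule, which is the steady growth of the pfruleitempl column the post reports; stateful packets never leak in either version because the state's teardown drains the list, and the patched stateless path returns the pool to its starting level.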
