Hello Tamas,

</snip>

On Tue, Jan 03, 2023 at 02:36:48PM +0000, Csillag Tamas wrote:
> > 
> >     please also watch vmstat
> > 
> >     vmstat -m |egrep -e '^Name|^pfst'
> > 
> >     on a system with diff applied. just to make sure the crafted diff for 7.2
> >     does not introduce a memory/reference leak.
> 
> We have upgraded 4 days ago and no crash so far (we got a panic every 1-2 days
> before).

    thanks for giving it a try.

> 
> the counters are:
> 
> # vmstat -m |egrep -e '^Name|^pfst'
> Name        Size Requests Fail    InUse Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
> pfstate      336 141455484   0    20234 1514647 1512747 1900 72427  0     8    5
> pfstkey      120 141513216   0    20248 458277 457547 730 26333     0     8    2
> pfstitem      24 138870982   0    17696 68005 67869   136  5047     0     8    0
> 
> We are interested in the "Size" column, right? That is constant.
> I can send an update tomorrow with the full output again if useful.

    Column Size is the 'sizeof (pfstate)', so it is supposed to be constant.
    The most important column to watch here is 'InUse'. It says how many
    objects are currently allocated from the given pool. This number should be
    oscillating. Taking a few samples over a time period (hour, day...) should
    show some oscillation of the InUse counter around some mean value. It's dynamic,
    so it depends on how busy your firewall is.

    If there were a memory leak, then the InUse counter would be steadily growing.
    However, looking at the single sample you've collected, it looks like there
    is no memory leak. The memory seems to be reclaimed. The Pgreq column indicates
    pf was running for some time already.

> 
> If it remains stable for some time (maybe 1-2 weeks?), can this be included in
> the next syspatch? Then others will not be bitten with the same issue and we
> can switch back to standard syspatch patches and kernel.

    OK, please report back after a week or so if patched systems are still
    happy. I'll ask other folks in OpenBSD to create a syspatch. I can not
    promise anything (whether a syspatch will be issued or not). The work must
    be done by other people.

thanks and
regards
sashan
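
The sampling check described in this thread, as an added example that is not part of the original messages: it extracts InUse for the pf pools from `vmstat -m` output and classifies a series of samples as oscillating or steadily growing. The function names, the `examplepool` pool and all sample values after the first `pfstate` reading are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample values are constructed;
# "examplepool" is a hypothetical pool standing in for a leaking one.

# Print "pool InUse" for the pf state pools from `vmstat -m` output on stdin.
# InUse is the 5th column: Name Size Requests Fail InUse ...
pool_inuse() {
    awk '/^pfst/ { print $1, $5 }'
}

# Read "pool InUse" samples (oldest first) on stdin and classify each pool:
#   growing      InUse rose at every step (leak suspect, keep sampling)
#   oscillating  InUse dropped or held at least once (memory is reclaimed)
#   insufficient fewer than three samples, no verdict
# Collect e.g. hourly:  vmstat -m | pool_inuse >> samples.txt
inuse_trend() {
    awk '
    {
        if ($1 in last) {
            steps[$1]++
            if ($2 + 0 > last[$1]) rises[$1]++
        } else {
            order[++n] = $1            # remember first-seen order
        }
        last[$1] = $2 + 0
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            if (steps[p] < 2) verdict = "insufficient"
            else if (rises[p] == steps[p]) verdict = "growing"
            else verdict = "oscillating"
            print p, verdict
        }
    }'
}

# Constructed samples: pfstate moves around a mean, examplepool only climbs.
CONSTRUCTED_SAMPLES='pfstate 20234
examplepool 100
pfstate 18790
examplepool 180
pfstate 21455
examplepool 260
pfstate 19902
examplepool 340'

printf '%s\n' "$CONSTRUCTED_SAMPLES" | inuse_trend
```

A "growing" verdict over a short window can also come from traffic ramping up, so it is a reason to keep sampling over a longer period rather than proof of a leak.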
