bin/55892: npf cannot handle large tables

To: gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: bin/55892: npf cannot handle large tables
From: technet%netdog.org@localhost
Date: Tue, 22 Dec 2020 13:40:00 +0000 (UTC)

>Number:         55892
>Category:       bin
>Synopsis:       npf cannot handle large tables
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Dec 22 13:40:00 +0000 2020
>Originator:     Hector
>Release:        NetBSD 9.1
>Organization:
>Environment:
NetBSD apu4ed.home.lan 9.1 NetBSD 9.1 (GENERIC) #0: Sun Oct 18 19:24:30 UTC 2020  mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
On attempting to load a npf(7) ruleset which references a table with tens of thousands of entries, npfctl(8) silently runs for a very long time, and then emits some garbage output. At this point, the npf is left in an operable state.

The failure to properly load the ruleset is one bad behaviour.

That loading a ruleset takes minutes is another bad behavior.
>How-To-Repeat:
Here you can download a minimal npf.conf which tries to load a table of about 52,000 subnets.

http://lab.netdog.org/npf.conf

http://lab.netdog.org/ip-blacklist-52k.gz

On a 4-core machine with 4GB of memory, this command:

 # npfctl reload

chewed in silence for about 7 minutes, and then produced this output:

  npfctl: &#65533;8

With a larger table, the run time is longer, and the garbage output is different, being longer.
>Fix:

Prev by Date: Re: kern/55889: panic when boot GENERIC64 kernel on RaspberryPi4 (without RPi4_UEFI_Firmware)
Next by Date: Re: kern/26204 (if_txp doesn't work with 3com 3CR990B-FX, panics at boot time)
Previous by Thread: bin/55891: /usr/bin/nl breaks POSIX compatibility
Next by Thread: Re: bin/55892: npf cannot handle large tables
Indexes:

Home | Main Index | Thread Index | Old Index