Project

General

Profile

Actions

Regression #12862

closed

Some ``sysctl`` OIDs in ``loader.conf.local`` are silently removed

Added by David Burns almost 3 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Viktor Gurov
Category:
Operating System
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.05
Release Notes:
Default
Affected Version:
2.6.0
Affected Architecture:

Description

It is common for advanced pfSense users to make use of FreeBSD /boot/loader.conf.local.

Since release of pfSense CE 2.6 / pfSense+ 22.01 it appears that the following 2 oids are removed from loader.conf.local:
kern.ipc.nmbclusters - only removed in pfSense+ 22.01 for 1100/2100/3100/uFW
net.link.ifqmaxlen - removed in all configs

It appears that this behaviour is coded in /etc/inc/pfsense-utils.inc.

1. Removal of the oid net.link.ifqmaxlen (and resetting it to 128) is particularly problematic - it has been linked to improved OpenVPN performance
(eg. references https://redmine.pfsense.org/issues/10311 & https://redmine.pfsense.org/issues/12237)
NB oid 'net.link.ifqmaxlen' is a read only tunable

2. In the case of kern.ipc.nmbclusters the default is too high for low end platforms such as uFW / SG-1100.
(eg. on SG-1100 kern.ipc.nmbclusters defaults to 1000000 which is 2GB of buffer memory - the SG-1100 only has 1GB of RAM - fortunately FreeBSD does not pre-allocate memory)
This inhibits advanced users attempting to configure a more performant yet conservative configuration (eg. avoid memory exhaustion from DoS attacks)

Lastly this behaviour should likely be added to release notes...

Actions #1

Updated by Viktor Gurov almost 3 years ago

  • Assignee set to Viktor Gurov

David Burns wrote:

1. Removal of the oid net.link.ifqmaxlen (and resetting it to 128) is particularly problematic - it has been linked to improved OpenVPN performance
(eg. references https://redmine.pfsense.org/issues/10311 & https://redmine.pfsense.org/issues/12237)
NB oid 'net.link.ifqmaxlen' is a read only tunable

related to https://github.com/pfsense/pfsense/commit/ae241eeab358329feccc7cf2f98bfd07daf5510c

do not remove net.link.ifqmaxlen from /boot/loader.conf.local:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/639

2. In the case of kern.ipc.nmbclusters the default is too high for low end platforms such as uFW / SG-1100.
(eg. on SG-1100 kern.ipc.nmbclusters defaults to 1000000 which is 2GB of buffer memory - the SG-1100 only has 1GB of RAM - fortunately FreeBSD does not pre-allocate memory)
This inhibits advanced users attempting to configure a more performant yet conservative configuration (eg. avoid memory exhaustion from DoS attacks)

You can manually set the value of kern.ipc.nmbclusters in /boot/loader.conf.local

Actions #2

Updated by Jim Pingle almost 3 years ago

2. In the case of kern.ipc.nmbclusters the default is too high for low end platforms such as uFW / SG-1100.
(eg. on SG-1100 kern.ipc.nmbclusters defaults to 1000000 which is 2GB of buffer memory - the SG-1100 only has 1GB of RAM - fortunately FreeBSD does not pre-allocate memory)
This inhibits advanced users attempting to configure a more performant yet conservative configuration (eg. avoid memory exhaustion from DoS attacks)

The code automatically removes the default values for those on 22.01 on ARM (64-bit and 32-bit) so they should no longer have a defined value, leaving the OS to determine the value. Letting the user override that could be problematic on that hardware.

The value is not touched on other platforms, the user is free to define whatever they feel is necessary.

The default is high, but tuning it depends on their hardware and environment. There isn't any good method or guidance to figure it out automatically since it has to be set before the hardware is initialized to avoid some problems (e.g. on systems with high end NICs with lots of queues, the hardware can fail to initialize if the value is too low). It can also increase under load but the exact values again vary based on the hardware, network environment, configuration, load, etc. Better to set it too high and not need it than to set it too low and hit kernel panics. Though FreeBSD is better here now than it has been in the past.

Actions #3

Updated by Viktor Gurov almost 3 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #4

Updated by Jordan G over 2 years ago

Running 22.05.a.20220402.0600 on the 1100, kern.ipc.nmbclusters is not present in /boot/loader.conf or system tunables

Actions #5

Updated by Viktor Gurov over 2 years ago

Jordan Greene wrote in #note-4:

Running 22.05.a.20220402.0600 on the 1100, kern.ipc.nmbclusters is not present in /boot/loader.conf or system tunables

This is the correct behavior for the 1100 appliance (pfsense-plus firmware), see /etc/inc/pfsense-utils.inc#L1152

Actions #6

Updated by Jim Pingle over 2 years ago

  • Subject changed from some sysctl oids in loader.conf.local are silently removed to Some ``sysctl`` OIDs in ``loader.conf.local`` are silently removed
  • Target version set to 2.7.0
  • Plus Target Version set to 22.05

Updating subject for release notes.

Actions #7

Updated by Jim Pingle over 2 years ago

  • Status changed from Feedback to Resolved

The value of net.link.ifqmaxlen in loader.conf.local is retained across multiple reboots on 22.05

Actions

Also available in: Atom PDF