Regression #12862
Some ``sysctl`` OIDs in ``loader.conf.local`` are silently removed
Status: closed
% Done: 100%
Description
It is common for advanced pfSense users to make use of FreeBSD /boot/loader.conf.local.
Since the release of pfSense CE 2.6 / pfSense+ 22.01 it appears that the following two OIDs are removed from loader.conf.local:
kern.ipc.nmbclusters - only removed in pfSense+ 22.01 for 1100/2100/3100/uFW
net.link.ifqmaxlen - removed in all configs
It appears that this behaviour is coded in /etc/inc/pfsense-utils.inc.
1. Removal of the OID net.link.ifqmaxlen (and resetting it to 128) is particularly problematic - it has been linked to improved OpenVPN performance
(e.g. references https://redmine.pfsense.org/issues/10311 & https://redmine.pfsense.org/issues/12237)
NB: OID 'net.link.ifqmaxlen' is a read-only tunable
2. In the case of kern.ipc.nmbclusters the default is too high for low-end platforms such as uFW / SG-1100.
(e.g. on SG-1100 kern.ipc.nmbclusters defaults to 1000000, which is 2GB of buffer memory - the SG-1100 only has 1GB of RAM - fortunately FreeBSD does not pre-allocate memory)
This inhibits advanced users attempting to configure a more performant yet conservative configuration (e.g. to avoid memory exhaustion from DoS attacks)
Lastly, this behaviour should likely be added to the release notes...
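Because the removal described above is silent, an operator only finds out by comparing what loader.conf.local asks for with what the kernel is actually running after a reboot. The following audit script is an added example, not pfSense's own code; the sample loader.conf.local and the sysctl snapshot are constructed, and hw.usb.no_pf is used only as a third illustrative OID.

```python
import re
import subprocess

# Constructed sample /boot/loader.conf.local, as an advanced pfSense user might write it.
SAMPLE_LOADER_CONF_LOCAL = """\
# tuned for OpenVPN throughput (see redmine #10311)
net.link.ifqmaxlen="2048"
kern.ipc.nmbclusters=131072   # conservative on a 1GB RAM appliance
hw.usb.no_pf=1
"""

# Constructed snapshot of what `sysctl -n <oid>` returned after a reboot.
SAMPLE_RUNNING = {
    "net.link.ifqmaxlen": "128",        # silently reset to the FreeBSD default
    "kern.ipc.nmbclusters": "131072",   # retained as requested
    # hw.usb.no_pf absent: OID unknown on this kernel, sysctl -n fails
}

# oid=value or oid="value", optional trailing comment
_ASSIGN = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*=\s*"?([^"#\s]*)"?')

def parse_loader_conf(text):
    """Return {oid: value} for every tunable assignment in loader.conf(5)-style text."""
    tunables = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            tunables[m.group(1)] = m.group(2)
    return tunables

def audit_tunables(text, running):
    """Compare requested tunables with running values ({oid: str}, None = unknown OID).
    Returns [(oid, requested, running)] for every tunable that is not in effect."""
    mismatches = []
    for oid, wanted in parse_loader_conf(text).items():
        actual = running.get(oid)
        if actual is None or actual.strip() != wanted:
            mismatches.append((oid, wanted, actual))
    return mismatches

def running_sysctl_values(oids):
    """Query the live kernel with sysctl -n (FreeBSD/pfSense); unknown OIDs map to None."""
    values = {}
    for oid in oids:
        r = subprocess.run(["sysctl", "-n", oid], capture_output=True, text=True)
        values[oid] = r.stdout.strip() if r.returncode == 0 else None
    return values

if __name__ == "__main__":
    for oid, wanted, actual in audit_tunables(SAMPLE_LOADER_CONF_LOCAL, SAMPLE_RUNNING):
        print(f"{oid}: requested {wanted}, running {actual or 'not present'}")
```

On a live box, replace SAMPLE_RUNNING with running_sysctl_values(parse_loader_conf(open("/boot/loader.conf.local").read())) and run it after each reboot; a read-only tunable such as net.link.ifqmaxlen can only be checked this way, since it cannot be changed at runtime.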
Updated by Viktor Gurov over 2 years ago
- Assignee set to Viktor Gurov
David Burns wrote:
> 1. Removal of the OID net.link.ifqmaxlen (and resetting it to 128) is particularly problematic - it has been linked to improved OpenVPN performance
> (e.g. references https://redmine.pfsense.org/issues/10311 & https://redmine.pfsense.org/issues/12237)
> NB: OID 'net.link.ifqmaxlen' is a read-only tunable
Related to https://github.com/pfsense/pfsense/commit/ae241eeab358329feccc7cf2f98bfd07daf5510c
Do not remove net.link.ifqmaxlen from /boot/loader.conf.local:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/639
> 2. In the case of kern.ipc.nmbclusters the default is too high for low-end platforms such as uFW / SG-1100.
> (e.g. on SG-1100 kern.ipc.nmbclusters defaults to 1000000, which is 2GB of buffer memory - the SG-1100 only has 1GB of RAM - fortunately FreeBSD does not pre-allocate memory)
> This inhibits advanced users attempting to configure a more performant yet conservative configuration (e.g. to avoid memory exhaustion from DoS attacks)
You can manually set the value of kern.ipc.nmbclusters in /boot/loader.conf.local.
Updated by Jim Pingle over 2 years ago
> 2. In the case of kern.ipc.nmbclusters the default is too high for low-end platforms such as uFW / SG-1100.
> (e.g. on SG-1100 kern.ipc.nmbclusters defaults to 1000000, which is 2GB of buffer memory - the SG-1100 only has 1GB of RAM - fortunately FreeBSD does not pre-allocate memory)
> This inhibits advanced users attempting to configure a more performant yet conservative configuration (e.g. to avoid memory exhaustion from DoS attacks)
The code automatically removes the default values for those on 22.01 on ARM (64-bit and 32-bit) so they should no longer have a defined value, leaving the OS to determine the value. Letting the user override that could be problematic on that hardware.
The value is not touched on other platforms, the user is free to define whatever they feel is necessary.
The default is high, but tuning it depends on their hardware and environment. There isn't any good method or guidance to figure it out automatically since it has to be set before the hardware is initialized to avoid some problems (e.g. on systems with high end NICs with lots of queues, the hardware can fail to initialize if the value is too low). It can also increase under load but the exact values again vary based on the hardware, network environment, configuration, load, etc. Better to set it too high and not need it than to set it too low and hit kernel panics. Though FreeBSD is better here now than it has been in the past.
Updated by Viktor Gurov over 2 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset c2bb95522780cbeffd1bca97c44c673ec7f973f1.
Updated by Jordan G over 2 years ago
Running 22.05.a.20220402.0600 on the 1100, kern.ipc.nmbclusters is not present in /boot/loader.conf or system tunables
Updated by Viktor Gurov over 2 years ago
Jordan Greene wrote in #note-4:
> Running 22.05.a.20220402.0600 on the 1100, kern.ipc.nmbclusters is not present in /boot/loader.conf or system tunables
This is the correct behavior for the 1100 appliance (pfsense-plus firmware), see /etc/inc/pfsense-utils.inc#L1152
Updated by Jim Pingle over 2 years ago
- Subject changed from some sysctl oids in loader.conf.local are silently removed to Some ``sysctl`` OIDs in ``loader.conf.local`` are silently removed
- Target version set to 2.7.0
- Plus Target Version set to 22.05
Updating subject for release notes.
Updated by Jim Pingle over 2 years ago
- Status changed from Feedback to Resolved
The value of net.link.ifqmaxlen in loader.conf.local is retained across multiple reboots on 22.05.