Regression #12862
closed
Some ``sysctl`` OIDs in ``loader.conf.local`` are silently removed
Added by David Burns over 2 years ago.
Updated over 2 years ago.
Category: Operating System
Plus Target Version: 22.05
Description
It is common for advanced pfSense users to make use of FreeBSD /boot/loader.conf.local.
Since release of pfSense CE 2.6 / pfSense+ 22.01 it appears that the following 2 oids are removed from loader.conf.local:
kern.ipc.nmbclusters - only removed in pfSense+ 22.01 for 1100/2100/3100/uFW
net.link.ifqmaxlen - removed in all configs
It appears that this behaviour is coded in /etc/inc/pfsense-utils.inc.
1. Removal of the oid net.link.ifqmaxlen (and resetting it to 128) is particularly problematic - it has been linked to improved OpenVPN performance
(e.g. references https://redmine.pfsense.org/issues/10311 & https://redmine.pfsense.org/issues/12237)
NB oid 'net.link.ifqmaxlen' is a read-only tunable
2. In the case of kern.ipc.nmbclusters the default is too high for low-end platforms such as uFW / SG-1100.
(e.g. on SG-1100 kern.ipc.nmbclusters defaults to 1000000 which is 2GB of buffer memory - the SG-1100 only has 1GB of RAM - fortunately FreeBSD does not pre-allocate memory)
This inhibits advanced users attempting to configure a more performant yet conservative configuration (e.g. avoid memory exhaustion from DoS attacks)
Lastly this behaviour should likely be added to release notes...
- Assignee set to Viktor Gurov
> 2. In the case of kern.ipc.nmbclusters the default is too high for low-end platforms such as uFW / SG-1100.
> (e.g. on SG-1100 kern.ipc.nmbclusters defaults to 1000000 which is 2GB of buffer memory - the SG-1100 only has 1GB of RAM - fortunately FreeBSD does not pre-allocate memory)
> This inhibits advanced users attempting to configure a more performant yet conservative configuration (e.g. avoid memory exhaustion from DoS attacks)
The code automatically removes the default values for those on 22.01 on ARM (64-bit and 32-bit) so they should no longer have a defined value, leaving the OS to determine the value. Letting the user override that could be problematic on that hardware.
The value is not touched on other platforms, the user is free to define whatever they feel is necessary.
The default is high, but tuning it depends on their hardware and environment. There isn't any good method or guidance to figure it out automatically since it has to be set before the hardware is initialized to avoid some problems (e.g. on systems with high end NICs with lots of queues, the hardware can fail to initialize if the value is too low). It can also increase under load but the exact values again vary based on the hardware, network environment, configuration, load, etc. Better to set it too high and not need it than to set it too low and hit kernel panics. Though FreeBSD is better here now than it has been in the past.
- Status changed from New to Feedback
- % Done changed from 0 to 100
Running 22.05.a.20220402.0600 on the 1100, kern.ipc.nmbclusters is not present in /boot/loader.conf or system tunables
Jordan Greene wrote in #note-4:
> Running 22.05.a.20220402.0600 on the 1100, kern.ipc.nmbclusters is not present in /boot/loader.conf or system tunables
This is the correct behavior for the 1100 appliance (pfsense-plus firmware), see /etc/inc/pfsense-utils.inc#L1152
- Subject changed from some sysctl oids in loader.conf.local are silently removed to Some ``sysctl`` OIDs in ``loader.conf.local`` are silently removed
- Target version set to 2.7.0
- Plus Target Version set to 22.05
Updating subject for release notes.
- Status changed from Feedback to Resolved
The value of net.link.ifqmaxlen in loader.conf.local is retained across multiple reboots on 22.05
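
One way to catch this kind of silent removal after an upgrade, as an added example that is not part of the original issue or of pfSense's own code: a POSIX sh script that compares a saved copy of loader.conf.local against the current file and flags tunables that went missing or changed. The file contents and values are constructed, and `hw.example.tunable` is a hypothetical name.

```shell
#!/bin/sh
# Added example; file contents and values are constructed, and
# hw.example.tunable is a hypothetical name.

# parse_conf FILE -> "key value" per assignment; '#' starts a comment.
parse_conf() {
    sed -e 's/#.*$//' "$1" | awk '{
        i = index($0, "="); if (!i) next
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t"]+|[ \t"]+$/, "", val)
        if (key != "") print key, val
    }'
}

# get_tunable FILE KEY -> last value set for KEY; exit status 1 if absent.
get_tunable() {
    parse_conf "$1" | awk -v k="$2" '$1 == k { v = $2; f = 1 }
        END { if (!f) exit 1; print v }'
}

# audit_tunables BASELINE CURRENT -> one status line per baseline key;
# returns 1 when any baseline key is MISSING or CHANGED.
audit_tunables() {
    rc=0
    for key in $(parse_conf "$1" | awk '{ print $1 }' | sort -u); do
        want=$(get_tunable "$1" "$key")
        if have=$(get_tunable "$2" "$key"); then
            if [ "$have" = "$want" ]; then
                echo "OK $key=$have"
            else
                echo "CHANGED $key baseline=$want current=$have"; rc=1
            fi
        else
            echo "MISSING $key baseline=$want"; rc=1
        fi
    done
    return $rc
}

# Demo on constructed files: one key dropped, one changed, one intact.
tmp=$(mktemp -d)
printf '%s\n' 'net.link.ifqmaxlen="2048"' 'kern.ipc.nmbclusters="65536"' \
    'hw.example.tunable="1"' > "$tmp/baseline"
printf '%s\n' 'kern.ipc.nmbclusters="131072"' \
    'hw.example.tunable="1"' > "$tmp/current"
audit_tunables "$tmp/baseline" "$tmp/current" || echo "drift detected"
rm -rf "$tmp"
```

On the firewall, the baseline would be a copy of /boot/loader.conf.local saved before the upgrade and the current file the one found after the reboot.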