Two Options: which to choose?

Max Laier max at love2party.net
Thu Jun 30 22:38:11 GMT 2005


On Thursday 30 June 2005 23:58, Maciej Wierzbicki wrote:
> On Thu, Jun 30, 2005 at 05:53:20PM -0400, Matt Juszczak wrote:
> > You say it didn't crash for a month, but then you say to try FreeBSD with
> > PF because it works perfectly.  To me, a month of uptime isn't perfectly.
>
> It is, comparing to two- or three-day uptime periodic when it crashes. With
> IPF. :-)
>
> > Can you elaborate?  Is your machine still crashing even though it's taking
> > a month instead of a few days like it did previously?
>
> What I meant was: after removing IPF I did not get any crash.

I have said it before, I'll say it again for the record:  IPF's shared lock 
implementation is *BROKEN* by design.  This is caused by a misunderstanding 
of the sx(9) implementation in FreeBSD - it seems to me.  The problem with 
the current sx(9) implementation is that it *sleeps* (not to be confused with 
"blocks") in the shared case which leads to deadlocks/panics/and other bad 
things.  The only way out of this at the moment is a hand-rolled shared lock 
implementation (as done for pfil(9) and ipfw) which has to take care of 
starvation protection somehow.  The existing sx(9) ignores this issue by 
sleeping in the shared case, which is valid in some cases but just not 
practical here.

One might argue that this is hardly IPF's fault and sx(9) should be fixed.  
The way in which the reworked locking was rushed into RELENG_5, however, was 
far from professional (IMHO) and is what causes you the headache.</rant>

I hope that PF does it better when we change to a shared lock - which I am 
certainly planning on.  This is a non-trivial task and needs time.  Right now 
there is one issue with PF and SMP which is documented in the pf.conf(5) 
manpage.  In 5.4 there is an additional problem with pfsync that has been 
fixed in RELENG_5 a couple of days ago.

To summarize: Unless you see crashes unrelated to PF or network, you should 
stay with 5.4+PF as it is in good shape.  If you see crashes that hint into 
the PF/network corner, please let us know.  Most of the time "debug.mpsafenet 
= 0" can help to fix things, it's up to you if the performance implication is 
a problem.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
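
What "starvation protection" in a hand-rolled shared lock can look like, as an added example that is not part of the original post and not the pfil(9) or ipfw code: a userland C11 sketch in which a waiting writer sets a flag that turns new readers away, so a steady stream of readers cannot lock the writer out. All names (rwl, rw_try_rlock, rw_try_wlock, rw_wcancel) are hypothetical, and callers are assumed to spin on the try functions rather than sleep.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical userland sketch; not the pfil(9) or ipfw kernel code. */
#define W_HELD 0x80000000u   /* a writer owns the lock */
#define W_WANT 0x40000000u   /* a writer is waiting: refuse new readers */
#define R_MASK 0x3fffffffu   /* count of active readers */

struct rwl { atomic_uint state; };

/* Shared acquire. Never sleeps: fails at once if a writer holds or waits. */
bool rw_try_rlock(struct rwl *l) {
    unsigned s = atomic_load(&l->state);
    do {
        if (s & (W_HELD | W_WANT))
            return false;
    } while (!atomic_compare_exchange_weak(&l->state, &s, s + 1));
    return true;
}

void rw_runlock(struct rwl *l) { atomic_fetch_sub(&l->state, 1); }

/* Exclusive acquire. Setting W_WANT first is the starvation protection:
 * existing readers drain, new ones are turned away. W_WANT stays set on
 * failure, so the caller must retry (spin) or call rw_wcancel(). */
bool rw_try_wlock(struct rwl *l) {
    unsigned s = atomic_fetch_or(&l->state, W_WANT) | W_WANT;
    do {
        if (s & (W_HELD | R_MASK))
            return false;
    } while (!atomic_compare_exchange_weak(&l->state, &s, W_HELD));
    return true;
}

void rw_wcancel(struct rwl *l) { atomic_fetch_and(&l->state, ~W_WANT); }
void rw_wunlock(struct rwl *l) { atomic_fetch_and(&l->state, ~W_HELD); }

int main(void) {
    struct rwl l;
    atomic_init(&l.state, 0);
    rw_try_rlock(&l);                         /* one reader is active */
    printf("writer: %d\n", rw_try_wlock(&l)); /* fails, but sets W_WANT */
    printf("reader: %d\n", rw_try_rlock(&l)); /* refused while writer waits */
    rw_runlock(&l);
    printf("writer: %d\n", rw_try_wlock(&l)); /* readers drained: succeeds */
    rw_wunlock(&l);
    return 0;
}
```
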


More information about the freebsd-stable mailing list