svn commit: r276747 - head/sys/netpfil/pf

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Thu Jan 8 00:50:26 UTC 2015


> On 08 Jan 2015, at 00:31 , Gleb Smirnoff <glebius at FreeBSD.org> wrote:
> 
> On Thu, Jan 08, 2015 at 12:21:57AM +0000, Bjoern A. Zeeb wrote:
> B> 
> B> > On 07 Jan 2015, at 20:46 , Gleb Smirnoff <glebius at freebsd.org> wrote:
> B> > 
> B> > On Tue, Jan 06, 2015 at 09:03:04AM +0000, Craig Rodrigues wrote:
> B> > C> Author: rodrigc
> B> > C> Date: Tue Jan  6 09:03:03 2015
> B> > C> New Revision: 276747
> B> > C> URL: https://svnweb.freebsd.org/changeset/base/276747
> B> > C> 
> B> > C> Log:
> B> > C>   Instead of creating a purge thread for every vnet, create
> B> > C>   a single purge thread and clean up all vnets from this thread.
> B> > C>   
> B> > C>   PR:                     194515
> B> > C>   Differential Revision:  D1315
> B> > C>   Submitted by:           Nikos Vassiliadis <nvass at gmx.com>
> B> > 
> B> > I am not sure that this is a good idea. The core idea of VNETs
> B> > is that they are isolated from each other. If we serialize purging,
> B> > then vnets are strongly affecting each other.
> B> > 
> B> > AFAIU, from the PR there is some panic fixed. What is the actual bug
> B> > and why couldn't it be fixed with having per-vnet thread?
> B> 
> B> You don’t want 30000 whatever pf purging threads on a system all running, possibly competing for some resources, e.g., locks?
> 
> Isn't a vnet, which is a jail, already a set of a dozen of processes? So,
> if you are speaking of "30000 whatever pf purging threads", then you
> already mean "1 mln whatever processes".

jail/VNETs can exist without a single process attached.

But I guess the point is that there is only so much work we can do at the same time and we should be very careful in what we try to parallellellellize as with 5 vnets it might be fine, with a couple of thousand you may keep a system busy with itself.


> Speaking of pf purging threads competing for resources. If someone wants
> really independent pfs in vnets, then locks should be virtualized as well.

No please don’t.  The only places where we “virtualise” locks for VNETs is part of data structures which are vnet specific (virtualised).

— 
Bjoern A. Zeeb                                  Charles Haddon Spurgeon:
"Friendship is one of the sweetest joys of life.  Many might have failed
 beneath the bitterness of their trial  had they not found a friend."


