svn commit: r276747 - head/sys/netpfil/pf

Julian Elischer julian at freebsd.org
Thu Jan 8 03:37:58 UTC 2015


On 1/8/15 8:31 AM, Gleb Smirnoff wrote:
> On Thu, Jan 08, 2015 at 12:21:57AM +0000, Bjoern A. Zeeb wrote:
> B>
> B> > On 07 Jan 2015, at 20:46 , Gleb Smirnoff <glebius at freebsd.org> wrote:
> B> >
> B> > On Tue, Jan 06, 2015 at 09:03:04AM +0000, Craig Rodrigues wrote:
> B> > C> Author: rodrigc
> B> > C> Date: Tue Jan  6 09:03:03 2015
> B> > C> New Revision: 276747
> B> > C> URL: https://svnweb.freebsd.org/changeset/base/276747
> B> > C>
> B> > C> Log:
> B> > C>   Instead of creating a purge thread for every vnet, create
> B> > C>   a single purge thread and clean up all vnets from this thread.
> B> > C>
> B> > C>   PR:                     194515
> B> > C>   Differential Revision:  D1315
> B> > C>   Submitted by:           Nikos Vassiliadis <nvass at gmx.com>
> B> >
> B> > I am not sure that this is a good idea. The core idea of VNETs
> B> > is that they are isolated from each other. If we serialize purging,
> B> > then vnets are strongly affecting each other.
> B> >
> B> > AFAIU, from the PR there is some panic fixed. What is the actual bug
> B> > and why couldn't it be fixed with having per-vnet thread?
> B>
> B> You don’t 30000 whatever pf purging threads on a system all running, possibly competing for some resources, e.g., locks?
>
> Isn't a vnet, which is a jail, already a set of a dozen of processes? So,
> if you are speaking of "30000 whatever pf purging threads", then you
> already mean "1 mln whatever processes".
Actually, no.
As we have presented it, a vnet is part of a jail.
But it was originally an independent
thing, like FIBS, and a jail may exist with a single process.
I think one should be enough, or if that is not sufficient, then
at maximum, one per CPU.
>
> Speaking of pf purging threads competing for resources. If someone wants
> really independent pfs in vnets, then locks should be virtualized as well.
>


