hi sashan, i wish all a Happy New Year :)
On Thu, Dec 29, 2022 at 03:23:17PM +0100, Alexandr Nedvedicky wrote:
> Hello Tamas,
>
> </snip>
> > > if upgrading to snapshots is not an option for you. can you give
> > > a try to patch below? it's dlg's commit merged to 7.2. There is
> > > some divergence between current and 7.2 (*_state_import()) got
> > > moved from if_pfsync.c to pf.c in current. I had to craft that
> > > part of diff manually.
> > >
> > > thanks a lot for your help
> >
> > I am going to advise the team operating the firewall.
> >
> > I have 2 goals:
> > . have the issue fixed (and get the hosts stable)
> > . end up with something that is upgradable (e.g.: syspatch) in a reasonable way
> >   (and probably have the fix available for others)
> >
> > If applying the patch to 7.2 helps with the testing to get a syspatch out that
> > would be probably the best.
>
> please also watch vmstat
>
> vmstat -m |egrep -e '^Name|^pfst'
>
> on a system with diff applied. just to make sure the crafted diff for 7.2
> does not introduce a memory/reference leak.

We have upgraded 4 days ago and no crash so far (we got a panic every 1-2 days
before).

the counters are:

# vmstat -m |egrep -e '^Name|^pfst'
Name     Size  Requests Fail InUse   Pgreq   Pgrel Npage Hiwat Minpg Maxpg Idle
pfstate   336 141455484    0 20234 1514647 1512747  1900 72427     0     8    5
pfstkey   120 141513216    0 20248  458277  457547   730 26333     0     8    2
pfstitem   24 138870982    0 17696   68005   67869   136  5047     0     8    0

We are interested in the "Size" column, right? That is constant.
I can send an update tomorrow with the full output again if useful.

If it remains stable for some time (maybe 1-2 weeks?), can this be included in
the next syspatch? Then others will not be bitten with the same issue and we
can switch back to standard syspatch patches and kernel.

Regards,
Tamas
--
