[Bug #3032] IPFW3: memory leakage? objcache(xxx): Exhausted!

Aaron LI aly at aaronly.me
Thu Jun 8 04:33:11 PDT 2017


On Wed, 2017-06-07 at 23:54 +0800, Aaron LI wrote:
> 
> I think it's easy to reproduce this issue with a VM (e.g., VirtialBox)
> installed the latest DFly release or master snapshot, configure about 256 or
> 512 MB RAM, enable IPFW3 (I used the basic and layer4 modules), and
> continuously download/upload some data.  Also keep monitoring the mbuf
> usages (netstat -m).
> 
> I will set up a VM to test this issue and report to you.

Hi Bill,


I've set up a VM with DFly 4.8.0-Release to test this issue, and find that the
issue is very likely caused by the *UDP traffic state check* for IPFW3.

A. VM & System
==============
Host OS: Debian Linux (testing) amd64
VM emulator: VirtualBox 5.1.10
VM memory: 256 MB RAM
Guest OS: DragonFly BSD 4.8.0-Release
Guest network: 192.168.1.236 (bridged)
Host network: 192.168.1.0/24

B. Results
==========
1. With basic IPFW3 rules: "check-state" and "allow tcp from me out via em0
keep-state",
   (1) downloading a lot of data from a remote host: OK (mbuf usages);
   (2) "scp" a lot of data to a remote host: OK (mbuf usages).

2. Use the full IPFW3 rules configured for my home DFly machine (attached
below), then monitor the mbuf usages, and I find the mbuf usages *keep
increasing* as the UDP traffic increases.  For example, after the VM running
for an afternoon:

---------------------------------------------------------
vbox# netstat -m
2652/10560 mbufs in use (current/max):
519/1536 mbuf clusters in use (current/max)
0/512 mbuf jumbo clusters in use (current/max)
	3116 mbufs and mbuf clusters allocated to data
	52 mbufs and mbuf clusters allocated to packet headers
2364 Kbytes allocated to network (28% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

vbox# ipfw3 show | egrep -v '\s+0\s+0\s+'
00100  859  90620  check-state
00200    2     80  allow tcp from me out via em0 keep-state
00304   12   4088  deny from 0.0.0.0/8 in via em0
00305    3    984  deny from 169.254.0.0/16 in via em0
00310    6    504  allow icmp in via em0 keep-state
00332   17   1632  deny tcp established in via em0
00500  829  87621  allow tcp dst-port 22 in via em0 keep-state
00701 2176 211072  allow udp dst-port 21027 in via em0 keep-state
60000 1319 179663  deny in via em0
---------------------------------------------------------

NOTE:
* The UDP port 21027 is used by Syncthing (https://syncthing.net/) for
discovery broadcasts on IPv4 and multicasts on IPv6.  I'm running Syncthing on
3 other hosts within the LAN 192.168.1.0/24.
* The VM is just idle and runs nothing.

Wish the information help you reproduce and then solve this issue.


My full IPFW3 rules:
---------------------------------------------------------
00010  allow via lo0
00100  check-state
00200  allow tcp from me out via em0
keep-state
00201  allow udp from me out via em0 keep-state
00202  allow icmp
from me out via em0 keep-state
00301  deny from 172.16.0.0/12 in via em0
00303  
deny from 127.0.0.0/8 in via em0
00304  deny from 0.0.0.0/8 in via em0
00305  de
ny from 169.254.0.0/16 in via em0
00306  deny from 192.0.2.0/24 in via em0
00307
  deny from 204.152.64.0/23 in via em0
00308  deny from 224.0.0.0/3 in via em0
0
0310  allow icmp in via em0 keep-state
00315  deny tcp dst-port 113 in via em0
0
0320  deny tcp dst-port 137 in via em0
00321  deny tcp dst-port 138 in via em0
0
0322  deny tcp dst-port 139 in via em0
00323  deny tcp dst-port 81 in via em0
00
332  deny tcp established in via em0
00500  allow tcp dst-port 22 in via em0
keep-state
00500  allow tcp dst-port 8860 in via em0 keep-state
00510  allow tcp
dst-port 80 in via em0 keep-state
00512  allow tcp dst-port 8800 in via em0
keep-state
00513  allow tcp dst-port 8801 in via em0 keep-state
00700  allow tcp
dst-port 22000 in via em0 keep-state
00701  allow udp dst-port 21027 in via em0
keep-state
00800  allow dst-port 51413 in via em0 keep-state
00801  allow tcp
from 192.168.1.0/24 dst-port 9091 in via em0 keep-state
60000  deny in via em0
6
5535  deny
---------------------------------------------------------


Regards,
-- 
Aly
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://lists.dragonflybsd.org/pipermail/users/attachments/20170608/be3e5b07/attachment-0002.bin>


More information about the Users mailing list