OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
(no subject)

From: Massimo (massimocedoc.mo.it)
Date: Fri Aug 20 2004 - 08:57:18 CDT

Hi all,
  I was in the process of replacing an old PIX 515 with a new couple of
OBSD 3.5 boxes with all the new great features enabled, for instance
CARP and pfsync.
CARP is intended to be used in preempt mode.
The main box is a Pentium IV 3.2 with 2G RAM, a RAID-1 SCSI adapter and
10 em(4) network cards (i can post the dmesg if interested).
After installing 3.5-release i've taken the OS to -stable as described
on openbsd.org/stable.html.
All was smooth as possible till, after setting everything up: carp,
pfsync, pf i've tested (with almost no load) the box connected to the
LAN, then came the kernel warning:
"/bsd: WARNING: mclpool limit reached; increase NMBCLUSTERS"

The kernel is GENERIC.

Digging through the MLs archive i've charged the em(4) nics as guilty
for the problem for their much use of mbuf, i've also seen some
developers suggest to move to -current as a solution as there there are
a lot of "huge improvement" in the kernel area managing mbuf, so i've
taken today available snapshot (files dated 19/08), backed up al my
configs, installed the snapshots from scratch and put on line again all
my configs, something seems to have changed... better.

Now with the box with all enabled but only on nic connected the LAN
(used as a source to install from ports) i got
from netstat -m:
1898 mbufs in use:
        1869 mbufs allocated to data
        26 mbufs allocated to packet headers
        3 mbufs allocated to socket names and addresses
1792/1822/6144 mbuf clusters in use (current/peak/max)
4164 Kbytes allocated to network (97% in use)
0 requests for memory denied
0 requests for memory delayed
78 calls to protocol drain routines

from vmstat -m:
Memory Totals: In Use Free Requests
                 1620K 77K 268864
--- snippet ---
bufpl 116 10 0 10 1 0 1 1
0 8 1
mbpl 256 502411 0 500442 211 81 130 132
1 8 6
mclpl 2048 155319 4 153527 911 0 911 911 4
3072 14
sockpl 200 397 0 381 1 0 1 1
0 8 0
--- snippet ---

before with 3.5-stable i got mbufs from netstat -m always growing till
the warning now they are stable at that level (the box is with no load
at all)

For what i can see i'm going to deploy this box with 19/08 snapshots
(3.6-beta) but i would like to know how to track future enhancement
especially security enhancement and if there's some special hints you
would like to give to me. Thanks!

Regards

--
Massimo