Netgate Discussion Forum

    So many filterdns instances…

    2.1 Snapshot Feedback and Problems - RETIRED
      eri--

      Do you have a long list of aliases in the one where you have the hostname?

        AhnHEL

        @dhatz:

        However it seems that the new filterdns needs too much memory at system startup, causing errors like:

        swap_pager_getswapspace(16): failed
        swap_pager_getswapspace(12): failed
        swap_pager_getswapspace(6): failed
        swap_pager_getswapspace(16): failed
        swap_pager_getswapspace(12): failed
        swap_pager_getswapspace(9): failed

        and it dies shortly after…

        I'm seeing this too on my Atom box but not on my Whitebox.  Same snap from yesterday and both amd64.  Filterdns eats up all my memory and then uses up all the swap space before it dies.

        AhnHEL (Angel)

          dhatz

          @ermal:

          Do you have a long list of aliases in the one where you have the hostname?

          I have

          • two (2) aliases in fw -> aliases
            www_google_com
            www_paypal_com
            (note: this was just for testing)

          • one (1) hostname in IPsec

          • no "allowed hostnames" in CP

          In the past (until ~2 months ago) these settings resulted in two filterdns processes: one for fw-aliases and one for ipsec, none for CP.

            jimp Rebel Alliance Developer Netgate

            It's chewing through 100% cpu and all my RAM until it runs out of swap space for me, and I only have three aliases that contain hostnames.

            truss -p on the filterdns proc shows it trying to do mmap over and over again.

            
            mmap(0x0,1048576,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = -1953497088 (0x8b900000)
            mmap(0x0,1048576,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = -1952448512 (0x8ba00000)
            mmap(0x0,1048576,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = -1951399936 (0x8bb00000)
            mmap(0x0,1048576,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = -1950351360 (0x8bc00000)
            mmap(0x0,1048576,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = -1949302784 (0x8bd00000)
            

            I have a few decent-sized aliases but nothing huge. The filterdns.conf file on this box was only three lines. The size of the aliases involved in the filterdns thread were 1, 63, and 3. So it shouldn't have been all that busy/large.

            68313 root     124   20   545M   543M RUN      0:05 35.35% filterdns{github.com}
            68313 root     124   20   545M   543M RUN      0:05 35.35% filterdns{filterdns}
            68313 root     124   20   545M   543M RUN      0:05 35.25% filterdns{some.other.hostname.you.dont.need.to.see}
              262 root      76   20  3416K   736K kqread   1:14 12.35% check_reload_status
            68313 root      76   20   545M   543M ucond    0:00 10.99% filterdns{signal-thread}
            

            filterdns -v shows 1.1.

            Size and sha256 match the one on the builder so it is the most current build. (tar is set to preserve old creation times, so of course the date doesn't update…)

            -r-xr-xr-x  1 root  wheel  24160 Nov 19 05:07 /usr/local/sbin/filterdns
            SHA256 (/usr/local/sbin/filterdns) = 193ebd8250147041b79385d84efe0f5d09f9ce868ba666b18f91b5098ecce1f3
            

            It was being run with the following parameters:

            /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1
            

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

              phil.davis

              @ermal - when you sort this out, and each time filterdns is updated, can you bump the version number in filterdns.c - that will make it very easy for us all to quickly see which version we have.

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                eri--

                Should be better on the later snapshots.
                Sorry for the noise.

                  jimp Rebel Alliance Developer Netgate

                  Seems a bit better so far, copied a binary off the builder to my box and it isn't constantly using that much cpu now, though it did still spike up and use 100% total for about 20-30 sec; it did eventually slow down and fall off the first screen of top output.

                    dhatz

                    Latest snap v1.2 seems better (no more out-of-swap issues) but it still exits and dumps core:

                    Jan 28 06:34:45 fw kernel: pid 18434 (filterdns), uid 0: exited on signal 11 (core dumped)
                    Jan 28 06:34:53 fw kernel: pid 26566 (filterdns), uid 0: exited on signal 11 (core dumped)
                    Jan 28 06:35:23 fw kernel: pid 21538 (filterdns), uid 0, was killed: out of swap space
                    Jan 28 08:25:37 fw kernel: pid 49708 (filterdns), uid 0: exited on signal 11 (core dumped)
                    Jan 28 08:25:50 fw kernel: pid 71990 (filterdns), uid 0: exited on signal 11 (core dumped)
                    Jan 28 08:25:52 fw kernel: pid 81465 (filterdns), uid 0: exited on signal 11 (core dumped)
                    Jan 28 18:26:29 fw kernel: pid 10297 (filterdns), uid 0: exited on signal 11 (core dumped) <-- updated to latest snap

                    MD5 (/usr/local/sbin/filterdns) = aea0850239de6ab9817f9330f1807cec
                    SHA256 (/usr/local/sbin/filterdns) = f2c43ff8e8d6f21047c351e071a203df48bc2899ca7f1564a9cd1998e690081d

                    On my system there is currently only one filterdns process, whereas there should be a second one handling ipsec hostname(s) – at least that was the case until ~2 months ago.

                    Edit: There are only two filterdns-related files on my system:

                    /var/etc/filterdns.conf
                    pf www.google.com www_google_com
                    pf www.paypal.com www_paypal_com

                    and

                    /var/etc/ipsec/filterdns-ipsec.hosts
                    cmd vpn.example.com '/usr/local/sbin/pfSctl -c "service reload ipsecdns"'
                    (whereas vpn.example.com is the name used in P1 remote gw)

                    Finally /var/run/filterdns-ipsec.pid shows 10297 and timestamp 18:26 which is the process that had crashed earlier (see syslog extract copied above)

                      eri--

                      Found the issue the ipsec instance is crashing for you.
                      Should be fixed on next coming snapshot.

                        dhatz

                        I'm afraid that even the latest snap is still crashing on my system, same symptoms as in my last post.

                          eri--

                          Some more protections put on the next snapshots.
                          Though it runs happily here.

                            dhatz

                            Sorry latest snap filterdns v1.2 still bombs out on my VM:

                            MD5 (/usr/local/sbin/filterdns) = feb00f677248ba323cfdf6398660653a

                            syslog:
                            Jan 29 23:56:14 fw kernel: pid 48762 (filterdns), uid 0: exited on signal 11 (core dumped)
                            Jan 29 23:56:30 fw kernel: pid 80109 (filterdns), uid 0: exited on signal 11 (core dumped)

                            ls -lR /var | fgrep filterdns:
                            -rw-r--r--  1 root  wheel    66 Jan 29 23:56 filterdns.conf
                            -rw-r--r--  1 root  wheel    75 Jan 29 23:56 filterdns-ipsec.hosts
                            -rw-r--r--  1 root  wheel       6 Jan 29 23:56 filterdns-ipsec.pid
                            -rw-r--r--  1 root  wheel       6 Jan 29 22:24 filterdns.pid <-- strange time-stamp

                            ps:
                            22425  ??  Is     0:00.03 /usr/local/sbin/filterdns -p /var/run/filterdns.pid -

                            filterdns.pid:
                            22425

                            filterdns-ipsec.pid:
                            80109

                            But if filterdns works fine for everyone else, maybe I should re-install my pfsense from scratch, or I can send you my /filterdns.core file (3.4MB) …

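The cross-check done by hand in the post above (kernel exit lines for filterdns against the PIDs recorded in the pidfiles), as an added example that is not part of the thread or of pfSense. The function names, log lines and PIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The log lines in demo() are constructed
# in the format of the kernel messages quoted in the posts above.

# crashed_pids DAEMON: read syslog on stdin, print "PID REASON" per kernel exit line.
crashed_pids() {
    awk -v d="($1)," '
        $5 == "kernel:" && $6 == "pid" && $8 == d {
            if ($11 == "exited" && $13 == "signal") print $7, "signal-" $14
            else if ($11 == "was" && $12 == "killed:") print $7, "out-of-swap"
        }'
}

# pidfile_state PIDFILE LOGFILE [DAEMON]: print crashed:<reason>, running, stale or empty.
# A PID found in a crash line is reported as crashed without a liveness check,
# so PID reuse is not handled. kill -0 needs permission to signal the process.
pidfile_state() {
    pid=$(tr -cd '0-9' < "$1")
    [ -n "$pid" ] || { echo "empty"; return; }
    reason=$(crashed_pids "${3:-filterdns}" < "$2" |
        awk -v p="$pid" '$1 == p { r = $2 } END { print r }')
    if [ -n "$reason" ]; then echo "crashed:$reason"
    elif kill -0 "$pid" 2>/dev/null; then echo "running"
    else echo "stale"
    fi
}

# Demo on constructed data: one pidfile names a PID from a crash line,
# the other names this shell, which is certainly alive.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/system.log" <<'EOF'
Jan 15 10:00:01 fw kernel: pid 40001 (filterdns), uid 0: exited on signal 11 (core dumped)
Jan 15 10:00:09 fw kernel: pid 40002 (filterdns), uid 0, was killed: out of swap space
Jan 15 10:00:12 fw kernel: pid 40003 (otherd), uid 0: exited on signal 6 (core dumped)
EOF
    echo 40001 > "$dir/filterdns-ipsec.pid"
    echo "$$"  > "$dir/filterdns.pid"
    for f in "$dir"/*.pid; do
        echo "${f##*/}: $(pidfile_state "$f" "$dir/system.log")"
    done
    rm -rf "$dir"
}
demo
```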
                              eri--

                              Probably that's the best choice I guess!

                                phil.davis

                                For the record, my filterdns is working OK on 3 systems running 2.1-BETA1 (i386) built on Tue Jan 29 16:42:56 EST 2013
                                My 11-entry table now has 12 entries, I guess one of the names in the list has changed its IP address, and the old value is also left in the table.
                                I only have the 1 ordinary filterdns for pf.

                                  dhatz

                                  @phil.davis:

                                  I only have the 1 ordinary filterdns for pf.

                                  Phil: Well, that might be the difference, since in my test-VM I (should) have 2 filterdns processes (one for pf-fw-aliases and another for ipsec). The "ordinary" filterdns seems to work for me too, it's the ipsec-related one that bombs out …

                                  Ermal: I don't see what good a full re-install from scratch will do (I guess in IT it's standard procedure LOL), but I'll try it anyway.

                                  Update: I'm happy to report that I just upgraded the existing VM to the very latest snap (from 29-Jan to 30-Jan-2013 04:20:11 EST) and filterdns now seems to work correctly for ipsec too! Only odd thing I've noticed is that the /var/run/filterdns*.pid files seem to have old time-stamps.
