Layer 7 / ipfw-classifyd 100% cpu in 2.2

pocket_geek

Does anybody here have Layer 7 traffic shaping working on 2.2?  I have it working well in 2.1.5 but in 2.2 no matter how I have my rules setup, even importing my working config from 2.1.5, ipfw-classifyd goes to 100% CPU and essentially blocks all WAN traffic.

I've tried 2.2 on different hardware and in VMWare and all give the same result.  Tested with my 2.1.5 config and a several variations of a very simple config built from scratch.

winmasta

got same problem

resakse

same here, I disabled layer7 and my cpu comes down to 1%.

pocket_geek

Here is a simple config the demonstrates this issue

Shaper

 <shaper><queue><interface>wan</interface>
		<name>wan</name>
		<scheduler>HFSC</scheduler>
		<bandwidth>2000</bandwidth>
		<bandwidthtype>Kb</bandwidthtype>
		<enabled>on</enabled>
		 <queue><name>good</name>
			<interface>wan</interface>
			<priority>7</priority>
			 <bandwidth><bandwidthtype>Gb</bandwidthtype>
			<enabled>on</enabled>
			<red>red</red>
			<rio>rio</rio>
			<ecn>ecn</ecn>
			<codel>codel</codel>
			<linkshare3>80%</linkshare3>
			<linkshare>on</linkshare>
			<realtime3>20%</realtime3>
			<realtime>on</realtime>
			<upperlimit3>100%</upperlimit3>
			<upperlimit>on</upperlimit></bandwidth></queue> 
		 <queue><name>bad</name>
			<interface>wan</interface>
			<priority>1</priority>
			 <bandwidth><bandwidthtype>Gb</bandwidthtype>
			<enabled>on</enabled>
			<default>default</default>
			<red>red</red>
			<rio>rio</rio>
			<ecn>ecn</ecn>
			<codel>codel</codel>
			<linkshare3>20%</linkshare3>
			<linkshare>on</linkshare>
			<upperlimit3>80%</upperlimit3>
			<upperlimit>on</upperlimit></bandwidth></queue></queue> 
	 <queue><name>lan</name>
		<interface>lan</interface>
		<scheduler>HFSC</scheduler>
		 <queue><name>good</name>
			<interface>lan</interface>
			<priority>7</priority>
			 <bandwidth><bandwidthtype>Gb</bandwidthtype>
			<enabled>on</enabled>
			<red>red</red>
			<rio>rio</rio>
			<ecn>ecn</ecn>
			<linkshare3>80%</linkshare3>
			<linkshare>on</linkshare>
			<realtime3>20%</realtime3>
			<realtime>on</realtime>
			<upperlimit3>100%</upperlimit3>
			<upperlimit>on</upperlimit></bandwidth></queue> 
		 <queue><name>bad</name>
			<interface>lan</interface>
			<priority>1</priority>
			 <bandwidth><bandwidthtype>Gb</bandwidthtype>
			<enabled>on</enabled>
			<default>default</default>
			<red>red</red>
			<rio>rio</rio>
			<ecn>ecn</ecn>
			<linkshare3>20%</linkshare3>
			<linkshare>on</linkshare>
			<upperlimit3>80%</upperlimit3>
			<upperlimit>on</upperlimit></bandwidth></queue> 
		<bandwidth>4000</bandwidth>
		<bandwidthtype>Kb</bandwidthtype>
		<enabled>on</enabled></queue></shaper> 

filter:

 <filter><rule><id><tracker>1422386150</tracker>
		<type>pass</type>
		<interface>wan</interface>
		<ipprotocol>inet</ipprotocol>
		 <tag><tagged><direction>any</direction>
		<quick>yes</quick>
		<floating>yes</floating>
		 <max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
		 <os><protocol>tcp/udp</protocol>
		<source>
			 <any><destination><any></any></destination> 
		 <descr><l7container>voip</l7container>
		 <created><time>1422386150</time>
			<username>admin@192.168.1.100</username></created> 
		 <updated><time>1422386158</time>
			<username>admin@192.168.1.100</username></updated></descr></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></tagged></tag></id></rule> 
	 <rule><type>pass</type>
		<ipprotocol>inet</ipprotocol>

		<interface>lan</interface>
		<tracker>0100000101</tracker>
		<source>
			<network>lan</network>

		 <destination><any></any></destination></rule> 
	 <rule><type>pass</type>
		<ipprotocol>inet6</ipprotocol>

		<interface>lan</interface>
		<tracker>0100000102</tracker>
		<source>
			<network>lan</network>

		 <destination><any></any></destination></rule></filter> 

l7shaper

 <l7shaper><container><name>voip</name>
			<enabled>on</enabled>
			 <description><divert_port>51942</divert_port>
			 <l7rules><protocol>sip</protocol>
				<structure>queue</structure>
				<behaviour>good</behaviour></l7rules> 
			 <l7rules><protocol>rtp</protocol>
				<structure>queue</structure>
				<behaviour>good</behaviour></l7rules></description></container></l7shaper> 

vadonka

Same issue here. Only workaround is to disable the layer 7 completely.

tonybunce

We are seeing the same thing.

I was able to kill ipfw-classifyd from the shell and get back into the firewall.

There are tons of messages like this in the system log:
ipfw-classifyd: packet dropped: output queue full

mcwtim

Try increasing the queue size? The default values are pretty small.

flagman

Hi everybody! I have also this problem on my pfsense ver 2.2. cpu using 100% (new install, this first features its on) /
I trying using layer7 on ver 2.1.5. and its work normal, cpu not very use, about 5%.

doktornotor

Do NOT enable this on 2.2-RELEASE. https://redmine.pfsense.org/issues/4276

RhysIT

Just confirming that this issue is ongoing.

Rhys

Cybdex

Running 2.2.5 atm, and just set up a test environment for this, and can just say i get spammed by: "ipfw-classifyd: unable to write to divert socket: Operation not permitted"

All outbound traffic is completely blocked even tho i made a "queue" rule and not "block".

Guess layer 7 is just not working on 2.2.x?

C

marcogi

Does anybody know where the root cause of the problem is?
Is it into the base FreeBSD kernel, into pfSense patches to FreeBSD kernel, into the userspace ipfw-classifyd?