Layer 7 / ipfw-classifyd 100% cpu in 2.2



  • Does anybody here have Layer 7 traffic shaping working on 2.2? I have it working well in 2.1.5, but in 2.2, no matter how I have my rules set up, even importing my working config from 2.1.5, ipfw-classifyd goes to 100% CPU and essentially blocks all WAN traffic.

    I've tried 2.2 on different hardware and in VMware and all give the same result. Tested with my 2.1.5 config and several variations of a very simple config built from scratch.



  • got same problem



  • same here, I disabled layer7 and my cpu comes down to 1%.



  • Here is a simple config that demonstrates this issue

    Shaper

    
    <shaper>
      <queue>
        <interface>wan</interface>
        <name>wan</name>
        <scheduler>HFSC</scheduler>
        <bandwidth>2000</bandwidth>
        <bandwidthtype>Kb</bandwidthtype>
        <enabled>on</enabled>
        <queue>
          <name>good</name>
          <interface>wan</interface>
          <priority>7</priority>
          <bandwidth></bandwidth>
          <bandwidthtype>Gb</bandwidthtype>
          <enabled>on</enabled>
          <red>red</red>
          <rio>rio</rio>
          <ecn>ecn</ecn>
          <codel>codel</codel>
          <linkshare3>80%</linkshare3>
          <linkshare>on</linkshare>
          <realtime3>20%</realtime3>
          <realtime>on</realtime>
          <upperlimit3>100%</upperlimit3>
          <upperlimit>on</upperlimit>
        </queue>
        <queue>
          <name>bad</name>
          <interface>wan</interface>
          <priority>1</priority>
          <bandwidth></bandwidth>
          <bandwidthtype>Gb</bandwidthtype>
          <enabled>on</enabled>
          <default>default</default>
          <red>red</red>
          <rio>rio</rio>
          <ecn>ecn</ecn>
          <codel>codel</codel>
          <linkshare3>20%</linkshare3>
          <linkshare>on</linkshare>
          <upperlimit3>80%</upperlimit3>
          <upperlimit>on</upperlimit>
        </queue>
      </queue>
      <queue>
        <name>lan</name>
        <interface>lan</interface>
        <scheduler>HFSC</scheduler>
        <queue>
          <name>good</name>
          <interface>lan</interface>
          <priority>7</priority>
          <bandwidth></bandwidth>
          <bandwidthtype>Gb</bandwidthtype>
          <enabled>on</enabled>
          <red>red</red>
          <rio>rio</rio>
          <ecn>ecn</ecn>
          <linkshare3>80%</linkshare3>
          <linkshare>on</linkshare>
          <realtime3>20%</realtime3>
          <realtime>on</realtime>
          <upperlimit3>100%</upperlimit3>
          <upperlimit>on</upperlimit>
        </queue>
        <queue>
          <name>bad</name>
          <interface>lan</interface>
          <priority>1</priority>
          <bandwidth></bandwidth>
          <bandwidthtype>Gb</bandwidthtype>
          <enabled>on</enabled>
          <default>default</default>
          <red>red</red>
          <rio>rio</rio>
          <ecn>ecn</ecn>
          <linkshare3>20%</linkshare3>
          <linkshare>on</linkshare>
          <upperlimit3>80%</upperlimit3>
          <upperlimit>on</upperlimit>
        </queue>
        <bandwidth>4000</bandwidth>
        <bandwidthtype>Kb</bandwidthtype>
        <enabled>on</enabled>
      </queue>
    </shaper>
    
    

    filter:

    
    <filter>
      <rule>
        <id></id>
        <tracker>1422386150</tracker>
        <type>pass</type>
        <interface>wan</interface>
        <ipprotocol>inet</ipprotocol>
        <tag></tag>
        <tagged></tagged>
        <direction>any</direction>
        <quick>yes</quick>
        <floating>yes</floating>
        <max></max>
        <max-src-nodes></max-src-nodes>
        <max-src-conn></max-src-conn>
        <max-src-states></max-src-states>
        <statetimeout></statetimeout>
        <statetype>keep state</statetype>
        <os></os>
        <protocol>tcp/udp</protocol>
        <source>
          <any></any>
        </source>
        <destination>
          <any></any>
        </destination>
        <descr></descr>
        <l7container>voip</l7container>
        <created>
          <time>1422386150</time>
          <username>admin@192.168.1.100</username>
        </created>
        <updated>
          <time>1422386158</time>
          <username>admin@192.168.1.100</username>
        </updated>
      </rule>
      <rule>
        <type>pass</type>
        <ipprotocol>inet</ipprotocol>
        <interface>lan</interface>
        <tracker>0100000101</tracker>
        <source>
          <network>lan</network>
        </source>
        <destination>
          <any></any>
        </destination>
      </rule>
      <rule>
        <type>pass</type>
        <ipprotocol>inet6</ipprotocol>
        <interface>lan</interface>
        <tracker>0100000102</tracker>
        <source>
          <network>lan</network>
        </source>
        <destination>
          <any></any>
        </destination>
      </rule>
    </filter>
    
    

    l7shaper

    <l7shaper>
      <container>
        <name>voip</name>
        <enabled>on</enabled>
        <description></description>
        <divert_port>51942</divert_port>
        <l7rules>
          <protocol>sip</protocol>
          <structure>queue</structure>
          <behaviour>good</behaviour>
        </l7rules>
        <l7rules>
          <protocol>rtp</protocol>
          <structure>queue</structure>
          <behaviour>good</behaviour>
        </l7rules>
      </container>
    </l7shaper>
    


  • Same issue here. Only workaround is to disable the layer 7 completely.



  • We are seeing the same thing.

    I was able to kill ipfw-classifyd from the shell and get back into the firewall.

    There are tons of messages like this in the system log:
    ipfw-classifyd: packet dropped: output queue full



  • Try increasing the queue size? The default values are pretty small.



  • Hi everybody! I also have this problem on my pfSense ver 2.2: CPU usage is 100% (new install, this is the first feature turned on).
    I tried using layer7 on ver 2.1.5 and it works normally; CPU usage is low, about 5%.


  • Do NOT enable this on 2.2-RELEASE. https://redmine.pfsense.org/issues/4276
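
Added example, not part of the thread and not pfSense project code: a Python check that reads a config in the format posted above and reports whether any enabled Layer 7 container is referenced by a filter rule, which is the thing to look for before carrying a 2.1.5 config over to 2.2. The `<pfsense>` root element, the `unused` container and the "in use" criterion are assumptions; the sample is constructed from the posted config.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the config posted in this thread; the
# <pfsense> root and the "unused" container are assumptions.
SAMPLE = """<pfsense>
  <filter>
    <rule><tracker>1422386150</tracker><interface>wan</interface>
      <floating>yes</floating><l7container>voip</l7container></rule>
    <rule><tracker>0100000101</tracker><interface>lan</interface></rule>
  </filter>
  <l7shaper>
    <container><name>voip</name><enabled>on</enabled>
      <divert_port>51942</divert_port>
      <l7rules><protocol>sip</protocol><structure>queue</structure></l7rules>
      <l7rules><protocol>rtp</protocol><structure>queue</structure></l7rules>
    </container>
    <container><name>unused</name><enabled></enabled></container>
  </l7shaper>
</pfsense>"""


def audit_layer7(config_xml):
    """List Layer 7 containers and the filter rules that send traffic to them."""
    root = ET.fromstring(config_xml)
    refs = {}  # container name -> trackers of rules carrying <l7container>
    for rule in root.iterfind("./filter/rule"):
        name = (rule.findtext("l7container") or "").strip()
        if name:
            refs.setdefault(name, []).append(rule.findtext("tracker", "?"))
    report = []
    for c in root.iterfind("./l7shaper/container"):
        name = (c.findtext("name") or "").strip()
        enabled = (c.findtext("enabled") or "").strip() == "on"
        rules = refs.get(name, [])
        report.append({
            "container": name,
            "divert_port": c.findtext("divert_port"),
            "protocols": [r.findtext("protocol") for r in c.iterfind("l7rules")],
            "rules": rules,
            # Assumption: a container matters only when it is enabled AND
            # at least one filter rule references it.
            "in_use": enabled and bool(rules),
        })
    return report


def layer7_in_use(config_xml):
    """True if any enabled container is referenced by a filter rule."""
    return any(item["in_use"] for item in audit_layer7(config_xml))
```

Pass the text of a config.xml backup to `audit_layer7` to get one entry per container, with the trackers of the rules that reference it.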



  • Just confirming that this issue is ongoing.

    Rhys



  • Running 2.2.5 atm, and just set up a test environment for this, and can just say I get spammed by: "ipfw-classifyd: unable to write to divert socket: Operation not permitted"

    All outbound traffic is completely blocked even though I made a "queue" rule and not "block".

    Guess layer 7 is just not working on 2.2.x?

    C



  • Does anybody know where the root cause of the problem is?
    Is it in the base FreeBSD kernel, in the pfSense patches to the FreeBSD kernel, or in the userspace ipfw-classifyd?

