Closed hannesm closed 2 years ago
Thanks for that PR. After some times setting up correctly my mirage-fw I can confirm that it doesn't burn the CPU anymore. LGTM (together with the mirage-nat update that also helps in solving this issue)!
I would like to verify first that the mirage-nat change (and 3.0.1 release) fixes the issue. This change here is "purely cosmetical" and shouldn't be needed. Though it as well helps to avoid busy loops (since the free_udp_port
will be bounded).
While working on this, another issue is how DNS replies are handled with a single global mailbox (Lwt_mvar)
This means there can be concurrent requests with unclear ordering, and also the Lwt_mvar.put (in uplink) can block if there's nobody reading the mailbox (which only my_dns is). So that code should be revised that DNS replies are matching the requests, and there's no blocking behaviour if more replies are received than requests that were sent. Especially evil since there's a timeout which cancels the Lwt_mvar.take...
Thanks @hannesm for your amazing work on that points! I can confirm that the PR with mirage-nat alone (without this PR) permit to not overload CPU, but I'll feel better to have a bounded loop :)
this has been part of https://github.com/mirage/qubes-mirage-firewall/pull/163 and the 0.8.3 release
This avoids using the entire CPU. See #158 for the issue description (especially my comment https://github.com/mirage/qubes-mirage-firewall/issues/158#issuecomment-1307610459).