Hello,
since yesterday Core Update 123 is running on one of my firewall systems. After a reboot, I noticed average load has decreased a little bit (RAM consumption stays the same).
Further, CPU frequency graphs are now working again (Thanks to Arne) and show some flapping freqs between 1.2kHz and 2.0kHz for each core. Before Core Update 121/122, idle frequencies were about 700MHz - not sure what this means.
IDS, squid proxy (with URL filter and upstream proxy enabled), fireinfo and IPsec (N2N connections only) work fine.
The OpenVPN WebUI page now displays a warning about a host certificate being not compliant to RFC3280, saying all host and root certificates should be replaced as soon as possible. This is probably related to https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=400c8afd9841bed350c19209... .
GeoIP database results in WebUI are now as expected.
A check script for CPU vulnerabilities (Spectre, Meltdown, ...) claims system is still vulnerable against CVE-2018-3640 (Spectre v3a), which requires up-to-date µ-codes. The overall results do not differ from a system running 121/122, which surprises me as new microcodes are shipped with this update.
[root@firewall ~]# grep "." /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW
Besides the microcode issue, I did not notice any issues. Output of "uname -a" is:
Linux firewall 4.14.50-ipfire #1 SMP Fri Jun 29 16:40:29 GMT 2018 x86_64 Intel(R) Celeron(R) CPU N3150 @ 1.60GHz GenuineIntel GNU/Linux
Thanks, and best regards,
Peter Müller
Hi,
On Wed, 2018-08-22 at 19:36 +0200, Peter Müller wrote:
> Hello,
> since yesterday Core Update 123 is running on one of my firewall systems. After a reboot, I noticed average load has decreased a little bit (RAM consumption stays the same).
That should only be caused by the reboot itself...
> Further, CPU frequency graphs are now working again (Thanks to Arne) and show some flapping freqs between 1.2kHz and 2.0kHz for each core. Before Core Update 121/122, idle frequencies were about 700MHz - not sure what this means.
> IDS, squid proxy (with URL filter and upstream proxy enabled), fireinfo and IPsec (N2N connections only) work fine.
> The OpenVPN WebUI page now displays a warning about a host certificate being not compliant to RFC3280, saying all host and root certificates should be replaced as soon as possible. This is probably related to https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=400c8afd9841bed350c19209... .
Yes. I asked Erik to add some documentation about it.
> GeoIP database results in WebUI are now as expected.
> A check script for CPU vulnerabilities (Spectre, Meltdown, ...) claims system is still vulnerable against CVE-2018-3640 (Spectre v3a), which requires up-to-date µ-codes. The overall results do not differ from a system running 121/122, which surprises me as new microcodes are shipped with this update.
It looks like we have to roll back the microcode update. Intel has changed the licensing terms in such a way that we won't be able (and no third party either) to provide any performance benchmarks.
So if someone says on the forum that IPFire is "a little bit slower since the last update", that would violate that license.
Testing the throughput of your firewall is a common thing to do and would probably not be possible anymore either.
Basically, it isn't an option to ship this. Other distributions think the same.
> [root@firewall ~]# grep "." /sys/devices/system/cpu/vulnerabilities/*
> /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
> /sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Not affected
> /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
> /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW
> Besides the microcode issue, I did not notice any issues. Output of "uname -a" is:
> Linux firewall 4.14.50-ipfire #1 SMP Fri Jun 29 16:40:29 GMT 2018 x86_64 Intel(R) Celeron(R) CPU N3150 @ 1.60GHz GenuineIntel GNU/Linux
> Thanks, and best regards,
> Peter Müller
Best,
-Michael
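The check discussed in this thread, as an added example that is not part of either message: the sysfs output quoted above has no entry for CVE-2018-3640, so comparing the loaded microcode revision before and after an update (or a rollback) is the more direct test. The function names are this example's own, the status strings are copied from the grep output in the thread, and the microcode revision 0x368 is a constructed sample value.

```shell
#!/bin/sh
# Added example (not from the thread): classify sysfs entries, list microcode revisions.

# Map one sysfs status string to a coarse class.
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        Mitigation:*)    echo MITIGATED ;;
        Vulnerable*)     echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# Print "name<TAB>class<TAB>status" for every entry in a vulnerabilities directory.
summarize_vulns() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(head -n 1 "$f")
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$(classify_status "$status")" "$status"
    done
}

# Count entries reported as vulnerable or in a form this script does not recognise.
count_unmitigated() {
    summarize_vulns "$1" |
        awk -F '\t' '$2 == "VULNERABLE" || $2 == "UNKNOWN" { n++ } END { print n + 0 }'
}

# Unique "microcode" revisions from a cpuinfo-format file (x86 field name).
microcode_revisions() {
    awk -F ':' '$1 ~ /^microcode[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2 }' "$1" | sort -u
}

# Sample data so the script runs offline: status strings copied from the grep
# output in the thread; the microcode revision 0x368 is a constructed value.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir "$SAMPLE/vulnerabilities"
echo 'Mitigation: PTI' > "$SAMPLE/vulnerabilities/meltdown"
echo 'Not affected' > "$SAMPLE/vulnerabilities/spec_store_bypass"
echo 'Mitigation: __user pointer sanitization' > "$SAMPLE/vulnerabilities/spectre_v1"
echo 'Mitigation: Full generic retpoline, IBPB, IBRS_FW' > "$SAMPLE/vulnerabilities/spectre_v2"
printf 'processor\t: 0\nmicrocode\t: 0x368\nprocessor\t: 1\nmicrocode\t: 0x368\n' > "$SAMPLE/cpuinfo"
# On a live system pass /sys/devices/system/cpu/vulnerabilities and /proc/cpuinfo.
summarize_vulns "$SAMPLE/vulnerabilities"
echo "unmitigated entries: $(count_unmitigated "$SAMPLE/vulnerabilities")"
echo "microcode revisions: $(microcode_revisions "$SAMPLE/cpuinfo")"
```

More than one line from microcode_revisions means the cores are not all running the same revision.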