Skip to content

fix: use /32 host netmask for loopback aliases to stop mDNSResponder storm#21

Open
kriszyp wants to merge 1 commit into
mainfrom
kris/loopback-host-netmask
Open

fix: use /32 host netmask for loopback aliases to stop mDNSResponder storm#21
kriszyp wants to merge 1 commit into
mainfrom
kris/loopback-host-netmask

Conversation

@kriszyp

@kriszyp kriszyp commented Jul 4, 2026

Copy link
Copy Markdown
Member

Summary

scripts/setup-loopback.sh now configures each 127.0.0.x loopback alias with a host (/32) netmask instead of the implicit class-A (/8), and removes any pre-existing alias before re-adding it (so re-running converts a machine still on the old /8 aliases).

Why

With the implicit /8 mask, every alias claims to own the entire 127.0.0.0/8 network. At large pool counts the overlapping-subnet interface addresses drive macOS mDNSResponder's address-conflict defense (PacketRRConflict) into an O(n²) storm — pinning a CPU core and flooding UDP/5353 with loopback mDNS announcements. Diagnosed on a dev machine where the pool had been set up with COUNT≈254.

Empirically measured on macOS (same box, same run):

aliases netmask mDNSResponder CPU pkts/8s on 5353
254 /8 ~65% 85
254 /32 ~0% 5 (floor)

A /32 host route removes the subnet overlap, so there's no conflict cascade even at the full 254-address pool — no reduction in pool capacity or change to test-isolation semantics.

Where to look

  • The only functional change is the ifconfig invocation in scripts/setup-loopback.sh:38. Worth a sanity check on two points: the macOS ifconfig lo0 alias <ip> netmask 255.255.255.255 up syntax (verified on the box — the alias reports 0xffffffff), and the idempotent -alias line (harmless no-op when the address is absent). This is macOS/BSD-specific; Linux CI doesn't run this script (all of 127/8 is routable there by default).

Generated by an LLM (Claude Opus 4.8). The /32 fix was validated empirically as above rather than by cross-model code review, given it's a one-line shell-config change.

…storm

setup-loopback.sh created each 127.0.0.x alias with the implicit class-A /8
netmask, so every alias claimed the entire 127.0.0.0/8 network. At large pool
counts (e.g. 254) the overlapping-subnet interface addresses drive macOS
mDNSResponder's address-conflict defense (PacketRRConflict) into an O(n^2)
storm — pinning a CPU core and flooding port 5353 with loopback mDNS
announcements. Configuring each alias with a host /32 netmask removes the
subnet overlap; measured 254 aliases /8 => ~65% CPU vs 254 /32 => ~0%.

Also remove any pre-existing alias before re-adding so re-running the script
converts a machine still configured with the old /8 aliases.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@kriszyp kriszyp requested review from Ethan-Arrowood and heskew July 4, 2026 03:05

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the loopback setup script on macOS to use a host (/32) netmask instead of the default class-A (/8) netmask, resolving a CPU-pinning issue in mDNSResponder caused by overlapping subnets. It also updates the README to document this change. Feedback on the changes suggests appending || true to the ifconfig -alias command to prevent the script from exiting prematurely under set -e if the alias does not already exist.

Comment thread scripts/setup-loopback.sh
# Remove any pre-existing alias first so re-running this converts a machine previously
# configured with the old /8 aliases; ifconfig alias on an existing address does not
# reliably reset its netmask. The `-alias` is a harmless no-op if the address is absent.
sudo ifconfig lo0 -alias 127.0.0.$i 2>/dev/null

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

If this script is executed in an environment where set -e is enabled (which is common in CI/CD pipelines or when sourced/wrapped by other scripts), the script will exit immediately on the first iteration if the alias does not already exist, because ifconfig lo0 -alias returns a non-zero exit status when the alias is absent.\n\nTo prevent this, append || true to the command so that it always evaluates to a successful exit status.

Suggested change
sudo ifconfig lo0 -alias 127.0.0.$i 2>/dev/null
sudo ifconfig lo0 -alias 127.0.0.$i 2>/dev/null || true

@kriszyp kriszyp marked this pull request as ready for review July 4, 2026 03:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant