From owner-freebsd-pf@FreeBSD.ORG Thu Sep 16 03:57:14 2004
From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: nfsd send error 1 probably caused by pf ?
Date: Thu, 16 Sep 2004 03:57:14 -0000
X-Original-Date: Thu, 20 Nov 2003 20:56:32 +0900
Message-ID: <20031120115632.GC20609@kt-is.co.kr>
References: <3FB2ACA6.7030302@kasimir.com> <20031113032327.GA28113@kt-is.co.kr> <3FB3EB22.8000802@kasimir.com>
In-Reply-To: <3FB3EB22.8000802@kasimir.com>
Reply-To: pf4freebsd@freelists.org
List-Id: Technical discussion and general questions about packet filter (pf)
User-Agent: Mutt/1.4.1i

On Thu, Nov 13, 2003 at 09:35:46PM +0100, Florian C. Smeets wrote:
> 
> if i remove this line (the last but one) the problem disappears:
> 
> pass out quick on $Int keep state
> 

Hello,

I have spent several days analyzing the problem. Here is a detailed
explanation from Daniel.

> A pf state entry will only correctly support window scaling if the state
> engine has seen both the initial SYN and SYN+ACK of the connection.
> 
> So, it's important that you create state on the initial SYN packet (the
> subsequent SYN+ACK will match the state) when you want window scaling
> support.
> 
> Normally, rulesets create state on the first SYN only, as in
> 
> block all
> pass in on $if proto tcp ... flags S/SA keep state
> pass out on $if proto tcp ... flags S/SA keep state
> 
> This means only SYN (but not SYN+ACK) will match any TCP pass rules and
> create state. Any other TCP packets (SYN+ACK, etc.) will be blocked,
> unless they match an existing state entry.
> 
> This means window scaling (and other features that require that pf has
> seen the handshake for a state entry, like modulate state, etc.) will
> work. But if you flush the state entries, existing connections will
> break and have to be re-established by the peers (as only a new
> handshake can create state). So a pfctl -Fs (or firewall reboot) kills
> all ongoing TCP connections.
> 
> If you want pf to be able to pick up existing connections after a state
> table flush, you can remove 'flags S/SA' from the 'pass ... keep state'
> rules. This will create state when pf sees the next packet of an
> existing connection.
> 
> But state entries created from anything else but the initial SYN packet
> will not properly support some features (like wscale, sequence number
> modulation, etc.). If the existing connection has been using these, it
> will (or might) eventually break. In quite subtle ways, as we see now.
> 
> Your rules were not creating state (for incoming connections from the
> nfs client) on the initial SYN, but they passed the initial SYN
> statelessly and created state on the outgoing SYN+ACK. Hence, the state
> entries didn't see the full handshake, and wscale was not supported,
> leading to the breakage described.
> 
> This completely explains all the effects. I should have spotted it
> earlier.

In conclusion, you should create a state on an initial SYN packet in
order to avoid this NFS server error. (e.g. pass in on $interface proto
tcp all flags S/SA)

Thanks.

Regards,
Pyun YongHyeon
-- 
Pyun YongHyeon
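The two ruleset shapes Daniel contrasts, side by side, as an added example that is not part of the thread and not Florian's actual pf.conf (which is not on the page): the interface name, addresses and macro names are assumptions for illustration; 2049 (nfs) and 111 (sunrpc) are the standard NFS-over-TCP ports. The "send error 1" in the subject is errno 1, EPERM, which is what the kernel hands nfsd's send when pf drops an outgoing segment, consistent with the state entry rejecting data that falls outside an unscaled window.

```pf
# Constructed example ruleset (assumptions: fxp0, 192.0.2.0/24, 192.0.2.10).
int_if  = "fxp0"
nfs_net = "192.0.2.0/24"
nfs_srv = "192.0.2.10"

block all

### Broken pattern (the shape Daniel describes, kept commented out):
### the NFS client's SYN is passed statelessly, so the first packet that
### creates state is the server's SYN+ACK on the way out.  pf never sees
### the client's wscale option, so the client's advertised window is
### treated as unscaled and larger in-window segments are later dropped.
# pass in  on $int_if proto tcp from $nfs_net to $nfs_srv port { 111, 2049 }
# pass out quick on $int_if keep state

### Fixed pattern: create state only on the initial SYN, in both directions.
# Inbound connections from NFS clients to nfsd on this host: state is
# created on the client's SYN; the server's SYN+ACK then matches that
# state on the way out and never reaches the pass out rules.
pass in  quick on $int_if proto tcp from $nfs_net to $nfs_srv \
         port { 111, 2049 } flags S/SA keep state

# Connections this host initiates: likewise only the SYN creates state.
pass out quick on $int_if proto tcp flags S/SA keep state

# Non-TCP traffic has no handshake or window scaling to track.
pass out quick on $int_if proto { udp, icmp } keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading. Once NFS traffic is flowing, `pfctl -vss` prints a `wscale N` field on TCP states whose handshake pf observed; a state created from a SYN+ACK or a mid-stream packet will lack it. Two caveats: as Daniel notes, with `flags S/SA` a `pfctl -Fs` or reboot drops every established TCP connection until the peers reconnect; and on pf versions from OpenBSD 4.1 / FreeBSD 7.0 onward a plain `pass` rule already defaults to `flags S/SA keep state`, so this only goes wrong if a rule is written stateless or with the flags removed.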