From: Felix Gallo
Date: Wed, 30 Sep 2015 18:06:10 -0700
Subject: PF appears to lock up a machine with a large number of jails
To: freebsd-pf@freebsd.org

FreeBSD ip-172-31-63-223 10.2-RELEASE FreeBSD 10.2-RELEASE #0 r286666: Wed Aug 12 15:26:37 UTC 2015 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64

I am using the github dev version of 'iocage' (an ezjail-like shell script) to generate a large number of jails.

SITUATION 1.

When I am creating the jails, which all use a shared ipv6 interface to the host's loopback, in a loop, after a certain number of jails (sometimes ~70, sometimes ~100), the machine appears to hang. Upon reboot, the machine has nothing interesting in the logs.

SITUATION 2.

I then realized that I had TSO enabled on the interface, which seems to interact very badly with pf. So I disabled it and started creating the jails again. Again, it hung the box, but this time seemed to take a lot longer to do so (over 100 jails created).

SITUATION 3.

I rebooted. I then disabled pf and created the jails. This went fine and I was able to create and run 750 jails without issue.

SITUATION 4.

I rebooted. I disabled TSO. I then attempted to re-enable pf with pfctl -e. This immediately killed the box.

SITUATION 5.

I rebooted. I then deleted all my jails, recreated a smaller number (150) with PF disabled and TSO disabled, and then re-enabled PF. This appeared to work for a time, but after some period of time, the machine again hung.

Not sure how else to help debug this one; happy to help if given direction.

F.
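A check that follows from Situations 2 and 4 above (added example, not code from the thread, from iocage or from FreeBSD): before running pfctl -e on a host like this, confirm that no interface still has segmentation offload enabled. The script parses the options=<...> capability line of FreeBSD ifconfig(8) output and prints the ifconfig invocations that clear what it finds. SAMPLE_IFCONFIG is constructed to look like an EC2-style xn0 plus lo0 on FreeBSD 10; -tso and -lro are real ifconfig(8) options. Treating LRO together with TSO is my assumption, not advice given in the thread.

```python
"""Audit FreeBSD ifconfig(8) output for TCP segmentation offload before
enabling pf. Added example, not code from the thread or from FreeBSD; it only
parses the options=<...> capability line. SAMPLE_IFCONFIG is a constructed
sample in the shape of FreeBSD 10 output (an EC2-style xn0 plus lo0)."""

import re
from typing import Dict, List

# Capabilities that hand TCP segmentation (TSO) or reassembly (LRO) to the
# NIC or driver. The thread reports TSO interacting badly with pf; including
# LRO here is my assumption, not something the thread states.
SEGMENTATION_OFFLOADS = {"TSO4", "TSO6", "LRO"}

# Constructed sample, not captured from a real host.
SAMPLE_IFCONFIG = """\
xn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=503<RXCSUM,TXCSUM,TSO4,LRO>
\tether 0a:1b:2c:3d:4e:5f
\tinet 172.31.63.223 netmask 0xfffff000 broadcast 172.31.63.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
\toptions=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
\tinet 127.0.0.1 netmask 0xff000000
"""

_IFACE_RE = re.compile(r"^(\w+): flags=")
_OPTS_RE = re.compile(r"^\s+options=[0-9a-fA-F]+<([^>]*)>")


def parse_options(text: str) -> Dict[str, List[str]]:
    """Map interface name -> capability names from its options=<...> line."""
    caps: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            caps[current] = []
            continue
        m = _OPTS_RE.match(line)
        if m and current is not None:
            caps[current] = [c for c in m.group(1).split(",") if c]
    return caps


def offload_report(text: str) -> Dict[str, List[str]]:
    """Interfaces that still have segmentation offload on, with the flags found."""
    return {
        iface: sorted(set(opts) & SEGMENTATION_OFFLOADS)
        for iface, opts in parse_options(text).items()
        if set(opts) & SEGMENTATION_OFFLOADS
    }


def fix_commands(report: Dict[str, List[str]]) -> List[str]:
    """ifconfig(8) invocations that clear the flags found (-tso disables both TSO4 and TSO6)."""
    cmds = []
    for iface, flags in report.items():
        args = []
        if any(f.startswith("TSO") for f in flags):
            args.append("-tso")
        if "LRO" in flags:
            args.append("-lro")
        cmds.append(f"ifconfig {iface} {' '.join(args)}")
    return cmds


if __name__ == "__main__":
    for cmd in fix_commands(offload_report(SAMPLE_IFCONFIG)):
        print(cmd)
```

On a live host feed it the real output (ifconfig -a) instead of the sample; to keep the setting across reboots the same -tso/-lro flags go on the interface's ifconfig_<if> line in /etc/rc.conf.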
From: Kristof Provost
Date: Thu, 1 Oct 2015 09:07:57 +0200
Subject: Re: PF appears to lock up a machine with a large number of jails
To: Felix Gallo
Cc: freebsd-pf@freebsd.org
Message-Id: <8ACD4B80-D6F4-4811-9B28-F48544944214@FreeBSD.org>

> On 01 Oct 2015, at 03:06, Felix Gallo wrote:
>
> SITUATION 2.
>
> I then realized that I had TSO enabled on the interface, which seems to
> interact very badly with pf. So I disabled it and started creating the
> jails again. Again, it hung the box, but this time seemed to take a lot
> longer to do so (over 100 jails created).

I'm currently looking at the TSO problem with pf.
I think I understand the problem, and it's limited to bad checksums. It shouldn't trigger panics.

I've added the lockup with jails to my (ever growing) todo list. Can you create a PR for this?

Regards,
Kristof

From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Thu, 01 Oct 2015 14:51:46 +0200
Subject: Cannot connect to self IP after upgrade to FreeBSD 10.2
To: freebsd-pf@freebsd.org
Message-ID: <560D2C62.6000504@quip.cz>
Is there any change in PF in how "antispoof" works in 10.2?

I have machines on 10.1 with rule

antispoof quick for { $ext_if, lo0 }

it is translated to

block drop in quick on ! bge1 inet from A.B.C.0/25 to any
block drop in quick inet from A.B.C.D to any
block drop in quick on ! lo0 inet from 127.0.0.0/8 to any
block drop in quick on ! lo0 inet6 from ::1 to any

It worked for years on 7.x, 8.x, 9.x, 10.1, but after recent upgrade to 10.2 I cannot connect to self IP (A.B.C.D) from console.

It is blocked by rule

block drop in quick inet from A.B.C.D to any

A.B.C.D is a public IP address. I can connect to public services from the outside, but cannot connect from the machine itself.

What was changed in PF in 10.2? Is there any easy option to use antispoof and still be able to connect from the machine itself?

The machine is an old Sun Fire X2100 M2 with FreeBSD 10.2-RELEASE-p3 amd64 GENERIC and Broadcom BCM5714 interfaces.

Miroslav Lachman

From: Christian Laursen
Organization: The Border Worlds
Date: Thu, 1 Oct 2015 15:03:36 +0200
Subject: Re: Cannot connect to self IP after upgrade to FreeBSD 10.2
To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-pf@freebsd.org
Message-ID: <560D2F28.8060109@borderworlds.dk>
In-Reply-To: <560D2C62.6000504@quip.cz>

On 10/01/15 14:51, Miroslav Lachman wrote:
> [snip]
> Is there any easy option to use antispoof and still be able to
> connect from the machine itself?

I don't know anything about the antispoof feature, but I always put "set skip on lo0" at the top of my pf rulesets.

That will bypass pf for all local traffic and I think it will work in this case.

/Christian
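To see why "set skip on lo0" matters for the antispoof expansion posted above, here is a small model of it (added example, not code from the thread or from pf itself). expand_antispoof reproduces the rule shape that pfctl -sr shows for "antispoof quick for { $ext_if, lo0 }", and filter_inbound applies those rules, with quick semantics and an optional "set skip on" set, to a few inbound packets. The addresses are constructed: 203.0.113.10/25 on bge1 stands in for the poster's A.B.C.D, and em0 is a hypothetical extra interface.

```python
"""Model of how pf expands 'antispoof' into block rules and what that does to
a host talking to its own address. Added example, not code from the thread or
from pf; it reproduces the rule shape seen in 'pfctl -sr' output. The
addresses are constructed: 203.0.113.10/25 on bge1 stands in for A.B.C.D."""

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    action: str            # "block" (every antispoof rule blocks)
    not_on: Optional[str]  # 'on ! IF': rule applies on every interface except IF
    src: object            # ipaddress network the packet's source must fall in


def expand_antispoof(ifaces: Dict[str, Tuple[bool, List[str]]]) -> List[Rule]:
    """ifaces maps name -> (is_loopback, [addr/prefix, ...]).

    For each address pf emits a rule dropping our network as a source on any
    other interface, and for non-loopback interfaces a second rule dropping
    our own address as a source on *any* interface."""
    rules: List[Rule] = []
    for name, (is_loopback, cidrs) in ifaces.items():
        for cidr in cidrs:
            iface_addr = ipaddress.ip_interface(cidr)
            rules.append(Rule("block", name, iface_addr.network))
            if not is_loopback:
                rules.append(Rule("block", None, ipaddress.ip_network(str(iface_addr.ip))))
    return rules


def render(rule: Rule) -> str:
    """Print a rule the way pfctl -sr shows it."""
    af = "inet6" if rule.src.version == 6 else "inet"
    on = f" on ! {rule.not_on}" if rule.not_on else ""
    src = rule.src.with_prefixlen if rule.src.num_addresses > 1 else str(rule.src.network_address)
    return f"block drop in quick{on} {af} from {src} to any"


def filter_inbound(rules: List[Rule], skip: Set[str], iface: str, src: str) -> Tuple[str, Optional[str]]:
    """Verdict for an inbound packet: ('block', matching rule) or ('pass', None).

    'set skip on IF' bypasses pf entirely on IF. Otherwise the first matching
    quick rule wins; with nothing else in this toy ruleset, no match passes."""
    if iface in skip:
        return "pass", None
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if rule.not_on == iface:
            continue  # 'on ! IF' never matches packets arriving on IF itself
        if addr.version == rule.src.version and addr in rule.src:
            return rule.action, render(rule)
    return "pass", None


IFACES = {
    "bge1": (False, ["203.0.113.10/25"]),        # stands in for $ext_if / A.B.C.D
    "lo0": (True, ["127.0.0.1/8", "::1/128"]),
}
RULES = expand_antispoof(IFACES)
SELF = "203.0.113.10"


def demo() -> Dict[str, str]:
    """Verdicts for the case from the thread plus the spoofing cases antispoof exists for."""
    cases = {
        # The host connects to its own public address: the kernel loops it
        # back over lo0, inbound, with that address as the source.
        "self_without_skip": (set(), "lo0", SELF),
        "self_with_skip_lo0": ({"lo0"}, "lo0", SELF),
        # Forged sources arriving from the wire (em0 is hypothetical).
        "loopback_from_wire": ({"lo0"}, "bge1", "127.0.0.1"),
        "own_addr_from_wire": ({"lo0"}, "bge1", SELF),
        "own_net_on_wrong_iface": ({"lo0"}, "em0", "203.0.113.20"),
        # A neighbour on our /25 arriving where it should: not spoofed.
        "neighbour_on_bge1": ({"lo0"}, "bge1", "203.0.113.20"),
    }
    return {name: filter_inbound(RULES, skip, iface, src)[0]
            for name, (skip, iface, src) in cases.items()}


if __name__ == "__main__":
    for rule in RULES:
        print(render(rule))
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

Run it and the four rendered rules come out in the same shape as the expansion the poster pasted. The self_without_skip case is the reported problem: a connection to the host's own address is delivered as an inbound packet on lo0 whose source is that address, and the two bge1 antispoof rules carry "on ! bge1" or no interface at all, so one of them matches it. "set skip on lo0" takes lo0 out of filtering before any rule is consulted, which is why it belongs at the top of the ruleset; the spoofing cases show that the protection on bge1 is unchanged by that.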
From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Thu, 01 Oct 2015 15:31:26 +0200
Subject: Re: Cannot connect to self IP after upgrade to FreeBSD 10.2 [solved]
To: Christian Laursen, freebsd-pf@freebsd.org
Message-ID: <560D35AE.9010603@quip.cz>
In-Reply-To: <560D2F28.8060109@borderworlds.dk>

Christian Laursen wrote on 10/01/2015 15:03:
> On 10/01/15 14:51, Miroslav Lachman wrote:
>> [snip]
>> Is there any easy option to use antispoof and still be able to
>> connect from the machine itself?
> I don't know anything about the antispoof feature, but I always put "set
> skip on lo0" at the top of my pf rulesets.
>
> That will bypass pf for all local traffic and I think it will work in
> this case.

Yes, I have skip on lo0 too. Now I know what the problem was. I accidentally removed 127.0.0.1 from lo0 when manipulating another aliased IP. Then I added 127.0.0.1 back, but the system behaved abnormally in this "local traffic" case. After a reboot, it all went fine and the previous PF rules with antispoof work as expected.

Sorry for the noise.

Miroslav Lachman

From: Kristof Provost
Date: Fri, 2 Oct 2015 12:08:05 +0200
Subject: pf+TSO patch
To: freebsd-pf@freebsd.org, freebsd-net@freebsd.org
Message-ID: <20151002100805.GL3433@vega.codepro.be>

Hi,

I've found a little time to look at the pf TSO issue (which made pf unusable on Xen VMs, like Amazon EC2).

I've posted the patch here: https://reviews.freebsd.org/D3779

It still needs a bit more testing, but so far it looks good. I'd be very grateful for any brave souls who want to give this a try.

This work was very kindly sponsored by RootBSD (rootbsd.net).

Regards,
Kristof