From owner-freebsd-pf@FreeBSD.ORG Sun Mar 9 15:17:38 2008
Message-ID: <55e8a96c0803090750g225704f4k6298770ee9fa9009@mail.gmail.com>
Date: Sun, 9 Mar 2008 09:50:06 -0500
From: "Bill Marquette"
To: "Lorenz Helleis"
Cc: freebsd-pf@freebsd.org
Subject: Re: Res: Res: Dropped Packets
In-Reply-To: <312816.32112.qm@web53707.mail.re2.yahoo.com>
References: <312816.32112.qm@web53707.mail.re2.yahoo.com>

On Fri, Mar 7, 2008 at 4:40 PM, Lorenz Helleis wrote:
> This is an internal firewall... I think the entry in the session table is
> disappearing, so the client needs to make another connection. I'm thinking
> about creating a stateless rule.

I suspect this will only decrease your packet rates. From what I understand, state table lookups are MUCH cheaper than rule table lookups.

Also, the congestion count increases (from memory) when the NIC can't send packets; you might look at increasing the net.inet.ip.intr_queue_maxlen sysctl if net.inet.ip.intr_queue_drops is showing a non-zero value (which it likely is if you are pushing 400kpps without increasing the queue).

BTW, what version of FreeBSD? I didn't see it already mentioned in the thread.
--Bill

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 10 11:07:08 2008
Message-Id: <200803101107.m2AB77r8086639@freefall.freebsd.org>
Date: Mon, 10 Mar 2008 11:07:07 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Current FreeBSD problem reports

Critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/82271   pf         [pf] cbq scheduler cause bad latency
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/116610   pf         [patch] teach tcpdump(1) to cope with the new-style pf
o kern/117827  pf         [pf] [panic] kernel panic with pf and ng
o kern/120281  pf         [request] lost returning packets to PF for a rdr rule

5 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf         [pf] pf reply-to doesn't work
o kern/106400  pf         [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
s conf/110838  pf         tagged parameter on nat not working on FreeBSD 5.2
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/114567  pf         [pf] LOR pf_ioctl.c + if.c
f kern/116645  pf         [request] pfctl -k does not work in securelevel 3
o kern/118355  pf         [pf] [patch] pfctl help message options order false -t
f kern/119661  pf         [pf] "queue (someq, empy_acks)" doesn't work
o kern/120057  pf         [patch] Allow proper settings of ALTQ_HFSC. The check

10 problems total.

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 10 13:35:55 2008
Message-ID: <47D5392A.6060407@rxsec.com>
Date: Mon, 10 Mar 2008 09:35:38 -0400
From: Chris Marlatt
Organization: Receive Security
To: Lorenz Helleis
Cc: freebsd-pf@freebsd.org
Subject: Re: Dropped Packets
In-Reply-To: <151806.66922.qm@web53707.mail.re2.yahoo.com>
References: <151806.66922.qm@web53707.mail.re2.yahoo.com>

Lorenz Helleis wrote:
> Do the machines generating the traffic have multiple paths?
>
> The only time I've really seen pf have problems with sessions is when
> the devices send and receive traffic via different paths or multiple
> paths (i.e. traffic comes in via firewall01 but goes out firewall02 and
> firewall01 and firewall02 do not implement pfsync).
>
> Regards,
>
> Chris
>
>
> I have 2 firewalls, and they were working very well until yesterday... I implemented pfsync in the firewalls...
>
> I think I need to optimize the rules, like increase the tables.. or something like this....
>
> Did you increase these values on your firewall?
>
> Tell me about your firewall...
>
> Lorenz.
>

Please correct me if I'm reading this incorrectly. But it sounds like you're saying the firewalls worked fine until you implemented pfsync, is this correct? If so try backing out of that to isolate that change and confirm this. I've seen pfsync packets either be lost or "slow" in synchronizing with the other firewall and as a result state mismatching occurring on the secondary firewall (if both are active - i.e. arp balance). If you're using that try disabling it and see if there is an improvement.

Also, have you made any modifications to sysctl.conf and loader.conf? If so please post them here.

Regards,

Chris

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 10 13:50:48 2008
Message-ID: <418597.89158.qm@web53704.mail.re2.yahoo.com>
Date: Mon, 10 Mar 2008 06:50:47 -0700 (PDT)
From: Lorenz Helleis
To: Chris Marlatt
Cc: freebsd-pf@freebsd.org
Subject: Res: Dropped Packets

> Please correct me if I'm reading this incorrectly. But it sounds like
> you're saying the firewalls worked fine until you implemented pfsync, is
> this correct?

You read incorrectly, everything is OK with pfsync.

> If so try backing out of that to isolate that change and confirm this.
> I've seen pfsync packets either be lost or "slow" in synchronizing with
> the other firewall and as a result state mismatching occurring on the
> secondary firewall (if both are active - i.e. arp balance). If you're
> using that try disabling it and see if there is an improvement.
>
> Also, have you made any modifications to sysctl.conf and loader.conf? If
> so please post them here.

Everything was ok until we started to make backups passing through the firewall. The only thing that I changed AFTER the problem was:

ADD this line on sysctl.conf:

net.inet.ip.ifq.maxlen=1024

but it didn't solve the problem.

Lorenz.

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 10 14:53:45 2008
Message-ID: <47D5488E.1080605@nviz.net>
Date: Mon, 10 Mar 2008 14:41:18 +0000
From: Greg Hennessy
To: Lorenz Helleis
Cc: freebsd-pf@freebsd.org
Subject: Re: Res: Dropped Packets
In-Reply-To: <418597.89158.qm@web53704.mail.re2.yahoo.com>
References: <418597.89158.qm@web53704.mail.re2.yahoo.com>

Lorenz Helleis wrote:
> Everything was ok until we started to make backups passing through the firewall.

What sort of 'backups', using what exactly?

Did you monitor the input Q drop figure from net.inet.ip.intr_queue_drops before, during and after the service impacting traffic?
Do you capture interface statistics using something like Cacti?

Some idea of packet forwarding rate, before, during and after would be useful.

Regards

Greg

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 10 20:24:35 2008
Message-ID: <69544.37828.qm@web53707.mail.re2.yahoo.com>
Date: Mon, 10 Mar 2008 13:24:33 -0700 (PDT)
From: Lorenz Helleis
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Subject: Res: Res: Dropped Packets

> What sort of 'backups', using what exactly?
>
> Did you monitor the input Q drop figure from
> net.inet.ip.intr_queue_drops
> before, during and after the service impacting traffic?
>
> Do you capture interface statistics using something like Cacti?
>
> Some idea of packet forwarding rate, before, during and after would be useful.

It is a TSM server. There is a lot of traffic, but not too many sessions. The number of packets per second increases a lot, so the other connections are being dropped.

net.inet.ip.ifq.drops=7082987

This number was increasing, but I changed this value to net.inet.ip.ifq.maxlen=1024 (it was 50). So now the ifq.drops is not increasing any more, but it didn't solve the problem.

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 11 09:43:56 2008
Message-ID: <20080311090953.GA1764@zinovik.kspu.karelia.ru>
Date: Tue, 11 Mar 2008 12:09:53 +0300
From: Igor Zinovik
To: freebsd-pf@freebsd.org
Subject: PF perfomance in freebsd

Hello, freebsd-pf@ readers.

I decided to switch from ipf to pf at work, so I am trying to explain to my co-admin why pf is better than ipf. My main arguments for switching from ipf are that pf is still maintained and feature rich. The main disadvantage of ipf is that it is hard to maintain the configuration file (since it does not support macros, we created a shell script to obtain macro support).

henning@openbsd.org greatly improved pf performance in 2007. I'd like to know whether this change somehow affects pf performance on FreeBSD. If it matters, we are running FreeBSD RELENG_5.

http://marc.info/?l=openbsd-cvs&m=118037274607974&w=2

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 11 11:53:58 2008
Date: Tue, 11 Mar 2008 06:14:51 -0500 (CDT)
From: "Jeremy C. Reed"
To: Igor Zinovik
Cc: freebsd-pf@freebsd.org
Subject: Re: PF perfomance in freebsd
In-Reply-To: <20080311090953.GA1764@zinovik.kspu.karelia.ru>
References: <20080311090953.GA1764@zinovik.kspu.karelia.ru>

On Tue, 11 Mar 2008, Igor Zinovik wrote:
> I decided to switch from ipf to pf at work. So I try to explain to
> my co-admin why pf is better than ipf. My main arguments for switching from
> ipf are that pf is still maintained and feature rich. The main disadvantage
> of ipf is that it is hard to maintain the configuration file (since it does
> not support macros we created a shell script to obtain macro support).
These arguments are not true.

IPF is maintained. FreeBSD's official handbook says "IPFILTER is actively being supported and maintained, with updated versions being released regularly." The FAQ was last updated on 07/05/07 (July 2007 I assume). It looks like the latest release of IP Filter (4.1.28) was released on Oct. 17, 2007.

IPF is feature rich. Some examples: tuning during run-time; save state over reboots; active and testing filter which can be swapped; can generate C code for filter rules hard-coded in a custom kernel; flush specific TCP states (at run-time); flush idle states that are a certain age (at run-time); provides tools to generate a simple ruleset and testing of rulesets without enabling on a real firewall (and using various packet input formats); able to call kernel functions per a rule; authentication (such as password) for rules; lookup tables; packet per second matching; a few built-in proxies; some load balancing; checksum verifications; and more.

IPF does support macros. It has always supported nested variable substitution. (Sadly this is not documented.)

Jeremy C. Reed

p.s. I primarily use PF because of its great documentation -- in fact, I published an edited, indexed, cross-referenced, and improved version of some PF docs in book format.
From owner-freebsd-pf@FreeBSD.ORG Tue Mar 11 12:27:46 2008
Message-ID: <92f9a9560803110345g638105e5rc717ac1a5aec0c5f@mail.gmail.com>
Date: Tue, 11 Mar 2008 16:15:53 +0530
From: "Raja Subramanian"
To: "Kurt Dethier"
Cc: freebsd-pf@freebsd.org
Subject: Re: ftp-proxy and route-to
In-Reply-To: <47D19DE3.3000007@androme.com>
References: <47D19DE3.3000007@androme.com>

On Sat, Mar 8, 2008 at 1:26 AM, Kurt Dethier wrote:
> Also I think I would need a route-to and reply-to in the anchor
> rules created by ftp-proxy. Is this possible?

pfSense (a firewall based on FreeBSD) has the following pftpx patch that will let you do what you need. You can pass the route-to interface/gateway IP addr on the command line. You can find pftpx-routeto here:

http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/pfPorts/pftpx-routeto/#dirlist

You'll need to run a separate pftpx-routeto instance for every WAN interface on your box and round-robin your ftp traffic from your LAN interface to each pftpx-routeto instance. I have this setup working nicely on my FreeBSD 6.2 machine.

The ftp-proxy author is not interested in accepting this patch, stating that routing decisions must not be decided by user space apps and should remain within the kernel. That said, he's come up with a clever solution -- implemented in the ftp-proxy found in OpenBSD 4.2 -- ftp-proxy can include custom pf tags in the rules it automatically inserts. You can then match tagged packets in later pf rules and route the ftp traffic over the appropriate links. Note that as before, you'll need a separate instance of ftp-proxy tagging for every WAN interface on your box.

Let me know if you require any further help.
- Raja

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 13 16:54:14 2008
Message-Id: <200803131654.m2DGsDo2092664@freefall.freebsd.org>
Date: Thu, 13 Mar 2008 16:54:13 GMT
From: remko@FreeBSD.org
To: remko@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules

Synopsis: connect randomly fails with EPERM with some pf rules

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: remko
Responsible-Changed-When: Thu Mar 13 16:53:53 UTC 2008
Responsible-Changed-Why:
reassign to pf team.

http://www.freebsd.org/cgi/query-pr.cgi?pr=121668

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 13 19:00:09 2008
Message-Id: <200803131900.m2DJ09TY002400@freefall.freebsd.org>
Date: Thu, 13 Mar 2008 19:00:09 GMT
From: Kian Mohageri
To: freebsd-pf@FreeBSD.org
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules

The following reply was made to PR kern/121668; it has been noted by GNATS.
From: Kian Mohageri
To: bug-followup@FreeBSD.org, lfrigault@agneau.org
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules
Date: Thu, 13 Mar 2008 11:29:52 -0700

Does the state-mismatch counter increase when this happens (pfctl -si)?

I remember similar behavior and it was caused by source port reuse on the client (so the new connection caused a state mismatch on an old state).

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 13 19:20:08 2008
(envelope-from gnats) Date: Thu, 13 Mar 2008 19:20:08 GMT Message-Id: <200803131920.m2DJK8or004452@freefall.freebsd.org> To: freebsd-pf@FreeBSD.org From: Laurent Frigault Cc: Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Laurent Frigault List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Mar 2008 19:20:08 -0000 The following reply was made to PR kern/121668; it has been noted by GNATS. From: Laurent Frigault To: Kian Mohageri Cc: bug-followup@FreeBSD.org Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules Date: Thu, 13 Mar 2008 20:16:58 +0100 On Thu, Mar 13, 2008 at 11:29:52AM -0700, Kian Mohageri wrote: > Does state-mismatch counter increase when this happens (pfctl -si)? I re-run the teste and yes and the state-mismatch counter increase is exactly the number of connect failling with EPERM. > I remember similar behavior and it was caused by source port reuse on > the client (so the new connection caused a state mismatch on an old > state). The previous connection are closed. If the source port can't be reused yet, then the kernel should use an other one for the new connection. If it can, then pf should allow it. If the connect (SYN) does not match an existing state, The pf rule should create a new state. Am I wrong ? I don't fixe the source port in my sample and mysql client don't either. How can I work around this ? 
Regards,

--
Laurent Frigault |

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 13 19:30:02 2008
The following reply was made to PR kern/121668; it has been noted by GNATS.

From: Max Laier
To: bug-followup@freebsd.org, lfrigault@agneau.org
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules
Date: Thu, 13 Mar 2008 20:26:39 +0100

> sysctl net.inet.tcp.nolocaltimewait=1
> not needed, but helps to reproduce the problem with client and server
> on the same computer.

Okay, now this is just asking for trouble.
pf does thorough checks on TCP states, one of which is to enforce the
2MSL quiet time before port reuse. If you set the above sysctl you
specifically ask FreeBSD to break that rule and thus cause pf to bark.

You can also hit the issue if you have a large number of (consecutive)
connections between two hosts (e.g. [poorly configured] squid ->
www-backends, mysql, ...). The solution is to:

1) Reduce the connection spree and use one permanent connection
2) Increase the ephemeral port range net.inet.ip.portrange.hi{first,last}
3) Decrease the pf state timeout tcp.{closing,closed} in order to relax
   the check. You can do this globally and on a per-rule basis.

--
Max

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 13 19:50:03 2008
The following reply was made to PR kern/121668; it has been noted by GNATS.

From: Kian Mohageri
To: Laurent Frigault
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules
Date: Thu, 13 Mar 2008 12:44:48 -0700

Laurent Frigault wrote:
> On Thu, Mar 13, 2008 at 11:29:52AM -0700, Kian Mohageri wrote:
>> Does the state-mismatch counter increase when this happens (pfctl -si)?
>
> I re-ran the test and yes, the state-mismatch counter increase is
> exactly the number of connects failing with EPERM.
>
>> I remember similar behavior and it was caused by source port reuse on
>> the client (so the new connection caused a state mismatch on an old
>> state).
>
> The previous connections are closed.
> If the source port can't be reused yet, then the kernel should use
> another one for the new connection. If it can, then pf should allow it.
>
> If the connect (SYN) does not match an existing state, the pf rule
> should create a new state.
>

It does "match" a state (source/dest is same), which is the problem.
Even though the connection is closed, the state hasn't yet been purged.
Refer to pf.conf(5) for how to adjust tcp.closed so the state is purged
sooner, or adjust the available dynamic port range (sysctl
net.inet.ip.portrange).

I don't know if this is intended behavior or not.
I've never run into it on OpenBSD, but pf is integrated much more
tightly into their system obviously and I'm guessing their port reuse
code is pretty different too.

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 13 22:50:06 2008
The following reply was made to PR kern/121668; it has been noted by GNATS.

From: Laurent Frigault
To: Kian Mohageri
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules
Date: Thu, 13 Mar 2008 23:49:43 +0100

On Thu, Mar 13, 2008 at 12:44:48PM -0700, Kian Mohageri wrote:
> >> I remember similar behavior and it was caused by source port reuse
> >> on the client (so the new connection caused a state mismatch on an
> >> old state).
> >
> > The previous connections are closed.
> > If the source port can't be reused yet, then the kernel should use
> > another one for the new connection. If it can, then pf should allow it.
> >
> > If the connect (SYN) does not match an existing state, the pf rule
> > should create a new state.
>
> It does "match" a state (source/dest is same), which is the problem.

ok.

> Even though the connection is closed, the state hasn't yet been purged.
> Refer to pf.conf(5) for how to adjust tcp.closed so the state is purged
> sooner, or adjust the available dynamic port range (sysctl
> net.inet.ip.portrange).

I tried disabling net.inet.ip.portrange.randomized and setting the
tcp.closed timeout to 0. That seems to work around the problem in most
cases. Are there any risks in setting the timeout to 0?

> I don't know if this is intended behavior or not. I've never run into
> it on OpenBSD, but pf is integrated much more tightly into their
> system obviously and I'm guessing their port reuse code is pretty
> different too.

Maybe the port randomization is different too.
--
Laurent Frigault |

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 13 23:30:03 2008
The following reply was made to PR kern/121668; it has been noted by GNATS.

From: Laurent Frigault
To: Max Laier
Cc: bug-followup@freebsd.org
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules
Date: Fri, 14 Mar 2008 00:20:00 +0100

On Thu, Mar 13, 2008 at 08:26:39PM +0100, Max Laier wrote:
> > sysctl net.inet.tcp.nolocaltimewait=1
> > not needed, but helps to reproduce the problem with client and server
> > on the same computer.
>
> Okay, now this is just asking for trouble.
> pf does thorough checks on TCP
> states, one of which is to enforce the 2MSL quiet time before port reuse.
> If you set the above sysctl you specifically ask FreeBSD to break that
> rule and thus cause pf to bark.

The nolocaltimewait=1 was only to help to reproduce the problem.

> You can also hit the issue if you have a large number of (consecutive)
> connections between two hosts (e.g. [poorly configured] squid ->
> www-backends, mysql, ...). The solution is to:

I discovered this problem with connections between CGI scripts and a
mysql server.

> 1) Reduce the connection spree and use one permanent connection

Not always possible with CGI.

> 2) Increase the ephemeral port range net.inet.ip.portrange.hi{first,last}

Interesting point. Lowering first seems to help.
Disabling net.inet.ip.portrange.randomized helps a lot too.

> 3) Decrease the pf state timeout tcp.{closing,closed} in order to relax
> the check. You can do this globally and on a per-rule basis.

I've set closed to 1 and closing to 30. That helps too.
It does not seem possible to set tcp.closed to 0 on a per-rule basis:

This is accepted:

pass out quick on lo0 proto tcp from any to any port 9 flags S/SA keep state ( tcp.closing 30 , tcp.closed 0 )

But pfctl -srules -vvv prints:

@0 pass out quick on lo0 proto tcp from any to any port = discard flags S/SA keep state (tcp.closing 30)
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 51151 ]

The tcp.closed seems to be ignored.

It works with tcp.closed set to 1.

Regards,

--
Laurent Frigault |

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 14 09:30:04 2008
From: "Remko Lodder"
To: "Laurent Frigault"
Cc: freebsd-pf@freebsd.org
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules
Date: Fri, 14 Mar 2008 10:02:36 +0100 (CET)
> It does not seem possible to set tcp.closed to 0 on a per-rule basis:
> This is accepted:
> pass out quick on lo0 proto tcp from any to any port 9 flags S/SA keep
> state ( tcp.closing 30 , tcp.closed 0 )
>
> But pfctl -srules -vvv prints:
> @0 pass out quick on lo0 proto tcp from any to any port = discard flags
> S/SA keep state (tcp.closing 30)
>   [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
>   [ Inserted: uid 0 pid 51151 ]
>
> The tcp.closed seems to be ignored.
>
> It works with tcp.closed set to 1.
>

Why are you filtering on your local IP stack anyway? Filtering on lo0
is not that common, or at least in my point of view not used often, and
presents problems all the way. Just a random reply to something I feel
-strange-.
Thanks,
remko

--
     /"\   Best regards,                      | remko@FreeBSD.org
     \ /   Remko Lodder                       | remko@EFnet
      X    http://www.evilcoder.org/          |
     / \   ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 14 11:34:52 2008
From: mlaier@FreeBSD.org
To: lfrigault@agneau.org, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/121668: [pf] connect randomly fails with EPERM with some pf rules
Date: Fri, 14 Mar 2008 11:34:51 GMT

Synopsis: [pf] connect randomly fails with EPERM with some pf rules

State-Changed-From-To: open->closed
State-Changed-By: mlaier
State-Changed-When: Fri Mar 14 11:33:49 UTC 2008
State-Changed-Why:
Further discussion belongs to freebsd-pf@, thanks.
http://www.freebsd.org/cgi/query-pr.cgi?pr=121668

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 14 21:36:44 2008
From: Laurent Frigault
To: Remko Lodder
Cc: freebsd-pf@freebsd.org
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules
Date: Fri, 14 Mar 2008 22:09:03 +0100

On Fri, Mar 14, 2008 at 10:02:36AM +0100, Remko Lodder wrote:
> Why are you filtering on your local IP stack anyway? Filtering on lo0
> is not that common, or at least in my point of view not used often, and
> presents problems all the way.

I don't. It was just a way to provide a simple case to reproduce the
problem.

I have seen rare cases when filtering local traffic was needed to enforce
multi-jail isolation.
Usually, I just have a stateless quick rule that allows everything on
lo0 at the beginning of the ruleset, before the default block log quick
all at the end.

--
Laurent Frigault |

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 14 22:32:14 2008
From: "Kian Mohageri"
To: "Laurent Frigault"
Date: Fri, 14 Mar 2008 15:32:07 -0700
Cc: freebsd-pf@freebsd.org
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules

On Fri, Mar 14, 2008 at 2:09 PM, Laurent Frigault wrote:
> On Fri, Mar 14, 2008 at 10:02:36AM +0100, Remko Lodder wrote:
>
> > Why are you filtering on your local IP stack anyway? Filtering on lo0
> > is not that common, or at least in my point of view not used often, and
> > presents problems all the way.
>
> I don't. It was just a way to provide a simple case to reproduce the
> problem.
>
> I have seen rare cases when filtering local traffic was needed to enforce
> multi-jail isolation.
>
> Usually, I just have a stateless quick rule that allows everything on
> lo0 at the beginning of the ruleset, before the default block log quick
> all at the end.
>

May want to use 'set skip' instead.
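The two checks the thread relies on, as an added example (Python written for this digest, not code from pf or from anyone on the list): parse the Counters block of pfctl -si and report how far state-mismatch moved between two snapshots, which is the check Kian Mohageri asked for, and compare the state options written in a rule with those pfctl -srules -vvv prints back, which is how Laurent Frigault noticed tcp.closed 0 being dropped. The two pfctl -si snapshots are constructed sample output in the layout pfctl prints; the rule lines are the ones quoted above.

```python
"""Two checks on what pf reports, used in the kern/121668 thread.

Added example: not code from pf or from anyone on the list.  It parses the
Counters block of `pfctl -si` to see how far state-mismatch moved between
two snapshots, and compares the state options written in a rule with what
`pfctl -srules -vvv` says was loaded.  The snapshots are constructed sample
output laid out the way pfctl prints it; the rule lines are the ones quoted
in the thread.
"""
import re

# Constructed `pfctl -si` output, taken before and after a run of connect()
# calls of which 38 failed with EPERM.
PFCTL_SI_BEFORE = """\
State Table                          Total             Rate
  current entries                       12
  searches                          184302          176.5/s
Counters
  match                                820            0.8/s
  bad-offset                             0            0.0/s
  state-mismatch                         3            0.0/s
  state-insert                           0            0.0/s
"""
PFCTL_SI_AFTER = """\
State Table                          Total             Rate
  current entries                       31
  searches                          191877          183.0/s
Counters
  match                                902            0.9/s
  bad-offset                             0            0.0/s
  state-mismatch                        41            0.0/s
  state-insert                           0            0.0/s
"""

# The rule as written, and the rule as pfctl -srules -vvv printed it back.
RULE_WRITTEN = ("pass out quick on lo0 proto tcp from any to any port 9 "
                "flags S/SA keep state ( tcp.closing 30 , tcp.closed 0 )")
RULE_LOADED = ("@0 pass out quick on lo0 proto tcp from any to any port = discard "
               "flags S/SA keep state (tcp.closing 30)")


def parse_pf_counters(text):
    """Return {name: total} for the 'Counters' section of `pfctl -si`."""
    counters = {}
    in_counters = False
    for line in text.splitlines():
        if not line.startswith(" "):      # section header: "State Table", "Counters", ...
            in_counters = line.startswith("Counters")
            continue
        m = re.match(r"\s+(\S+)\s+(\d+)", line)
        if in_counters and m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def counter_delta(before, after, name="state-mismatch"):
    """How much one pfctl counter grew between two `pfctl -si` snapshots."""
    return (parse_pf_counters(after).get(name, 0)
            - parse_pf_counters(before).get(name, 0))


def eperm_explained_by_mismatch(before, after, eperm_failures):
    """True when state-mismatch grew by exactly the number of failed connects,
    the one-to-one correspondence Laurent Frigault reported."""
    return counter_delta(before, after) == eperm_failures


def state_options(rule):
    """Return {option: value} from the '( ... )' after keep/modulate/synproxy state."""
    m = re.search(r"(?:keep|modulate|synproxy) state\s*\((.*?)\)", rule)
    if not m:
        return {}
    opts = {}
    for item in m.group(1).split(","):
        parts = item.split()
        if len(parts) == 2:        # timeout-style option, e.g. "tcp.closing 30"
            opts[parts[0]] = parts[1]
        elif len(parts) == 1:      # flag-style option such as "sloppy"
            opts[parts[0]] = None
    return opts


def dropped_options(written, loaded):
    """Options you wrote that pf's own dump of the rule no longer shows."""
    wanted, got = state_options(written), state_options(loaded)
    return {k: v for k, v in wanted.items() if k not in got or got[k] != v}


if __name__ == "__main__":
    print("state-mismatch delta:", counter_delta(PFCTL_SI_BEFORE, PFCTL_SI_AFTER))
    print("options silently dropped:", dropped_options(RULE_WRITTEN, RULE_LOADED))
```

On a live box, feed it two captures of pfctl -si taken before and after the failing connects: a counter that moves by exactly the number of EPERMs points at port reuse against a lingering state rather than at a rule blocking the traffic, and the rule comparison tells you whether the timeout you think you set is the one pf loaded.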
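A model of the mechanism Max Laier and Kian Mohageri describe, added here as an example (not pf's code, and not from anyone on the list): a state keyed by the TCP 4-tuple lingers for tcp.closed seconds after the connection closes, and a SYN that draws a source port whose old state is still present is counted as a state mismatch. It runs Max's three remedies side by side against the CGI-to-mysql pattern Laurent Frigault reported. Every number is a constructed scenario value (rate, port range, connection count) except the 90 s tcp.closed default, which is the value pf.conf(5) documents; the kernel's own TIME_WAIT handling and what happens on a retried connect are deliberately left out of the model.

```python
"""Why reused source ports trip pf, and what each knob in the thread does.

Added example, not pf's code: a deliberately simplified model.  A state
lingers for tcp.closed seconds after close; a new SYN whose source port
still has such a state "matches" it and is counted as a state mismatch,
which the caller sees as connect() failing with EPERM.
"""
import random


def simulate(n_conns, rate, port_first, port_last, closed_timeout,
             randomized=True, seed=1):
    """Count connects that collide with a lingering closed state.

    n_conns short-lived connections to one (dst ip, dst port) start at
    `rate` per second from one client and close at once.  randomized=True
    draws the source port uniformly from [port_first, port_last], like
    net.inet.ip.portrange.randomized=1; False walks the range in order,
    which is what disabling randomization gets you.
    """
    rng = random.Random(seed)
    nports = port_last - port_first + 1
    purge_at = {}            # source port -> time its closed state is purged
    next_port = port_first
    mismatches = 0
    for i in range(n_conns):
        now = i / rate
        if randomized:
            port = port_first + rng.randrange(nports)
        else:
            port = next_port
            next_port = port_first + (port - port_first + 1) % nports
        if purge_at.get(port, -1.0) > now:
            mismatches += 1  # old state still present: SYN dropped, EPERM
            continue         # the failed connect creates no new state
        purge_at[port] = now + closed_timeout  # connection closes immediately
    return mismatches


def compare_remedies(n_conns=20000, rate=100.0):
    """Run the three remedies from the thread side by side; returns a dict."""
    # Constructed baseline: a 16384-port range and the 90 s tcp.closed default.
    base = dict(n_conns=n_conns, rate=rate, port_first=49152, port_last=65535,
                closed_timeout=90.0)
    return {
        "baseline (random ports, tcp.closed 90)": simulate(**base),
        "wider range (first 10000)": simulate(**{**base, "port_first": 10000}),
        "tcp.closed 1": simulate(**{**base, "closed_timeout": 1.0}),
        "sequential ports (randomized=0)": simulate(**{**base, "randomized": False}),
    }


if __name__ == "__main__":
    for name, n in compare_remedies().items():
        print(f"{name:42s} {n:6d} mismatches")
```

What the run shows: at 100 connections/s with a 90 s hold, a large share of a 16384-port range is lingering at any moment, so random allocation keeps hitting old states; shrinking tcp.closed shrinks the lingering set, widening the range dilutes it, and sequential allocation avoids collisions entirely as long as the range is not cycled within tcp.closed seconds (16384 ports at 100/s takes about 164 s), which is why disabling randomization helped Laurent most. Raise the rate in the script past the point where the range wraps inside 90 s and the sequential case starts failing too, which is the "connection spree" Max warned about.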
From owner-freebsd-pf@FreeBSD.ORG Sat Mar 15 08:17:49 2008
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/121704: [pf] PF mangles loopback packets
Date: Sat, 15 Mar 2008 08:17:49 GMT

Old Synopsis: PF mangles loopback packets
New Synopsis: [pf] PF mangles loopback packets

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sat Mar 15 08:17:19 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=121704