From owner-freebsd-pf@FreeBSD.ORG Tue Dec 18 08:03:25 2007
From: Silver Salonen
To: freebsd-pf@freebsd.org
Date: Tue, 18 Dec 2007 09:34:58 +0200
Message-Id: <200712180934.58755.silver.salonen@gmail.com>
Subject: occasional "Operation not permitted" on state-mismatch
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello!

I have some FreeBSD boxes (2x 6.3-PRERELEASE (installed on 08 Dec), 1x 6.2-RELEASE) with PF configured. They are connected LAN-to-LAN with OpenVPN, and the problem is that a few times per hour the connection drops between computers on one LAN and the other. At first I blamed OpenVPN, then I blamed the bridge, but now I've realized that the problem is in PF. So I've tried increasing the TCP timeouts and setting optimization to "aggressive", but well, it's still the same.

I monitor connections by sending TCP packets once per second to some other host and waiting for a reply. I use the Nagios plugins' check_tcp for that. The script looks like:

=====
#!/bin/sh
host=$1    # target host, passed as the first argument
port=$2    # target port, passed as the second argument
while :; do
    pfctl -si | grep mismatch
    /usr/local/libexec/nagios/check_tcp -H "$host" -p "$port" -t 2
    pfctl -si | grep mismatch
    sleep 1
done
=====

So if I run this script, I see that within 2-3 minutes check_tcp gets an "Operation not permitted" error, and at exactly that moment the packet-mismatch counter is increased by one (on a machine with less traffic, I get the timeout after a few hours). That's on both 6.3-PRERELEASE and 6.2-RELEASE.
I've tried connections:

* along the WAN to IPFW-enabled machines
* along the WAN to PF-enabled machines
* along the LAN to PF-enabled machines
* along the LAN to Windows machines
* along the VPN to PF-enabled machines
* along the VPN to Windows machines

Sometimes I get just a connection timeout: "CRITICAL - Socket timeout after 2 seconds" (I don't know what could cause that). I can see this behaviour on about every FreeBSD/PF machine I have.

The basic PF configuration looks like:

=====
set block-policy return
set loginterface $ext_if
set timeout tcp.closed 15
set optimization aggressive

scrub in all no-df

block drop out quick on $ext_if from ($ext_if) to 0.0.0.0
block log all

pass quick on lo0 all
pass out all modulate state
pass out proto tcp all flags S/SA modulate state
pass on $int_if all modulate state
pass on $int_if proto tcp all flags S/SA modulate state
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services flags S/SA modulate state
=====

Is PF buggy or have I misconfigured something?

-- 
Silver
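A more structured version of the monitoring loop from the message above, added here as an example; it is not part of the original post nor of any FreeBSD or pf code. It parses the "state-mismatch" line of `pfctl -si` instead of grepping for "mismatch", probes with nc(1) rather than check_tcp, and writes one timestamped record per event so that a probe failure and a counter increment can be matched against the pflog0 log afterwards. The probe target, the log path and the `PF_SI_SAMPLE` text (constructed to look like `pfctl -si` output) are assumptions made for this example.

```shell
#!/bin/sh
# Added diagnostic helper (example, not from the original post): correlate
# failed TCP probes with pf's "state-mismatch" counter. Assumes FreeBSD with
# pfctl(8) and nc(1); host, port and log path are placeholders.

# Read `pfctl -si` output on stdin and print the state-mismatch counter.
pf_mismatch_counter() {
    awk '$1 == "state-mismatch" { print $2; exit }'
}

# Probe host:port with a 2 second timeout. Prints "ok" on success, otherwise
# the error text nc(1) reported (e.g. "... Operation not permitted").
tcp_probe() {
    host=$1 port=$2
    err=$(nc -z -w 2 "$host" "$port" 2>&1 >/dev/null)
    if [ $? -eq 0 ]; then echo ok; else echo "${err:-timeout}"; fi
}

# Classify one probe cycle from the counter before/after it and the probe
# result. Prints a record and returns 0 when something worth logging
# happened; returns 1 for a normal cycle (probe ok, counter unchanged).
classify() {
    before=$1 after=$2 result=$3
    delta=$((after - before))
    case "$result:$delta" in
        ok:0) return 1 ;;
        ok:*) echo "mismatch+$delta probe-ok" ;;
        *:0)  echo "probe-failed no-mismatch: $result" ;;
        *)    echo "mismatch+$delta probe-failed: $result" ;;
    esac
}

# One probe per second, as in the original loop; records go to $log.
monitor() {
    host=$1 port=$2 log=${3:-/var/log/pf-mismatch.log}
    while :; do
        before=$(pfctl -si | pf_mismatch_counter)
        result=$(tcp_probe "$host" "$port")
        after=$(pfctl -si | pf_mismatch_counter)
        rec=$(classify "$before" "$after" "$result") &&
            printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$rec" >>"$log"
        sleep 1
    done
}

# Constructed sample of the Counters section of `pfctl -si`, used to check
# the parser offline (not real output from the poster's machines).
PF_SI_SAMPLE='Counters
  match                                 12            0.0/s
  state-mismatch                        17            0.0/s
  state-insert                           0            0.0/s'

# Run the monitor only when a host and port are given:
#   ./pfwatch.sh <host> <port> [logfile]
if [ $# -ge 2 ]; then
    monitor "$@"
fi
```

Because the ruleset above uses `block log all`, every packet that pf drops is written to pflog0 together with the number of the rule that dropped it; `tcpdump -n -e -ttt -i pflog0` during a logged "probe-failed" cycle shows whether the dropped packet belonged to the probe and which rule it hit, and `pfctl -vvss` shows each state with the rule that created it. One documented pf behaviour worth checking against that output: pf learns a connection's TCP window-scaling factor from the SYN packets, so a state created by a rule without `flags S/SA` from a packet other than the initial SYN cannot determine the scale, and later packets that fall outside the window pf expects are counted as state-mismatch and dropped. In the ruleset above, `pass out all modulate state` and `pass on $int_if all modulate state` can create state on such packets because they carry no flags restriction.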