From: J65nko
To: freebsd-questions@freebsd.org
Date: Thu, 22 Feb 2007 23:45:06 +0100
Message-ID: <19861fba0702221445r3124eecbq852d774d0ed4e479@mail.gmail.com>
In-Reply-To: <20070222143030.0b858e86@gumby.homeunix.com>
Cc: RW
Subject: Re: PF slowing down file copies

On 2/22/07, RW wrote:
> On Wed, 21 Feb 2007 19:38:39 +0100
> J65nko wrote:
>
> > For keeping state on TCP connections you should only create state on
> > the first packet of the 3 way TCP handshake. Using "flags S/SA" will
> > ensure this. This will prevent problems with TCP window scaling.
>
> Why? Creating a state entry causes subsequent packets, in the same tcp
> connection, to bypass the rules altogether.
>

The OP did not keep state on TCP connections using "flags S/SA". That
can cause problems for TCP window scaling (defined in RFC 1323) and
result in stalling connections.

From http://undeadly.org/cgi?action=article&sid=20060928081238 under
"Create TCP states on the initial SYN packet"

----------- quote ------------------------------
pf does know about window scaling and supports it. However, the
prerequisite is that you create state on the initial SYN, so pf can
associate the first two packets of the handshake with the state entry.
Since the entire negotiation of the window scaling factors takes place
only in these two packets, there is no reliable way to deduce the
factors after the handshake.

Window scaling wasn't widely used in the past, but this is changing
rapidly. Just recently, Linux started using window scaling by default.
If you experience stalling connections, especially when problems are
limited to certain combinations of hosts, and you see 'BAD state'
messages related to these connections logged, verify that you're
really creating states on the initial packet of a connection.
---------- end of quote -------------------

To prevent these TCP window scaling issues, the current pf version of
OpenBSD-4.1 BETA defaults to "flags S/SA keep state" for TCP pass
rules. Don't know when this feature will make it into FreeBSD ;)

Other issues the OP should look into are the optimizing tips given in
http://undeadly.org/cgi?action=article&sid=20060927091645

Adriaan
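
The window-scaling problem described in the message above, as an added example that is not part of the original message and is not pf's code: a toy state tracker that learns the scale factors only from SYN packets, run once with state created on the initial SYN and once with state created after the handshake. The class and function names, hosts, sequence numbers and window values are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pkt:
    src: str                      # "client" or "server"
    flags: str                    # "S", "SA" or "A"
    seq: int
    ack: int
    win: int                      # raw 16-bit window field from the TCP header
    length: int = 0               # payload bytes
    wscale: Optional[int] = None  # window scale option, present only on SYN packets

class State:
    """Toy state entry: each host's scale factor and the highest byte it may send."""
    def __init__(self):
        self.wscale = {"client": None, "server": None}
        self.limit = {"client": None, "server": None}

    def track(self, p: Pkt) -> bool:
        dst = "server" if p.src == "client" else "client"
        if "S" in p.flags:
            self.wscale[p.src] = p.wscale   # the factors are announced only here
        limit = self.limit[p.src]
        if limit is not None and p.seq + p.length > limit:
            return False                    # outside the window the tracker believes in
        if "A" in p.flags:
            both = None not in self.wscale.values()
            # the window field of a SYN packet is never scaled
            shift = self.wscale[p.src] if both and "S" not in p.flags else 0
            # p.src tells dst how far it may send: ack + (window << shift)
            self.limit[dst] = max(self.limit[dst] or 0, p.ack + (p.win << shift))
        return True

def run(packets):
    """Feed packets to a fresh state entry; return the pass/fail verdict per packet."""
    state = State()
    return [state.track(p) for p in packets]

# Constructed connection: both ends offer wscale 7; raw window 512 means 65536 bytes.
CONN = [
    Pkt("client", "S", 1000, 0, 65535, wscale=7),
    Pkt("server", "SA", 5000, 1001, 65535, wscale=7),
    Pkt("client", "A", 1001, 5001, 512),
    Pkt("server", "A", 5001, 1001, 512, length=1460),
]

if __name__ == "__main__":
    print("state created on initial SYN :", run(CONN))      # every packet passes
    print("state created after handshake:", run(CONN[2:]))  # the data segment fails
```

In the second run the tracker never saw the handshake, so it reads the raw window of 512 as 512 bytes and rejects a 1460-byte segment that the receiver actually allowed.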