Date: Sat, 21 May 2016 17:11:22 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 209680] ipfw: when enabled, net connections time out/ssh results in "broken pipe"
Message-ID: <bug-209680-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209680

            Bug ID: 209680
           Summary: ipfw: when enabled, net connections time out/ssh
                    results in "broken pipe"
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: ohartman@zedat.fu-berlin.de

Since a couple of weeks (if not more than a month for now) I observe the fact
that when IPFW is enabled (in kernel, no module load!), network performance is
sometimes worse, connections server/client drop erratically (PostgreSQL 9.5,
Apache 2.4 webservices, copies of large files (> 200GB, I think it is the time
that takes the copy that is relevant, not the size, the connection is 1GBit)
via rsync and especially ssh connections to remote systems; remote maintenance
is a nightmare recently).

I'm not deeply in debugging, I observe, and I can give you this information.

The problem occurs on different systems, all in common running most recent
CURRENT (at the moment r300375). The systems do have different x86_amd64
architecture - Core2Duo dual socket XEONs as well as Haswell single socket
XEONs, with different NICs (i210, i219, Broadcom, some Realtek, some Intel em).

Also in common on these systems is the usage of IPFW statically in-kernel. Some
private systems also have libalias/in-kernel-NAT and pppoe, but that doesn't
matter as well as the fact the problems occur with the vanilla ipfw-scripts
delivered with FreeBSD (usage via type WORKSTATION) or with custom ipfw ruleset
scripts.

On an erratic basis, the connection drops or has a kind of hang that lasts for
seconds. This prevents us from uploading large vector maps for GIS applications
into PostgreSQL databases provided by a FBSD server. The connection has
timeouts or drops.

A nightmare is the usage of SSH for maintenance. Sometimes after several
seconds after establishing the connection or after 30 minutes and more the
connection dies with a broken pipe (ssh: Fssh_packet_write_wait: Connection to
XXX.XXX.XXX.XXX port 22: Broken pipe).

All of those reported problems do vanish if I disable IPFW via "ipfw disable
firewall".

My in-kernel config for IPFW is (this is the config of a home system, beware
that NAT is not enabled on the servers):

#
# IPFW Firewall
#
options         IPFIREWALL                      # firewall
options         IPFIREWALL_VERBOSE              # enable logging to syslogd(8)
options         IPFIREWALL_VERBOSE_LIMIT=10     #limit verbosity
#options        IPFIREWALL_NAT                  # ipfw kernel nat support
#options        LIBALIAS                        # ipfw kernel nat support
options         IPDIVERT                        # divert sockets
options         DUMMYNET                        # traffic shaper, bandwidth manager and delay emulator
#options        HZ=2000                         # strongly recommended
#
#options        IPFIREWALL_DEFAULT_TO_ACCEPT    # allow everything by default

-- 
You are receiving this mail because:
You are the assignee for the bug.