Date:      Tue, 12 Dec 2006 22:51:04 -0800 (PST)
From:      Luke Dean <LukeD@pobox.com>
To:        Charles Sprickman <spork@bway.net>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: pf killing NFS
Message-ID:  <20061212224537.Y97228@border.crystalsphere.multiverse>
In-Reply-To: <Pine.OSX.4.61.0612130030020.354@white.nat.fasttrackmonkey.com>
References:  <Pine.OSX.4.61.0612130030020.354@white.nat.fasttrackmonkey.com>



On Wed, 13 Dec 2006, Charles Sprickman wrote:

> Hi all,
>
> I'm running a 6.2-RC1 box (cvsup'd today) that has two broadcom nics.  One is 
> an internal network (nfs) and the other is external.
>
> PF has this rule for all traffic on the private net:
>
> [root@archive /home/jails]# pfctl -sr|grep bge1
> pass in quick on bge1 inet from 192.168.1.0/24 to any
> pass out quick on bge1 inet from any to 192.168.1.0/24
>
> No state since these are "quick" and symmetrical.
>
> Doing something like "ls /usr/ports" will just hang until interrupted. Using 
> tcp for nfs makes it workable, but very slow.
>
> If I disable pf (pfctl -d), both types of mounts work, and speed is 
> excellent.  I also just found that if I remove the "scrub in all" statement 
> and change it to "scrub in on bge0", things are fine.

I believe it's a bad idea to run NFS traffic through scrub unless you use 
the "no-df" option with it.  I just don't scrub my internal network 
traffic at all.
I got this from "man pf.conf":

      scrub has the following options:

      no-df
            Clears the dont-fragment bit from a matching IP packet.  Some oper-
            ating systems are known to generate fragmented packets with the
            dont-fragment bit set.  This is particularly true with NFS.  Scrub
            will drop such fragmented dont-fragment packets unless no-df is
            specified.
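
The man page sentence above, as an added example (not part of the original message and not pf's own code): a simplified model of scrub's dont-fragment rule applied to constructed IPv4 headers, showing which packets are dropped and what no-df changes. The helper names and sample addresses are assumptions; reassembly and header checksum recalculation are left out.

```python
import struct

DF, MF, OFFSET_MASK = 0x4000, 0x2000, 0x1FFF  # IPv4 flags / fragment-offset bits


def ipv4_header(flags_frag, src="192.168.1.10", dst="192.168.1.20", proto=17):
    """Build a 20-byte IPv4 header (constructed sample, checksum left at 0)."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, flags_frag,
                       64, proto, 0, addr(src), addr(dst))


def frag_info(pkt):
    """Return (df, mf, fragment_offset) from a raw IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (ff,) = struct.unpack_from("!H", pkt, 6)
    return bool(ff & DF), bool(ff & MF), ff & OFFSET_MASK


def scrub(pkt, no_df=False):
    """Model of the quoted rule: return None if dropped, else the packet.

    With no_df the DF bit is cleared on every matching packet, so a
    fragment that carried DF is no longer dropped.
    """
    df, mf, offset = frag_info(pkt)
    if no_df:
        out = bytearray(pkt)
        (ff,) = struct.unpack_from("!H", pkt, 6)
        struct.pack_into("!H", out, 6, ff & ~DF)
        return bytes(out)
    fragmented = mf or offset > 0
    return None if (df and fragmented) else pkt


if __name__ == "__main__":
    samples = {
        "first fragment, DF set": ipv4_header(DF | MF),
        "later fragment, DF set": ipv4_header(DF | 185),
        "unfragmented, DF set": ipv4_header(DF),
        "fragment, DF clear": ipv4_header(MF),
    }
    for name, pkt in samples.items():
        plain = "drop" if scrub(pkt) is None else "pass"
        fixed = "drop" if scrub(pkt, no_df=True) is None else "pass"
        print(f"{name:26} scrub: {plain:5} scrub no-df: {fixed}")
```
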



