Date: Tue, 13 Nov 2007 13:30:09 +0100 From: J65nko <j65nko@gmail.com> To: freebsd-questions@freebsd.org Subject: Re: PF, bridge, states and window scaling problem Message-ID: <19861fba0711130430p6cc08013ibfd14b6fb9d2df60@mail.gmail.com> In-Reply-To: <669132de0711121208n32bfb827p4984c6d3383da713@mail.gmail.com> References: <669132de0711121208n32bfb827p4984c6d3383da713@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Nov 12, 2007 9:08 PM, Alupului Costin <costin.alupului@gmail.com> wrote: > Hello all, > > I seem to have quite a problem with PF. I have set up a bridge to > shape my upstream traffic. I use ALTQ with hfsc discipline; but that's > not really important. My problem comes with the filter rules. I have > to use keep state because of the speed benefits (really I don't have a > choice), but PF has a problem when the clients passing traffic through > the bridge use TCP window scaling. Here is an example of four filter > rules that I thought should work to pass the traffic from one client > through the bridge and create a state: > > pass in quick on vlan0 from any to anIP/32 > pass out quick on vlan0 from anIP/32 to any keep state queue ul_client > pass in quick on vlan1 from anIP/32 to any > pass out quick on vlan1 from any to anIP/32 keep state queue dl_client > > The above rules generate state-mismatches. I thought that would be > because pf doesn't see the SYN packet, although it does (one of the > out rules) and should create the state then... I tried writing all the > rules with keep state (even the inbound ones) but then nothing would > work at all. My intention was to create if-bound states, but I > switched back to floating states in the hope that pf would associate > the state created by an outbound rule with the traffic returning on > another interface of the bridge; still didn't work. > > I have read the man page for if_bridge and set the following sysctl variables: > > net.link.bridge.pfil_onlyip: 1 > net.link.bridge.pfil_bridge: 0 > net.link.bridge.pfil_member: 1 > > I have also read some posts on the web that said that pf simply > doesn't have all the hooks necesary to do the filtering inbound and > outbound, but reading the pfil man page I seem to disaggree with that. > > Has anyone encountered the same problem? And, more important: if i > give up the bridge setup and switch to routing, would that have any > effect? I.E: will I then be able to use keep state with the inbound > rules? > > Any help at all would be hugely appreciated as I am trying for about a > week to sort out this problem and can't seem to get any closer. The > only solution was to kindly ask my clients using TCP window scaling > (Vista mostly) to turn off this feature... Now I am seriously > considering bumping my bridge to a router but I am not sure that the > problem will be solved then. > > Oh, here is the setup of the bridge from rc.conf, although there > shouldn't be any problems there (the bridge works fine without pf, or > with pf stateless): > > # > # Core: em2 -> vlan1 > # Border: em1 -> vlan0 > # Bridge0 vlan0 -><- vlan1 > # > cloned_interfaces="bridge0 vlan0 vlan1" > ifconfig_em0="up" > ifconfig_em1="up" > ifconfig_em2="up" > ifconfig_vlan0="vlan 132 vlandev em1 up" > ifconfig_vlan1="vlan 132 vlandev em2 up" > ifconfig_bridge0="addm vlan0 addm vlan1 up" > # Admin iface > ifconfig_em0="inet adminIP netmask 255.255.255.0" > See "Create TCP states on the initial SYN packet" from http://undeadly.org/cgi?action=article&sid=20060928081238 That paragraph explains nicely the necessity of pf to create state on the first packet of the 3-way TCP handshake to prevent TCP window scaling issues. =Adriaan=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19861fba0711130430p6cc08013ibfd14b6fb9d2df60>