From owner-freebsd-pf@FreeBSD.ORG Sun Mar 14 00:50:03 2010
Date: Sun, 14 Mar 2010 00:50:03 GMT
From: Nick Leuta
To: freebsd-pf@FreeBSD.org
Subject: Re: kern/143543: [pf] [panic] PF route-to causes kernel panic

The following reply was made to PR kern/143543; it has been noted by GNATS.

From: Nick Leuta
To: bug-followup@FreeBSD.org, slava@aprec.ru
Subject: Re: kern/143543: [pf] [panic] PF route-to causes kernel panic
Date: Sun, 14 Mar 2010 03:34:50 +0300

I have a similar problem, but in a slightly different situation... the rule is:

    pass out quick route-to (vlan2 192.168.0.1) from 192.168.0.2 to any

where 192.168.0.2 is bound to the vlan2 interface. The default gateway is
192.168.1.1 and is accessible through another interface.

The "ping -S 192.168.0.2 192.168.0.1" command is used for test purposes, and
(sic!) the 192.168.0.1 is unreachable (really down...).

Without that rule we have:

    PING 192.168.0.1 (192.168.0.1) from 192.168.0.2: 56 data bytes
    ping: sendto: Host is down

With the rule we obtain the kernel panic (in "ping" process) instead of the
"ping: sendto: Host is down" message after the same timeout as in the case
without rule.

From owner-freebsd-pf@FreeBSD.ORG Sun Mar 14 16:20:10 2010
Date: Sun, 14 Mar 2010 16:20:09 GMT
From: Святослав
To: freebsd-pf@FreeBSD.org
Subject: Re: kern/143543: [pf] [panic] PF route-to causes kernel panic

The following reply was made to PR kern/143543; it has been noted by GNATS.

From: Святослав
To: bug-followup@FreeBSD.org, slava@aprec.ru
Subject: Re: kern/143543: [pf] [panic] PF route-to causes kernel panic
Date: Sun, 14 Mar 2010 19:00:25 +0300

I'm now using ipfw setfib command as workaround, PF as NAT + ipfw works fine
for me.

-- 
Regards,
Белогуров Святослав
8 (81555) 7-40-99
Релант, http://www.relant.ru
mailto:slava@aprec.ru

From owner-freebsd-pf@FreeBSD.ORG Sun Mar 14 20:30:10 2010
Date: Sun, 14 Mar 2010 20:30:10 GMT
From: Nick Leuta
To: freebsd-pf@FreeBSD.org
Subject: Re: kern/143543: [pf] [panic] PF route-to causes kernel panic

The following reply was made to PR kern/143543; it has been noted by GNATS.

From: Nick Leuta
To: bug-followup@FreeBSD.org, slava@aprec.ru
Subject: Re: kern/143543: [pf] [panic] PF route-to causes kernel panic
Date: Sun, 14 Mar 2010 23:20:44 +0300

Hmm... In my case "ipfw fwd" command doesn't work too - it forwards locally
generated packets using the routing table (???)... but yes, it has some
effect - it changes the interface where the packets are originated.

PF's "route-to" command works fine, but only if the destination host is
reachable...

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 15 11:07:19 2010
Date: Mon, 15 Mar 2010 11:07:18 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/144311  pf     [pf] [icmp] massive ICMP storm on lo0 occurs when usin
o kern/143543  pf     [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf     [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf     [pf] No way to adjust pidfile in pflogd
o conf/142817  pf     [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf     [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf     [pf] pf behaviour changes - must be documented
o kern/137982  pf     [pf] when pf can hit state limits, random IP failures
o kern/136781  pf     [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf     [pf] [gre] pf not natting gre protocol
o kern/135162  pf     [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf     [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf     [pf] max-src-conn issue
o kern/132769  pf     [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf     [pf] pf stalls connection when using route-to [regress
o conf/130381  pf     [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf     [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf     [pf] ipv6 and synproxy don't play well together
o conf/127814  pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf     [pf] deadlock in pf
f kern/127345  pf     [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf     [pf] [patch] pf incorrect log priority
o kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf     [pf] pf keep state bug while handling sessions between
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf     [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf     [pf] PF mangles loopback packets
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf     [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf     [carp] carp+pf delay with high state limit
o kern/111220  pf     [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf     pfsync fails to sucessfully transfer some sessions
o kern/103281  pf     pfsync reports bulk update failures
o kern/93825   pf     [pf] pf reply-to doesn't work
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o bin/86635    pf     [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf     [pf] cbq scheduler cause bad latency

43 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 16 19:20:03 2010
From: "kevin"
Date: Tue, 16 Mar 2010 15:19:51 -0400
Subject: PF + BRIDGE + PFSYNC causes system freezing

I have been experiencing this problem with 2x freebsd firewall
implementations running pf + transparent bridging + pfsync between both
boxes.

Today in an effort to narrow down and troubleshoot the issue further, I have
decided to build two FreeBSD 7.2-RELEASE implementations using virtualbox.

Each box was allocated 256mb ram, 3 NICs (internal network only) and a 4GB
hard drive.

I compiled PF/ALTQ/MROUTING into the kernel and installed it. No other
fundamental modifications were made.

The intent is to reproduce the problem in a controlled environment. And
provide any information to @freebsd.org if requested.

Here is the pertinent information below. Note both boxes are identical :

[UNAME]
# uname -a
FreeBSD fw 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Tue Mar 16 13:18:05 UTC 2010 root@:/usr/obj/usr/src/sys/FW i386

[IFCONFIG]
# ifconfig
em0: flags=8902 metric 0 mtu 1500
        options=9b
        ether 08:00:27:91:2d:fd
        media: Ethernet autoselect (1000baseTX )
        status: active
em1: flags=8902 metric 0 mtu 1500
        options=9b
        ether 08:00:27:c7:3f:6b
        media: Ethernet autoselect (1000baseTX )
        status: active
em2: flags=8843 metric 0 mtu 1500
        options=9b
        ether 08:00:27:de:66:c6
        inet 10.0.0.10 netmask 0xffffff00 broadcast 10.0.0.255
        media: Ethernet autoselect (1000baseTX )
        status: active
lo0: flags=8049 metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141 metric 0 mtu 33204
pfsync0: flags=41 metric 0 mtu 1460
        pfsync: syncdev: em2 syncpeer: 10.0.0.11 maxupd: 128
bridge0: flags=8802 metric 0 mtu 1500
        ether 1e:29:e0:82:6e:d6
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: em1 flags=143
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        member: em0 flags=143
                ifmaxaddr 0 port 1 priority 128 path cost 20000

[KERNEL OPTIONS]
# Multicast routing support
options MROUTING

# PF Firewall
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ        # Class Bases Queuing (CBQ)
options ALTQ_RED        # Random Early Detection (RED)
options ALTQ_RIO        # RED In/Out
options ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ       # Priority Queuing (PRIQ)
options ALTQ_NOPCC      # Required for SMP build

[RC.CONF]
keymap="us.iso"
hostname="fw"
gateway_enable="YES"
sshd_enable="YES"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 addm em1 up"
ifconfig_em0="up"
ifconfig_em1="up"
ifconfig_em2="inet 10.0.0.10 netmask 255.255.255.0"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
pfsync_enable="YES"
pfsync_syncdev="em2"
ifconfig_pfsync0="up syncpeer 10.0.0.11 syncif em2"

[PF.CONF]
# macros
ext_if="em0"
int_if="em1"
mng_if="em2"
tcp_services="{ 22, 113, 53, 80 }"
icmp_types="echoreq"

# options
set block-policy return
set loginterface $ext_if
set skip on lo

# scrub
scrub in all random-id fragment reassemble
scrub out on $ext_if random-id

# filter rules
pass in quick
pass out quick
pass quick on $mng_if proto pfsync

Note the only difference in config is the ip address of the pfsync
interface.

When both boxes are on, one or both of them start to really slow down and
ultimately freeze. No messages are pasted on the console and
/var/log/messages is inaccessible during this point.

I would like to assist in diagnosing this issue so if anyone wants me to
check anything or test, please let me know. I would really like to
understand this problem.

Thanks,

Kevin K.

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 17 08:38:05 2010
Date: Wed, 17 Mar 2010 09:12:56 +0100
From: Daniel Hartmeier
To: kevin
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: PF + BRIDGE + PFSYNC causes system freezing

On Tue, Mar 16, 2010 at 03:19:51PM -0400, kevin wrote:

> I would like to assist in diagnosing this issue so if anyone wants me to
> check anything or test, please let me know. I would really like to
> understand this problem.

What are your settings for

  $ sysctl -a | grep bridge.pfil

Have you tried filtering only on one of the physical bridge interfaces,
with net.link.bridge.pfil_bridge=0 and set skip on { lo0, bridge0, em1 }?

Daniel

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 17 11:03:43 2010
Date: Wed, 17 Mar 2010 11:47:32 +0100
From: Giulio Ferro
To: Daniel Hartmeier
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: PF + BRIDGE + PFSYNC causes system freezing

On 17.03.2010 09:12, Daniel Hartmeier wrote:
> On Tue, Mar 16, 2010 at 03:19:51PM -0400, kevin wrote:
>
>
>> I would like to assist in diagnosing this issue so if anyone wants me to
>> check anything or test, please let me know. I would really like to
>> understand this problem.
>>
> What are your settings for
>
>   $ sysctl -a | grep bridge.pfil
>

net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1

> Have you tried filtering only on one of the physical bridge interfaces,
> with net.link.bridge.pfil_bridge=0 and set skip on { lo0, bridge0, em1 }?
>
> Daniel
>

Ok, I'm trying "set skip on {lo0, bridge0}".
I'll let you know if there is any improvement.

Thanks.

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 17 13:55:19 2010
From: "kevin"
To: "'Daniel Hartmeier'"
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Wed, 17 Mar 2010 09:55:05 -0400
Subject: RE: PF + BRIDGE + PFSYNC causes system freezing

>What are your settings for
>
>  $ sysctl -a | grep bridge.pfil

#bridge options
net.link.bridge.pfil_onlyip=1
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0

> Have you tried filtering only on one of the physical bridge interfaces,
> with net.link.bridge.pfil_bridge=0 and set skip on { lo0, bridge0, em1 }?

I've only been filtering on one of the bridge interfaces, however I have
not 'set skip on' the other interfaces. I will try that.
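
Added example, not part of any message in this thread: a sketch that works out at which interfaces pf still evaluates a packet forwarded across the bridge, given the `net.link.bridge.pfil_*` values and the `set skip on` list discussed above. The function names, the em0/em1 member names applied to every sample and the sample strings are assumptions built from values quoted in the thread; the model follows the if_bridge(4) order (inbound member, bridge, outbound member) and does not read a live system.

```shell
#!/bin/sh
# Constructed inputs, copied from values quoted in the thread.
SYSCTL_BOTH='net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1'
SYSCTL_MEMBER_ONLY='net.link.bridge.pfil_onlyip=1
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0'
PF_SKIP_LO='set skip on lo'
PF_SKIP_LO_BRIDGE='set skip on {lo0, bridge0}'
PF_SKIP_PROPOSED='set skip on { lo0, bridge0, em1 }   # proposed in the thread'

# sysctl_value NAME TEXT: print the integer value of NAME.
# Accepts "name: 1" (sysctl output) and "name=1" (sysctl.conf style).
sysctl_value() {
    printf '%s\n' "$2" | sed -n "s/^$1[:=] *\([0-9][0-9]*\).*/\1/p" | tail -n 1
}

# skip_list PFCONF_TEXT: print the interfaces named by "set skip on", one per line.
skip_list() {
    printf '%s\n' "$1" |
        sed -n -e 's/#.*//' \
            -e 's/^[[:space:]]*set[[:space:]]\{1,\}skip[[:space:]]\{1,\}on[[:space:]]\{1,\}//p' |
        tr -d '{}' | tr ', \t' '\n\n\n' | sed '/^$/d'
}

# is_skipped IFACE SKIPLIST: succeed if IFACE is covered by the skip list.
# Assumption: a name without a unit number covers every unit of that
# driver, which is how "set skip on lo" is used for lo0 in the thread.
is_skipped() {
    for s in $2; do
        case "$1" in
            "$s") return 0 ;;
        esac
        case "$s" in
            *[0-9]) ;;
            *) case "$1" in "$s"[0-9]*) return 0 ;; esac ;;
        esac
    done
    return 1
}

# filter_points SYSCTL_TEXT PFCONF_TEXT BRIDGE IN_MEMBER OUT_MEMBER
# Print the hooks at which pf still sees a forwarded packet.
# A missing sysctl is treated as 1, the if_bridge(4) default.
filter_points() {
    fp_member=$(sysctl_value net.link.bridge.pfil_member "$1")
    fp_bridge=$(sysctl_value net.link.bridge.pfil_bridge "$1")
    fp_skips=$(skip_list "$2")
    fp_points=""
    if [ "${fp_member:-1}" = 1 ] && ! is_skipped "$4" "$fp_skips"; then
        fp_points="$fp_points $4:in"
    fi
    if [ "${fp_bridge:-1}" = 1 ] && ! is_skipped "$3" "$fp_skips"; then
        fp_points="$fp_points $3"
    fi
    if [ "${fp_member:-1}" = 1 ] && ! is_skipped "$5" "$fp_skips"; then
        fp_points="$fp_points $5:out"
    fi
    echo $fp_points   # unquoted on purpose: trims the leading space
}

# Packet entering on em0 and leaving on em1 under each configuration.
printf 'member=1 bridge=1, skip lo             : %s\n' \
    "$(filter_points "$SYSCTL_BOTH" "$PF_SKIP_LO" bridge0 em0 em1)"
printf 'member=1 bridge=1, skip lo0+bridge0    : %s\n' \
    "$(filter_points "$SYSCTL_BOTH" "$PF_SKIP_LO_BRIDGE" bridge0 em0 em1)"
printf 'member=1 bridge=0, skip lo             : %s\n' \
    "$(filter_points "$SYSCTL_MEMBER_ONLY" "$PF_SKIP_LO" bridge0 em0 em1)"
printf 'member=1 bridge=0, skip lo0+bridge0+em1: %s\n' \
    "$(filter_points "$SYSCTL_MEMBER_ONLY" "$PF_SKIP_PROPOSED" bridge0 em0 em1)"
```

Only the last configuration leaves a single evaluation point per forwarded packet; the others still pass each packet through pf two or three times.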

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 17 14:41:49 2010
From: "kevin"
To: "'kevin'", "'Daniel Hartmeier'"
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Wed, 17 Mar 2010 10:41:38 -0400
Subject: RE: PF + BRIDGE + PFSYNC causes system freezing

>>What are your settings for
>>
>>  $ sysctl -a | grep bridge.pfil

>#bridge options
>net.link.bridge.pfil_onlyip=1
>net.link.bridge.pfil_member=1
>net.link.bridge.pfil_bridge=0

>> Have you tried filtering only on one of the physical bridge interfaces,
>> with net.link.bridge.pfil_bridge=0 and set skip on { lo0, bridge0, em1}?

>I've only been filtering on one of the bridge interfaces, however I have
>not 'set skip on' the other interfaces. I will try that.

I have 'set skip' all interfaces except one of the bridged ones (em0), in
pf.conf.

Interesting symptom currently is that the load on both servers is quite high
considering they are just virtual machines that aren't actually doing
anything :

[server1]
last pid: 1176; load averages: 2.66, 3.01, 2.87 up 0+00:36:26 10:34:24
22 processes: 1 running, 21 sleeping
CPU: % user, % nice, % system, % interrupt, % idle
Mem: 8140K Active, 9400K Inact, 27M Wired, 34M Buf, 195M Free
Swap: 120M Total, 120M Free

[server2]
last pid: 1116; load averages: 8.50, 10.11, 8.66 up 0+00:39:35 10:37:46
22 processes: 2 running, 20 sleeping
CPU: 0.0% user, 0.0% nice, 95.2% system, 4.8% interrupt, 0.0% idle
Mem: 8116K Active, 9560K Inact, 16M Wired, 8K Cache, 34M Buf, 205M Free
Swap: 120M Total, 120M Free

I decided to ping the pfsync0 interface from server 1 > server 2 :

# ping 10.0.0.11
PING 10.0.0.11 (10.0.0.11): 56 data bytes
64 bytes from 10.0.0.11: icmp_seq=3 ttl=64 time=91.159 ms
64 bytes from 10.0.0.11: icmp_seq=3 ttl=64 time=114.017 ms (DUP!)
64 bytes from 10.0.0.11: icmp_seq=4 ttl=64 time=206.446 ms
64 bytes from 10.0.0.11: icmp_seq=5 ttl=64 time=92.209 ms
64 bytes from 10.0.0.11: icmp_seq=5 ttl=64 time=181.774 ms (DUP!)
64 bytes from 10.0.0.11: icmp_seq=5 ttl=64 time=363.855 ms (DUP!)
^C
--- 10.0.0.11 ping statistics ---
9 packets transmitted, 3 packets received, +3 duplicates, 66.7% packet loss
round-trip min/avg/max/stddev = 91.159/174.910/363.855/95.135 ms

If there's anything else I could check, suggestions are welcome.

Thanks,

Kevin K.

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 17 15:46:23 2010
Date: Wed, 17 Mar 2010 16:46:15 +0100
From: Giulio Ferro
To: Daniel Hartmeier
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: PF + BRIDGE + PFSYNC causes system freezing

On 17.03.2010 11:47, Giulio Ferro wrote:
> On 17.03.2010 09:12, Daniel Hartmeier wrote:
>> On Tue, Mar 16, 2010 at 03:19:51PM -0400, kevin wrote:
>>
>>> I would like to assist in diagnosing this issue so if anyone wants
>>> me to
>>> check anything or test, please let me know. I would really like to
>>> understand this problem.
>> What are your settings for
>>
>>   $ sysctl -a | grep bridge.pfil
>
> net.link.bridge.pfil_local_phys: 0
> net.link.bridge.pfil_member: 1
> net.link.bridge.pfil_bridge: 1
> net.link.bridge.pfil_onlyip: 1
>
>
>> Have you tried filtering only on one of the physical bridge interfaces,
>> with net.link.bridge.pfil_bridge=0 and set skip on { lo0, bridge0,
>> em1 }?
>>
>> Daniel
>
> Ok, I'm trying "set skip on {lo0, bridge0}".
> I'll let you know if there is any improvement.

No, no improvement. The system froze anyway after about 3-4 hours this
time.

Please advise!
From owner-freebsd-pf@FreeBSD.ORG Wed Mar 17 15:51:40 2010 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 92F88106566B for ; Wed, 17 Mar 2010 15:51:40 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net) Received: from mail2.jellyfishnet.co.uk (mail2.jellyfishnet.co.uk [93.91.20.10]) by mx1.freebsd.org (Postfix) with ESMTP id 2C7E38FC1B for ; Wed, 17 Mar 2010 15:51:39 +0000 (UTC) Received: from pemexhub01.jellyfishnet.co.uk.local (93.91.20.2) by mail2.jellyfishnet.co.uk (93.91.20.10) with Microsoft SMTP Server (TLS) id 8.1.393.1; Wed, 17 Mar 2010 15:51:41 +0000 Received: from PEMEXMBXVS02.jellyfishnet.co.uk.local ([192.168.65.37]) by pemexhub01.jellyfishnet.co.uk.local ([192.168.65.7]) with mapi; Wed, 17 Mar 2010 15:51:38 +0000 
From: Greg Hennessy To: Giulio Ferro , Daniel Hartmeier Date: Wed, 17 Mar 2010 15:50:32 +0000 Thread-Topic: PF + BRIDGE + PFSYNC causes system freezing Thread-Index: AcrF6QVJ1VexhZXyQZiSK+Gv8tubGgAAI4Gl Message-ID: <9E8D76EC267C9444AC737F649CBBAD902767E3BEA5@PEMEXMBXVS02.jellyfishnet.co.uk.local> References: <4B8E4850.1060104@zirakzigil.org> <4B9EA5A2.4010900@zirakzigil.org> <00bc01cac53d$a92f0b70$fb8d2250$@com> <20100317081256.GA21633@insomnia.benzedrine.cx> <4BA0B344.3010708@zirakzigil.org>,<4BA0F947.9070506@zirakzigil.org> In-Reply-To: <4BA0F947.9070506@zirakzigil.org> Accept-Language: en-US, en-GB Content-Language: en-GB X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US, en-GB Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Cc: "freebsd-net@freebsd.org" , "freebsd-pf@freebsd.org" Subject: RE: PF + BRIDGE + PFSYNC causes system freezing X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Mar 2010 15:51:40 -0000 A possible corner case with the virtual hosting platform ?=20 Try changing the NICS from EM to something else supported RL on vmware IIRC= .=20 Greg ________________________________________ 
From: owner-freebsd-pf@freebsd.org [owner-freebsd-pf@freebsd.org] On Behalf Of Giulio Ferro [auryn@zirakzigil.org]
Sent: 17 March 2010 15:46
To: Daniel Hartmeier
Cc: freebsd-net@freebsd.org; freebsd-pf@freebsd.org
Subject: Re: PF + BRIDGE + PFSYNC causes system freezing

On 17.03.2010 11:47, Giulio Ferro wrote:
> On 17.03.2010 09:12, Daniel Hartmeier wrote:
>> On Tue, Mar 16, 2010 at 03:19:51PM -0400, kevin wrote:
>>
>>> I would like to assist in diagnosing this issue so if anyone wants
>>> me to
>>> check anything or test, please let me know. I would really like to
>>> understand this problem.
>> What are your settings for
>>
>> $ sysctl -a | grep bridge.pfil
>
> net.link.bridge.pfil_local_phys: 0
> net.link.bridge.pfil_member: 1
> net.link.bridge.pfil_bridge: 1
> net.link.bridge.pfil_onlyip: 1
>
>
>> Have you tried filtering only on one of the physical bridge interfaces,
>> with net.link.bridge.pfil_bridge=0 and set skip on { lo0, bridge0,
>> em1 }?
>>
>> Daniel
>
> Ok, I'm trying "set skip on {lo0, bridge0}".
> I'll let you know if there is any improvement.

No, no improvement.

The system froze anyway after about 3-4 hours this time.

Please advise!
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 17 16:37:39 2010
Date: Wed, 17 Mar 2010 17:37:31 +0100
From: Giulio Ferro
To: Greg Hennessy
Cc: "freebsd-net@freebsd.org", "freebsd-pf@freebsd.org"
Subject: Re: PF + BRIDGE + PFSYNC causes system freezing

On 17.03.2010 16:50, Greg Hennessy wrote:
> A possible corner case with the virtual hosting platform ?
>
> Try changing the NICS from EM to something else supported RL on vmware IIRC.
>
>
>

Nope, I'm not using virtualization, that's the other guy.

I'm using a physical machine...

> Greg
>
> ________________________________________
> From: owner-freebsd-pf@freebsd.org [owner-freebsd-pf@freebsd.org] On Behalf Of Giulio Ferro [auryn@zirakzigil.org]
> Sent: 17 March 2010 15:46
> To: Daniel Hartmeier
> Cc: freebsd-net@freebsd.org; freebsd-pf@freebsd.org
> Subject: Re: PF + BRIDGE + PFSYNC causes system freezing
>
> On 17.03.2010 11:47, Giulio Ferro wrote:
>
>> On 17.03.2010 09:12, Daniel Hartmeier wrote:
>>
>>> On Tue, Mar 16, 2010 at 03:19:51PM -0400, kevin wrote:
>>>
>>>
>>>> I would like to assist in diagnosing this issue so if anyone wants
>>>> me to
>>>> check anything or test, please let me know. I would really like to
>>>> understand this problem.
>>>>
>>> What are your settings for
>>>
>>> $ sysctl -a | grep bridge.pfil
>>>
>> net.link.bridge.pfil_local_phys: 0
>> net.link.bridge.pfil_member: 1
>> net.link.bridge.pfil_bridge: 1
>> net.link.bridge.pfil_onlyip: 1
>>
>>
>>
>>> Have you tried filtering only on one of the physical bridge interfaces,
>>> with net.link.bridge.pfil_bridge=0 and set skip on { lo0, bridge0,
>>> em1 }?
>>>
>>> Daniel
>>>
>> Ok, I'm trying "set skip on {lo0, bridge0}".
>> I'll let you know if there is any improvement.
>>
>
> No, no improvement.
>
> The system froze anyway after about 3-4 hours this time.
>
> Please advise!
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 17 16:47:30 2010
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Wed, 17 Mar 2010 17:47:28 +0100
Cc: "freebsd-net@freebsd.org", Giulio Ferro, Greg Hennessy
Subject: Re: PF + BRIDGE + PFSYNC causes system freezing

On Wednesday 17 March 2010 17:37:31 Giulio Ferro wrote:
> On 17.03.2010 16:50, Greg Hennessy wrote:
> > A possible corner case with the virtual hosting platform ?
> >
> > Try changing the NICS from EM to something else supported RL on vmware
> > IIRC.
>
> Nope, I'm not using virtualization, that's the other guy.
>
> I'm using a physical machine...

Can you enable WITNESS and compile in DDB. Make sure to report any LORs and
once the system freezes try to enter the debugger and get ps and locks
information.

  show allchains
  show alllocks
  ps

After that you can try to "call doadump" so you get the information in the
coredump and don't have to transcribe it manually.

Thanks,
  Max

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 17 16:58:02 2010
Date: Wed, 17 Mar 2010 17:57:54 +0100
From: Giulio Ferro
To: Max Laier
Cc: "freebsd-net@freebsd.org", Greg Hennessy, freebsd-pf@freebsd.org
Subject: Re: PF + BRIDGE + PFSYNC causes system freezing

On 17.03.2010 17:47, Max Laier wrote:
> On Wednesday 17 March 2010 17:37:31 Giulio Ferro wrote:
>
>> On 17.03.2010 16:50, Greg Hennessy wrote:
>>
>>> A possible corner case with the virtual hosting platform ?
>>>
>>> Try changing the NICS from EM to something else supported RL on vmware
>>> IIRC.
>>>
>> Nope, I'm not using virtualization, that's the other guy.
>>
>> I'm using a physical machine...
>>
> Can you enable WITNESS and compile in DDB. Make sure to report any LORs and
> once the system freezes try to enter the debugger and get ps and locks
> information.
>
> show allchains
> show alllocks
> ps
>
> After that you can try to "call doadump" so you get the information in the
> coredump and don't have to transcribe it manually.
>
> Thanks,
> Max
>

Sorry, I'm not really an expert of this, but how can I enter the debugger
if the system has frozen?

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 17 17:00:55 2010
From: Max Laier
To: Giulio Ferro
Date: Wed, 17 Mar 2010 18:00:51 +0100
Cc: "freebsd-net@freebsd.org", Greg Hennessy, freebsd-pf@freebsd.org
Subject: Re: PF + BRIDGE + PFSYNC causes system freezing

On Wednesday 17 March 2010 17:57:54 Giulio Ferro wrote:
> On 17.03.2010 17:47, Max Laier wrote:
> > On Wednesday 17 March 2010 17:37:31 Giulio Ferro wrote:
> >> On 17.03.2010 16:50, Greg Hennessy wrote:
> >>> A possible corner case with the virtual hosting platform ?
> >>>
> >>> Try changing the NICS from EM to something else supported RL on vmware
> >>> IIRC.
> >>
> >> Nope, I'm not using virtualization, that's the other guy.
> >>
> >> I'm using a physical machine...
> >
> > Can you enable WITNESS and compile in DDB. Make sure to report any LORs
> > and once the system freezes try to enter the debugger and get ps and
> > locks information.
> >
> > show allchains
> > show alllocks
> > ps
> >
> > After that you can try to "call doadump" so you get the information in
> > the coredump and don't have to transcribe it manually.
> >
> > Thanks,
> > Max
>
> Sorry, I'm not really an expert of this, but how can I enter the debugger
> if the system has frozen?

Ctrl+Alt+ESC (in default configuration).

From owner-freebsd-pf@FreeBSD.ORG Wed Mar 17 17:39:27 2010
From: Greg Hennessy
To: Giulio Ferro
Date: Wed, 17 Mar 2010 17:38:50 +0000
Cc: "freebsd-net@freebsd.org", "freebsd-pf@freebsd.org"
Subject: Re: PF + BRIDGE + PFSYNC causes system freezing

My bad, that'll teach me to reply in haste :-)

Sent using BlackBerry® from Orange

-----Original Message-----
From: Giulio Ferro
Date: Wed, 17 Mar 2010 16:37:31
To: Greg Hennessy
Cc: Daniel Hartmeier; freebsd-net@freebsd.org; freebsd-pf@freebsd.org
Subject: Re: PF + BRIDGE + PFSYNC causes system freezing

On 17.03.2010 16:50, Greg Hennessy wrote:
> A possible corner case with the virtual hosting platform ?
>
> Try changing the NICS from EM to something else supported RL on vmware IIRC.
>
>
>

Nope, I'm not using virtualization, that's the other guy.

I'm using a physical machine...

> Greg
>
> ________________________________________
> From: owner-freebsd-pf@freebsd.org [owner-freebsd-pf@freebsd.org] On Behalf Of Giulio Ferro [auryn@zirakzigil.org]
> Sent: 17 March 2010 15:46
> To: Daniel Hartmeier
> Cc: freebsd-net@freebsd.org; freebsd-pf@freebsd.org
> Subject: Re: PF + BRIDGE + PFSYNC causes system freezing
>
> On 17.03.2010 11:47, Giulio Ferro wrote:
>
>> On 17.03.2010 09:12, Daniel Hartmeier wrote:
>>
>>> On Tue, Mar 16, 2010 at 03:19:51PM -0400, kevin wrote:
>>>
>>>
>>>> I would like to assist in diagnosing this issue so if anyone wants
>>>> me to
>>>> check anything or test, please let me know. I would really like to
>>>> understand this problem.
>>>>
>>> What are your settings for
>>>
>>> $ sysctl -a | grep bridge.pfil
>>>
>> net.link.bridge.pfil_local_phys: 0
>> net.link.bridge.pfil_member: 1
>> net.link.bridge.pfil_bridge: 1
>> net.link.bridge.pfil_onlyip: 1
>>
>>
>>
>>> Have you tried filtering only on one of the physical bridge interfaces,
>>> with net.link.bridge.pfil_bridge=0 and set skip on { lo0, bridge0,
>>> em1 }?
>>>
>>> Daniel
>>>
>> Ok, I'm trying "set skip on {lo0, bridge0}".
>> I'll let you know if there is any improvement.
>>
>
> No, no improvement.
>
> The system froze anyway after about 3-4 hours this time.
>
> Please advise!
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 18 14:04:15 2010
Date: Thu, 18 Mar 2010 15:04:06 +0100
From: Giulio Ferro
To: Max Laier
Cc: "freebsd-net@freebsd.org", Greg Hennessy, freebsd-pf@freebsd.org
Subject: Re: PF + BRIDGE + PFSYNC causes system freezing

On 17.03.2010 18:00, Max Laier wrote:
> Can you enable WITNESS and compile in DDB. Make sure to report any LORs
>>> and once the system freezes try to enter the debugger and get ps and
>>> locks information.
>>>
>>> show allchains
>>> show alllocks
>>> ps
>>>
>>> After that you can try to "call doadump" so you get the information in
>>> the coredump and don't have to transcribe it manually.
>>>
>>> Thanks,
>>> Max
>>>
>> Sorry, I'm not really an expert of this, but how can I enter the debugger
>> if the system has frozen?
>>
> Ctrl+Alt+ESC (in default configuration).
> _______________________________________________
>

I've added this to the kernel

option KDB
option WITNESS
option WITNESS_KDB
option DDB

Now it can't even boot properly.
It stops when it tries to configure networking:
uma_zalloc_arg: zone "256" with the following non-sleepable locks held:
exclusive rw ifnet_rw (ifnet_rw) r = 0 (0xffffffff80e31b20) locked @ /usr/src/sys/net/if.c:414

show allchains


show alllocks
exclusive rw ifnet_rw (ifnet_rw) r = 0 (0xffffffff80e31b20) locked @ /usr/src/sys/net/if.c:414
exclusive sx ifnet_sx (ifnet_sx) r = 0 (0xffffffff80e31b40) locked @ /usr/src/sys/net/if.c:414

ps


call doadump
Cannot dump. Device not defined or unavailable

Hope it helps...

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 18 14:26:02 2010
From: Max Laier
To: freebsd-net@freebsd.org
Date: Thu, 18 Mar 2010 15:26:00 +0100
Cc: Giulio Ferro, Greg Hennessy, freebsd-pf@freebsd.org
Subject: Re: PF + BRIDGE + PFSYNC causes system freezing

On Thursday 18 March 2010 15:04:06 Giulio Ferro wrote:
> On 17.03.2010 18:00, Max Laier wrote:
> > Can you enable WITNESS and compile in DDB. Make sure to report any LORs
> >
> >>> and once the system freezes try to enter the debugger and get ps and
> >>> locks information.
> >>>
> >>> show allchains
> >>> show alllocks
> >>> ps
> >>>
> >>> After that you can try to "call doadump" so you get the information in
> >>> the coredump and don't have to transcribe it manually.
> >>>
> >>> Thanks,
> >>> Max
> >>
> >> Sorry, I'm not really an expert of this, but how can I enter the
> >> debugger if the system has frozen?
> >
> > Ctrl+Alt+ESC (in default configuration).
> > _______________________________________________
>
> I've added this to the kernel
>
> option KDB
> option WITNESS
> option WITNESS_KDB

remove WITNESS_KDB, it's not what you want.

> option DDB
>
>
> Now it can't even boot properly.
> It stops when it tries to configure
> networking:
> uma_zalloc_arg: zone "256" with the following non-sleepable locks held:
> exclusive rw ifnet_rw (ifnet_rw) r = 0 (0xffffffff80e31b20) locked @
> /usr/src/sys/net/if.c:414

a "bt" would help in this case to see where the bad alloc is.

> show allchains
>
>
> show alllocks
> exclusive rw ifnet_rw (ifnet_rw) r = 0 (0xffffffff80e31b20) locked @
> /usr/src/sys/net/if.c:414
> exclusive sx ifnet_sx (ifnet_sx) r = 0 (0xffffffff80e31b40) locked @
> /usr/src/sys/net/if.c:414
>
> ps
>
>
> call doadump
> Cannot dump. Device not defined or unavailable

define "dumpdev" in rc.conf to a swap partition with enough space or call
dumpon(8).

Thanks,
  Max

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 18 14:47:53 2010
Date: Thu, 18 Mar 2010 15:18:31 +0100
From: "pawelekc@gmail.com"
To: freebsd-pf@freebsd.org
Subject: Synproxy state - advertising 0 window size

I have small network like this:

[Internet] --- rl0(FreeBSD - router)rl1 --- [Lan]

I wanted to make whole outgoing packets from the Lan look the same. It means that every SYN packet has the same TCP/IP stack. So I thought about PF's synproxy state. I know synproxy was made for other purpose but I tried to do something like this (this is piece of my PF firewall):

ext_if="rl0"
int_if="rl1"
set skip on lo
scrub on $int_if min-ttl 129
nat on $ext_if from !($ext_if) to any -> ($ext_if)
pass in on $int_if proto tcp from any to any port {443, 8074} flags S/SA synproxy state

(ports are only examples)

Everything on this configuration works well but let's see listing from tcpdump:

### NATed synproxy packet###
# tcpdump -i rl0 -n -vvv 'tcp[13] & 2 != 0'
tcpdump: listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
15:09:14.680832 IP (tos 0x10, ttl 128, id 35567, offset 0, flags [DF], proto TCP (6), length 44)
    10.0.0.101.51220 > 91.111.111.12.443: Flags [S], cksum 0xf73f (correct), seq 2917250499, win 0, options [mss 1460], length 0
15:09:14.714002 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    91.111.111.12.443 > 10.0.0.101.51220: Flags [S.], cksum 0x819e (correct), seq 1940581141, ack 2917250500, win 5840, options [mss 1460], length 0

###System SYN####
15:11:05.876433 IP (tos 0x0, ttl 128, id 35741, offset 0, flags [DF], proto TCP (6), length 48)
    10.0.0.101.55040 > 94.23.95.22.80: Flags [S], cksum 0x7741 (correct), seq 414405961, win 65535, options [mss 1460,sackOK,eol], length 0
15:11:05.920871 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    94.23.95.22.80 > 10.0.0.101.55040: Flags [S.], cksum 0xcccf (correct), seq 106340672, ack 414405962, win 5840, options [mss 1460], length 0

1. In first SYN packet (from PF's synproxy) we can see that it doesn't have any options (why?) and it advertises 0 windows size why?
2. In second SYN which comes from FreeBSD (time stamps are disabled and ttl is changed) there are options and window size.

Why are both these packets different? Is it normal that synproxy sends SYNs with 0 window size?

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 18 16:39:37 2010
Date: Thu, 18 Mar 2010 17:39:29 +0100
From: Giulio Ferro
To: Max Laier
Cc: freebsd-net@freebsd.org, Greg Hennessy, freebsd-pf@freebsd.org
Subject: Re: PF + BRIDGE + PFSYNC causes system freezing

On 18.03.2010 15:26, Max Laier wrote:

Ok, it's happened again...

and once the system freezes try to enter the debugger and get ps and
>>>>> locks information.
>>>>>
>>>>> show allchains
>>>>>

No result

>>>>> show alllocks
>>>>>

Process 4483 (sshd) thread 0xffffff0002ded3a0 (100159)
exclusive sx so_rcv_sx (so_rcv_sx) r = 0 (0xffffff0002c79b98) locked @ /usr/src/sys/kern/uipc_sockbuf.c:148
Process 12 (intr) thread 0xffffff000242b3a0 (100028)
exclusive sleep mutex if_bridge (if_bridge) r = 0 (0xffffff000282d018) locked @ /usr/src/sys/modules/if_bridge/../../net/if_bridge.c:2162
Process 12 (intr) thread 0xffffff00023d3ae0 (100021)
exclusive sleep mutex Giant (Giant) r = 1 (0xffffffff80c6f660) locked @ /usr/src/sys/dev/usb/usb_transfer.c:3009
Process 12 (intr) thread 0xffffff00022603a0 (1000007)
exclusive sleep mutex carp_if (carp_if) r = 0 (0xffffff0002730360) locked @ /usr/src/sys/netinet/ip_carp.c:881

>>>>> ps
>>>>>
>>>>>

This yields a lot of lines, tell me if you want me to report something special

> a "bt" would help in this case to see where the bad alloc is.
>
>

Tracing pid 12 tid 100021 td 0xffffff00023d3ae0
kdb_enter() at kdb_enter+0x3d
...

Thanks for your interest.

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 18 19:35:59 2010
From: Max Laier
Organization: FreeBSD
To: Giulio Ferro
Date: Thu, 18 Mar 2010 20:35:56 +0100
References: <4B8E4850.1060104@zirakzigil.org> <201003181526.00442.max@love2party.net> <4BA25741.6070007@zirakzigil.org>
In-Reply-To: <4BA25741.6070007@zirakzigil.org>
Message-Id: <201003182035.56363.max@love2party.net>
Cc: freebsd-net@freebsd.org, Greg Hennessy, freebsd-pf@freebsd.org
Subject: Re: PF + BRIDGE + PFSYNC causes system freezing

On Thursday 18 March 2010 17:39:29 Giulio Ferro wrote:
> On 18.03.2010 15:26, Max Laier wrote:
>
> Ok, it's happened again...
> and once the system freezes try to enter the debugger and get ps and
>
> >>>>> locks information.
> >>>>>
> >>>>> show allchains
>
> No result

Okay ... so it looks like this is a live lock (not a deadlock) and it's probably caused by relooping packets. Now we "only" have to find the culprit for the loop ...

can you share your setup details, again? The simpler the better.
> >>>>> show alllocks
>
> Process 4483 (sshd) thread 0xffffff0002ded3a0 (100159)
> exclusive sx so_rcv_sx (so_rcv_sx) r = 0 (0xffffff0002c79b98) locked @
> /usr/src/sys/kern/uipc_sockbuf.c:148
> Process 12 (intr) thread 0xffffff000242b3a0 (100028)
> exclusive sleep mutex if_bridge (if_bridge) r = 0 (0xffffff000282d018)
> locked @ /usr/src/sys/modules/if_bridge/../../net/if_bridge.c:2162
> Process 12 (intr) thread 0xffffff00023d3ae0 (100021)
> exclusive slepp mutex Giant (Giant) r = 1 (0xffffffff80c6f660) locked @
> /usr/src/sys/dev/usb/usb_transfer.c:3009
> Process 12 (intr) thread 0xffffff00022603a0 (1000007)
> exclusive sleep mutex carp_if (carp_if) r = 0 (0xffffff0002730360)
> locked @ /usr/src/sys/netinet/ip_carp.c:881
>
> >>>>> ps
>
> This yields a lot of lines, tell me if you want me to report something
> special
>
> > a "bt" would help in this case to see where the bad alloc is.
>
> Tracing pid 12 tid 100021 td 0xffffff00023d3ae0
> kdb_enter() at kdb_enter+0x3d
> ...
>
> Thanks for your interest.
>
>

From owner-freebsd-pf@FreeBSD.ORG Thu Mar 18 20:38:02 2010
Message-ID: <4BA28F22.6080401@zirakzigil.org>
Date: Thu, 18 Mar 2010 21:37:54 +0100
From: Giulio Ferro
To: Max Laier
References: <4B8E4850.1060104@zirakzigil.org> <201003181526.00442.max@love2party.net> <4BA25741.6070007@zirakzigil.org> <201003182035.56363.max@love2party.net>
In-Reply-To: <201003182035.56363.max@love2party.net>
Cc: freebsd-net@freebsd.org, Greg Hennessy, freebsd-pf@freebsd.org
Subject: Re: PF + BRIDGE + PFSYNC causes system freezing

On 18.03.2010 20:35, Max Laier wrote:
> Okay ... so it looks like this is a live lock (not a deadlock) and it's
> probably caused by relooping packets. Now we "only" have to find the culprit
> for the loop ...
>
> can you share your setup details, again? The simpler the better.
>
>

Ok

> uname -a
FreeBSD firewall-1.acme.com 8.0-STABLE FreeBSD 8.0-STABLE #2: Thu Mar 18 15:59:27 CET 2010 root@acme.com:/usr/obj/usr/src/sys/FIREWALL amd64

> cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=1
net.inet.carp.preempt=1

Services running : sshd, named, inetd, ntpd, openvpn (tap), racoon, pptp, asterisk

2 physical interfaces : bce0, bce1
11 vlan interfaces : vlan1, ..., vlan11 (vlandev bce1)
11 carp interfaces : carp1, ..., carp11 (carp1 has 23 alias addresses)
1 bridge interfaces : bridge0 addm vlan35 (used by openvpn)
2 gif interfaces : gif0, gif1 (racoon / IPSEC)
8 static routes

pf packet filter : 12 rdr rules, 3 nat rules, set skip{lo0, bridge0}, 4 pass quick, block log all, about 30 pass keep state

This should be all. I'm available for any test / patch...

Thanks.
From owner-freebsd-pf@FreeBSD.ORG Fri Mar 19 01:01:46 2010
From: Vlad Galu
Date: Fri, 19 Mar 2010 01:33:21 +0100
To: freebsd-pf@freebsd.org
Subject: Fwd: Crash in pf(4) with a fairly recent RELENG_8

Duh, never thought of writing to this list first :/

Forwarded conversation
Subject: Crash in pf(4) with a fairly recent RELENG_8
------------------------
From: *Vlad Galu*
Date: Thu, Mar 18, 2010 at 12:38 AM
To: freebsd-stable@freebsd.org

Luckily I could find this coredump:
-- cut here --
#0 doadump () at pcpu.h:223
#1 0xffffffff802f4ace in boot (howto=260) at ../../../kern/kern_shutdown.c:416
#2 0xffffffff802f4eab in panic (fmt=Variable "fmt" is not available. ) at ../../../kern/kern_shutdown.c:579
#3 0xffffffff805064d2 in trap_fatal (frame=0xffffff80000345c0, eva=0) at ../../../amd64/amd64/trap.c:857
#4 0xffffffff80506e8c in trap (frame=0xffffff80000345c0) at ../../../amd64/amd64/trap.c:644
#5 0xffffffff804eec93 in calltrap () at ../../../amd64/amd64/exception.S:224
#6 0xffffffff801a1140 in pf_state_tree_id_RB_MINMAX () at ../../../contrib/pf/net/pf.c:401
#7 0xffffffff801a1210 in pf_src_tree_RB_FIND (head=Variable "head" is not available. ) at ../../../contrib/pf/net/pf.c:396
#8 0xffffffff801a3594 in pf_insert_src_node (sn=0xffffff8000034868, rule=0xffffff0001694000, src=0xffffff000d75701c, af=2 '\002') at ../../../contrib/pf/net/pf.c:850
#9 0xffffffff801acd6e in pf_test_tcp (rm=0xffffff8000034978, sm=0xffffff8000034970, direction=1, kif=0xffffff000132ab00, m=0xffffff001e052b00, off=20, h=0xffffff000d757010, pd=0xffffff8000034990, am=0xffffff8000034980, rsm=0xffffff8000034968, ifq=0x0, inp=0x0) at ../../../contrib/pf/net/pf.c:3500
#10 0xffffffff801ae7a6 in pf_test (dir=1, ifp=0xffffff0001201000, m0=0xffffff8000034ac8, eh=Variable "eh" is not available. ) at ../../../contrib/pf/net/pf.c:7066
#11 0xffffffff801b33a9 in pf_check_in (arg=Variable "arg" is not available. ) at ../../../contrib/pf/net/pf_ioctl.c:3646
-- and here --

--
Good, fast & cheap. Pick any two.

----------
From: *Vlad Galu*
Date: Thu, Mar 18, 2010 at 12:44 AM
To: freebsd-stable@freebsd.org

The pf_src_node struct in frame #8 is this:
-- cut here--
(kgdb) p k
$1 = {entry = {rbe_left = 0x0, rbe_right = 0x0, rbe_parent = 0xffffffff00000000, rbe_color = 0},
  addr = {pfa = {v4 = { s_addr = 1684237067}, v6 = {__u6_addr = {
    __u6_addr8 = "\vkcd\200???\001\000\000\000\000\000\000",
    __u6_addr16 = {27403, 25699, 65408, 65535, 1, 0, 0, 0},
    __u6_addr32 = {1684237067, 4294967168, 1, 0}}},
    addr8 = "\vkcd\200???\001\000\000\000\000\000\000",
    addr16 = {27403, 25699, 65408, 65535, 1, 0, 0, 0},
    addr32 = {1684237067, 4294967168, 1, 0}}},
  raddr = {pfa = {v4 = {s_addr = 12}, v6 = {__u6_addr = {
    __u6_addr8 = "\f\000\000\000\000\000\000\000\000?2\001\000???",
    __u6_addr16 = {12, 0, 0, 0, 43776, 306, 65280, 65535},
    __u6_addr32 = {12, 0, 20097792, 4294967040}}},
    addr8 = "\f\000\000\000\000\000\000\000\000?2\001\000???",
    addr16 = {12, 0, 0, 0, 43776, 306, 65280, 65535},
    addr32 = {12, 0, 20097792, 4294967040}}},
  rule = {ptr = 0xffffff0001694000, nr = 23674880}, kif = 0xffffffff801a9858,
  bytes = {18446743523953737740, 18446742974423724064}, packets = {3354, 17179869187},
  states = 23510160, conn = 4294967040,
  conn_rate = {limit = 23403040, seconds = 4294967040, count = 20097792, last = 4294967040},
  creation = 2, expire = 0, af = 2 '\002', ruletype = 0 '\0'}
-- and here--

The byte count looks weird...

--
Good, fast & cheap. Pick any two.
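A triage aid for the dump in the message above, added here as an example and not part of the original posts: it converts a few of the decimal values kgdb printed into hex, decodes the IPv4 source address, and checks whether the 64-bit counters fall in the amd64 kernel address range or close to pointers from the quoted backtrace. The function names, the selection of fields and the 0x1000 proximity window are assumptions made for this example.

```python
import socket
import struct

# Decimal values copied from the kgdb "p k" output quoted above.
DUMP = {
    "addr.v4.s_addr": 1684237067,
    "bytes[0]": 18446743523953737740,
    "bytes[1]": 18446742974423724064,
    "packets[0]": 3354,
    "packets[1]": 17179869187,
}

# Pointer arguments copied from frames #8 and #9 of the quoted backtrace.
BACKTRACE_PTRS = {
    "sn (frame #8)": 0xffffff8000034868,
    "src (frame #8)": 0xffffff000d75701c,
    "h (frame #9)": 0xffffff000d757010,
}

# amd64 canonical upper-half addresses have bits 63..47 set.
KERNEL_BASE = 0xFFFF800000000000


def s_addr_to_dotted(s_addr):
    """kgdb prints in_addr.s_addr as a little-endian integer on amd64;
    repacking it little-endian recovers the network-order bytes."""
    return socket.inet_ntoa(struct.pack("<I", s_addr))


def looks_like_kernel_pointer(value):
    """Heuristic: a counter this large is implausible, an address is not."""
    return value >= KERNEL_BASE


def nearest_backtrace_pointer(value, max_delta=0x1000):
    """Closest backtrace pointer within max_delta bytes as (name, delta)."""
    best = None
    for name, ptr in BACKTRACE_PTRS.items():
        delta = value - ptr
        if abs(delta) <= max_delta and (best is None or abs(delta) < abs(best[1])):
            best = (name, delta)
    return best


def triage(dump):
    """Return hex form, pointer-likeness and nearby pointer for each field."""
    return {
        field: {
            "hex": f"{value:#x}",
            "pointer_like": looks_like_kernel_pointer(value),
            "near": nearest_backtrace_pointer(value),
        }
        for field, value in dump.items()
    }


if __name__ == "__main__":
    print("addr.v4:", s_addr_to_dotted(DUMP["addr.v4.s_addr"]))
    for field, info in triage(DUMP).items():
        print(f"{field:16} {info['hex']:>20} {info['pointer_like']} {info['near']}")
```

Both bytes[] entries come out as upper-half addresses, and bytes[1] lies 4 bytes past the src pointer of frame #8, so the values read as addresses rather than traffic counters.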
From owner-freebsd-pf@FreeBSD.ORG Fri Mar 19 07:20:06 2010
Date: Fri, 19 Mar 2010 07:20:06 GMT
Message-Id: <201003190720.o2J7K6fJ089370@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Yoshiaki Kasahara
Subject: Re: kern/144311: massive ICMP storm on lo0 occurs when using pf(4) 'reply-to'
Reply-To: Yoshiaki Kasahara

The following reply was made to PR kern/144311; it has been noted by GNATS.
From: Yoshiaki Kasahara
To: bug-followup@FreeBSD.org
Subject: Re: kern/144311: massive ICMP storm on lo0 occurs when using pf(4) 'reply-to'
Date: Fri, 19 Mar 2010 16:09:18 +0900 (JST)

I found a workaround for the problem. The problem won't happen when I removed TSO support from the interface which is used for the default route.

About my old server, only msk(4) has TSO support, so the problem only happened when I used msk(4) for the default route. (My original post was a bit confused and incorrect, sorry).

I guess there is something wrong with TSO related code (ip_output.c or tcp_output.c ?), but it is too much for me to understand them....

From owner-freebsd-pf@FreeBSD.ORG Fri Mar 19 13:40:04 2010
Date: Fri, 19 Mar 2010 13:40:03 GMT
Message-Id: <201003191340.o2JDe3o8017603@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Max Laier Cc: Subject: Re: kern/144311: [pf] [icmp] massive ICMP storm on lo0 occurs when using pf(4) 'reply-to' X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Max Laier List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Mar 2010 13:40:04 -0000 The following reply was made to PR kern/144311; it has been noted by GNATS. From: Max Laier To: bug-followup@freebsd.org, kasahara@nc.kyushu-u.ac.jp Cc: Pyun YongHyeon Subject: Re: kern/144311: [pf] [icmp] massive ICMP storm on lo0 occurs when using pf(4) 'reply-to' Date: Fri, 19 Mar 2010 14:35:05 +0100 --Boundary-00=_J23oL/ZH/GBB7xo Content-Type: Text/Plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Can you please test the attached patch (by Pyun YongHyeon) and let us know if this fixes the situation for you? Thanks, Max Laier --Boundary-00=_J23oL/ZH/GBB7xo Content-Type: text/x-patch; charset="ISO-8859-1"; name="pf.routeto.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="pf.routeto.patch" Index: sys/contrib/pf/net/pf.c =================================================================== --- sys/contrib/pf/net/pf.c (revision 203960) +++ sys/contrib/pf/net/pf.c (working copy) @@ -6375,6 +6375,7 @@ m0->m_pkthdr.csum_flags &= ifp->if_hwassist; if (ntohs(ip->ip_len) <= ifp->if_mtu || + (m0->m_pkthdr.csum_flags & ifp->if_hwassist & CSUM_TSO) != 0 || (ifp->if_hwassist & CSUM_FRAGMENT && ((ip->ip_off & htons(IP_DF)) == 0))) { /* @@ -6449,7 +6450,7 @@ * Too large for interface; fragment if possible. * Must be able to put at least 8 bytes per fragment. */ - if (ip->ip_off & htons(IP_DF)) { + if (ip->ip_off & htons(IP_DF) || (m0->m_pkthdr.csum_flags & CSUM_TSO)) { KMOD_IPSTAT_INC(ips_cantfrag); if (r->rt != PF_DUPTO) { #ifdef __FreeBSD__ --Boundary-00=_J23oL/ZH/GBB7xo--
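Review bot: in the first hunk (@@ -6375), the added test (m0->m_pkthdr.csum_flags & ifp->if_hwassist & CSUM_TSO) != 0 masks with ifp->if_hwassist a second time, although the context line directly above it already does m0->m_pkthdr.csum_flags &= ifp->if_hwassist. Testing (m0->m_pkthdr.csum_flags & CSUM_TSO) != 0 would be equivalent at this point and easier to read. A short comment on the new line saying why a packet longer than ifp->if_mtu may take the non-fragmenting branch when CSUM_TSO is set would also help, since the condition otherwise reads as a plain MTU and CSUM_FRAGMENT check.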
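Review bot: in the second hunk (@@ -6449), can CSUM_TSO still be set in m0->m_pkthdr.csum_flags when this test runs? The first hunk's context shows m0->m_pkthdr.csum_flags &= ifp->if_hwassist before either test, so unless the flags are changed again in the lines between the two hunks, the bit only survives when the interface advertises TSO, and in that case the first hunk's new condition is already true. If this block is the fall-through of that earlier if, the added (m0->m_pkthdr.csum_flags & CSUM_TSO) term looks like it can never be true here; if the intent is to refuse fragmenting a TSO packet on an interface without TSO, the flag would need to be sampled before the mask. Separately, the new condition mixes & and || without parentheses around the first operand and drops the != 0 form used in the first hunk; (ip->ip_off & htons(IP_DF)) != 0 || (m0->m_pkthdr.csum_flags & CSUM_TSO) != 0 would match it, and the "Too large for interface; fragment if possible" comment should mention the TSO case.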