From owner-freebsd-pf@FreeBSD.ORG Mon Nov 5 11:06:37 2012
Return-Path: 
Delivered-To: freebsd-pf@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 65109CF6 for ; Mon, 5 Nov 2012 11:06:37 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 49F448FC0C for ; Mon, 5 Nov 2012 11:06:37 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id qA5B6bX1001248 for ; Mon, 5 Nov 2012 11:06:37 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id qA5B6aCE001246 for freebsd-pf@FreeBSD.org; Mon, 5 Nov 2012 11:06:36 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 5 Nov 2012 11:06:36 GMT
Message-Id: <201211051106.qA5B6aCE001246@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Mon, 05 Nov 2012 11:06:37 -0000

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o bin/172888   pf    [patch] authpf(8) feature enhancement
o kern/172648  pf    [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf    [pf] PF problem with modulate state in [regression]
o kern/169630  pf    [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf    [pf] direction scrub rules don't work
o kern/168190  pf    [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf    [pf] kern.securelevel 3 +pf reload
o kern/165315  pf    [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf    [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf    [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf    [pf] PF state key linking mismatch
o kern/160370  pf    [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf    [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

47 problems total.
From owner-freebsd-pf@FreeBSD.ORG Fri Nov 9 05:43:58 2012
Return-Path: 
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 02A0A8A7 for ; Fri, 9 Nov 2012 05:43:58 +0000 (UTC) (envelope-from wicked@baot.se)
Received: from mail-wg0-f42.google.com (mail-wg0-f42.google.com [74.125.82.42]) by mx1.freebsd.org (Postfix) with ESMTP id 81B5F8FC0C for ; Fri, 9 Nov 2012 05:43:57 +0000 (UTC)
Received: by mail-wg0-f42.google.com with SMTP id fm10so221649wgb.1 for ; Thu, 08 Nov 2012 21:43:50 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=date:from:to:cc:subject:message-id:mime-version:content-type :content-disposition:user-agent:x-gm-message-state; bh=5L9J0IQEdaGOxk3UFQbo0ZPfMcvQ0WW0+i9fnMgvoH0=; b=HJ2G8+GPOougGBXb7L6HSswGiaSWLTW5ToAkYt3av9e7tLIjoYdIJ1xNS5awbPM82Z m0071b6KIO/6FRvNrAIXZxEyw6hAFuiCFGCduLzSU3+U9ZBF+ugg9vE/0V6k9XZz3NiK icOJnr6AMbm4qga/WYz62oHEC1L7WW2CT703CePM4UYd5bIT5tg4aKWjbiitLefvkFoU Wa28+gPUNLGH8mn2pLV4KdzLWuGaQrkAQH7i+UKH2mOh2cUrbSqPOe+KOtXdjXGbmCnn SUdjq3f6N6Hvbec0ouBH5i41f/Y4Tsckn4OQeEmV/8TjtExh1WGQ/12ATtVf4LVQODX5 Yt5w==
Received: by 10.216.226.98 with SMTP id a76mr4587036weq.5.1352439830243; Thu, 08 Nov 2012 21:43:50 -0800 (PST)
Received: from baot.se (baot.se. [82.192.84.2]) by mx.google.com with ESMTPS id ey2sm783497wib.9.2012.11.08.21.43.48 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 08 Nov 2012 21:43:49 -0800 (PST)
Received: by baot.se (sSMTP sendmail emulation); Fri, 09 Nov 2012 05:40:16 +0000
Date: Fri, 9 Nov 2012 05:40:16 +0000
From: "Anders N."
To: freebsd-pf@freebsd.org
Subject: pf synproxy slowdown
Message-ID: <20121109054016.GA76137@baot.se>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Gm-Message-State: ALoCoQl7r49bQGtTWLrkiJVkEJ1gPJEOBJdghgcUSwswOCtn86LL9rtleqxb8LShb0WWoXAseY8J
Cc: freebsd-questions@freebsd.org
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 09 Nov 2012 05:43:58 -0000

Hi. I've got a server running pf that has been displaying some odd (at least to me) behavior.

I use the "synproxy state"[1] option quite a few times in my config without any ill effects that I've noticed until now. I realized it was on every open port except for ssh, so I added it to my ssh line:

pass in on $ext_if proto tcp from any to $IP port 22 flags S/SA synproxy state

After doing so, scp/sftp/rsync have all slowed down to a crawl! I get ~1/4th the speed I usually do from the server with it enabled there. Remove it, speed goes back to normal. I'm using synproxy state with some other services that send large amounts of data very quickly (http, torrents, etc) and none of them exhibit this slowdown, so I'm wondering why scp is so slow with it.

Here's the rest of my pf.conf, if it matters:

ext_if = "bge0"

set block-policy drop
scrub in all

block in all
block in quick on $ext_if from any to 255.255.255.255
pass out on $ext_if from any to any
pass out keep state

set skip on lo0

# anti-spoofing
block in quick from urpf-failed
antispoof quick for $ext_if
block in from no-route to any
block drop in log (all) quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 255.255.255.255/32 } to any
block drop out log (all) quick on $ext_if from any to { 10.0.0.0/8, 172.16.0.0/12, 255.255.255.255/32 }

# illegal TCP flag combinations
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

# services
pass in on $ext_if proto tcp from any to $IP port 22 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $IP port 80 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $IP port 9999 flags S/SA synproxy state

I'm not on the list, so please CC me if it's not too much trouble.
[1] http://www.openbsd.org/faq/pf/filter.html

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 9 05:54:27 2012
Return-Path: 
Delivered-To: freebsd-pf@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 51E43B3D; Fri, 9 Nov 2012 05:54:27 +0000 (UTC) (envelope-from glebius@FreeBSD.org)
Received: from cell.glebius.int.ru (glebius.int.ru [81.19.64.117]) by mx1.freebsd.org (Postfix) with ESMTP id BA63A8FC12; Fri, 9 Nov 2012 05:54:26 +0000 (UTC)
Received: from cell.glebius.int.ru (localhost [127.0.0.1]) by cell.glebius.int.ru (8.14.5/8.14.5) with ESMTP id qA95sI86007475; Fri, 9 Nov 2012 09:54:18 +0400 (MSK) (envelope-from glebius@FreeBSD.org)
Received: (from glebius@localhost) by cell.glebius.int.ru (8.14.5/8.14.5/Submit) id qA95sIbZ007474; Fri, 9 Nov 2012 09:54:18 +0400 (MSK) (envelope-from glebius@FreeBSD.org)
X-Authentication-Warning: cell.glebius.int.ru: glebius set sender to glebius@FreeBSD.org using -f
Date: Fri, 9 Nov 2012 09:54:18 +0400
From: Gleb Smirnoff
To: "Anders N."
Subject: Re: pf synproxy slowdown
Message-ID: <20121109055418.GU84182@FreeBSD.org>
References: <20121109054016.GA76137@baot.se>
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
In-Reply-To: <20121109054016.GA76137@baot.se>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: freebsd-questions@FreeBSD.org, freebsd-pf@FreeBSD.org
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 09 Nov 2012 05:54:27 -0000

On Fri, Nov 09, 2012 at 05:40:16AM +0000, Anders N. wrote:
A> Hi. I've got a server running pf that has been displaying some odd (at least to me) behavior.
A> 
A> I use the "synproxy state"[1] option quite a few times in my config without any ill effects that I've noticed until now. I realized it was on every open port except for ssh, so I added it to my ssh line:
A> 
A> pass in on $ext_if proto tcp from any to $IP port 22 flags S/SA synproxy state
A> 
A> After doing so, scp/sftp/rsync have all slowed down to a crawl! I get ~1/4th the speed I usually do from the server with it enabled there. Remove it, speed goes back to normal. I'm using synproxy state with some other services that send large amounts of data very quickly (http, torrents, etc) and none of them exhibit this slowdown, so I'm wondering why scp is so slow with it.
A> 
A> Here's the rest of my pf.conf, if it matters:

This is because the synproxy module doesn't know which TCP extensions the backend TCP stack supports, and thus announces none to the remote peer. A connection created via a synproxy rule will support neither window scaling, nor SACK, nor timestamps. Obviously, this results in bad performance.

-- 
Totus tuus, Glebius.
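Added example, not part of this thread and not code from pf or FreeBSD: a small Python parser for the TCP options in a SYN-ACK, which is the check a practitioner would run to confirm what Gleb describes. Capture the server's SYN-ACK on the external interface (for instance with tcpdump -x, then strip the link-layer and IP headers) and feed the raw TCP header bytes to parse_tcp_options(); missing_extensions() lists which of window scaling, SACK-permitted and timestamps were not offered, and window_limited_bps() gives the throughput ceiling a 64 KiB unscaled window imposes for a given round-trip time. The two segments embedded below are constructed, not captured: BACKEND_SYNACK models a stack that offers all three extensions, and SYNPROXY_SYNACK is an assumption of an MSS-only handshake modelling the option-less SYN-ACK Gleb describes.

```python
"""Inspect the TCP options a SYN-ACK carries and report which extensions
(window scaling, SACK-permitted, timestamps) were not negotiated.
Input is the raw TCP header of the segment (link and IP headers removed)."""
import struct

# TCP option kinds (RFC 793, RFC 2018, RFC 7323)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACKOK, OPT_TS = 0, 1, 2, 3, 4, 8
EXTENSIONS = ("wscale", "sack_ok", "timestamps")


def parse_tcp_options(segment: bytes) -> dict:
    """Return the options present in a TCP header as {name: value}.

    Rejects short headers, bad data offsets and options that overrun the
    header, so a malformed capture raises instead of yielding garbage."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    data_offset = (segment[12] >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    buf = segment[20:data_offset]
    opts = {}
    i = 0
    while i < len(buf):
        kind = buf[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:                       # single-byte padding
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("truncated option")
        length = buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad option length")
        body = buf[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE and length == 3:
            opts["wscale"] = body[0]              # shift count
        elif kind == OPT_SACKOK and length == 2:
            opts["sack_ok"] = True
        elif kind == OPT_TS and length == 10:
            opts["timestamps"] = struct.unpack("!II", body)  # TSval, TSecr
        i += length
    return opts


def missing_extensions(segment: bytes) -> list:
    """Names of the performance-relevant extensions the SYN-ACK did not offer."""
    opts = parse_tcp_options(segment)
    return [name for name in EXTENSIONS if name not in opts]


def negotiated_window(segment: bytes) -> int:
    """Ceiling on the receive window this side can advertise after the
    handshake: the 16-bit window field shifted by the window-scale count
    (the SYN-ACK's own window is never scaled; without the option it stays
    at most 65535 for the life of the connection)."""
    opts = parse_tcp_options(segment)
    window = struct.unpack("!H", segment[14:16])[0]
    return window << opts.get("wscale", 0)


def window_limited_bps(window_bytes: int, rtt_ms: int) -> int:
    """Throughput bound (bit/s) when the receive window, not the link, is
    the bottleneck: at most one window per round trip."""
    return window_bytes * 8 * 1000 // rtt_ms


def _synack(options: bytes, window: int = 0xFFFF) -> bytes:
    """Build a constructed (not captured) SYN-ACK TCP header from port 22."""
    options += b"\x00" * ((-len(options)) % 4)   # pad with EOL to 32 bits
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 22, 49152, 0x11223344, 0xAABBCCDD,
                       data_offset << 4, 0x12, window, 0, 0) + options


# Constructed sample: MSS 1460, SACK-permitted, timestamps, NOP, wscale 7.
BACKEND_SYNACK = _synack(b"\x02\x04\x05\xb4" + b"\x04\x02"
                         + b"\x08\x0a" + struct.pack("!II", 100, 200)
                         + b"\x01" + b"\x03\x03\x07")
# Constructed sample: MSS only. Assumption modelling the option-less
# handshake described in the thread, not a capture from pf.
SYNPROXY_SYNACK = _synack(b"\x02\x04\x05\xb4")

if __name__ == "__main__":
    for name, seg in (("backend", BACKEND_SYNACK), ("synproxy", SYNPROXY_SYNACK)):
        win = negotiated_window(seg)
        print(f"{name}: options={parse_tcp_options(seg)} "
              f"missing={missing_extensions(seg)} max_window={win} B "
              f"bound@100ms={window_limited_bps(win, 100) / 1e6:.1f} Mbit/s")
```

The A/B in the thread (swap synproxy state for keep state on the port 22 rule and re-run the transfer) shows the symptom; this shows the cause on the wire. A SYN-ACK with no wscale option pins the window at 65535 bytes, which at 100 ms RTT caps a single flow at roughly 5 Mbit/s regardless of link speed, and the absence of SACK makes every loss cost a full window of retransmission.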