From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 224414] 'kldload pf' or 'pf_enable="YES"' triggers immediate panic
Date: Mon, 18 Dec 2017 04:01:04 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224414

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-pf@FreeBSD.org

-- 
You are receiving this mail because:
You are the assignee for the bug.

From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 224414] 'kldload pf' or 'pf_enable="YES"' triggers immediate panic
Date: Mon, 18 Dec 2017 07:05:32 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224414

Paul Webster changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |paul.g.webster@googlemail.com

--- Comment #1 from Paul Webster ---
I do have some emN hardware somewhere that I know works with freebsd and my
current production server seems fairly happy too:

igb0: port 0x3000-0x301f mem 0xb1100000-0xb117ffff,0xb1180000-0xb1183fff irq 17 at device 0.0 on pci3
igb0: Using MSIX interrupts with 5 vectors
igb0: Ethernet address: 00:1e:67:c4:6f:5b
igb0: Bound queue 0 to cpu 0
igb0: Bound queue 1 to cpu 1
igb0: Bound queue 2 to cpu 2
igb0: Bound queue 3 to cpu 3
igb0: netmap queues/slots: TX 4/10

I BELIEVE there was a driver change for all intel network hardware coming up or
just passed though, it might actually be in current (will wait for someone else
to confirm) if you have the ability or time you could try installing one of the
12-snapshot ISO's to a USB pen and booting that to see if it shows the same
issues.

From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 224414] 'kldload pf' or 'pf_enable="YES"' triggers immediate panic
Date: Mon, 18 Dec 2017 07:21:27 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224414

Kristof Provost changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kp@freebsd.org

--- Comment #2 from Kristof Provost ---
It would be very useful to have a crashdump, as right now there's not a lot to
go on.

From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 224414] 'kldload pf' or 'pf_enable="YES"' triggers immediate panic
Date: Mon, 18 Dec 2017 09:59:13 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224414

--- Comment #3 from Kristof Provost ---
If I had to guess (and given that there's no information right now that's all I
can do) it might be FreeBSD-EN-17:08-pf.
Make sure you've updated your installation to the latest 11.1 patch version.

https://www.freebsd.org/security/advisories/FreeBSD-EN-17:08.pf.asc

From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 224414] 'kldload pf' or 'pf_enable="YES"' triggers immediate panic
Date: Tue, 19 Dec 2017 03:37:45 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224414

--- Comment #4 from S Senator ---
This problem description matches the presented stack trace and panic:

from: https://www.freebsd.org/security/advisories/FreeBSD-EN-17:08.pf.asc
"A pf housekeeping thread (pf_purge_thread) could potentially use an
uninitialized variable, leading to a division by zero and a kernel panic."

After following the remediation steps:
  (freebsd-update fetch; freebsd-update install)
this does not occur.

This may be closed.

From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 224414] 'kldload pf' or 'pf_enable="YES"' triggers immediate panic
Date: Tue, 19 Dec 2017 07:23:32 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224414

Kristof Provost changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Closed
         Resolution|---                         |FIXED

From: Michael Grimm
To: freebsd-net@freebsd.org, freebsd-pf@FreeBSD.org
Cc: Eugene Grosbein
Subject: Re: performance issue within VNET jail
Date: Fri, 22 Dec 2017 21:30:35 +0100

Hi —

[ I am including freebsd-pf@FreeBSD.org now and removing freebsd-jail@FreeBSD.org ]
[ Thread starts at https://lists.freebsd.org/pipermail/freebsd-net/2017-December/049470.html ]

Eugene Grosbein wrote:
> Michael Grimm wrote:
>> Kristof Provost wrote:

>>> I run a very similar setup (although on CURRENT), and see no performance issues from my jails.
>>
>> In utter despair I did upgrade one server to CURRENT (#327076) today, but that hasn't been successful :-(
>>
>> Ok, right now I do know:
>>
>> (#) there is *no* performance loss (TCP) when:
>>
>>     (-) fetching files from outside through PF/extIF to host
>>     (-) fetching files from partner server host via IPSEC tunnel bound to extIF (ESP) to host
>>     (-) fetching files from partner server host via IPSEC tunnel bound to extIF (ESP) to jail via bridge
>>     (-) fetching files from partner server jail via bridge and then via IPSEC tunnel bound to extIF (ESP) to host
>>     (-) fetching files from partner server jail via bridge and then via IPSEC tunnel bound to extIF (ESP) and then via bridge to jail
>>
>> (#) there is a *dramatic* performance loss (TCP) when:
>>
>>     (-) fetching files from outside through PF/extIF via bridge to jail
>>
>> (#) I did try to tweak the following settings *without* success:
>>
>>     (-) sysctl net.inet.tcp.tso=0
>>     (-) sysctl net.link.bridge.pfil_onlyip=0
>>     (-) sysctl net.link.bridge.pfil_bridge=0
>>     (-) sysctl net.link.bridge.pfil_member=0
>>     (-) reducing mtu to 1400 (1490 before) on all interfaces extIF, bridge, epairXs
>>     (-) deactivating "scrub in all" and "scrub out on $extIF all random-id" in /etc/pf.conf
>>     (-) setting "set require-order yes" and "set require-order no" in /etc/pf.conf [1]
>>
>> [1] I do see a lot more out-of-order packages within a jail "netstat -s -p tcp" after those slow downloads, but not after downloads via IPSEC tunnel from partner host.
>>
>> That leads me to the conclusions:
>>
>> (#) the bridge is not to blame
>> (#) it's either the PF/NATing or something else, right?
>>
>> Thanks for your suggestions so far, but I am lost here. Any ideas?
>
> It seems to me some kind of bug in the PF.
> I personally never tried it, I use ipfw and it works just fine.

Before testing IPFW (which I have never used before) I'd like to ask the experts in freebsd-pf@FreeBSD.org about possible tests/tweaks regarding PF.

Thanks to all involved so far and regards,
Michael

From: "Bjoern A. Zeeb"
To: "Michael Grimm"
Cc: freebsd-net@freebsd.org, freebsd-pf@FreeBSD.org
Subject: Re: performance issue within VNET jail
Date: Sat, 23 Dec 2017 13:11:40 +0000

On 22 Dec 2017, at 20:30, Michael Grimm wrote:

> Hi —
>
> [ I am including freebsd-pf@FreeBSD.org now and removing
> freebsd-jail@FreeBSD.org ]
> [ Thread starts at
> https://lists.freebsd.org/pipermail/freebsd-net/2017-December/049470.html
> ]
>>>
>>> (#) there is a *dramatic* performance loss (TCP) when:
>>>
>>> (-) fetching files from outside through PF/extIF via bridge to jail
…
>>>
>>> Thanks for your suggestions so far, but I am lost here. Any ideas?
>>
>> It seems to me some kind of bug in the PF.
>> I personally never tried it, I use ipfw and it works just fine.
>
> Before testing IPFW (which I have never used before) I'd like to ask
> the experts in freebsd-pf@FreeBSD.org about possible tests/tweaks
> regarding PF.

OK, too complicated setups; I am not getting it fully.

Can you please just describe the one case that doesn’t work well in all
detail and ignore all the others for a moment?

(a) what’s the external host interface?
(b) pf runs on the base system?
(c) you are bridging into a VNET-jail? How exactly? Are you bridging to epairs?
(d) where exactly are you NATing?
(e) why are you bridging and NATing? That makes little sense to me. Couldn’t you NAT and forward or just bridge?
(f) what’s inside the VNET jail? Another pf or anything?
(g) out of curiosity, does dmesg on the base system indicate anything?

To understand your performance problem better:

(1) you are doing a fetch of a rather large file to test from within the VNET jail? Or what are you fetching? Are you using fetch?
(2) if you fetch from within the same VNET jail does that perform?
(3) if you fetch something to the VNET jail from the base system just going through your internal setup but not leaving the machine, does that still perform?
(4) if you fetch something to the VNET jail from the same LAN (if possible to test) does that perform?
(5) if you fetch something to the VNET jail from a close by location does that make a difference to something on the other side of the planet?

/bz

From: Michael Grimm
To: "Bjoern A. Zeeb"
Cc: freebsd-net@freebsd.org, freebsd-pf@FreeBSD.org
Subject: Re: [SOLVED] performance issue within VNET jail
Date: Sat, 23 Dec 2017 15:06:10 +0100

Bjoern A. Zeeb wrote:
>
> On 22 Dec 2017, at 20:30, Michael Grimm wrote:
>> Hi —
>>
>> [ I am including freebsd-pf@FreeBSD.org now and removing freebsd-jail@FreeBSD.org ]
>> [ Thread starts at https://lists.freebsd.org/pipermail/freebsd-net/2017-December/049470.html ]
>>>>
>>>> (#) there is a *dramatic* performance loss (TCP) when:
>>>>
>>>>     (-) fetching files from outside through PF/extIF via bridge to jail
> …
>>>>
>>>> Thanks for your suggestions so far, but I am lost here. Any ideas?
>>>
>>> It seems to me some kind of bug in the PF.
>>> I personally never tried it, I use ipfw and it works just fine.
>>
>> Before testing IPFW (which I have never used before) I'd like to ask the experts in freebsd-pf@FreeBSD.org about possible tests/tweaks regarding PF.
>
> OK, too complicated setups; I am not getting it fully.

;-)

> Can you please just describe the one case that doesn’t work well in all detail and ignore all the others for a moment?
>
> (a) what’s the external host interface?

vtnet

> (b) pf runs on the base system?

yes

> (c) you are bridging into a VNET-jail? How exactly? Are you bridging to epairs?

yes, I am bridging epairs

> (d) where exactly are you NATing?

I am NATing IPv4 and IPv6 at the host's PF firewall

> (e) why are you bridging and NATing? That makes little sense to me. Couldn’t you NAT and forward or just bridge?

hmm, that has been developed by myself over the years. I do "consider" my jails as jails with their own network stack, like isolated "VM".

> (f) what’s inside the VNET jail? Another pf or anything?

no more firewall, my jails are merely service jails (dns, mail, web, …)

> (g) out of curiosity, does dmesg on the base system indicate anything?

No.

> To understand your performance problem better:
>
> (1) you are doing a fetch of a rather large file to test from within the VNET jail? Or what are you fetching? Are you using fetch?

yes, I do something like the following with the jail:

	wget https://download.freebsd.org/ftp/releases/ISO-IMAGES/11.1/FreeBSD-11.1-RELEASE-amd64-bootonly.iso -O /dev/null

> (2) if you fetch from within the same VNET jail does that perform?
> (3) if you fetch something to the VNET jail from the base system just going through your internal setup but not leaving the machine, does that still perform?
> (4) if you fetch something to the VNET jail from the same LAN (if possible to test) does that perform?
> (5) if you fetch something to the VNET jail from a close by location does that make a difference to something on the other side of the planet?

I will skip these questions for the time being, because I did solve my issue 15 minutes before your mail ;-) And I feel sorry for all your now "wasted" efforts in trying to help me.

As I am using vtnet interface in a cloud environment (Public Cloud by OVH) I did read the vtnet(4) man pages and stumbled about "LOADER TUNABLES" like:

	hw.vtnet.lro_disable
	hw.vtnet.X.lro_disable
		This tunable disables LRO. The default value is 0.

Well, without knowing and understanding the implications of those loader tunables I did disable them step by step, and bingo, setting …

	hw.vtnet.lro_disable="1"

… in /boot/loader.conf and performance is back from KB/s to MB/s.

I really do not understand what I have done and why it is working and whether that will have negative implications for my servers. Perhaps someone of you experts could help me understand it.

Because I am leaving in some hours for Xmas vacations, I won't be able to come back to this issue for some days now.

I'd like to thank all of you for your patience and help, and:

Merry Christmas and with kind regards,
Michael

From: "Bjoern A. Zeeb"
To: "Michael Grimm"
Cc: freebsd-net@freebsd.org, freebsd-pf@FreeBSD.org
Subject: Re: [SOLVED] performance issue within VNET jail
Date: Sat, 23 Dec 2017 14:41:11 +0000

On 23 Dec 2017, at 14:06, Michael Grimm wrote:

> I will skip these questions for the time being, because I did solve my
> issue 15 minutes before your mail ;-) And I feel sorry for all your
> now "wasted" efforts in trying to help me.

That’s OK. You solved the issue; that’s what’s important!

> Because I am leaving in some hours for Xmas vacations, I won't be able
> to come back to this issue for some days now.
>
> I'd like to thank all of you for your patience and help, and:
>
> Merry Christmas and with kind regards,

And to you!

/bz
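
Added example, not part of the thread and not FreeBSD project code: the [SOLVED] message above restored throughput on a NATing host by disabling LRO on vtnet. This sketch lists interfaces that still advertise LRO on a host that forwards packets and checks whether the loader.conf it is given already carries the tunable quoted in that message. The function names, the sample `ifconfig` output and the sample loader.conf are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). LRO merges received TCP segments into
# larger ones; that suits traffic terminating on the host and is commonly
# advised against on hosts that forward or NAT packets onward, as in the thread.

# Print the name of every interface whose options=<...> list contains LRO.
# stdin: output of `ifconfig -a`.
lro_enabled_ifaces() {
    awk '
        $1 ~ /:$/ && $2 ~ /^flags=/ { iface = $1; sub(/:$/, "", iface); next }
        $1 ~ /^options=/ {
            caps = $1
            sub(/^[^<]*</, "", caps); sub(/>.*$/, "", caps)
            n = split(caps, cap, ",")
            for (i = 1; i <= n; i++) if (cap[i] == "LRO") print iface
        }'
}

# vtnet_lro_tunable_set IFACE FILE
# Succeed if FILE (loader.conf syntax) disables LRO for vtnet interface IFACE,
# globally (hw.vtnet.lro_disable) or per device (hw.vtnet.X.lro_disable).
vtnet_lro_tunable_set() {
    awk -v unit="${1#vtnet}" '
        {
            line = $0
            sub(/#.*/, "", line)          # drop comments
            gsub(/[ \t"]/, "", line)      # drop blanks and quotes
            if (line == "hw.vtnet.lro_disable=1" ||
                line == ("hw.vtnet." unit ".lro_disable=1")) found = 1
        }
        END { exit (found ? 0 : 1) }' "$2"
}

# audit_lro FORWARDING IFCONFIG_FILE LOADER_CONF
# FORWARDING is the value of `sysctl -n net.inet.ip.forwarding`.
audit_lro() {
    [ "$1" = "1" ] || return 0    # host does not forward: nothing to report
    lro_enabled_ifaces < "$2" | while read -r ifname; do
        case $ifname in
        vtnet*)
            if vtnet_lro_tunable_set "$ifname" "$3"; then
                echo "$ifname: LRO on, tunable set, effective after reboot"
            else
                echo "$ifname: LRO on, hw.vtnet.lro_disable not set"
            fi ;;
        *)  echo "$ifname: LRO on, check the driver's manual page" ;;
        esac
    done
}

# Constructed sample data (not taken from the thread), written to directory $1.
write_samples() {
    cat > "$1/ifconfig.txt" <<'EOF'
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,TSO4,TSO6,LRO,LINKSTATE>
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
EOF
    cat > "$1/loader.conf" <<'EOF'
# constructed sample loader.conf
autoboot_delay="3"
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_lro 1 "$demo_dir/ifconfig.txt" "$demo_dir/loader.conf"

# On a live host:
#   ifconfig -a > /tmp/ifconfig.txt
#   audit_lro "$(sysctl -n net.inet.ip.forwarding)" /tmp/ifconfig.txt /boot/loader.conf
```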