Date:      Tue, 13 Oct 2020 11:38:49 +0200
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        Kristof Provost <kp@FreeBSD.org>, "Eugene M. Zheganin" <emz@norma.perm.ru>
Cc:        freebsd-net@freebsd.org, freebsd-stable <freebsd-stable@FreeBSD.org>
Subject:   Re: pf and hnX interfaces
Message-ID:  <3a276ae4-59d2-5637-f6d2-2252f9fe4d4d@quip.cz>
In-Reply-To: <5FB9EFF9-0D95-4FC6-9469-2FC29D479379@FreeBSD.org>
References:  <7166d87e-7547-6be8-42a7-b0957ca4f543@norma.perm.ru> <5FB9EFF9-0D95-4FC6-9469-2FC29D479379@FreeBSD.org>

On 13/10/2020 11:19, Kristof Provost wrote:
> On 13 Oct 2020, at 10:58, Eugene M. Zheganin wrote:

>> Is there some issue with pf and hn interfaces that I'm unaware of?
>>
> There’s no interface specific code in pf, so it wouldn’t be specific to 
> hn interfaces.
> 
>> Are these symptoms of a bug?
>>
> Perhaps. It can also be a symptom of resource exhaustion.
> Are there any signs of memory allocation failures, or incrementing error 
> counters (in netstat or in pfctl)?

I have seen this kind of error in VirtualBox with PF and an emulated Intel 
interface (emX):

Oct  1 22:42:19 bobik postfix/smtp[35330]: connect to aspmx.l.google.com[108.177.126.27]:25: Permission denied
Oct  1 22:42:19 bobik postfix/smtp[36246]: connect to aspmx.l.google.com[108.177.126.27]:25: Permission denied
Oct  1 22:42:19 bobik postfix/smtp[35330]: connect to alt2.aspmx.l.google.com[108.177.97.27]:25: Permission denied
Oct  1 22:42:19 bobik postfix/smtp[36246]: connect to alt1.aspmx.l.google.com[172.253.118.27]:25: Permission denied
Oct  1 22:42:19 bobik postfix/smtp[35330]: connect to alt1.aspmx.l.google.com[172.253.118.27]:25: Permission denied
Oct  1 22:42:19 bobik postfix/smtp[36246]: connect to alt2.aspmx.l.google.com[108.177.97.27]:25: Permission denied


I think it is related to states table exhaustion (reported in 
freebsd-pf@ mailing list about a week ago).

My firewall rules are open for all outgoing traffic.

So I think your problem is related to some resource exhaustion too.

Kind regards
Miroslav Lachman
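
One way to test the resource-exhaustion hypothesis discussed in this thread, as an added example that is not part of the original message: compare pf's current state count with its hard limit and look at the memory drop counter Kristof asks about. The sample `pfctl -si` / `pfctl -sm` output is constructed, and the function names and the 90% threshold are assumptions.

```shell
#!/bin/sh
# Added example: parse `pfctl -si` / `pfctl -sm` text for state-table pressure.
# Sample output below is constructed for illustration, not taken from the thread.
SAMPLE_INFO='State Table                          Total             Rate
  current entries                     9994
  searches                        48211733          558.0/s
  inserts                           912004           10.6/s
  removals                          902010           10.4/s
Counters
  match                             951022           11.0/s
  memory                              4312            0.0/s
  state-limit                            0            0.0/s'
SAMPLE_LIMITS='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# Current number of state entries, from `pfctl -si` text ($1).
pf_states_current() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# Hard limit on states, from `pfctl -sm` text ($1).
pf_states_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# Total of a named counter ($2, e.g. memory) from `pfctl -si` text ($1).
pf_counter() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $2; exit }'
}

# Report state-table pressure. $1 = -si text, $2 = -sm text, $3 = warn percent.
# Returns 1 when usage >= $3 or the memory counter is non-zero, 2 on bad input.
pf_check() {
    cur=$(pf_states_current "$1"); lim=$(pf_states_limit "$2")
    mem=$(pf_counter "$1" memory)
    [ -n "$cur" ] && [ -n "$lim" ] && [ "$lim" -gt 0 ] || { echo "unparsable input"; return 2; }
    pct=$(( cur * 100 / lim ))
    echo "states=$cur limit=$lim usage=${pct}% memory_drops=${mem:-0}"
    [ "$pct" -lt "${3:-90}" ] && [ "${mem:-0}" -eq 0 ]
}

# Live use on a FreeBSD host (as root):
#   pf_check "$(pfctl -si)" "$(pfctl -sm)" 90
pf_check "$SAMPLE_INFO" "$SAMPLE_LIMITS" 90 || echo "state table under pressure"
```

Running the check twice a few minutes apart shows whether the memory counter is still incrementing, which is the signal asked about earlier in the thread.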


