Date: Tue, 18 Dec 2007 09:34:58 +0200
From: Silver Salonen <silver.salonen@gmail.com>
To: freebsd-pf@freebsd.org
Subject: occasional "Operation not permitted" on state-mismatch
Message-ID: <200712180934.58755.silver.salonen@gmail.com>
Hello!

I have some FreeBSD boxes (2x 6.3-PRERELEASE (installed on 08.Dec), 1x 6.2-RELEASE) with PF configured. They are connected with OpenVPN LAN-to-LAN, and the problem is that a few times per hour the connection drops between computers from one LAN to another. At first I blamed OpenVPN, then I blamed bridge, but now I've realized that the problem is in PF. So I've tried increasing TCP timeouts and setting optimization to "aggressive", but it's still the same.

I monitor connections by sending TCP packets once per second to some other host and waiting for a reply. I use Nagios-plugins' check_tcp for that. The script looks like:

=====
# Loop forever: print the pf state-mismatch counter before and after each
# probe, so that a probe failure can be matched to a change in the counter.
while [ 1 ]; do
    pfctl -si | grep mismatch
    /usr/local/libexec/nagios/check_tcp -H "$host" -p "$port" -t 2
    pfctl -si | grep mismatch
    sleep 1
done
=====

So if I let this script into action, I see that in 2-3 minutes check_tcp gets an "Operation not permitted" error, and just in this moment the packet-mismatch counter is increased by one (on a machine with less traffic, I get the timeout in a few hours). That's on both 6.3-PRERELEASE as well as on 6.2-RELEASE.

I've tried connections:
* along WAN to IPFW-enabled machines
* along WAN to PF-enabled machines
* along LAN to PF-enabled machines
* along LAN to Windows machines
* along VPN to PF-enabled machines
* along VPN to Windows machines

Sometimes I get just some connection timeout: CRITICAL - Socket timeout after 2 seconds (I don't know what could cause that).

I can see this behaviour on about every FreeBSD/PF machine I have.
The basic PF configuration looks like:

=====
# Answer blocked packets with RST/ICMP unreachable instead of dropping silently
set block-policy return
set loginterface $ext_if
set timeout tcp.closed 15
set optimization aggressive

scrub in all no-df

block drop out quick on $ext_if from ($ext_if) to 0.0.0.0
block log all

pass quick on lo0 all
# modulate state: keep state and randomise initial sequence numbers
pass out all modulate state
pass out proto tcp all flags S/SA modulate state
pass on $int_if all modulate state
pass on $int_if proto tcp all flags S/SA modulate state
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services flags S/SA modulate state
=====

Is PF buggy or have I misconfigured something?

-- 
Silver
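The correlation the mail does by eye (two `grep mismatch` lines around each probe) can be done in the script itself. The following is an added example, not code from the original mail: it parses the `state-mismatch` line of `pfctl -si` output, computes the delta across one probe, and labels the probe result accordingly. The two `pfctl -si` excerpts are constructed samples; the function names `mismatch_count` and `classify_probe` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original mail): match a probe failure against
# the pf "state-mismatch" counter printed by `pfctl -si`.

# Read `pfctl -si` output on stdin and print the state-mismatch count.
mismatch_count() {
    awk '$1 == "state-mismatch" { print $2; exit }'
}

# Label one probe: $1 = counter before, $2 = counter after, $3 = probe exit status.
# A failed probe that coincides with a counter increase is reported with the delta;
# a failed probe with no increase is reported separately so the two cases can be told apart.
classify_probe() {
    if [ "$3" -eq 0 ]; then
        echo ok
    elif [ "$2" -gt "$1" ]; then
        echo "mismatch+$(( $2 - $1 ))"
    else
        echo fail-no-mismatch
    fi
}

# Constructed samples standing in for two successive `pfctl -si` runs
# (only the counter lines relevant here are included).
SAMPLE_BEFORE='Status: Enabled for 0 days 01:02:03             Debug: Urgent

Counters
  match                           4200            1.1/s
  state-mismatch                    17            0.0/s
  state-insert                       0            0.0/s'

SAMPLE_AFTER='Status: Enabled for 0 days 01:02:04             Debug: Urgent

Counters
  match                           4201            1.1/s
  state-mismatch                    18            0.0/s
  state-insert                       0            0.0/s'

# Live use (needs root for pfctl; $host and $port as in the original script):
#   before=$(pfctl -si | mismatch_count)
#   /usr/local/libexec/nagios/check_tcp -H "$host" -p "$port" -t 2; rc=$?
#   after=$(pfctl -si | mismatch_count)
#   classify_probe "$before" "$after" "$rc"

# Offline demonstration on the constructed samples: `sh script.sh demo`
if [ "${1:-}" = "demo" ]; then
    b=$(printf '%s\n' "$SAMPLE_BEFORE" | mismatch_count)
    a=$(printf '%s\n' "$SAMPLE_AFTER" | mismatch_count)
    classify_probe "$b" "$a" 1
fi
```

Logging the label together with a timestamp for every probe gives a record of how many failures coincide with a counter step and how many do not, which separates the "Operation not permitted" case from the plain socket timeouts the mail also mentions.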