From owner-freebsd-current@freebsd.org Fri May 20 14:01:20 2016
Subject: Re: CURRENT: ipfw: problems with timeouts and worse network performance
To: Vladimir Zakharov
Cc: freebsd-current@freebsd.org
From: Jan Bramkamp
Message-ID: <0429473a-6bb6-70cb-05ca-fe0e83c173a0@rlwinm.de>
Date: Fri, 20 May 2016 16:01:17 +0200
In-Reply-To: <20160520135109.GD2371@vzakharov>
References: <20160520140152.3ab6fe44@hermann> <20160520125401.GC2371@vzakharov> <38888426-4d91-56ed-9ab3-0d516b0b8d46@rlwinm.de> <20160520135109.GD2371@vzakharov>
List-Id: Discussions about the use of FreeBSD-current

On 20/05/16 15:51, Vladimir Zakharov wrote:
> On Fri, May 20, 2016, Jan Bramkamp wrote:
>> On 20/05/16 14:54, Vladimir Zakharov wrote:
>>> Hello
>>>
>>> On Fri, May 20, 2016, O. Hartmann wrote:
>>>> I reported earlier about broken pipes in ssh sessions to remote hosts,
>>>> which occur on an erratic basis. I'm investigating this problem now and
>>>> it seems that it is also ipfw-related, but I'm not sure. This problem
>>>> has been present for a couple of weeks now.
>>>
>>> Maybe this could help...
>>>
>>> I've also experienced problems with broken pipes in ssh sessions some
>>> time ago. Setting in sysctl.conf
>>>
>>> net.inet.ip.fw.dyn_ack_lifetime=3600
>>>
>>> fixed the problem for me. I didn't experiment with the value though. So,
>>> possibly, changing the default value (300s) to 1 hour is overkill :).
>>
>> By default the OpenSSH SSH client is configured to use TCP keepalives.
>> Those should produce enough packets at a short enough interval to keep
>> the dynamic IPFW state established.
>>
>> Does your traffic pass through libalias?
> I guess not. How can I be sure?

Libalias is used by ipfw and the old userland natd to implement IPv4 NAT.
It requires unmodified access to all packets including their headers. LRO
and TSO coalesce packets to save CPU time, but the process loses some of
the information required by libalias. Unless your ruleset uses ipfw
in-kernel NAT or diverts traffic to natd you don't have to worry about
libalias. Use `kldstat -v | grep libalias` to check for libalias in the
running kernel and `pgrep natd` to search for running natd instances.
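The checks Jan describes (libalias present in the kernel, a running natd, a ruleset that uses in-kernel NAT or divert, and the current dyn_ack_lifetime) can be wrapped in a small POSIX shell script. The script below is an added example for this archive page, not code from the thread or from FreeBSD; it works over command output passed in as text, so the constructed sample outputs let it run anywhere, and on a real FreeBSD host the same functions are fed the real `kldstat -v`, `ps`, `ipfw list` and `sysctl` output. The sample kldstat, ps and ipfw listings are constructed, not captured from a live system.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from FreeBSD.
# Each function takes command output as a string and exits 0/1 (or prints
# a value), so the logic can be tested against the constructed samples
# below and reused against live output on a FreeBSD host.

# Constructed sample: `kldstat -v` output with and without libalias.
KLDSTAT_WITH_ALIAS='Id Refs Address            Size     Name
 1   10 0xffffffff80200000 1f9e0f0  kernel (/boot/kernel/kernel)
        Contains modules:
                Id Name
                 1 ipfw
                 2 libalias'
KLDSTAT_NO_ALIAS='Id Refs Address            Size     Name
 1   10 0xffffffff80200000 1f9e0f0  kernel (/boot/kernel/kernel)
        Contains modules:
                Id Name
                 1 ipfw'

# Constructed sample: `ps -ax -o pid,command` output with and without natd.
PS_WITH_NATD='  PID COMMAND
  812 /sbin/natd -f /etc/natd.conf
  900 /usr/sbin/sshd'
PS_NO_NATD='  PID COMMAND
  900 /usr/sbin/sshd'

# Constructed sample: `ipfw list` output, once with in-kernel NAT and
# once with only stateful allow rules.
RULES_WITH_NAT='00100 nat 1 ip4 from any to any via em0
00200 check-state
00300 allow tcp from any to any established
65535 deny ip from any to any'
RULES_STATEFUL_ONLY='00100 check-state
00200 allow tcp from me to any setup keep-state
65535 deny ip from any to any'

# Exit 0 when kldstat -v output lists libalias (compiled in or loaded).
libalias_loaded() {
    printf '%s\n' "$1" | grep -q 'libalias'
}

# Exit 0 when a natd process appears in the ps listing (pgrep natd on a
# live host does the same job).
natd_running() {
    printf '%s\n' "$1" | grep -Eq '(^|[ /])natd( |$)'
}

# Exit 0 when a rule uses in-kernel NAT or diverts packets (to natd),
# i.e. the cases where libalias actually sees the traffic.
ruleset_uses_libalias() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+[[:space:]]+(nat|divert)[[:space:]]'
}

# Print the value of net.inet.ip.fw.dyn_ack_lifetime from "name: value"
# sysctl output, for comparison with the 300 s default.
dyn_ack_lifetime() {
    printf '%s\n' "$1" | sed -n 's/^net\.inet\.ip\.fw\.dyn_ack_lifetime: *\([0-9]*\).*/\1/p'
}

# One-line verdict: is libalias in the packet path, and what is the
# dynamic-rule ACK lifetime on this host?
report() {
    kld="$1"; ps_out="$2"; rules="$3"; sysctl_out="$4"
    if libalias_loaded "$kld" && { natd_running "$ps_out" || ruleset_uses_libalias "$rules"; }; then
        path="libalias in packet path (check LRO/TSO on the NAT interface)"
    else
        path="libalias not in packet path"
    fi
    printf '%s; dyn_ack_lifetime=%ss\n' "$path" "$(dyn_ack_lifetime "$sysctl_out")"
}

# Stand-alone run against the constructed samples.
report "$KLDSTAT_WITH_ALIAS" "$PS_WITH_NATD" "$RULES_WITH_NAT" 'net.inet.ip.fw.dyn_ack_lifetime: 300'
report "$KLDSTAT_NO_ALIAS" "$PS_NO_NATD" "$RULES_STATEFUL_ONLY" 'net.inet.ip.fw.dyn_ack_lifetime: 3600'
```

On a FreeBSD host the same verdict comes from `report "$(kldstat -v)" "$(ps -ax -o pid,command)" "$(ipfw list)" "$(sysctl net.inet.ip.fw.dyn_ack_lifetime)"`. The ruleset check is deliberately narrow: a loaded libalias module alone does not put it in the packet path, only a `nat` or `divert` rule (or a running natd) does, which is the distinction Jan's reply draws.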