Date: Tue, 16 Mar 2010 15:19:51 -0400
From: "kevin" <k@kevinkevin.com>
To: <freebsd-pf@freebsd.org>, <freebsd-net@freebsd.org>
Subject: PF + BRIDGE + PFSYNC causes system freezing
Message-ID: <00bc01cac53d$a92f0b70$fb8d2250$@com>
References: <4B8E4850.1060104@zirakzigil.org> <4B9EA5A2.4010900@zirakzigil.org>

I have been experiencing this problem with 2x FreeBSD firewall implementations running pf + transparent bridging + pfsync between both boxes.

Today, in an effort to narrow down and troubleshoot the issue further, I have decided to build two FreeBSD 7.2-RELEASE implementations using VirtualBox. Each box was allocated 256MB RAM, 3 NICs (internal network only) and a 4GB hard drive.

I compiled PF/ALTQ/MROUTING into the kernel and installed it. No other fundamental modifications were made.

The intent is to reproduce the problem in a controlled environment and provide any information to @freebsd.org if requested.

Here is the pertinent information below. Note both boxes are identical:

[UNAME]

# uname -a
FreeBSD fw 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Tue Mar 16 13:18:05 UTC 2010 root@:/usr/obj/usr/src/sys/FW i386

[IFCONFIG]

# ifconfig
em0: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:91:2d:fd
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
em1: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:c7:3f:6b
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:de:66:c6
        inet 10.0.0.10 netmask 0xffffff00 broadcast 10.0.0.255
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
        pfsync: syncdev: em2 syncpeer: 10.0.0.11 maxupd: 128
bridge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 1e:29:e0:82:6e:d6
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000

[KERNEL OPTIONS]

# Multicast routing support
options         MROUTING

# PF Firewall
device          pf
device          pflog
device          pfsync

options         ALTQ
options         ALTQ_CBQ        # Class Bases Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build

[RC.CONF]

keymap="us.iso"
hostname="fw"
gateway_enable="YES"
sshd_enable="YES"

cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 addm em1 up"
ifconfig_em0="up"
ifconfig_em1="up"
ifconfig_em2="inet 10.0.0.10 netmask 255.255.255.0"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

pfsync_enable="YES"
pfsync_syncdev="em2"
ifconfig_pfsync0="up syncpeer 10.0.0.11 syncif em2"

[PF.CONF]

# macros
ext_if="em0"
int_if="em1"
mng_if="em2"

tcp_services="{ 22, 113, 53, 80 }"
icmp_types="echoreq"

# options
set block-policy return
set loginterface $ext_if
set skip on lo

# scrub
scrub in all random-id fragment reassemble
scrub out on $ext_if random-id

# filter rules
pass in quick
pass out quick
pass quick on $mng_if proto pfsync

Note the only difference in config is the IP address of the pfsync interface.

When both boxes are on, one or both of them start to really slow down and ultimately freeze. No messages are pasted on the console and /var/log/messages is inaccessible during this point.

I would like to assist in diagnosing this issue, so if anyone wants me to check anything or test, please let me know. I would really like to understand this problem.

Thanks,

Kevin K.