Date: Tue, 6 Jul 2010 13:32:22 -0700 From: Jeremy Chadwick <freebsd@jdc.parodius.com> To: Roland Smith <rsmith@xs4all.nl> Cc: Max Laier <max@love2party.net>, David Warren <davideugenewarren@gmail.com>, freebsd-stable@freebsd.org Subject: Re: 8.0 network problem Message-ID: <20100706203222.GA68830@icarus.home.lan> In-Reply-To: <20100706174155.GA56410@slackbox.erewhon.net> References: <AANLkTin4l7-UzDQW04voF6Lf-vMaHhCrvXP39GGsmgKG@mail.gmail.com> <20100705055105.GA21681@icarus.home.lan> <AANLkTim5X6YSsbU-HFiUy6PPG_bf0_Hymd7q7ozOsHaD@mail.gmail.com> <AANLkTinDRYNiCef9V_qRv5Ge2DotVjQep6M3guUwx35E@mail.gmail.com> <20100706174155.GA56410@slackbox.erewhon.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Adding Max Laier (maintainer of pf) to the CC list. He may have some ideas as to what's causing this. Max, relevant thread details: http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057586.html http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057597.html http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057602.html The last link above indicates the OP gets decent transfer rates with pf disabled, and includes his pf.conf. On Tue, Jul 06, 2010 at 07:41:55PM +0200, Roland Smith wrote: > On Tue, Jul 06, 2010 at 01:06:25AM -0500, David Warren wrote: > > pass out keep state > > I think keeping state is the default now. It is, but it's worth going over the "history" just so people understand. I've been schooled on this in the past, but I'm still going off of memory so if someone knows otherwise please chime in. In 7.2 and earlier (I could have the version numbers wrong, but 7.3-PRERELEASE doesn't require this), you had to explicitly state "keep state flags S/SA" on TCP traffic, and "keep state" on UDP/ICMP traffic. This is because said version(s) use older and newer pf, respectively. So in the OP's case, the above rule on an older OS would cause mayhem (excessive states being created for TCP, and improperly at that (any outbound TCP packet, rather than ones with only SYN set when looking at only SYN & ACK)). In 7.3 and later (including 8.x and onward), the "keep state" parameter isn't needed; it's explicitly applied unless you use "no_state". pf also intelligently figures out when to use "flags S/SA" (e.g. for TCP rules). For example, the following pf.conf rule (notice that there's no protocol defined): pass in quick on em0 inet from any to 1.2.3.4 keep state Gets turned into: pass in quick on em0 inet from any to 1.2.3.4 flags S/SA keep state And "does the right thing" even with UDP/ICMP traffic where there's no stateful flags involves. Meaning, the "flags S/SA" part applies to any inbound TCP, and isn't used for other protocols. Back to the problem at hand: I wonder if it's lack of "quick" on some rules which is causing the problem; hard to say, and I'm not sure how to "benchmark" pf. Furthermore, remember that the OP can move to another NIC and the problem goes away[1]. I know there have been issues in the past reported with em(4) and pf ALTQ, but that isn't in use here. [1]: I assume the OP is updating pf.conf to specify the changed interface and so on; if not, then I imagine it would be as effective as disabling pf (thus "it's fast when I use something other than em0" would be inaccurate). I simply don't know. -- | Jeremy Chadwick jdc@parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB |
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100706203222.GA68830>