Date: Tue, 6 Jul 2010 22:48:42 +0200
From: Max Laier <max@love2party.net>
To: Jeremy Chadwick <freebsd@jdc.parodius.com>
Cc: Roland Smith <rsmith@xs4all.nl>, David Warren <davideugenewarren@gmail.com>, freebsd-stable@freebsd.org
Subject: Re: 8.0 network problem
Message-ID: <201007062248.42720.max@love2party.net>
In-Reply-To: <20100706203222.GA68830@icarus.home.lan>
References: <AANLkTin4l7-UzDQW04voF6Lf-vMaHhCrvXP39GGsmgKG@mail.gmail.com> <20100706174155.GA56410@slackbox.erewhon.net> <20100706203222.GA68830@icarus.home.lan>

On Tuesday 06 July 2010 22:32:22 Jeremy Chadwick wrote:
> Adding Max Laier (maintainer of pf) to the CC list. He may have some
> ideas as to what's causing this. Max, relevant thread details:
>
> http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057586.html
> http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057597.html
> http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057602.html
>
> The last link above indicates the OP gets decent transfer rates with pf
> disabled, and includes his pf.conf.

Please check "pfctl -si" esp. "state-mismatch". This is always the first
indication that something is wrong. In addition you can set a higher pf
debugging level (pfctl -xm) in order to get more information on the issue - if
the cause is indeed a state mismatch.

> On Tue, Jul 06, 2010 at 07:41:55PM +0200, Roland Smith wrote:
> > On Tue, Jul 06, 2010 at 01:06:25AM -0500, David Warren wrote:
> > > pass out keep state
> >
> > I think keeping state is the default now.
>
> It is, but it's worth going over the "history" just so people
> understand. I've been schooled on this in the past, but I'm still going
> off of memory so if someone knows otherwise please chime in.
>
> In 7.2 and earlier (I could have the version numbers wrong, but
> 7.3-PRERELEASE doesn't require this), you had to explicitly state "keep
> state flags S/SA" on TCP traffic, and "keep state" on UDP/ICMP traffic.
> This is because said version(s) use older and newer pf, respectively.
>
> So in the OP's case, the above rule on an older OS would cause mayhem
> (excessive states being created for TCP, and improperly at that (any
> outbound TCP packet, rather than ones with only SYN set when looking at
> only SYN & ACK)).
>
> In 7.3 and later (including 8.x and onward), the "keep state" parameter
> isn't needed; it's explicitly applied unless you use "no_state". pf
> also intelligently figures out when to use "flags S/SA" (e.g. for TCP
> rules). For example, the following pf.conf rule (notice that there's no
> protocol defined):
>
> pass in quick on em0 inet from any to 1.2.3.4 keep state
>
> Gets turned into:
>
> pass in quick on em0 inet from any to 1.2.3.4 flags S/SA keep state
>
> And "does the right thing" even with UDP/ICMP traffic where there's no
> stateful flags involved. Meaning, the "flags S/SA" part applies to any
> inbound TCP, and isn't used for other protocols.
>
> Back to the problem at hand:
>
> I wonder if it's lack of "quick" on some rules which is causing the
> problem; hard to say, and I'm not sure how to "benchmark" pf.
>
> Furthermore, remember that the OP can move to another NIC and the
> problem goes away[1]. I know there have been issues in the past
> reported with em(4) and pf ALTQ, but that isn't in use here.
>
> [1]: I assume the OP is updating pf.conf to specify the changed
> interface and so on; if not, then I imagine it would be as effective as
> disabling pf (thus "it's fast when I use something other than em0" would
> be inaccurate). I simply don't know.
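
The "pfctl -si" check suggested in the reply above, as an added example that is not part of the original message: because the counters are cumulative, two snapshots taken around a slow transfer show whether state-mismatch is actually growing. The function names and the sample snapshots are constructed for illustration.

```sh
#!/bin/sh
# Added example: measure how much pf's state-mismatch counter grows.

# Print the cumulative total of one named counter from `pfctl -si` text
# on stdin. Exit status is 1 if the counter line is absent.
pf_counter() {
    awk -v name="$1" '$1 == name { print $2; found = 1 } END { exit !found }'
}

# Print the growth of state-mismatch between two `pfctl -si` snapshots.
# If the total went down (statistics were cleared in between), the second
# total is the growth since the clear.
mismatch_delta() {
    before=$(printf '%s\n' "$1" | pf_counter state-mismatch) || return 2
    after=$(printf '%s\n' "$2" | pf_counter state-mismatch) || return 2
    if [ "$after" -lt "$before" ]; then
        echo "$after"
    else
        echo $((after - before))
    fi
}

# Constructed snapshots (trimmed to a few counter lines), standing in for
#   snap=$(pfctl -si)    taken before and after a slow transfer.
SAMPLE_BEFORE='Counters
  match                             104233           12.1/s
  state-mismatch                        37            0.0/s
  state-insert                           0            0.0/s'

SAMPLE_AFTER='Counters
  match                             131870           15.3/s
  state-mismatch                       449            0.1/s
  state-insert                           0            0.0/s'

delta=$(mismatch_delta "$SAMPLE_BEFORE" "$SAMPLE_AFTER")
echo "state-mismatch grew by $delta during the transfer"
```

A delta that stays at or near zero while the transfer is slow points away from a state mismatch; a steadily growing one is the case where raising the debug level with "pfctl -xm" is worth doing.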