Date:      Sat, 12 Mar 2022 17:47:15 -0600
From:      Kristof Provost <kp@FreeBSD.org>
To:        Johan Hendriks <joh.hendriks@gmail.com>
Cc:        Michael Gmelin <grembo@freebsd.org>, freebsd-net@freebsd.org, "Patrick M. Hausen" <hausen@punkt.de>
Subject:   Re: epair and vnet jail loose connection.
Message-ID:  <94B8885D-F63F-40C3-9E7E-158CC252FF9A@FreeBSD.org>
In-Reply-To: <CAOaKuAXrVONqZ1zHYJxLVo_=LF7GNGjUAmz0zoNoO3o=sq58bQ@mail.gmail.com>
References:  <41ED1534-5E98-4D46-A562-811E80F82C5F@FreeBSD.org> <43AA6B37-6235-4787-A03F-B4C264C75A58@freebsd.org> <B3094CE7-4869-4CF2-853D-F70E84B28914@FreeBSD.org> <CAOaKuAXrVONqZ1zHYJxLVo_=LF7GNGjUAmz0zoNoO3o=sq58bQ@mail.gmail.com>

I’m still failing to reproduce.

Is pf absolutely required to trigger the issue? Is haproxy (i.e. can you
trigger it with iperf)?
Is the bridge strictly required?

Kristof

On 12 Mar 2022, at 8:18, Johan Hendriks wrote:
> For me this minimal setup let me see the drop off of the network from the
> haproxy server.
>
> 2 jails, one with haproxy, one with nginx which is using the following html
> file to be served.
>
> <!DOCTYPE html>
> <html>
> <head>
> <title>Page Title</title>
> </head>
> <body>
>
> <h1>My First Heading</h1>
> <p>My first paragraph.</p>
>
> </body>
> </html>
>
> From a remote machine I do a  hey -h2 -n 10 -c 10 -z 300s https://wp.test.nl
> Then a ping on the jailhost to the haproxy shows the following
>
> [ /] > ping 10.233.185.20
> PING 10.233.185.20 (10.233.185.20): 56 data bytes
> 64 bytes from 10.233.185.20: icmp_seq=0 ttl=64 time=0.054 ms
> 64 bytes from 10.233.185.20: icmp_seq=1 ttl=64 time=0.050 ms
> 64 bytes from 10.233.185.20: icmp_seq=2 ttl=64 time=0.041 ms
> <SNIP>
> 64 bytes from 10.233.185.20: icmp_seq=169 ttl=64 time=0.050 ms
> 64 bytes from 10.233.185.20: icmp_seq=170 ttl=64 time=0.154 ms
> 64 bytes from 10.233.185.20: icmp_seq=171 ttl=64 time=0.054 ms
> 64 bytes from 10.233.185.20: icmp_seq=172 ttl=64 time=0.039 ms
> 64 bytes from 10.233.185.20: icmp_seq=173 ttl=64 time=0.160 ms
> 64 bytes from 10.233.185.20: icmp_seq=174 ttl=64 time=0.045 ms
> ^C
> --- 10.233.185.20 ping statistics ---
> 335 packets transmitted, 175 packets received, 47.8% packet loss
> round-trip min/avg/max/stddev = 0.037/0.070/0.251/0.040 ms
>
>
> ifconfig
> vtnet0: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
> options=4c00bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE,TXCSUM_IPV6>
> ether 56:16:e9:80:5e:41
> inet 87.233.191.146 netmask 0xfffffff0 broadcast 87.233.191.159
> inet 87.233.191.156 netmask 0xffffffff broadcast 87.233.191.156
> inet 87.233.191.155 netmask 0xffffffff broadcast 87.233.191.155
> inet 87.233.191.154 netmask 0xffffffff broadcast 87.233.191.154
> media: Ethernet autoselect (10Gbase-T <full-duplex>)
> status: active
> nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
> vtnet1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> options=4c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,TXCSUM_IPV6>
> ether 56:16:2c:64:32:35
> media: Ethernet autoselect (10Gbase-T <full-duplex>)
> status: active
> nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
> options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
> inet 127.0.0.1 netmask 0xff000000
> groups: lo
> nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
> bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> ether 58:9c:fc:10:ff:82
> inet 10.233.185.1 netmask 0xffffff00 broadcast 10.233.185.255
> id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
> maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
> root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
> member: epair20a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>        ifmaxaddr 0 port 7 priority 128 path cost 2000
> member: epair18a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>        ifmaxaddr 0 port 15 priority 128 path cost 2000
> groups: bridge
> nd6 options=9<PERFORMNUD,IFDISABLED>
> bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> ether 58:9c:fc:10:d9:1a
> id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
> maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
> root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
> member: vtnet0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>        ifmaxaddr 0 port 1 priority 128 path cost 2000
> groups: bridge
> nd6 options=9<PERFORMNUD,IFDISABLED>
> pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
> groups: pflog
> epair18a: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
> description: jail_web01
> options=8<VLAN_MTU>
> ether 02:77:ea:19:c7:0a
> groups: epair
> media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
> status: active
> nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
> epair20a: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
> description: jail_haproxy
> options=8<VLAN_MTU>
> ether 02:9b:93:8c:59:0a
> groups: epair
> media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
> status: active
> nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>
> jail.conf
>
> # Global settings applied to all jails.
> $domain = "test.nl";
>
> exec.start = "/bin/sh /etc/rc";
> exec.stop = "/bin/sh /etc/rc.shutdown";
> exec.clean;
>
> mount.fstab = "/storage/jails/$name.fstab";
>
> exec.system_user  = "root";
> exec.jail_user    = "root";
> mount.devfs;
> sysvshm="new";
> sysvsem="new";
> allow.raw_sockets;
> allow.set_hostname = 0;
> allow.sysvipc;
> enforce_statfs = "2";
> devfs_ruleset     = "11";
>
> path = "/storage/jails/${name}";
> host.hostname = "${name}.${domain}";
>
>
> # Networking
> vnet;
> vnet.interface    = "vnet0";
>
>   # Commands to run on host before jail is created
>   exec.prestart  = "ifconfig epair${ip} create up description jail_${name}";
>   exec.prestart  += "ifconfig epair${ip}a up";
>   exec.prestart  += "ifconfig bridge0 addm epair${ip}a up";
>   exec.created   = "ifconfig epair${ip}b name vnet0";
>
>   # Commands to run in jail after it is created
>   exec.start  += "/bin/sh /etc/rc";
>
>   # commands to run in jail when jail is stopped
>   exec.stop  = "/bin/sh /etc/rc.shutdown";
>
>   # Commands to run on host when jail is stopped
>   exec.poststop  = "ifconfig bridge0 deletem epair${ip}a";
>   exec.poststop  += "ifconfig epair${ip}a destroy";
>   persist;
>
> web01 {
>     $ip = 18;
> }
>
> haproxy {
>     $ip = 20;
>     mount.fstab = "";
>     path = "/storage/jails/${name}";
> }
>
> pf.conf
>
> #######################################################################
> ext_if="vtnet0"
> table <bruteforcers> persist
> table <torlist> persist
> table <ssh-trusted> persist file "/usr/local/etc/pf/ssh-trusted"
> table <custom-block> persist file "/usr/local/etc/pf/custom-block"
> table <jailnetworks> { 10.233.185.0/24, 192.168.10.0/24 }
>
> icmp_types = "echoreq"
> junk_ports="{ 135,137,138,139,445,68,67,3222,17500 }"
>
> # Log interface
> set loginterface $ext_if
>
> # Set limits
> set limit { states 40000, frags 20000, src-nodes 20000 }
>
> scrub on $ext_if all fragment reassemble no-df random-id
>
> # ---- Nat jails to the web
> binat on $ext_if from 10.233.185.15/32 to !10.233.185.0/24 -> 87.233.191.156/32 # saltmaste
> binat on $ext_if from 10.233.185.20/32 to !10.233.185.0/24 -> 87.233.191.155/32 # haproxy
> binat on $ext_if from 10.233.185.22/32 to !10.233.185.0/24 -> 87.233.191.154/32 # web-comb
>
> nat on $ext_if from <jailnetworks> to any -> ($ext_if:0)
>
> # ---- First rule obligatory "Pass all on loopback"
> pass quick on lo0 all
> pass quick on bridge0 all
> pass quick on bridge1 all
>
> # ---- Block TOR exit addresses
> block quick proto { tcp, udp } from <torlist> to $ext_if
>
> # ---- Second rule "Block all in and pass all out"
> block in log all
> pass out all keep state
>
> # IPv6 pass in/out all IPv6 ICMP traffic
> pass in quick proto icmp6 all
>
> # Pass all lo0
> set skip on lo0
>
> ############### FIREWALL ###############################################
> # ---- Block custom ip's and logs
> block quick proto { tcp, udp } from <custom-block> to $ext_if
>
> # ---- Jail ports
> pass in quick on { $ext_if } proto tcp from any to 10.233.185.22 port { smtp 80 443 993 995 1956 } keep state
> pass in quick on { $ext_if } proto tcp from any to 10.233.185.20 port { smtp 80 443 993 995 1956 } keep state
> pass in quick on { $ext_if } proto tcp from any to 10.233.185.15 port { 4505 4506 } keep state
>
> # ---- Allow ICMP
> pass in inet proto icmp all icmp-type $icmp_types keep state
> pass out inet proto icmp all icmp-type $icmp_types keep state
>
> pass in quick on $ext_if inet proto tcp from any to $ext_if port { 80, 443 } flags S/SA keep state
> pass in quick on $ext_if inet proto tcp from <ssh-trusted> to $ext_if port { 4505 4506 } flags S/SA keep state
> block log quick from <bruteforcers>
> pass quick proto tcp from <ssh-trusted> to $ext_if port ssh flags S/SA keep state
>
> This is as minimal as I can get it.
>
> Hope this helps.
> regards,
> Johan Hendriks
>
>
> On Sat 12 Mar 2022 at 02:10, Kristof Provost <kp@freebsd.org> wrote:
>
>> On 11 Mar 2022, at 18:55, Michael Gmelin wrote:
>>>> On 12. Mar 2022, at 01:21, Kristof Provost <kp@freebsd.org> wrote:
>>>>
>>>> On 11 Mar 2022, at 17:44, Johan Hendriks wrote:
>>>>>> On 09/03/2022 20:55, Johan Hendriks wrote:
>>>>>> The problem:
>>>>>> I have a FreeBSD 14 machine and a FreeBSD 13-stable machine, both
>>>>>> running the same jails just to test the workings.
>>>>>>
>>>>>> The jails that are running are a salt master, a haproxy jail, 2
>>>>>> webservers, 2 varnish servers, 2 php jails one for php8.0 and one
>>>>>> with 8.1. All the jails are connected to bridge0 and all the jails
>>>>>> use vnet.
>>>>>>
>>>>>> I believe this worked on an older 14-HEAD machine, but I did not do
>>>>>> a lot with it back then, and when I started testing again and after
>>>>>> updating the OS I noticed that one of the varnish jails lost its
>>>>>> network connection after running for a few hours. I thought it was
>>>>>> just something on HEAD so never really looked at it. But later on
>>>>>> when I started using the jails again and testing a test wordpress
>>>>>> site I noticed that with a simple load test my haproxy jail within
>>>>>> one minute loses its network connection. I see nothing in the logs,
>>>>>> on the host and on the jail.
>>>>>> From the jail I can not ping the other jails or the IP address of
>>>>>> the bridge. I can however ping the jail's own IP address. From the
>>>>>> host I can also not ping the haproxy jail IP address. If I start a
>>>>>> tcpdump on the epaira interface from the haproxy jail I do see the
>>>>>> packets arrive but not in the jail.
>>>>>>
>>>>>> I used ZFS to send all the jails to a 13-STABLE machine and copied
>>>>>> over the jail.conf file as well as the pf.conf file and I saw the
>>>>>> same behavior.
>>>>>>
>>>>>> Then I tried to use 13.0-RELEASE-p7 and on that machine I do not
>>>>>> see this happening. There I can stress test the machine for 10
>>>>>> minutes without a problem but on 14-HEAD and 13-STABLE within a
>>>>>> minute the jail's network connection fails and only a restart of
>>>>>> the jail brings it back online to exhibit the same behavior if I
>>>>>> start a simple load test which it should handle nicely.
>>>>>>
>>>>>> One of the jail hosts is running under VMWARE and the other is
>>>>>> running under Ubuntu with KVM. The 13.0-RELEASE-p7 jail host is
>>>>>> running under Ubuntu with KVM.
>>>>>>
>>>>>> Thank you for your time.
>>>>>> regards
>>>>>> Johan
>>>>>>
>>>>> I did some bisecting and the latest commit that works on FreeBSD
>>>>> 13-Stable is 009a56b2e
>>>>> Then the commit 2e0bee4c7 "if_epair: implement fanout" and above is
>>>>> showing the symptoms described above.
>>>>>
>>>> Interestingly I cannot reproduce stalls in simple epair setups.
>>>> It would be useful if you could reduce the setup with the problem
>>>> into a minimal configuration so we can figure out what other factors
>>>> are involved.
>>>
>>> If there are clear instructions on how to reproduce, I’m happy to help
>>> experimenting (I’m relying heavily on epair at this point).
>>>
>>> @Kristof: Did you try on bare metal or on vms?
>>>
>> Both.
>>
>> Kristof
>>

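A small diagnostic added here (it is not the reporter's code nor part of FreeBSD) for the stall described in the thread: it parses ping(8) output for runs of missing icmp_seq values so a hard stall can be told apart from scattered loss, and on a stall it collects the two views Johan compared, ICMP on the host end of the epair versus the interface as seen inside the jail. The address, epair and jail names are assumptions taken from the quoted setup, and the sample ping output is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: turn ping(8)
# output into runs of lost icmp_seq values so a hard stall of a vnet jail
# (one long run, as in the report above) can be told apart from sporadic
# loss, and on a stall collect the two views the thread compares: what the
# host side of the epair sees versus what the jail sees.

# ping_gaps THRESHOLD: read ping output on stdin, print one line per run of
# missing icmp_seq values, then a summary line with the longest run and a
# verdict: ok (no loss), intermittent (every run shorter than THRESHOLD)
# or stall (some run of THRESHOLD or more consecutive lost probes).
ping_gaps() {
    awk -v thr="${1:-10}" '
        BEGIN { longest = 0; seen = 0 }
        /icmp_seq=/ {
            seq = $0
            sub(/.*icmp_seq=/, "", seq)   # keep only the sequence number
            sub(/ .*/, "", seq)
            seq += 0
            if (seen && seq > last + 1) {
                first = last + 1
                n = seq - first
                printf "lost %d-%d (%d)\n", first, seq - 1, n
                if (n > longest) longest = n
            }
            last = seq
            seen = 1
        }
        END {
            verdict = "ok"
            if (longest > 0) verdict = "intermittent"
            if (longest >= thr) verdict = "stall"
            printf "longest=%d verdict=%s\n", longest, verdict
        }
    '
}

# sample_ping_output: constructed stand-in for the capture in the thread
# (replies for seq 0-2, nothing until seq 169, then replies again).
sample_ping_output() {
    printf '%s\n' \
        'PING 10.233.185.20 (10.233.185.20): 56 data bytes' \
        '64 bytes from 10.233.185.20: icmp_seq=0 ttl=64 time=0.054 ms' \
        '64 bytes from 10.233.185.20: icmp_seq=1 ttl=64 time=0.050 ms' \
        '64 bytes from 10.233.185.20: icmp_seq=2 ttl=64 time=0.041 ms' \
        '64 bytes from 10.233.185.20: icmp_seq=169 ttl=64 time=0.050 ms' \
        '64 bytes from 10.233.185.20: icmp_seq=170 ttl=64 time=0.154 ms' \
        '--- 10.233.185.20 ping statistics ---' \
        '171 packets transmitted, 5 packets received, 97.0% packet loss'
}

# watch_jail TARGET EPAIR JAIL [COUNT]: FreeBSD-only. Ping the jail from the
# host at 5 probes/s and, if ping_gaps reports a stall, capture ICMP on the
# host end of the epair and show the interface from inside the jail. Returns
# non-zero on a stall so it can drive a loop or a cron job.
watch_jail() {
    target=$1; epair=$2; jail=$3; count=${4:-300}
    result=$(ping -c "$count" -i 0.2 "$target" 2>&1 | ping_gaps 10)
    printf '%s\n' "$result"
    case $result in
        *verdict=stall*)
            tcpdump -ni "$epair" -c 20 icmp     # frames reaching the host side
            jexec "$jail" ifconfig vnet0        # does the jail still see them?
            return 1 ;;
    esac
    return 0
}

# Stand-alone run: analyse the constructed sample. On the reporter's host
# (assumed names) this would be: watch_jail 10.233.185.20 epair20a haproxy
sample_ping_output | ping_gaps 10
```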