From: "kevin"
To: "'kevin'" , "'Daniel Hartmeier'"
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Wed, 17 Mar 2010 10:41:38 -0400
Subject: RE: PF + BRIDGE + PFSYNC causes system freezing

>>What are your settings for
>>
>>  $ sysctl -a | grep bridge.pfil

>#bridge options
>net.link.bridge.pfil_onlyip=1
>net.link.bridge.pfil_member=1
>net.link.bridge.pfil_bridge=0

>> Have you tried filtering only on one of the physical bridge interfaces,
>> with net.link.bridge.pfil_bridge=0 and set skip on { lo0, bridge0, em1}?

>I've only been filtering on one of the bridge interfaces, however I have
>not 'set skip on' the other interfaces. I will try that.

I have 'set skip' all interfaces except one of the bridged ones (em0), in pf.conf.

Interesting symptom currently is that the load on both servers is quite high considering they are just virtual machines that aren't actually doing anything:

[server1]
last pid: 1176; load averages: 2.66, 3.01, 2.87 up 0+00:36:26 10:34:24
22 processes: 1 running, 21 sleeping
CPU: % user, % nice, % system, % interrupt, % idle
Mem: 8140K Active, 9400K Inact, 27M Wired, 34M Buf, 195M Free
Swap: 120M Total, 120M Free

[server2]
last pid: 1116; load averages: 8.50, 10.11, 8.66 up 0+00:39:35 10:37:46
22 processes: 2 running, 20 sleeping
CPU: 0.0% user, 0.0% nice, 95.2% system, 4.8% interrupt, 0.0% idle
Mem: 8116K Active, 9560K Inact, 16M Wired, 8K Cache, 34M Buf, 205M Free
Swap: 120M Total, 120M Free

I decided to ping the pfsync0 interface from server 1 > server 2:

# ping 10.0.0.11
PING 10.0.0.11 (10.0.0.11): 56 data bytes
64 bytes from 10.0.0.11: icmp_seq=3 ttl=64 time=91.159 ms
64 bytes from 10.0.0.11: icmp_seq=3 ttl=64 time=114.017 ms (DUP!)
64 bytes from 10.0.0.11: icmp_seq=4 ttl=64 time=206.446 ms
64 bytes from 10.0.0.11: icmp_seq=5 ttl=64 time=92.209 ms
64 bytes from 10.0.0.11: icmp_seq=5 ttl=64 time=181.774 ms (DUP!)
64 bytes from 10.0.0.11: icmp_seq=5 ttl=64 time=363.855 ms (DUP!)
^C
--- 10.0.0.11 ping statistics ---
9 packets transmitted, 3 packets received, +3 duplicates, 66.7% packet loss
round-trip min/avg/max/stddev = 91.159/174.910/363.855/95.135 ms

If there's anything else I could check, suggestions are welcome.

Thanks,

Kevin K.