From: Roman Serbski
To: freebsd-questions@freebsd.org
Date: Tue, 19 Aug 2014 18:07:06 +0200
Subject: FreeBSD 10 + ipfilter problems with the stateful rules
Hello,

# uname -a
FreeBSD freebsd-tmpl 10.0-STABLE FreeBSD 10.0-STABLE #0 r270138: Tue Aug 19 15:33:27 CEST 2014 root@freebsd-tmpl:/usr/obj/usr/src/sys/BSDTMPL2014081902 amd64

The kernel was compiled with:

options IPFILTER
options IPFILTER_LOG
options IPFILTER_LOOKUP
options IPFILTER_DEFAULT_BLOCK

Here is the ipfilter ruleset:

# ipfstat -in
@1 pass in quick on lo0 from any to any
@2 block in quick on vmx0 from any to any with frag
@3 block in quick on vmx0 proto tcp from any to any with short
@4 block in quick on vmx0 inet from any to any with opt lsrr
@5 block in quick on vmx0 inet from any to any with opt ssrr
@6 block in log first quick on vmx0 proto tcp from any to any flags FPU/FSRPAU
@7 block in quick on vmx0 from any to any with ipopts
@8 pass in quick on vmx0 inet proto tcp from 192.168.60.0/24 to 192.168.60.1/32 port = ssh flags S/FSRPAU keep state
@9 pass in quick on vmx0 inet proto icmp from 192.168.60.0/24 to 192.168.60.1/32 icmp-type echo keep state
@10 block in log quick on vmx0 all

# ipfstat -on
@1 pass out quick on lo0 from any to any
@2 pass out quick on vmx0 proto tcp from any to any port = domain flags S/FSRPAU keep state
@3 pass out quick on vmx0 proto udp from any to any port = domain keep state
@4 pass out quick on vmx0 proto udp from any to any port = ntp keep state
@5 pass out quick on vmx0 inet proto icmp from any to any icmp-type echo keep state
@6 block out log quick on vmx0 all

I can ssh to the box (.1) from 192.168.60.0/24, but there is a noticeable delay (a couple of seconds) if I run tail or less on any log file.
At the same time, I see the following blocked in the ipfilter logs:

Aug 19 17:37:26 freebsd-tmpl ipmon[410]: 17:37:26.817761 vmx0 @0:12 b 192.168.60.1,22 -> 192.168.60.21,64962 PR tcp len 20 1532 -AP OUT bad
Aug 19 17:37:26 freebsd-tmpl ipmon[410]: 17:37:26.817966 vmx0 @0:12 b 192.168.60.1,22 -> 192.168.60.21,64962 PR tcp len 20 1616 -AP OUT bad

If I add a rule allowing all traffic from .1 to 192.168.60.0/24, everything works fine, so I get the impression something is wrong with "flags S/FSRPAU keep state".

Any hints would be greatly appreciated!

PS: I don't know whether it'll help, but this is a VMXNET3 adapter, so I googled to disable RXCSUM and TXCSUM, however it didn't help.

# ifconfig -m
vmx0: flags=8843 metric 0 mtu 1500
options=39b
capabilities=61079b
ether 00:50:56:8a:17:21
inet 192.168.60.1 netmask 0xffffff00 broadcast 192.168.60.255
media: Ethernet autoselect
status: active
supported media:
media autoselect

Thank you very much.
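When chasing a problem like the one above, the first thing worth doing is turning the ipmon output into structured records so the blocked flows can be counted per interface, direction and rule, and so the packets carrying the trailing "bad" marker (the ones the poster's log shows) can be separated from ordinary rule-match blocks. The script below is an added example, not part of the original mail or of the ipfilter project; the log format is inferred from the two lines quoted in the post, the only sample input is those two lines, and the helper names (`parse_ipmon_line`, `summarize_blocks`, `decode_tcp_flags`) are my own. The reading of "bad" as a packet dropped by state-table checks rather than by a plain rule match is an assumption drawn from ipmon(8).

```python
import re
from collections import Counter

# Sample input: the two ipmon lines quoted in the post above.
SAMPLE_LOG = """\
Aug 19 17:37:26 freebsd-tmpl ipmon[410]: 17:37:26.817761 vmx0 @0:12 b 192.168.60.1,22 -> 192.168.60.21,64962 PR tcp len 20 1532 -AP OUT bad
Aug 19 17:37:26 freebsd-tmpl ipmon[410]: 17:37:26.817966 vmx0 @0:12 b 192.168.60.1,22 -> 192.168.60.21,64962 PR tcp len 20 1616 -AP OUT bad
"""

# Field layout inferred from the lines above (assumption, not the
# authoritative ipmon grammar): syslog stamp, host, ipmon[pid], packet time,
# interface, @group:rule, action letter, src,port -> dst,port, PR proto,
# "len" header-length total-length, optional TCP flag string, direction,
# then any trailing markers such as "bad".
IPMON_RE = re.compile(
    r"""
    ^(?P<date>\w{3}\s+\d+\s[\d:]+)\s+(?P<host>\S+)\s+ipmon\[(?P<pid>\d+)\]:\s+
    (?P<time>[\d:.]+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+
    (?P<action>\S)\s+
    (?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+
    PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)
    (?:\s+(?P<flags>-[A-Z]+))?\s+(?P<dir>IN|OUT)
    (?P<rest>.*)$
    """,
    re.VERBOSE,
)

# ipmon's single-letter TCP flag codes.
TCP_FLAG_NAMES = {"S": "SYN", "A": "ACK", "P": "PSH", "F": "FIN", "R": "RST", "U": "URG"}


def decode_tcp_flags(flag_field):
    """Turn an ipmon flag string such as '-AP' into ['ACK', 'PSH']."""
    if not flag_field:
        return []
    return [TCP_FLAG_NAMES.get(c, c) for c in flag_field.lstrip("-")]


def parse_ipmon_line(line):
    """Parse one ipmon line into a dict, or return None if it does not match."""
    m = IPMON_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "group", "rule", "sport", "dport", "hlen", "plen"):
        rec[key] = int(rec[key])
    rec["tcp_flags"] = decode_tcp_flags(rec["flags"])
    # Trailing "bad": assumed to mark a packet dropped by state-table checks.
    rec["bad_state"] = "bad" in rec["rest"].split()
    return rec


def summarize_blocks(log_text):
    """Count blocked packets (action 'b') per interface, direction, rule,
    flow and bad-state marker, so repeated drops of one flow stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ipmon_line(line)
        if rec is None or rec["action"] != "b":
            continue
        key = (
            rec["iface"],
            rec["dir"],
            "@%d:%d" % (rec["group"], rec["rule"]),
            "%s:%d" % (rec["src"], rec["sport"]),
            "%s:%d" % (rec["dst"], rec["dport"]),
            rec["bad_state"],
        )
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize_blocks(SAMPLE_LOG).most_common():
        iface, direction, rule, src, dst, bad = key
        print("%s %-3s %s %s -> %s%s: %d packet(s)"
              % (iface, direction, rule, src, dst, " [bad]" if bad else "", n))
```

Run against a real ipmon log (`python3 script.py < /var/log/ipfilter.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), the summary makes it easy to see whether every blocked packet on a flow carries the "bad" marker, as both lines in the post do, or whether plain rule-match blocks are mixed in; that distinction is what tells you whether to look at the rule order or at the state table.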