Date: Sat, 21 May 2016 17:11:22 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 209680] ipfw: when enabled, net connections time out/ssh results in "broken pipe"
Message-ID: <bug-209680-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209680

            Bug ID: 209680
           Summary: ipfw: when enabled, net connections time out/ssh results in "broken pipe"
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: ohartman@zedat.fu-berlin.de

For a couple of weeks (if not more than a month by now) I have observed that when IPFW is enabled (in kernel, no module load!), network performance is sometimes worse and server/client connections drop erratically (PostgreSQL 9.5, Apache 2.4 web services, copies of large files (> 200GB; I think it is the time that the copy takes that is relevant, not the size; the connection is 1GBit) via rsync, and especially ssh connections to remote systems (remote maintenance is a nightmare recently)).

I'm not deeply into debugging; I observe, and I can give you this information.

The problem occurs on different systems, all of them running the most recent CURRENT (at the moment r300375). The systems have different x86_amd64 architectures - Core2Duo dual socket XEONs as well as Haswell single socket XEONs, with different NICs (i210, i219, Broadcom, some Realtek, some Intel em).

Also common to these systems is the usage of IPFW statically in-kernel. Some private systems also have libalias/in-kernel NAT and pppoe, but that doesn't matter, and the problems occur with the vanilla ipfw scripts delivered with FreeBSD (usage via type WORKSTATION) as well as with custom ipfw ruleset scripts.

On an erratic basis, the connection drops or has a kind of hang that lasts for seconds. This prevents us from uploading large vector maps for GIS applications into PostgreSQL databases provided by a FBSD server. The connection has timeouts or drops. A nightmare is the usage of SSH for maintenance. Sometimes several seconds after establishing the connection, or after 30 minutes and more, the connection dies with a broken pipe (ssh: Fssh_packet_write_wait: Connection to XXX.XXX.XXX.XXX port 22: Broken pipe).

All of those reported problems vanish if I disable IPFW via "ipfw disable firewall".

My in-kernel config for IPFW is (this is the config of a home system, beware that NAT is not enabled on the servers):

#
# IPFW Firewall
#
options         IPFIREWALL                      # firewall
options         IPFIREWALL_VERBOSE              # enable logging to syslogd(8)
options         IPFIREWALL_VERBOSE_LIMIT=10     # limit verbosity
#options        IPFIREWALL_NAT                  # ipfw kernel nat support
#options        LIBALIAS                        # ipfw kernel nat support
options         IPDIVERT                        # divert sockets
options         DUMMYNET                        # traffic shaper, bandwidth manager and delay emulator
#options        HZ=2000                         # strongly recommended
#
#options        IPFIREWALL_DEFAULT_TO_ACCEPT    # allow everything by default

-- 
You are receiving this mail because:
You are the assignee for the bug.
