From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 209680] ipfw: when enabled, net connections time out/ssh results in "broken pipe"
Date: Sat, 21 May 2016 17:11:22 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209680

            Bug ID: 209680
           Summary: ipfw: when enabled, net connections time out/ssh results in "broken pipe"
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: ohartman@zedat.fu-berlin.de

For a couple of weeks (if not more than a month by now) I have observed that when IPFW is enabled (in kernel, no module load!), network performance is sometimes worse and server/client connections drop erratically (PostgreSQL 9.5, Apache 2.4 webservices, copies of large files (> 200GB, I think it is the time that the copy takes that is relevant, not the size, the connection is 1GBit) via rsync and especially ssh connections to remote systems (remote maintenance is a nightmare recently)).

I'm not deeply into debugging, I observe, and I can give you this information.

The problem occurs on different systems, all of which have in common that they run the most recent CURRENT (at the moment r300375). The systems have different x86_amd64 architectures - Core2Duo dual socket XEONs as well as Haswell single socket XEONs, with different NICs (i210, i219, Broadcom, some Realtek, some Intel em).

Also in common on these systems is the usage of IPFW statically in-kernel. Some private systems also have libalias/in-kernel-NAT and pppoe, but that doesn't matter; the problems occur with the vanilla ipfw-scripts delivered with FreeBSD (usage via type WORKSTATION) as well as with custom ipfw ruleset scripts.

On an erratic basis, the connection drops or has a kind of hang that lasts for seconds. This prevents us from uploading large vector maps for GIS applications into PostgreSQL databases provided by a FBSD server. The connection has timeouts or drops. A nightmare is the usage of SSH for maintenance.
Sometimes several seconds after establishing the connection, or after 30 minutes and more, the connection dies with a broken pipe (ssh: Fssh_packet_write_wait: Connection to XXX.XXX.XXX.XXX port 22: Broken pipe).

All of those reported problems vanish if I disable IPFW via "ipfw disable firewall".

My in-kernel config for IPFW is (this is the config of a home system, beware that NAT is not enabled on the servers):

#
# IPFW Firewall
#
options         IPFIREWALL                      # firewall
options         IPFIREWALL_VERBOSE              # enable logging to syslogd(8)
options         IPFIREWALL_VERBOSE_LIMIT=10     #limit verbosity
#options        IPFIREWALL_NAT                  # ipfw kernel nat support
#options        LIBALIAS                        # ipfw kernel nat support
options         IPDIVERT                        # divert sockets
options         DUMMYNET                        # traffic shaper, bandwidth manager and delay emulator
#options        HZ=2000                         # strongly recommended
#
#options        IPFIREWALL_DEFAULT_TO_ACCEPT    # allow everything by default