From owner-freebsd-pf@FreeBSD.ORG  Fri Aug 29 10:54:28 2008
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 97C7B1065671
	for <freebsd-pf@freebsd.org>; Fri, 29 Aug 2008 10:54:28 +0000 (UTC)
	(envelope-from bw@exodus.desync.com)
Received: from exodus.desync.com (desync.com [IPv6:2607:f178::165])
	by mx1.freebsd.org (Postfix) with ESMTP id 41B148FC20
	for <freebsd-pf@freebsd.org>; Fri, 29 Aug 2008 10:54:27 +0000 (UTC)
	(envelope-from bw@exodus.desync.com)
Received: from exodus.desync.com (localhost [127.0.0.1])
	by exodus.desync.com (8.14.2/8.14.2) with ESMTP id m7TAsNe3090272
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <freebsd-pf@freebsd.org>; Fri, 29 Aug 2008 06:54:23 -0400 (EDT)
	(envelope-from bw@exodus.desync.com)
Received: (from bw@localhost)
	by exodus.desync.com (8.14.2/8.14.2/Submit) id m7TAsNcr090271
	for freebsd-pf@freebsd.org; Fri, 29 Aug 2008 06:54:23 -0400 (EDT)
	(envelope-from bw)
Date: Fri, 29 Aug 2008 06:54:23 -0400
From: ben wilber <ben@desync.com>
To: freebsd-pf@freebsd.org
Message-ID: <20080829105422.GI1644@exodus.desync.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Angst-Level: High
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: pf and mxge
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Aug 2008 10:54:28 -0000

Hello,

I'm trying to use PF on a machine with an mxge(4) interface and am
having some difficulty.  With my ruleset loaded, any TCP session that
gets a state grinds to a halt.

For example, I can log in via SSH and issue commands that return a
couple lines, but the output from a command like dmesg(8) comes very
slowly and sometimes won't finish before SSH times out.  MTU on the
interface is 1500 bytes.  This doesn't happen unless states are created
(e.g., not with "pass no state").

The machine is running -CURRENT for amd64 as of Jul 18th compiled with
ALTQ, crypto and IPSEC, HZ=1000 and DEVICE_POLLING (though not enabled).
IP and IPv6 forwarding are enabled, as well as fastforwarding.  Only
filtering; no bridges, ALTQ, NAT or scrubbing.

Any insight?

Thanks,
bw.