From owner-freebsd-pf@FreeBSD.ORG Fri Aug 29 11:04:01 2008
Date: Fri, 29 Aug 2008 04:03:58 -0700
From: Jeremy Chadwick
To: ben wilber
Cc: freebsd-pf@freebsd.org
Subject: Re: pf and mxge
Message-ID: <20080829110358.GA72503@icarus.home.lan>
In-Reply-To: <20080829105422.GI1644@exodus.desync.com>
References: <20080829105422.GI1644@exodus.desync.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Fri, Aug 29, 2008 at 06:54:23AM -0400, ben wilber wrote:
> I'm trying to use PF on a machine with an mxge(4) interface and am
> having some difficulty. With my ruleset loaded, any TCP session that
> gets a state grinds to a halt.
>
> For example, I can log in via SSH and issue commands that return a
> couple lines, but the output from a command like dmesg(8) comes very
> slowly and sometimes won't finish before SSH times out. MTU on the
> interface is 1500 bytes. This doesn't happen unless states are created
> (e.g., not with "pass no state").
>
> The machine is running -CURRENT for amd64 as of Jul 18th compiled with
> ALTQ, crypto and IPSEC, HZ=1000 and DEVICE_POLLING (though not enabled).
> IP and IPv6 forwarding are enabled, as well as fastforwarding. Only
> filtering; no bridges, ALTQ, NAT or scrubbing.
>
> Any insight?

I've seen this problem on RELENG_6, although the SSH connections would
not "time out" -- after a page or so of 'dmesg' output, they would
immediately get disconnected/severed.

I believe the problem was caused by my use of "modulate state" instead
of "keep state" (since on RELENG_6 "keep state" is not implicit).

Are you using "reassemble tcp", "synproxy state", or "modulate state"
directives? Does disabling RFC1323 (see sysctl) make a difference at
all? Are you blindly filtering all ICMP traffic and destroying PMTU
negotiation?

Can you provide your pf.conf?

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
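As an added illustration of the checks asked about in the reply above (a constructed pf.conf fragment, not Ben's ruleset or anything posted in the thread; the interface name mxge0 and the 192.0.2.0/24 admin network are assumptions), the pattern that starves stateful TCP of PMTU feedback is shown next to a version that passes the needed ICMP and uses plain "keep state":

```pf
# Constructed example for a FreeBSD host with an mxge(4) NIC. The interface
# name and the admin network are assumptions, not values from the thread.
ext_if    = "mxge0"
admin_net = "192.0.2.0/24"      # RFC 5737 documentation range

set skip on lo0
block in log on $ext_if all

# --- Pattern that produces the symptoms described in the thread ----------
# 1. Dropping every ICMP packet also drops "fragmentation needed" (IPv4)
#    and "packet too big" (IPv6). A host or router that never sees them
#    cannot lower its path MTU, so short replies get through while a long
#    one such as dmesg(8) output stalls.
# 2. "modulate state" rewrites TCP sequence numbers; the reply above names
#    it as the suspected cause on RELENG_6, where "keep state" is not
#    implicit and must be written out.
# block in on $ext_if proto icmp  all
# block in on $ext_if proto icmp6 all
# pass  in on $ext_if proto tcp from $admin_net to ($ext_if) port 22 \
#     flags S/SA modulate state

# --- Corrected version -----------------------------------------------------
# Explicitly let the ICMP error messages that drive PMTU discovery through.
pass in on $ext_if inet  proto icmp  all icmp-type  unreach code needfrag keep state
pass in on $ext_if inet6 proto icmp6 all icmp6-type toobig keep state

# Ordinary stateful TCP with "keep state" spelled out, no ISN modulation.
pass out on $ext_if proto tcp from ($ext_if) to any flags S/SA keep state
pass in  on $ext_if proto tcp from $admin_net to ($ext_if) port 22 \
    flags S/SA keep state

# Checks before and after loading:
#   pfctl -nf /etc/pf.conf          syntax-check without loading the rules
#   pfctl -f  /etc/pf.conf          load the rules
#   sysctl net.inet.tcp.rfc1323=0   the RFC 1323 diagnostic the reply suggests;
#                                   set it back to 1 once the test is done
```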