Date: Tue, 12 Dec 2006 22:51:04 -0800 (PST)
From: Luke Dean <LukeD@pobox.com>
To: Charles Sprickman <spork@bway.net>
Cc: freebsd-stable@freebsd.org
Subject: Re: pf killing NFS
Message-ID: <20061212224537.Y97228@border.crystalsphere.multiverse>
In-Reply-To: <Pine.OSX.4.61.0612130030020.354@white.nat.fasttrackmonkey.com>
References: <Pine.OSX.4.61.0612130030020.354@white.nat.fasttrackmonkey.com>
On Wed, 13 Dec 2006, Charles Sprickman wrote:

> Hi all,
>
> I'm running a 6.2-RC1 box (cvsup'd today) that has two broadcom nics. One is
> an internal network (nfs) and the other is external.
>
> PF has this rule for all traffic on the private net:
>
> [root@archive /home/jails]# pfctl -sr|grep bge1
> pass in quick on bge1 inet from 192.168.1.0/24 to any
> pass out quick on bge1 inet from any to 192.168.1.0/24
>
> No state since these are "quick" and symmetrical.
>
> Doing something like "ls /usr/ports" will just hang until interrupted. Using
> tcp for nfs makes it workable, but very slow.
>
> If I disable pf (pfctl -d), both types of mounts work, and speed is
> excellent. I also just found that if I remove the "scrub in all" statement
> and change it to "scrub in on bge0", things are fine.

I believe it's a bad idea to run NFS traffic through scrub unless you use the
"no-df" option with it. I just don't scrub my internal network traffic at
all. I got this from "man pf.conf":

     scrub has the following options:

     no-df   Clears the dont-fragment bit from a matching IP packet. Some
             operating systems are known to generate fragmented packets with
             the dont-fragment bit set. This is particularly true with NFS.
             Scrub will drop such fragmented dont-fragment packets unless
             no-df is specified.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061212224537.Y97228>
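The two fixes discussed in this thread (scrub only the external interface, or keep scrubbing the internal side with no-df) side by side in a pf.conf fragment. This is an added example, not configuration posted by either participant; the interface names bge0/bge1 and the 192.168.1.0/24 network come from the thread, the macro names and the random-id choice are assumptions.

```conf
# pf.conf fragment (added example, not from the original thread).
# bge0 = external, bge1 = internal NFS network, 192.168.1.0/24 = NFS clients,
# all as described in the thread. Macro names below are assumed.

ext_if  = "bge0"
int_if  = "bge1"
nfs_net = "192.168.1.0/24"

# The original, problematic line: every inbound packet on every interface is
# normalised. NFS over UDP on $int_if produces fragmented datagrams with the
# dont-fragment bit set, and scrub drops those unless no-df is given, which
# is why "ls /usr/ports" hangs until interrupted.
#scrub in all

# Option A (what the original poster ended up with): normalise the external
# side only; internal NFS traffic is never scrubbed.
scrub in on $ext_if all

# Option B: keep scrubbing the internal side but clear the DF bit on matching
# packets so fragmented NFS datagrams are passed instead of dropped.
# random-id is added because a packet whose DF bit was cleared may be
# re-fragmented upstream and needs a non-zero, unique IP identification.
#scrub in on $int_if all no-df random-id

# Stateless, symmetric rules for the internal network, as in the thread.
# (Normalisation rules must precede filter rules in pf.conf.)
pass in  quick on $int_if inet from $nfs_net to any
pass out quick on $int_if inet from any to $nfs_net
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. Note that option A leaves the internal interface entirely unnormalised (no fragment reassembly), which is acceptable on a trusted NFS segment but is not a choice you would make on a network that carries untrusted traffic; option B keeps normalisation and only relaxes the DF handling that NFS trips over.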