From owner-freebsd-stable@FreeBSD.ORG Wed Dec 13 06:51:29 2006
Return-Path:
X-Original-To: freebsd-stable@freebsd.org
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1482816A403 for ; Wed, 13 Dec 2006 06:51:29 +0000 (UTC) (envelope-from LukeD@pobox.com)
Received: from proof.pobox.com (proof.pobox.com [207.106.133.28]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3F57E43CF6 for ; Wed, 13 Dec 2006 06:49:45 +0000 (GMT) (envelope-from LukeD@pobox.com)
Received: from proof (localhost [127.0.0.1]) by proof.pobox.com (Postfix) with ESMTP id 2742828D89; Wed, 13 Dec 2006 01:51:34 -0500 (EST)
Received: from border.crystalsphere.multiverse (pool-71-112-204-105.sttlwa.dsl-w.verizon.net [71.112.204.105]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by proof.sasl.smtp.pobox.com (Postfix) with ESMTP id 65DCD9C0EC; Wed, 13 Dec 2006 01:51:32 -0500 (EST)
Date: Tue, 12 Dec 2006 22:51:04 -0800 (PST)
From: Luke Dean
X-X-Sender: lukas@border.crystalsphere.multiverse
To: Charles Sprickman
In-Reply-To:
Message-ID: <20061212224537.Y97228@border.crystalsphere.multiverse>
References:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-stable@freebsd.org
Subject: Re: pf killing NFS
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Luke Dean
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 13 Dec 2006 06:51:29 -0000

On Wed, 13 Dec 2006, Charles Sprickman wrote:

> Hi all,
>
> I'm running a 6.2-RC1 box (cvsup'd today) that has two Broadcom NICs. One is
> an internal network (nfs) and the other is external.
>
> PF has this rule for all traffic on the private net:
>
> [root@archive /home/jails]# pfctl -sr|grep bge1
> pass in quick on bge1 inet from 192.168.1.0/24 to any
> pass out quick on bge1 inet from any to 192.168.1.0/24
>
> No state since these are "quick" and symmetrical.
>
> Doing something like "ls /usr/ports" will just hang until interrupted. Using
> tcp for nfs makes it workable, but very slow.
>
> If I disable pf (pfctl -d), both types of mounts work, and speed is
> excellent. I also just found that if I remove the "scrub in all" statement
> and change it to "scrub in on bge0", things are fine.

I believe it's a bad idea to run NFS traffic through scrub unless you use
the "no-df" option with it. I just don't scrub my internal network traffic
at all.

I got this from "man pf.conf":

scrub has the following options:

     no-df
           Clears the dont-fragment bit from a matching IP packet. Some
           operating systems are known to generate fragmented packets with
           the dont-fragment bit set. This is particularly true with NFS.
           Scrub will drop such fragmented dont-fragment packets unless
           no-df is specified.
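The following pf.conf fragment is an added example and is not part of the thread or of either poster's configuration. It puts the "scrub in all" line that broke UDP NFS next to the two fixes discussed above: scoping scrub to the external interface, or keeping it everywhere with "no-df". The interface names (bge0 external, bge1 internal) and the 192.168.1.0/24 network come from the original post; the macro names and the choice to comment out the alternatives are assumptions.

```pf
# Added example, not from the thread. Interface names and the private
# network are taken from the original post; macro names are assumed.
ext_if  = "bge0"
int_if  = "bge1"
nfs_net = "192.168.1.0/24"

# --- Problematic: scrub on every interface, including the NFS LAN.
# Fragmented NFS datagrams that carry the dont-fragment bit are dropped
# by scrub, so a UDP NFS mount hangs on something like "ls /usr/ports".
#scrub in all

# --- Fix 1 (what the original poster did): normalize only the external
# interface, so internal NFS traffic never goes through scrub.
scrub in on $ext_if

# --- Fix 2: keep scrubbing everywhere, but clear the DF bit so the
# fragmented NFS packets are no longer dropped (see "no-df" in pf.conf(5)).
# Enable this instead of Fix 1, not in addition to it.
#scrub in all no-df

# The pass rules from the post, unchanged: stateless "quick" rules for
# the private network in both directions.
pass in  quick on $int_if inet from $nfs_net to any
pass out quick on $int_if inet from any to $nfs_net
```

Only one of the three scrub lines should be active at a time. Before loading the file with pfctl -f /etc/pf.conf, run pfctl -nf /etc/pf.conf to parse it without applying it, so a typo in the scrub line cannot leave the box with no ruleset loaded.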