Date: Thu, 13 Mar 2008 23:30:03 GMT From: Laurent Frigault <lfrigault@agneau.org> To: freebsd-pf@FreeBSD.org Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules Message-ID: <200803132330.m2DNU3iG042764@freefall.freebsd.org>
The following reply was made to PR kern/121668; it has been noted by GNATS.

From: Laurent Frigault <lfrigault@agneau.org>
To: Max Laier <max@love2party.net>
Cc: bug-followup@freebsd.org
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules
Date: Fri, 14 Mar 2008 00:20:00 +0100

On Thu, Mar 13, 2008 at 08:26:39PM +0100, Max Laier wrote:
> > sysctl net.inet.tcp.nolocaltimewait=1
> > not needed, but helps to reproduce the problem with client and server
> > on the same computer.
>
> Okay, now this is just asking for trouble. pf does thorough checks on TCP
> states, one of which is to enforce the 2MSL quiet time before port reuse.
> If you set the above sysctl you specifically ask FreeBSD to break that rule
> and thus cause pf to bark.

The nolocaltimewait=1 was only to help to reproduce the problem.

> You can also hit the issue if you have a large number of (consecutive)
> connections between two hosts (e.g. [poorly configured] squid ->
> www-backends, mysql, ...). The solution is to:

I discovered this problem with connections between CGI scripts and a mysql
server.

> 1) Reduce the connection spree and use one permanent connection

Not always possible with CGI.

> 2) Increase the ephemeral port range net.inet.ip.portrange.hi{first,last}

Interesting point. Lowering first seems to help.
Disabling net.inet.ip.portrange.randomized helps a lot too.

> 3) Decrease the pf state timeout tcp.{closing,closed} in order to relax
> the check. You can do this globally and on a per-rule basis.

I've set closed to 1 and closing to 30. That helps too.
It does not seem possible to set tcp.closed to 0 on a per-rule basis:

This is accepted:

pass out quick on lo0 proto tcp from any to any port 9 flags S/SA keep state ( tcp.closing 30 , tcp.closed 0 )

But pfctl -srules -vvv prints:

@0 pass out quick on lo0 proto tcp from any to any port = discard flags S/SA keep state (tcp.closing 30)
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 51151 ]

The tcp.closed seems to be ignored. It works with tcp.closed set to 1.

Regards,
--
Laurent Frigault | <url:http://www.agneau.org/>
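As an added illustration (not part of the original report or of pf itself), the following Python snippet checks whether the per-rule state timeouts written in pf.conf survive loading, by parsing the state options out of the pf.conf rule and out of the rule line that pfctl -srules -vvv printed back. The two rule strings are taken from the report above; the note that a timeout of 0 is treated as "unset" is an assumption consistent with the behaviour observed in the thread.

```python
import re

# Constructed sample input: the rule as written in pf.conf and the line
# pfctl -srules -vvv printed for it (both copied from the report).
PF_CONF_RULE = ("pass out quick on lo0 proto tcp from any to any port 9 "
                "flags S/SA keep state ( tcp.closing 30 , tcp.closed 0 )")
PFCTL_RULE = ("@0 pass out quick on lo0 proto tcp from any to any port = discard "
              "flags S/SA keep state (tcp.closing 30)")

# Everything between the parentheses that follow "keep state".
STATE_OPTS = re.compile(r"keep state\s*\((.*?)\)")


def parse_timeouts(rule):
    """Return {option: seconds} for the per-rule state timeouts of one pf rule.

    Only "name value" pairs such as "tcp.closing 30" are kept; other state
    options (e.g. "max 100") are returned as well if they follow that shape,
    which is fine for a presence check.
    """
    match = STATE_OPTS.search(rule)
    if not match:
        return {}
    timeouts = {}
    for item in match.group(1).split(","):
        parts = item.split()
        if len(parts) == 2 and parts[1].isdigit():
            timeouts[parts[0]] = int(parts[1])
    return timeouts


def dropped_timeouts(configured_rule, loaded_rule):
    """Options requested in pf.conf that pfctl no longer shows on the loaded rule.

    A value of 0 is assumed to mean "use the default" and is therefore the
    usual reason an option goes missing, as with "tcp.closed 0" in the report.
    """
    wanted = parse_timeouts(configured_rule)
    loaded = parse_timeouts(loaded_rule)
    return {name: secs for name, secs in wanted.items() if name not in loaded}


if __name__ == "__main__":
    for name, secs in dropped_timeouts(PF_CONF_RULE, PFCTL_RULE).items():
        hint = " (0 is treated as unset; use 1 or higher)" if secs == 0 else ""
        print(f"option {name} {secs} was not applied{hint}")
```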