From owner-freebsd-pf@FreeBSD.ORG Thu Mar 13 23:30:03 2008
Date: Thu, 13 Mar 2008 23:30:03 GMT
Message-Id: <200803132330.m2DNU3iG042764@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Laurent Frigault
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules
List-Id: "Technical discussion and general questions about packet filter (pf)"

The following reply was made to PR kern/121668; it has been noted by GNATS.

From: Laurent Frigault
To: Max Laier
Cc: bug-followup@freebsd.org
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules
Date: Fri, 14 Mar 2008 00:20:00 +0100

On Thu, Mar 13, 2008 at 08:26:39PM +0100, Max Laier wrote:
> > sysctl net.inet.tcp.nolocaltimewait=1
> > not needed, but helps to reproduce the problem with client and server
> > on the same computer.
>
> Okay, now this is just asking for trouble. pf does thorough checks on TCP
> states, one of which is to enforce the 2MSL quiet time before port reuse.
> If you set above sysctl you specifically ask FreeBSD to break that rule and
> thus cause pf to bark.

The nolocaltimewait=1 was only to help to reproduce the problem.

> You can also hit the issue if you have a large number of (consecutive)
> connections between two hosts (e.g. [poorly configured] squid ->
> www-backends, mysql, ...). The solution is to:

I discovered this problem with connections between CGI scripts and a mysql
server.

> 1) Reduce the connection spree and use one permanent connection

Not always possible with CGI.

> 2) Increase the ephemeral port range net.inet.ip.portrange.hi{first,last}

Interesting point. Lowering first seems to help.
Disabling net.inet.ip.portrange.randomized helps a lot too.

> 3) Decrease the pf state timeout tcp.{closing,closed} in order to relax
> the check. You can do this globally and on a per-rule basis.

I've set closed to 1 and closing to 30. That helps too.

It does not seem possible to set tcp.closed to 0 on a per-rule basis:

This is accepted:

pass out quick on lo0 proto tcp from any to any port 9 flags S/SA keep state ( tcp.closing 30 , tcp.closed 0 )

But pfctl -srules -vvv prints:

@0 pass out quick on lo0 proto tcp from any to any port = discard flags S/SA keep state (tcp.closing 30)
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 51151 ]

The tcp.closed seems to be ignored. It works with tcp.closed set to 1.

Regards,
-- 
Laurent Frigault
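The exchange above names three knobs (port range size, port randomization, pf's tcp.closed/tcp.closing timeouts) and one kernel setting (nolocaltimewait) without showing how they interact. The following is an added model written for this page; it is not code from the thread, from pf or from FreeBSD. It reduces each knob to a parameter and counts how many connect() attempts would land on a port whose pf state has not yet expired. Assumptions: all connections go to one server address:port (as with CGI scripts talking to one mysqld), so the local port alone decides whether a 4-tuple repeats; the kernel reserves a closed port for TIME_WAIT and never hands it out in that window; pf keeps the state for tcp.closed (or tcp.closing) seconds after teardown and, on a fresh SYN against a stale state, drops the SYN and discards the state. The rates, range sizes and seed are constructed for illustration.

```python
import random

# Added model of the port-reuse race discussed in this thread; it is not code
# from the thread, from pf or from FreeBSD.  pf keeps a TCP state alive for
# tcp.closed seconds after teardown (90 s by default), while the kernel
# reserves the local port only for TIME_WAIT (2*MSL, 60 s by default, and
# nothing at all with net.inet.tcp.nolocaltimewait=1).  A port the stack hands
# out again inside that gap hits a stale pf state, pf drops the SYN and
# connect() fails (EPERM in the report above).  Assumption: every connection
# goes to one server address:port (CGI scripts to one mysqld), so the local
# port alone decides whether the 4-tuple repeats.
#
#   nports       -> size of net.inet.ip.portrange.hi{first,last}
#   randomized   -> net.inet.ip.portrange.randomized
#   pf_hold      -> "set timeout tcp.closed" (tcp.closing for half-closed states)
#   kernel_hold  -> TIME_WAIT; 0 models nolocaltimewait=1


def simulate(rate, seconds, nports, pf_hold, kernel_hold,
             randomized=True, lifetime=0.01, seed=7):
    """Count connect() attempts that would land on a lingering pf state.

    rate      connections per second the client opens (to the same server)
    seconds   simulated wall-clock time
    lifetime  seconds each connection stays open before teardown
    """
    rng = random.Random(seed)         # fixed seed: runs are reproducible
    kernel_free_at = [0.0] * nports   # stack may hand the port out again
    pf_state_until = [0.0] * nports   # pf still holds a state for the 4-tuple
    next_port = 0
    collisions = 0
    for i in range(int(rate * seconds)):
        now = i / rate
        # The stack never reuses a port still in TIME_WAIT, whether it picks
        # ports at random or walks the range sequentially.
        for _ in range(nports):
            if randomized:
                port = rng.randrange(nports)
            else:
                port = next_port
                next_port = (next_port + 1) % nports
            if kernel_free_at[port] <= now:
                break
        else:
            raise RuntimeError("ephemeral port range exhausted at t=%.1fs" % now)
        if pf_state_until[port] > now:
            # Stale pf state: SYN dropped, connect() fails.  pf discards the
            # old state, so a retry on this port succeeds; the failed socket
            # never established and so never enters TIME_WAIT.
            collisions += 1
            pf_state_until[port] = 0.0
            continue
        closed = now + lifetime
        kernel_free_at[port] = closed + kernel_hold
        pf_state_until[port] = closed + pf_hold
    return collisions


def collision_probability(rate, nports, pf_hold, kernel_hold):
    """Rough steady-state estimate for randomized allocation: the share of
    ports the kernel will hand out that still carry a pf state.  It ignores
    the feedback from failed connects, so it overestimates simulate()."""
    free = nports - rate * kernel_hold
    if free <= 0:
        return 1.0                    # the port range itself runs out first
    stale = rate * max(pf_hold - kernel_hold, 0)
    return min(stale / free, 1.0)


def main():
    base = dict(rate=10, seconds=300, nports=1000)
    cases = [
        ("defaults: tcp.closed 90, TIME_WAIT 60, randomized",
         dict(pf_hold=90, kernel_hold=60)),
        ("nolocaltimewait=1 (kernel quiet time gone)",
         dict(pf_hold=90, kernel_hold=0)),
        ("tcp.closing 900 hit, sequential ports",
         dict(pf_hold=900, kernel_hold=60, randomized=False)),
        ("tcp.closed 1 (below TIME_WAIT)",
         dict(pf_hold=1, kernel_hold=60)),
        ("4x wider port range",
         dict(pf_hold=90, kernel_hold=60, nports=4000)),
    ]
    for label, kw in cases:
        args = {**base, **kw}
        print("%-50s failed connects: %d" % (label, simulate(**args)))


if __name__ == "__main__":
    main()
```

The model makes the ordering of the two timers the whole story: as long as pf's hold (tcp.closed, or tcp.closing when only one FIN was seen) is shorter than the kernel's TIME_WAIT, no reused port can still carry a state, which is why "closed to 1" fixes it in the reply above; nolocaltimewait=1 or a long tcp.closing puts the kernel's quiet time below pf's and the failures start. Sequential allocation only collides once the whole range wraps inside pf's hold, whereas random allocation can land on a stale port at any time, matching the observation that disabling net.inet.ip.portrange.randomized helps a lot. Whatever timeouts you settle on, confirm with pfctl -sr -vv that the loaded rule actually carries them, as the reply shows a per-rule tcp.closed 0 being dropped silently.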