From owner-freebsd-questions@FreeBSD.ORG Tue Nov 13 02:21:16 2007
Date: Tue, 13 Nov 2007 07:50:53 +0530
From: Girish Venkatachalam
To: freebsd-questions@freebsd.org
Subject: Re: PF, bridge, states and window scaling problem
Message-ID: <20071113022053.GA17768@saraswathy.susmita.org>
In-Reply-To: <669132de0711121208n32bfb827p4984c6d3383da713@mail.gmail.com>
References: <669132de0711121208n32bfb827p4984c6d3383da713@mail.gmail.com>
Reply-To: girishvenkatachalam@gmail.com
Mail-Followup-To: freebsd-questions@freebsd.org
User-Agent: Mutt/1.5.12-2006-07-14
List-Id: User questions

On 22:08:03 Nov 12, Alupului Costin wrote:
> I seem to have quite a problem with PF. I have set up a bridge to
> shape my upstream traffic. I use ALTQ with hfsc discipline; but that's
> not really important. My problem comes with the filter rules. I have
> to use keep state because of the speed benefits (really I don't have a
> choice),

One should always keep state.

> but PF has a problem when the clients passing traffic through
> the bridge use TCP window scaling. Here is an example of four filter
> rules that I thought should work to pass the traffic from one client
> through the bridge and create a state:
>
> pass in quick on vlan0 from any to anIP/32
> pass out quick on vlan0 from anIP/32 to any keep state queue ul_client
> pass in quick on vlan1 from anIP/32 to any
> pass out quick on vlan1 from any to anIP/32 keep state queue dl_client
>
> The above rules generate state-mismatches.

Didn't get you. What sort of mismatch?

> I thought that would be
> because pf doesn't see the SYN packet, although it does (one of the
> out rules) and should create the state then... I tried writing all the
> rules with keep state (even the inbound ones) but then nothing would
> work at all.
> My intention was to create if-bound states, but I
> switched back to floating states in the hope that pf would associate
> the state created by an outbound rule with the traffic returning on
> another interface of the bridge; still didn't work.
>

Have you tried adding "flags S/SAFR" to the filter rules? Try it and let me know.

> I have read the man page for if_bridge and set the following sysctl variables:
>
> net.link.bridge.pfil_onlyip: 1
> net.link.bridge.pfil_bridge: 0
> net.link.bridge.pfil_member: 1
>
> I have also read some posts on the web that said that pf simply
> doesn't have all the hooks necessary to do the filtering inbound and
> outbound, but reading the pfil man page I seem to disagree with that.
>

What do you mean?

> Has anyone encountered the same problem? And, more important: if I
> give up the bridge setup and switch to routing, would that have any
> effect? I.e. will I then be able to use keep state with the inbound
> rules?

Try it. Routing changes the topology a good deal. But I doubt if that is the issue here. No harm in testing though.

>
> Any help at all would be hugely appreciated as I am trying for about a
> week to sort out this problem and can't seem to get any closer. The
> only solution was to kindly ask my clients using TCP window scaling
> (Vista mostly) to turn off this feature... Now I am seriously
> considering bumping my bridge to a router but I am not sure that the
> problem will be solved then.

Try adding the flags switch as mentioned above. That way the states get established only from a TCP SYN packet. You should also try flushing the old states using pfctl(8).

>
> Oh, here is the setup of the bridge from rc.conf, although there
> shouldn't be any problems there (the bridge works fine without pf, or
> with pf stateless):

Stateful filtering is always recommended. Performance is not the only reason why you should use it. It also adds to security.

Have you tried disabling normalization/scrub?

Best,
Girish
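The two suggestions in the reply above (create states only from a SYN, then flush the stale ones), written out as a pf.conf fragment. This is an added example, not configuration posted by either participant. Assumptions: vlan1 faces the client and vlan0 faces upstream (inferred from the direction of the four quoted rules); `$client` stands in for the original post's `anIP/32`, using a documentation address as a placeholder; the `ul_client` and `dl_client` queues are defined in an ALTQ section the post did not show. Because pf accepts `flags` only together with `proto tcp`, the stateful rules here are TCP-only, and the non-TCP traffic the original protocol-less rules also covered gets its own rules.

```pf
# /etc/pf.conf fragment: added example, not taken from the thread.
# Assumptions: vlan1 faces the client, vlan0 faces upstream; $client stands
# for the original post's "anIP/32" (192.0.2.10 is a documentation placeholder);
# the queues ul_client and dl_client are defined in an ALTQ section not shown.
client = "192.0.2.10"

# "flags S/SAFR": of the SYN, ACK, FIN and RST bits, only SYN may be set, so a
# state is created only by the initial SYN. That SYN is also the packet that
# carries the TCP window-scale option pf needs in order to track a connection
# whose windows are scaled. A state created from a mid-stream packet has no
# scaling factor recorded, and later packets with scaled windows fall outside
# the tracked window and are dropped as bad state (counted as state-mismatch).
# "flags" is only valid with "proto tcp", hence the explicit protocol.
pass in  quick on vlan0 proto tcp from any     to $client
pass out quick on vlan0 proto tcp from $client to any flags S/SAFR keep state queue ul_client
pass in  quick on vlan1 proto tcp from $client to any
pass out quick on vlan1 proto tcp from any     to $client flags S/SAFR keep state queue dl_client

# The original rules had no "proto" and so also matched UDP and ICMP; keep that
# traffic covered with the same shape of rules, minus the TCP-only "flags".
pass in  quick on vlan0 proto { udp, icmp } from any     to $client
pass out quick on vlan0 proto { udp, icmp } from $client to any keep state queue ul_client
pass in  quick on vlan1 proto { udp, icmp } from $client to any
pass out quick on vlan1 proto { udp, icmp } from any     to $client keep state queue dl_client
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then run `pfctl -F state` so that every connection that was previously tracked from a mid-stream packet has to be re-established from a SYN (the flush the reply recommends). Whether the problem is gone can be read from the state-mismatch counter in `pfctl -si`; `pfctl -x misc` makes pf log each packet it drops as bad state to the system log, which shows directly which connections are still being tracked without their window-scale factor.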