Thread: Re: kern/121668: connect randomly fails with EPERM with some pf rules




Re: kern/121668: connect randomly fails with EPERM with some pf rules
2008-03-13 18:30:03
The following reply was made to PR kern/121668; it has been noted by GNATS.

From: Laurent Frigault <lfrigault@agneau.org>
To: Max Laier <max@love2party.net>
Cc: bug-followup@freebsd.org
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules
Date: Fri, 14 Mar 2008 00:20:00 +0100

On Thu, Mar 13, 2008 at 08:26:39PM +0100, Max Laier wrote:
> > sysctl net.inet.tcp.nolocaltimewait=1
> > not needed, but helps to reproduce the problem with client and server
> > on the same computer.
> 
> Okay, now this is just asking for trouble.  pf does thorough checks on TCP
> states, one of which is to enforce the 2MSL quiet time before port reuse.
> If you set the above sysctl you specifically ask FreeBSD to break that rule
> and thus cause pf to bark.

The nolocaltimewait=1 was only to help to reproduce the problem.

> You can also hit the issue if you have a large number of (consecutive)
> connections between two hosts (e.g. [poorly configured] squid ->
> www-backends, mysql, ...).  The solution is to:

I discovered this problem with connections between CGI scripts and a mysql
server.

>  1) Reduce the connection spree and use one permanent connection

Not always possible with CGI.

>  2) Increase the ephemeral port range net.inet.ip.portrange.hi{first,last}

Interesting point. Lowering first seems to help. Disabling
net.inet.ip.portrange.randomized helps a lot too.

>  3) Decrease the pf state timeout tcp.{closing,closed} in order to relax
>  the check.  You can do this globally and on a per-rule basis.

I've set closed to 1 and closing to 30.

That helps too.

It does not seem possible to set tcp.closed to 0 on a per-rule basis:
This is accepted:
pass out quick on lo0 proto tcp from any to any port 9 flags S/SA keep state ( tcp.closing 30 , tcp.closed 0 )

But pfctl -srules -vvv prints:
@0 pass out quick on lo0 proto tcp from any to any port = discard flags S/SA keep state (tcp.closing 30)
  [ Evaluations: 1         Packets: 0         Bytes: 0         States: 0     ]
  [ Inserted: uid 0 pid 51151 ]

The tcp.closed seems to be ignored.

It works with tcp.closed set to 1.

Regards,
-- 
Laurent Frigault | <url:http://www.agneau.org/>

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
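The exchange above boils down to a collision between the kernel's ephemeral port allocator and pf's 2MSL quiet-time check: a new outbound connection picks a source port whose previous state is still in pf's table, pf refuses the SYN, and connect(2) returns EPERM. The simulation below is an added illustration, not code from the PR or from any of the posts. It models a port as "held" for a number of subsequent connections (connection rate times the tcp.closed timeout, an approximation of this example, not pf's real logic) and counts how often a new connection lands on a held port under the settings discussed here: the default range with randomized allocation, the same range with sequential allocation (net.inet.ip.portrange.randomized=0), a widened range (Max's point 2), and a relaxed tcp.closed of 1 second (Max's point 3, as Laurent set it). All port ranges, rates and timeouts are constructed values.

```python
import random


def simulate_port_reuse(first, last, connections, hold, randomized, seed=1):
    """Count connections that would pick a port whose previous pf state is
    still in the state table.

    Model (an assumption of this example, not pf's implementation): every
    outbound connection takes an ephemeral port in [first, last]; a port is
    "held" for `hold` further connections after the one that used it, i.e.
    hold ~= connection rate * tcp.closed timeout.  Landing on a held port is
    the situation in which pf drops the SYN and connect(2) fails with EPERM.
    """
    rng = random.Random(seed)      # fixed seed so runs are reproducible
    size = last - first + 1
    last_use = {}                  # port -> index of the connection that used it
    collisions = 0
    cursor = first                 # next port for sequential allocation
    for i in range(connections):
        if randomized:
            port = first + rng.randrange(size)
        else:
            port = cursor
            cursor = first + (cursor - first + 1) % size
        prev = last_use.get(port)
        if prev is not None and i - prev <= hold:
            collisions += 1
        last_use[port] = i
    return collisions


def compare_settings(connections=20000, rate=100, tcp_closed=90):
    """Run the constructed scenarios from the thread and return collision
    counts keyed by scenario name.  rate is connections per second; tcp_closed
    is the pf timeout in seconds (90 s is the assumed baseline here)."""
    hold = rate * tcp_closed       # states still in the table when a port is reused
    default_range = (49152, 65535)   # assumed default ephemeral range
    wide_range = (10000, 65535)      # net.inet.ip.portrange.first lowered
    return {
        "default range, randomized":
            simulate_port_reuse(*default_range, connections, hold, True),
        "default range, sequential":
            simulate_port_reuse(*default_range, connections, hold, False),
        "wider range, randomized":
            simulate_port_reuse(*wide_range, connections, hold, True),
        "tcp.closed 1, randomized":
            simulate_port_reuse(*default_range, connections, rate * 1, True),
    }


if __name__ == "__main__":
    for name, hits in compare_settings().items():
        print(f"{name:32s} {hits:6d} refused connects (modelled)")
```

Sequential allocation never collides as long as the range is larger than the number of states that can be alive at once, which is why disabling randomization "helps a lot"; random allocation hits a recently used port with probability roughly hold/size per connection, so widening the range or shrinking tcp.closed both cut the rate, but only the timeout change makes the probability small without touching the allocator.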

Re: kern/121668: connect randomly fails with EPERM with some pf rules
2008-03-14 04:02:36
>  It does not seems possible to set tcp.closed to 0 on a per rule basis :
>  This is accepted :
>  pass out quick on lo0 proto tcp from any to any port 9 flags S/SA keep
>  state ( tcp.closing 30 , tcp.closed 0 )
>
>  But pfctl -srules -vvv prints :
>  @0 pass out quick on lo0 proto tcp from any to any port = discard flags
>  S/SA keep state (tcp.closing 30)
>    [ Evaluations: 1         Packets: 0         Bytes: 0         States: 0     ]
>    [ Inserted: uid 0 pid 51151 ]
>
>  the tcp.closed seems to be ignored
>
>  It works with tcp.closed set to 1
>

Why are you filtering on your local IP stack anyway? Filtering on lo0 is
not that common, or at least in my point of view not used often and
presents problems all the way.

Just a random reply to something I feel -strange-.

Thanks,
remko

-- 
/"\   Best regards,                      | remko@FreeBSD.org
\ /   Remko Lodder                       | remko@EFnet
 X    http://www.evilcoder.org/          |
/ \   ASCII Ribbon Campaign              | Against HTML Mail and News



Re: kern/121668: connect randomly fails with EPERM with some pf rules
2008-03-14 16:09:03
On Fri, Mar 14, 2008 at 10:02:36AM +0100, Remko Lodder wrote:

> Why are you filtering on your local IP stack anyway? filtering on lo0
> is not that common, or at least in my point of view not used often and
> presents problems all the way.

I don't. It was just a way to provide a simple case to reproduce the
problem.

I have seen rare cases when filtering local traffic was needed to enforce
multi-jail isolation.

Usually, I just have a stateless quick rule that allows everything on
lo0 at the beginning of the ruleset, before the default "block log quick
all" at the end.

-- 
Laurent Frigault | <url:http://www.agneau.org/>


Re: kern/121668: connect randomly fails with EPERM with some pf rules
2008-03-14 17:32:07
On Fri, Mar 14, 2008 at 2:09 PM, Laurent Frigault <lfrigault@agneau.org> wrote:
> On Fri, Mar 14, 2008 at 10:02:36AM +0100, Remko Lodder wrote:
>
>  > Why are you filtering on your local IP stack anyway? filtering on lo0
>  > is not that common, or at least in my point of view not used often and
>  > presents problems all the way.
>
>  I don't. It was just a way to provide a simple case to reproduce the
>  problem.
>
>  I have seen rare case when filtering local traffic was needed to enforce
>  multi-jail isolations.
>
>  Usualy, I just have a stateless quick rule that allow everything on
>  lo0 at the beginning of the ruleset before the default block log quick
>  all at the end
>

May want to use 'set skip' instead.
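The two configuration-side answers in this thread, shown together in one pf.conf as an added example (not a ruleset from the PR or from any of the posts): `set skip on lo0` in place of the stateless pass rule, and the relaxed tcp.closing/tcp.closed timeouts, both globally and on the one rule that carries the high-churn CGI-to-MySQL traffic. The interface name, addresses and macro names are placeholders.

```pf
# Added example; $ext_if, $webhost and $dbhost are placeholders.
ext_if  = "em0"
webhost = "192.0.2.10"
dbhost  = "192.0.2.20"

# Exclude loopback from filtering altogether (the 'set skip' suggestion).
# Packets on lo0 are never evaluated, so pf keeps no state for them and
# the 2MSL quiet-time check cannot refuse a local client's connect().
set skip on lo0

# Global form of the timeout relaxation: a state that has seen both FINs
# leaves the table before the kernel is likely to reuse its source port.
# tcp.closed 0 is dropped by pfctl (see Laurent's -vvv output), so use 1.
set timeout { tcp.closing 30, tcp.closed 1 }

# Per-rule form: the same relaxation, limited to the connections that
# actually churn. Other rules keep the stricter defaults.
pass out quick on $ext_if proto tcp from $webhost to $dbhost port 3306 \
    flags S/SA keep state (tcp.closing 30, tcp.closed 1)

# Default deny last, as in Laurent's ruleset.
block log quick all
```

`set skip` removes loopback from pf's view entirely, so it is only appropriate where nothing on lo0 needs filtering (the multi-jail isolation case Laurent mentions is exactly where it would not fit). The per-rule form keeps the stricter timeouts everywhere except the rule that needs them relaxed, which is the narrower change of the two.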
