kern/144311: massive ICMP storm on lo0 occurs when using pf(4) 'reply-to'

Yoshiaki Kasahara kasahara at nc.kyushu-u.ac.jp
Fri Feb 26 06:00:12 UTC 2010 

>Number:         144311
>Category:       kern
>Synopsis:       massive ICMP storm on lo0 occurs when using pf(4) 'reply-to'
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 26 06:00:09 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Yoshiaki Kasahara
>Release:        FreeBSD 8.0-STABLE amd64
>Organization:
Kyushu University
>Environment:
System: FreeBSD elvenbow.cc.kyushu-u.ac.jp 8.0-STABLE FreeBSD 8.0-STABLE #1: Fri Feb 19 16:44:40 JST 2010 root at elf2.nc.kyushu-u.ac.jp:/usr/obj/usr/src/sys/GENERIC amd64


	
>Description:

A massive amount of 'ICMP unreachable - fragmentation needed' observed
on lo0 when pf(4) 'reply-to' is used for policy routing, which
degrades the overall performance of the system severely.

I have a web server with two NIC connected to different outgoing
networks.  Each network has a spoof filter, so I need to reply back to
the I/F where the connection came from.

+-----+
|    em0(IP1.IP1.IP1.IP1) -- ISP1(GW1.GW1.GW1.GW1)
|     |
|    em1(IP2.IP2.IP2.IP2) -- ISP2(GW2.GW2.GW2.GW2)
+-----+

So I use pf(4)'s 'reply-to' rule and noticed the symptom.

The simplified pf.conf which show the symptom is as follows (IP
addresses are masked):

-------------
if_isp1="em0"
isp1_router="GW1.GW1.GW1.GW1"
if_isp2="em1"
isp2_router="GW2.GW2.GW2.GW2"

pass in all
pass in reply-to ( $if_isp1 $isp1_router ) from any to $if_isp1
pass in reply-to ( $if_isp2 $isp2_router ) from any to $if_isp2
pass out all
-------------

Then access the web server on IP1 from a client (SIP.SIP.SIP.SIP) and
retrieve a large file such as a picture. While doing so, tcpdump -n -i
lo0 shows a massive amount of ICMP packets flowing like this:

# tcpdump -n -i lo0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
12:53:59.784441 IP 127.0.0.1 > IP1.IP1.IP1.IP1: ICMP SIP.SIP.SIP.SIP unreachable - need to frag (mtu 1500), length 48
12:53:59.784772 IP 127.0.0.1 > IP1.IP1.IP1.IP1: ICMP SIP.SIP.SIP.SIP unreachable - need to frag (mtu 1500), length 48
12:53:59.785001 IP 127.0.0.1 > IP1.IP1.IP1.IP1: ICMP SIP.SIP.SIP.SIP unreachable - need to frag (mtu 1500), length 48
12:53:59.785288 IP 127.0.0.1 > IP1.IP1.IP1.IP1: ICMP SIP.SIP.SIP.SIP unreachable - need to frag (mtu 1500), length 48
12:53:59.785482 IP 127.0.0.1 > IP1.IP1.IP1.IP1: ICMP SIP.SIP.SIP.SIP unreachable - need to frag (mtu 1500), length 48
.....(omit)

The SIP host can retrieve the file, but the throughput is very
poor.

netstat(1) also shows an abnormal number of packet counts (irrelevant
lines removed).

% netstat -ni
Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
em0    1500 <Link#1>      00:1c:c0:fa:c4:6a    79142     0     0    80093     0     0
em0    1500 IP1.IP1.IP1.9 IP1.IP1.IP1.IP1   2090652887     -     -      472     -     -
em1    1500 <Link#2>      00:1b:21:52:52:60   141017     0     0    59392     0     0
em1    1500 IP2.IP2.IP2.0 IP2.IP2.IP2.IP2      83355     -     -    58112     -     -
lo0   16384 <Link#6>                        2090617974     0     0 2090617950     0     0
lo0   16384 127.0.0.0/8   127.0.0.1            35119     -     - 2090610857     -     -

Some hardware combination didn't seem to exhibit the symptom.
Actually I recently replaced the server and suddenly the problem
started to occur.  I examined the old server and noticed that I could
also reproduce the symptom on the old server when I changed the
default route.  Old system runs FreeBSD 8.0R-p1 amd64.

FreeBSD elf2.nc.kyushu-u.ac.jp 8.0-RELEASE-p1 FreeBSD 8.0-RELEASE-p1 #4: Wed Dec 16 15:49:14 JST 2009     root at elvenbow.cc.kyushu-u.ac.jp:/usr/obj/usr/src/sys/GENERIC  amd64

On the old system, msk(4) and vge(4) are used for ISP connections.
Default route to msk(4) is okay, but change it toward vge(4) exhibits
the problem. Exchanging NIC for ISP1 and ISP2 doesn't matter, so it is
more related to hardware (driver?) than network configuration, I
guess.

>How-To-Repeat:

Explained in the Description section.

>Fix:

Unknown.  I don't understand what is the source of these ICMP packets
and why they are generated.
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list