PF from OpenBSD 4.5 available as patch for 8.1-STABLE?

Holger Rauch Holger.Rauch at empic.de
Fri Nov 19 17:09:41 UTC 2010


Rehi,

just in case somebody is interested. I just applied the referenced patch and it applied without any major problems. I only had to remove/add a few #includes manually (due to .rej files). So, I don't suspect any compilation problems. I'm currently waiting for

make buildworld && make buildkernel

to complete. Once it's done, I hope it works without any problems (apart from the known bugs).

Kind regards,

    Holger

________________________________________
From: Holger Rauch
Sent: Friday, November 19, 2010 17:29
To: Russell Cattelan
Cc: freebsd-pf at FreeBSD.org
Subject: RE: PF from OpenBSD 4.5 available as patch for 8.1-STABLE?

Hi Russell,

I'm trying to solve the problem that my rsync/scp tasks stall the involved NICs on the firewall host are saturated. Up to now, I've noticed this saturation only with certain driver/NIC combos and the stalling has only occurred on the target side (i.e. the NIC the data gets transferred to). So, the rsync --bwlimit stuff is really just a "quick hack" in order to prevent that NIC saturation. A still better solution would probably be to use PF queues. But I actually hope to get by without having to do something like this.

I'm wondering anyway why PF doesn't prevent such saturation from happening on its own (without having to introduce queues)?

Thanks for the pointer to the patch. I will ask the author as to whether it can be applied without too much effort against 8.1-STABLE.

Greetings,

    Holger

________________________________________
From: Russell Cattelan [cattelan at thebarn.com]
Sent: Friday, November 19, 2010 17:05
To: Holger Rauch
Cc: freebsd-pf at FreeBSD.org
Subject: Re: PF from OpenBSD 4.5 available as patch for 8.1-STABLE?

I have not looked at this patch but you probably want to look at
http://lists.freebsd.org/pipermail/freebsd-pf/2010-October/005842.html


It is a bit unclear from your post what problem you are trying to solve
here? Limit the bandwidth of your Linux boxes when doing scp/rsync?

-Russell

Holger Rauch wrote:
> Hi,
>
> is there such a patch? The reason why I ask for it is:
>
> I'm currently experiencing saturated network interfaces when using gigabit networking in conjunction with certain Linux driver<->NIC combos for Broadcom chips against the PF version shipped with FreeBSD 8.1 stable running on an HP ProLiant DL 180 G5 server.
>
> The problem only occurs with high throughputs (at least 30 MBytes/sec) caused by scp/rsync. Up to now, I've come across this issue with
>
>   Broadcom Corporation NetLink BCM5787M Gigabit Ethernet PCI Express (rev 02) (tg3 driver in Linux)
>
> and
>
> Broadcom Corporation NetXtreme II BCM5709 Gigabit Ethernet (rev 20)
> (bnx2 driver in Linux; this is used in various HP ProLiant servers)
>
> But it doesn't occur with Intel chips and also not with this chip
>
> Broadcom Corporation NetXtreme BCM5764M Gigabit Ethernet PCIe (rev 10)
> (tg3 driver in Linux). With those NICs I can transfer 50-60 MBytes/sec via scp/rsync without any problem.
>
> I've also tried different Linux kernel versions (2.6.26 and 2.6.32). Didn't make a difference.
>
> On FreeBSD systems, I get around 22 MByte/sec when transferring files via scp. Furthermore, changing the PF rules from "modulate state" to "keep state" has also had a positive impact. I have now worked around the problem by changing all scp based cron jobs to rsync using ssh in conjunction with rsync's --bwlimit option.
>
> Thanks in advance & kind regards,
>
>      Holger
>
>

