From nobody Fri Jul 12 23:43:19 2024 X-Original-To: freebsd-net@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4WLSpZ5vxlz5R3Yl for ; Fri, 12 Jul 2024 23:43:34 +0000 (UTC) (envelope-from asomers@gmail.com) Received: from mail-vs1-f53.google.com (mail-vs1-f53.google.com [209.85.217.53]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "WR4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4WLSpY6Z5Kz4Frw for ; Fri, 12 Jul 2024 23:43:33 +0000 (UTC) (envelope-from asomers@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=freebsd.org (policy=none); spf=pass (mx1.freebsd.org: domain of asomers@gmail.com designates 209.85.217.53 as permitted sender) smtp.mailfrom=asomers@gmail.com Received: by mail-vs1-f53.google.com with SMTP id ada2fe7eead31-48ffceb3fdaso1061941137.0 for ; Fri, 12 Jul 2024 16:43:33 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720827812; x=1721432612; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=oYxhGMTbovOPTI+IjTwRY3uW7+ksgtMAQLwg9kvy3FM=; b=X9LbdxHvqeM+rOcH5+oLJT2GHhwLMlR4BaQ30bSP1IUslWQcurigXadMfk/0b2At03 d9Mb2w+QM0EEorYmQfJH+3lCet0Faxwqa0OHrodtBnYMyjDt9ur41eMdDsL1NsekWoGF vVg6Jy6wIcjHS+u69mqI8S/gwuLc1tzDm/6wbSGpE6yRm0f24fVhdKNwPAwsVoiWTI1k L+YQrJ/BiD8+0v+zzyGB00Dd30OYD9F+pEbJLRKHCtri6yLj5IqaygLHVpC3D6alVUpS jR5/f3xckWTuFfNktH9RFi5tFq9IvPXWOuWqlRLrfJ/Kty+UTXFNgCIYKs/lAKU24Q5s 402Q== X-Gm-Message-State: AOJu0YxvCbm//OmM8BkZycM25BglyDcQATX2nsZEag2dd19/AUDYzabp ll69BU2ah4edvbh5FB6cFpLMELaaR5o27DudbPzYKzaBRFSHFT3sZ0lKeRulfyWaMNIysQnY16q xso1qzLizA8wmAC1nMFC28XaCzTLw3Q== X-Google-Smtp-Source: AGHT+IEF+/FUuomHlZcaUhg05CTX4kqsH27qAI4lW0b3v9B7zc2WOQyeYUa9tawfZA9gRUHs0WUXzHzNepl22OUXvvk= X-Received: by 2002:a05:6102:8012:b0:48f:eb67:9239 with SMTP id ada2fe7eead31-4903220d00emr16426893137.32.1720827811711; Fri, 12 Jul 2024 16:43:31 -0700 (PDT) List-Id: Networking and TCP/IP with FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-net List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-net@FreeBSD.org MIME-Version: 1.0 From: Alan Somers Date: Fri, 12 Jul 2024 17:43:19 -0600 Message-ID: Subject: TCP_RACK, TCP_BBR, and firewalls To: FreeBSD Net Content-Type: text/plain; charset="UTF-8" X-Spamd-Bar: -- X-Spamd-Result: default: False [-2.36 / 15.00]; NEURAL_HAM_LONG(-0.97)[-0.972]; NEURAL_HAM_SHORT(-0.93)[-0.932]; NEURAL_HAM_MEDIUM(-0.56)[-0.557]; FORGED_SENDER(0.30)[asomers@freebsd.org,asomers@gmail.com]; R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17]; MIME_GOOD(-0.10)[text/plain]; DMARC_POLICY_SOFTFAIL(0.10)[freebsd.org : SPF not aligned (relaxed), No valid DKIM,none]; TO_DN_ALL(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; ARC_NA(0.00)[]; RCVD_TLS_LAST(0.00)[]; MIME_TRACE(0.00)[0:+]; RCPT_COUNT_ONE(0.00)[1]; MISSING_XM_UA(0.00)[]; FREEFALL_USER(0.00)[asomers]; FREEMAIL_ENVFROM(0.00)[gmail.com]; MLMMJ_DEST(0.00)[freebsd-net@freebsd.org]; PREVIOUSLY_DELIVERED(0.00)[freebsd-net@freebsd.org]; FROM_NEQ_ENVFROM(0.00)[asomers@freebsd.org,asomers@gmail.com]; RCVD_COUNT_ONE(0.00)[1]; R_DKIM_NA(0.00)[]; RWL_MAILSPIKE_POSSIBLE(0.00)[209.85.217.53:from]; TO_DOM_EQ_FROM_DOM(0.00)[]; ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US]; RCVD_IN_DNSWL_NONE(0.00)[209.85.217.53:from] X-Rspamd-Queue-Id: 4WLSpY6Z5Kz4Frw I've been experimenting with RACK and BBR. In my environment, they can dramatically improve single-stream TCP performance, which is awesome. But pf interferes. I have to disable pf in order for them to work at all. Is this a known limitation? If not, I will experiment some more to determine exactly what aspect of my pf configuration is responsible. If so, can anybody suggest what changes would have to happen to make the two compatible? -Alan