[Bug 209680] ipfw: when enabled, net connections time out/ssh results in "broken pipe"
bugzilla-noreply at freebsd.org
Sat May 21 17:11:22 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209680
Bug ID: 209680
Summary: ipfw: when enabled, net connections time out/ssh
results in "broken pipe"
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: ohartman at zedat.fu-berlin.de
For a couple of weeks now (if not more than a month), I have observed that
when IPFW is enabled (in kernel, no module load!), network performance is
sometimes worse and server/client connections drop erratically (PostgreSQL 9.5,
Apache 2.4 web services, copies of large files (> 200GB; I think it is the time
the copy takes that is relevant, not the size; the connection is 1GBit)
via rsync, and especially ssh connections to remote systems; remote maintenance
has been a nightmare recently).
I'm not deeply in debugging, I observe, and I can give you this information.
The problem occurs on different systems, all in common running most recent
CURRENT (at the moment r300375). The systems do have different x86_amd64
architecture - Core2Duo dual socket XEONs as well as Haswell single socket
XEONs, with different NICs (i210, i219, Broadcom, some Realtek, some Intel em).
Also in common on these systems is the usage of IPFW statically in-kernel. Some
private systems also have libalias/in-kernel-NAT and pppoe, but that doesn't
matter as well as the fact the problems occur with the vanilla ipfw-scripts
delivered with FreeBSD (usage via type WORKSTATION) or with custom ipfw ruleset
scripts.
On an erratic basis, the connection drops or has a kind of hang that lasts for
seconds. This prevents us from uploading large vector maps for GIS applications
into PostgreSQL databases provided by a FBSD server. The connection has
timeouts or drops. A nightmare is the usage of SSH for maintenance. Sometimes
after several seconds after establishing the connection or after 30 minutes and
more the connection dies with a broken pipe (ssh: Fssh_packet_write_wait:
Connection to XXX.XXX.XXX.XXX port 22: Broken pipe).
All of those reported problems do vanish if I disable IPFW via "ipfw disable
firewall".
My in-kernel config for IPFW is (this is the config of a home system, beware
that NAT is not enabled on the servers):
#
# IPFW Firewall
#
options IPFIREWALL # firewall
options IPFIREWALL_VERBOSE # enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=10 #limit verbosity
#options IPFIREWALL_NAT # ipfw kernel nat support
#options LIBALIAS # ipfw kernel nat support
options IPDIVERT # divert sockets
options DUMMYNET # traffic shaper, bandwidth manager and delay emulator
#options HZ=2000 # strongly recommended
#
#options IPFIREWALL_DEFAULT_TO_ACCEPT # allow everything by default