pf reply-to malfunction after r258468 (seems r258479)
Vladimir Sharun
atz at ukr.net
Tue Dec 3 10:31:03 UTC 2013
I have a test setup with direct internet connection Reail_IP_A and netgraph tunnel with Real_IP_B.
I have used a reply-to pf ruleset to sent all the traffic back via tunnel, if
it came via tunnel:
pass in quick on $tunnel_if reply-to ($tunnel_if 10.1.0.1) \
proto tcp from any to Real_IP_B port 443
And it works at least in r258468. After harware change/reboot yesterday I got strange performance
via netgraph tunnel. Investigation shows clear: this is not tunnel itself, because endpoint can
saturate wire speed, but when we run routable schema we got very low throughput. Deeper analyzing
shows packet duplication from reply-to, looks like that:
09:36:59.576405 IP Real_IP_B.443 > Testbed.43775: Flags [.], seq 523587:525035, ack 850, win 1040, options [nop,nop,TS val 3415853201 ecr 44833816], length 1448
09:36:59.576413 IP Real_IP_B.443 > Testbed.43775: Flags [.], seq 523587:525035, ack 850, win 1040, options [nop,nop,TS val 3415853201 ecr 44833816], length 1448
09:36:59.577583 IP Testbed.43775 > Real_IP_B.443: Flags [.], ack 525035, win 1018, options [nop,nop,TS val 44834046 ecr 3415853201], length 0
09:36:59.577713 IP Testbed.43775 > Real_IP_B.443: Flags [.], ack 525035, win 1040, options [nop,nop,TS val 44834046 ecr 3415853201], length 0
More information about the freebsd-current
mailing list