pf and mxge

ben wilber ben at
Fri Aug 29 10:54:28 UTC 2008


I'm trying to use PF on a machine with an mxge(4) interface and am
having some difficulty.  With my ruleset loaded, any TCP session that
gets a state grinds to a halt.

For example, I can log in via SSH and issue commands that return a
couple lines, but the output from a command like dmesg(8) comes very
slowly and sometimes won't finish before SSH times out.  MTU on the
interface is 1500 bytes.  This doesn't happen unless states are created
(e.g., not with "pass no state").

The machine is running -CURRENT for amd64 as of Jul 18th compiled with
ALTQ, crypto and IPSEC, HZ=1000 and DEVICE_POLLING (though not enabled).
IP and IPv6 forwarding are enabled, as well as fastforwarding.  Only
filtering; no bridges, ALTQ, NAT or scrubbing.

Any insight?


