kern/121668: connect randomly fails with EPERM with some pf rules
Laurent Frigault
lfrigault at agneau.org
Thu Mar 13 23:30:03 UTC 2008
The following reply was made to PR kern/121668; it has been noted by GNATS.
From: Laurent Frigault <lfrigault at agneau.org>
To: Max Laier <max at love2party.net>
Cc: bug-followup at freebsd.org
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules
Date: Fri, 14 Mar 2008 00:20:00 +0100
On Thu, Mar 13, 2008 at 08:26:39PM +0100, Max Laier wrote:
> > sysctl net.inet.tcp.nolocaltimewait=1
> > not needed, but helps to reproduce the problem with client and server
> > on the same computer.
>
> Okay, now this is just asking for trouble. pf does thorough checks on TCP
> states, one of which is to enforce the 2MSL quiet time before port reuse.
> If you set above sysctl you specifically ask FreeBSD to break that rule and
> thus cause pf to bark.
The nolocaltimewait=1 was only to help to reproduce the problem.
> You can also hit the issue if you have a large number of (consecutive)
> connections between two hosts (e.g. [poorly configured] squid ->
> www-backends, mysql, ...). The solution is to:
I discovered this problem with connections between CGI scripts and a mysql
server.
> 1) Reduce the connection spree and use one permanent connection
Not always possible with CGI.
> 2) Increase the ephemeral port range net.inet.ip.portrange.hi{first,last}
Interesting point. Lowering first seems to help. Disabling
net.inet.ip.portrange.randomized helps a lot too.
> 3) Decrease the pf state timeout tcp.{closing,closed} in order to relax
> the check. You can do this globally and on a per-rule basis.
I've set closed to 1 and closing to 30.
That helps too.
It does not seem possible to set tcp.closed to 0 on a per-rule basis:
This is accepted:
pass out quick on lo0 proto tcp from any to any port 9 flags S/SA keep state ( tcp.closing 30 , tcp.closed 0 )
But pfctl -srules -vvv prints:
@0 pass out quick on lo0 proto tcp from any to any port = discard flags
S/SA keep state (tcp.closing 30)
[ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 51151 ]
The tcp.closed seems to be ignored.
It works with tcp.closed set to 1.
Regards,
--
Laurent Frigault | <url:http://www.agneau.org/>
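The thread above explains the failure qualitatively: pf keeps a state for a closed TCP 4-tuple until its tcp.closing/tcp.closed timeouts expire, and a new SYN that lands on the same 4-tuple while that state is still held is refused, which the client sees as connect() failing with EPERM. The following model is an added illustration, not code from the PR or from pf itself; it simulates short-lived connections from one client to one server, counts refused attempts, and shows why a small ephemeral range, randomized port selection and long closed-state timeouts make the problem worse. Time is measured in connection attempts, so `hold_ticks` corresponds to timeout_seconds * connections_per_second; the port counts and timeouts used are assumptions chosen for illustration, and the refusal rule is a simplification of pf's state checks.

```python
"""Added model (not from the PR thread or from pf): port reuse versus a
firewall that still holds the state of the previous connection.

Assumptions (illustrative, not measured):
  - every connection closes immediately after it is opened (CGI -> mysql style),
  - the firewall keeps the dead state for `hold_ticks` further attempts,
  - a new SYN on a 4-tuple whose old state is still held is refused and
    creates no new state (the client sees connect() fail with EPERM).
"""
import random


def simulate(port_count, hold_ticks, attempts, randomized, seed=1):
    """Return the number of refused connection attempts.

    port_count: size of the ephemeral range (hilast - hifirst + 1)
    hold_ticks: how long the dead state is kept, in connection attempts
    attempts:   number of connect() calls to simulate
    randomized: True mimics net.inet.ip.portrange.randomized=1,
                False mimics sequential port allocation
    """
    rng = random.Random(seed)          # fixed seed: runs are reproducible
    last_state = {}                    # port -> tick at which its state was created
    next_port = 0
    refused = 0
    for tick in range(attempts):
        if randomized:
            port = rng.randrange(port_count)
        else:
            port = next_port
            next_port = (next_port + 1) % port_count
        prev = last_state.get(port)
        if prev is not None and tick - prev <= hold_ticks:
            # Old state for this 4-tuple is still held: SYN refused, no new state.
            refused += 1
            continue
        last_state[port] = tick        # fresh state for this connection
    return refused


def compare(port_count, hold_ticks, attempts):
    """Refused attempts for sequential versus randomized allocation."""
    return {
        "sequential": simulate(port_count, hold_ticks, attempts, False),
        "randomized": simulate(port_count, hold_ticks, attempts, True),
    }


if __name__ == "__main__":
    attempts = 2000
    print("ports hold  sequential randomized")
    for ports, hold in [(100, 200), (1000, 200), (1000, 0), (50000, 200)]:
        r = compare(ports, hold, attempts)
        print(f"{ports:5d} {hold:4d} {r['sequential']:10d} {r['randomized']:10d}")
```

With a 1000-port range and a state held for 200 attempts, sequential allocation never revisits a port before its state has expired, so nothing is refused, while randomized allocation keeps landing on recently used ports; this is the effect behind "lowering first seems to help" and "disabling randomized helps a lot too". Setting the hold to zero (the equivalent of a very short tcp.closed) removes the refusals in either mode, matching the third workaround in the thread.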