PF + BRIDGE + PFSYNC causes system freezing

kevin k at kevinkevin.com
Wed Mar 17 14:41:50 UTC 2010


>>What are your settings for
>>
>>  $ sysctl -a | grep bridge.pfil

>#bridge options
>net.link.bridge.pfil_onlyip=1
>net.link.bridge.pfil_member=1
>net.link.bridge.pfil_bridge=0

>> Have you tried filtering only on one of the physical bridge interfaces,
>> with net.link.bridge.pfil_bridge=0 and set skip on { lo0, bridge0, em1}?

>I've only been filtering on one of the bridge interfaces, however I have
>not 'set skip on' the other interfaces. I will try that.


I have 'set skip' all interfaces except one of the bridged ones (em0), in
pf.conf.

Interesting symptom currently is that the load on both servers is quite high
considering they are just virtual machines that aren't actually doing
anything:

[server1]
last pid:  1176;  load averages:  2.66,  3.01,  2.87    up 0+00:36:26  10:34:24
22 processes:  1 running, 21 sleeping
CPU:     % user,     % nice,     % system,     % interrupt,     % idle
Mem: 8140K Active, 9400K Inact, 27M Wired, 34M Buf, 195M Free
Swap: 120M Total, 120M Free


[server2]
last pid:  1116;  load averages:  8.50, 10.11,  8.66    up 0+00:39:35  10:37:46
22 processes:  2 running, 20 sleeping
CPU:  0.0% user,  0.0% nice, 95.2% system,  4.8% interrupt,  0.0% idle
Mem: 8116K Active, 9560K Inact, 16M Wired, 8K Cache, 34M Buf, 205M Free
Swap: 120M Total, 120M Free


I decided to ping the pfsync0 interface from server 1 > server 2:

# ping 10.0.0.11
PING 10.0.0.11 (10.0.0.11): 56 data bytes
64 bytes from 10.0.0.11: icmp_seq=3 ttl=64 time=91.159 ms
64 bytes from 10.0.0.11: icmp_seq=3 ttl=64 time=114.017 ms (DUP!)
64 bytes from 10.0.0.11: icmp_seq=4 ttl=64 time=206.446 ms
64 bytes from 10.0.0.11: icmp_seq=5 ttl=64 time=92.209 ms
64 bytes from 10.0.0.11: icmp_seq=5 ttl=64 time=181.774 ms (DUP!)
64 bytes from 10.0.0.11: icmp_seq=5 ttl=64 time=363.855 ms (DUP!)
^C
--- 10.0.0.11 ping statistics ---
9 packets transmitted, 3 packets received, +3 duplicates, 66.7% packet loss
round-trip min/avg/max/stddev = 91.159/174.910/363.855/95.135 ms



If there's anything else I could check, suggestions are welcome.


Thanks,

Kevin K.



