Best practice for virtualized pf based NAT router?

Kristof Provost kp at FreeBSD.org
Tue Oct 4 11:17:41 UTC 2016


On 4 Oct 2016, at 13:02, Trond Endrestøl wrote:
> On Tue, 4 Oct 2016 12:19+0200, Kristof Provost wrote:
>> ifconfig xn0 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso6 -tso4 -lro (and the same
>> for xn1).
>
> That made all the difference. Thank you.
>
Bah. I was hoping I’d put that bug to rest.

>> If that makes a difference I’d be very interested in both network captures and
>> further debugging.
>
> I'm pretty sure you meant if your proposed changes _don't_ make any
> difference, but if you want network captures, etc, I'm sure I can
> arrange it.
>
No, I meant if this helped. It means that a bug I thought was fully 
fixed is still there.

The fix was done in r289316:

     pf: Fix TSO issues

     In certain configurations (mostly but not exclusively as a VM on Xen) pf
     produced packets with an invalid TCP checksum.

     The problem was that pf could only handle packets with a full checksum. The
     FreeBSD IP stack produces TCP packets with a pseudo-header checksum (only
     addresses, length and protocol).
     Certain network interfaces expect to see the pseudo-header checksum, so they
     end up producing packets with invalid checksums.

     To fix this stop calculating the full checksum and teach pf to only update TCP
     checksums if TSO is disabled or the change affects the pseudo-header checksum.

     PR:             154428, 193579, 198868
     Relnotes:       yes
     Sponsored by:   RootBSD


It’s great that you’ve got a workaround, but the problem should be 
completely gone, and it’s clearly not.

If you’re willing to spend a bit more time on this I’d like to dig 
into it a bit, and try to find out what I missed.

Let’s start by looking at the network capture (with the offloads 
turned back on, so we can reproduce the problem).
I expect we’ll see incorrect TCP checksums, which is the cause of your 
bad performance.

It’s slightly surprising that it only happens in the forwarding path, 
but at least that’s something to go on.

Regards,
Kristof
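
An added example, not part of the original message and not FreeBSD's pf code: a small C model of the two checksum conventions the commit message describes, showing that a NAT rewrite must fold only the address change into the checksum field when that field holds the pseudo-header sum. The function names, addresses and the 24-byte segment are constructed for illustration, and an even segment length is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Fold a 32-bit accumulator into a 16-bit ones'-complement sum. */
static uint16_t fold(uint32_t s) {
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
/* Pseudo-header sum only: addresses, protocol 6 (TCP), TCP length. Not inverted. */
uint16_t pseudo_sum(uint32_t src, uint32_t dst, uint16_t len) {
    return fold((src >> 16) + (src & 0xffff) + (dst >> 16) + (dst & 0xffff) + 6 + len);
}
/* Ones'-complement sum of the segment (even length assumed), starting from seed. */
static uint16_t seg_sum(const uint8_t *seg, size_t len, uint32_t seed) {
    for (size_t i = 0; i + 1 < len; i += 2) seed += get16(seg + i);
    return fold(seed);
}
/* Software path: full checksum; the checksum field (offset 16) must be 0. */
uint16_t full_cksum(uint32_t src, uint32_t dst, const uint8_t *seg, size_t len) {
    return (uint16_t)~seg_sum(seg, len, pseudo_sum(src, dst, (uint16_t)len));
}
/* Offload path: the NIC sums the segment, whose checksum field already holds
 * the pseudo-header sum, inverts the result and writes it back. */
uint16_t nic_finish(uint8_t *seg, size_t len) {
    put16(seg + 16, (uint16_t)~seg_sum(seg, len, 0));
    return get16(seg + 16);
}
/* RFC 1624 eqn. 3: update an inverted checksum when one 16-bit word changes. */
static uint16_t fixup(uint16_t ck, uint16_t old, uint16_t nw) {
    return (uint16_t)~fold((uint32_t)(uint16_t)~ck + (uint16_t)~old + nw);
}
/* Source NAT. partial != 0: the field holds only the pseudo-header sum. */
void nat_src(uint8_t *seg, uint32_t osrc, uint32_t nsrc, uint16_t nport, int partial) {
    uint16_t ck = get16(seg + 16);
    if (partial) ck = (uint16_t)~ck;                 /* view the sum as inverted */
    ck = fixup(ck, (uint16_t)(osrc >> 16), (uint16_t)(nsrc >> 16));
    ck = fixup(ck, (uint16_t)osrc, (uint16_t)nsrc);
    if (!partial) ck = fixup(ck, get16(seg), nport); /* ports: full checksum only */
    if (partial) ck = (uint16_t)~ck;
    put16(seg, nport);
    put16(seg + 16, ck);
}
int main(void) {  /* constructed segment: 20-byte TCP header plus "ping" */
    uint8_t seg[24] = {0x9c,0x40,0x01,0xbb,0,0,0,1,0,0,0,0,0x50,0x18,0x10,0,0,0,0,0,'p','i','n','g'};
    put16(seg + 16, pseudo_sum(0xC0A8010A, 0xC6336407, 24));
    nat_src(seg, 0xC0A8010A, 0xCB007105, 50001, 1);
    printf("on-wire checksum after NAT + NIC: 0x%04x\n", nic_finish(seg, 24));
    return 0;
}
```

Calling `nat_src` with `partial = 0` on a segment that actually carries a pseudo-header sum leaves the NIC to produce a checksum the receiver rejects, which is the kind of mismatch a capture taken with the offloads enabled would show.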

