PF + BRIDGE + PFSYNC causes system freezing
kevin
k at kevinkevin.com
Tue Mar 16 19:20:04 UTC 2010
I have been experiencing this problem with two FreeBSD firewall
implementations running pf + transparent bridging + pfsync between both
boxes.
Today, in an effort to narrow down and troubleshoot the issue further, I
decided to build two FreeBSD 7.2-RELEASE implementations using VirtualBox.
Each box was allocated 256 MB RAM, 3 NICs (internal network only) and a 4 GB
hard drive. I compiled PF/ALTQ/MROUTING into the kernel and installed it. No
other fundamental modifications were made.
The intent is to reproduce the problem in a controlled environment and
provide any information to @freebsd.org if requested.
Here is the pertinent information below. Note that both boxes are identical:
[UNAME]
# uname -a
FreeBSD fw 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Tue Mar 16 13:18:05 UTC 2010
root@:/usr/obj/usr/src/sys/FW i386
[IFCONFIG]
# ifconfig
em0: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:91:2d:fd
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
em1: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:c7:3f:6b
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:de:66:c6
        inet 10.0.0.10 netmask 0xffffff00 broadcast 10.0.0.255
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
        pfsync: syncdev: em2 syncpeer: 10.0.0.11 maxupd: 128
bridge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 1e:29:e0:82:6e:d6
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000
[KERNEL OPTIONS]
# Multicast routing support
options MROUTING
# PF Firewall
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ # Class Bases Queuing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
options ALTQ_NOPCC # Required for SMP build
[RC.CONF]
keymap="us.iso"
hostname="fw"
gateway_enable="YES"
sshd_enable="YES"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 addm em1 up"
ifconfig_em0="up"
ifconfig_em1="up"
ifconfig_em2="inet 10.0.0.10 netmask 255.255.255.0"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
pfsync_enable="YES"
pfsync_syncdev="em2"
ifconfig_pfsync0="up syncpeer 10.0.0.11 syncif em2"
[PF.CONF]
# macros
ext_if="em0"
int_if="em1"
mng_if="em2"
tcp_services="{ 22, 113, 53, 80 }"
icmp_types="echoreq"
# options
set block-policy return
set loginterface $ext_if
set skip on lo
# scrub
scrub in all random-id fragment reassemble
scrub out on $ext_if random-id
# filter rules
pass in quick
pass out quick
pass quick on $mng_if proto pfsync
Note the only difference in config is the IP address of the pfsync
interface. When both boxes are on, one or both of them start to really slow
down and ultimately freeze. No messages are posted on the console and
/var/log/messages is inaccessible during this point.
I would like to assist in diagnosing this issue, so if anyone wants me to
check anything or test, please let me know. I would really like to
understand this problem.
Thanks,
Kevin K.
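One thing the posted pf.conf invites a second look at, independent of the freeze: pf stops evaluating at the first matching rule marked quick, and both `pass in quick` and `pass out quick` carry no criteria at all, so the `pass quick on $mng_if proto pfsync` rule below them is never evaluated in either direction. That is harmless while every rule passes, but it becomes a real problem the moment block rules are added later. The following script is an added example, not Kevin's code or anything from the FreeBSD project: it parses a small pf.conf subset (macros, `set`/`scrub` lines, and `pass`/`block`/`match` filter rules), expands `$macro` references, and reports filter rules that an earlier unconditional quick rule makes unreachable. The embedded ruleset is a constructed copy of the one in the post; the parser only understands the `in`/`out`/`quick`/`log`/`all` keywords and treats any other token as a match criterion, which is an assumption that is fine for this ruleset but not a full pf grammar.

```python
"""Report pf.conf filter rules shadowed by an earlier unconditional quick rule.

pf semantics used here: rules are evaluated top to bottom; a rule with
'quick' that matches ends evaluation. A pass/block rule with no criteria
(no 'on', 'proto', 'from', 'to', ...) matches every packet in its
direction(s), so any later rule for those directions can never be reached.
"""
import re
from typing import Dict, List, Optional

# Constructed copy of the pf.conf from the post above (rules are the page's;
# the analysis is an added example).
PF_CONF = """\
ext_if="em0"
int_if="em1"
mng_if="em2"
tcp_services="{ 22, 113, 53, 80 }"
icmp_types="echoreq"
set block-policy return
set loginterface $ext_if
set skip on lo
scrub in all random-id fragment reassemble
scrub out on $ext_if random-id
pass in quick
pass out quick
pass quick on $mng_if proto pfsync
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')
ACTIONS = ("pass", "block", "match")
# Keywords that do not restrict what a rule matches ('all' means any to any).
MODIFIERS = {"in", "out", "quick", "log", "all"}


def expand(text: str, macros: Dict[str, str]) -> str:
    """Replace $name references with their macro values (unknown names kept)."""
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), text)


def parse_rules(conf: str) -> List[dict]:
    """Return the filter rules of a pf.conf as dicts, in evaluation order."""
    macros: Dict[str, str] = {}
    rules: List[dict] = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        tokens = expand(line, macros).split()
        if tokens[0] not in ACTIONS:
            continue                              # set/scrub/nat/... are not filter rules
        direction: Optional[str] = None
        for t in tokens[1:]:
            if t in ("in", "out"):
                direction = t
        criteria = [t for t in tokens[1:] if t not in MODIFIERS]
        rules.append({
            "line": lineno,
            "text": " ".join(tokens),
            "direction": direction,               # None means both directions
            "quick": "quick" in tokens[1:],
            "unconditional": not criteria,        # matches every packet
        })
    return rules


def find_unreachable(rules: List[dict]) -> List[dict]:
    """Rules whose direction(s) are already fully covered by earlier quick rules."""
    covered = set()
    unreachable = []
    for r in rules:
        dirs = {r["direction"]} if r["direction"] else {"in", "out"}
        if dirs <= covered:
            unreachable.append(r)
        elif r["quick"] and r["unconditional"]:
            covered |= dirs                       # evaluation ends here for these directions
    return unreachable


def report(conf: str) -> List[str]:
    """Human-readable findings, one string per shadowed rule."""
    return [f"line {r['line']}: '{r['text']}' is never evaluated "
            f"(an earlier unconditional quick rule matches first)"
            for r in find_unreachable(parse_rules(conf))]


if __name__ == "__main__":
    for finding in report(PF_CONF) or ["no shadowed filter rules"]:
        print(finding)
```

Point the `report` function at a real ruleset (`report(open("/etc/pf.conf").read())`) to run the same check on a box; `pfctl -vnf /etc/pf.conf` will happily load a ruleset with shadowed rules, since pf does not consider that an error.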