The one thing you're doing that stands out as different to the various similar systems I have (which don't have a problem) is bridging. Is there any possibility of trying it without the bridge?
I don't know if it will show anything useful, but what do you see in the way of livelocks in 'systat mbuf'? If it's non-trivial I wonder if the leak could be associated with that..

systat mbuf
IFACE  LIVELOCKS  SIZE  ALIVE  LWM  HWM  CWM
vr0           48    2k     14    2   63   14
vr1            2    2k      8    2   63    8

systat pool
NAME   SIZE  REQUESTS  FAIL  INUSE  PGREQ  PGREL  NPAGE  HIWAT
mcl2k  2048  22210954     0     35    165      0    165    165

On 2010/05/19 01:47, Chris Bayly wrote:
> >Number:         6380
> >Category:       kernel
> >Synopsis:       mbuf memory leak on Alix 3d3 in network stack
> >Confidential:   yes
> >Severity:       serious
> >Priority:       medium
> >Responsible:    bugs
> >State:          open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class:          sw-bug
> >Submitter-Id:   unknown
> >Arrival-Date:   Wed May 19 08:00:01 GMT 2010
> >Closed-Date:
> >Last-Modified:
> >Originator:
> >Release:
> >Organization:
> >Environment:
>         System      : OpenBSD 4.7
>         Details     : OpenBSD 4.7 (GENERIC) #556: Tue Mar 9 09:46:59 MST 2010
>
>                       [email protected]:/usr/src/sys/arch/i386/compile/GENERIC
>
>         Architecture: OpenBSD.i386
>         Machine     : i386
> >Description:
> I have an Alix 3d3 (i386) that appears to be leaking memory somewhere
> inside of the network stack. I originally noticed this with
> 4.6-Stable, and have run various snapshots through the 4.6 and 4.7
> series. I believe I see the same behaviour with a May snapshot and
> haven't found any changelogs that would seem to jive with what I'm
> seeing. Can't replace the firewall with a newer snapshot for a few days,
> but if it would be useful I will add info into this PR.
>
> The basic issue is that over a period of time the firewall becomes
> non-responsive. From all appearances it seems that it is leaking
> mbufs (mcl2k to be specific). I can increase the time it takes to
> fail by jacking kern.maxclusters up absurdly high (128000 as evidenced
> below).
>
> The basic setup on the firewall is that there are three
> interfaces. vr0 - vr2.
>
> vr0 - is the inside interface for the nat'ed machines 192.168.2.1,
> standard home firewall type stuff
>
> vr1 - is connected to a non-natted server and bridged to vr2 this
> allows me to filter traffic to my internet facing server.
>
> vr2 - The outside interface that gets an IP from my ISP
>
>
> Things that I've tried to mitigate the leak to no end are:
>
> - Removing altq queueing.
>
> - removing spamd-setup loads (having issues with 4.7 and pf running
> out of memory on the loads, but I'm not sure that's related)
>
> - Varying the amount of traffic through the interfaces & pf. This
> *might* have some correlation to the rate on the leak, (more
> packets/sec over time might make it leak a BIT faster), but it's
> non-linear. It seems to leak *almost* as fast just watching the
> ARP's go by from my ISP as if I'm driving > 1.5MB/sec for hours.
>
> - Disabling PF (pfctl -F all ; pfctl -d). This DOES appear to slow
> down the leak, but again doesn't seem to make it completely go away.
> The peak allocated in a "netstat -m" still seems to go up, but at a
> much slower rate.
>
> As for other processes running, I've got a named hosting the forward
> and reverse for the inside of my natted network, a dhcpd running to
> the inside with nothing abnormal in it (tie some mac's to some IP's,
> set the PXE filenames for a few hosts, etc). I'm also running a
> dhclient on the egress interface, and an snmpd listening on the inside
> interface.
>
> My PF setup is included below, and has some strings replaced to clear
> specific IP's.
>
> And if you're still reading this far down and have any ideas as to how
> I should go about debugging from here I'd love to hear about it. My
> google-fu has failed, and not being familiar enough with the source
> I'm not even sure where to start tracking who is allocating the
> mbufs. At this point I'd be happy just to find something that makes
> the leak change (for better or for worse), or pointers to more
> instrumentation for tracking who's alloc'ing the mbufs.
>
> After 5 hours and 41 minutes after boot this same machine had
> a peak of 2388 mbufs allocated according to netstat -m
>
>
> # pfctl -s info
> Status: Enabled for 0 days 00:42:36           Debug: err
>
> Interface Stats for vr2               IPv4             IPv6
>   Bytes In                       301244350                0
>   Bytes Out                        7065212                0
>   Packets In
>     Passed                          221503                0
>     Blocked                             85                0
>   Packets Out
>     Passed                          117113                0
>     Blocked                              0                0
>
> State Table                          Total             Rate
>   current entries                       98
>   searches                          687825          269.1/s
>   inserts                             4834            1.9/s
>   removals                            5006            2.0/s
> Counters
>   match                               5153            2.0/s
>   bad-offset                             0            0.0/s
>   fragment                               0            0.0/s
>   short                                  0            0.0/s
>   normalize                              0            0.0/s
>   memory                                 0            0.0/s
>   bad-timestamp                          0            0.0/s
>   congestion                             0            0.0/s
>   ip-option                              0            0.0/s
>   proto-cksum                            0            0.0/s
>   state-mismatch                         0            0.0/s
>   state-insert                           0            0.0/s
>   state-limit                            0            0.0/s
>   src-limit                              0            0.0/s
>   synproxy                               0            0.0/s
>
>
> # ifconfig -a
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
>         priority: 0
>         groups: lo
>         inet 127.0.0.1 netmask 0xff000000
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
> vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:0d:b9:1a:a3:e8
>         priority: 0
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
>         inet6 fe80::20d:b9ff:fe1a:a3e8%vr0 prefixlen 64 scopeid 0x1
> vr1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:0d:b9:1a:a3:e9
>         priority: 0
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 10.0.20.1 netmask 0xffffff00 broadcast 10.0.20.255
>         inet6 fe80::20d:b9ff:fe1a:a3e9%vr1 prefixlen 64 scopeid 0x2
> vr2: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:0d:b9:19:3d:4e
>         priority: 0
>         groups: egress
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet6 fe80::20d:b9ff:fe19:3d4e%vr2 prefixlen 64 scopeid 0x3
>         inet 174.d.e.f netmask 0xfffffc00 broadcast 255.255.255.255
> enc0: flags=0<> mtu 1536
>         priority: 0
> bridge0: flags=41<UP,RUNNING>
>         groups: bridge
>         priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
>         vr1 flags=3<LEARNING,DISCOVER>
>                 port 2 ifpriority 0 ifcost 0
>         vr2 flags=3<LEARNING,DISCOVER>
>                 port 3 ifpriority 0 ifcost 0
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
>         priority: 0
>         groups: pflog
>
>
> # netstat -m
> 3771 mbufs in use:
>         3761 mbufs allocated to data
>         2 mbufs allocated to packet headers
>         8 mbufs allocated to socket names and addresses
> 1894/1906/128000 mbuf 2048 byte clusters in use (current/peak/max)
> 0/8/128000 mbuf 4096 byte clusters in use (current/peak/max)
> 0/8/128000 mbuf 8192 byte clusters in use (current/peak/max)
> 0/8/128000 mbuf 9216 byte clusters in use (current/peak/max)
> 0/8/128000 mbuf 12288 byte clusters in use (current/peak/max)
> 0/8/128000 mbuf 16384 byte clusters in use (current/peak/max)
> 0/8/128000 mbuf 65536 byte clusters in use (current/peak/max)
> 4956 Kbytes allocated to network (95% in use)
> 0 requests for memory denied
> 0 requests for memory delayed
> 0 calls to protocol drain routines
>
> # vmstat -m
> Memory statistics by bucket size
>     Size   In Use   Free   Requests  HighWater  Couldfree
>       16      907    373     208862       1280          0
>       32      484    284      18450        640          0
>       64     2459    101       3416        320          0
>      128      236     52       2253        160          0
>      256      161    191       8588         80         99
>      512      158     26      21272         40          0
>     1024      263      5        474         20          0
>     2048       12      4        131         10          0
>     4096       12      7        491          5         29
>     8192        6      1        201          5          0
>    16384        5      0         29          5          0
>    32768        9      0         10          5          0
>
> Memory usage type by bucket size
>     Size  Type(s)
>       16  devbuf, pcb, routetbl, sysctl, dirhash, in_multi, exec, xform_data,
>           VM swap, UVM amap, UVM aobj, USB, USB device, packet tags, temp
>       32  devbuf, pcb, routetbl, ifaddr, sem, dirhash, proc, VFS cluster,
>           in_multi, ether_multi, xform_data, VM swap, UVM amap, USB,
>           crypto data, temp
>       64  devbuf, pcb, routetbl, vnodes, UFS mount, sem, dirhash, NFS srvsock,
>           in_multi, pfkey data, UVM amap, USB, USB device, memdesc, NDP, temp
>      128  devbuf, routetbl, ifaddr, sysctl, vnodes, dirhash, ttys, UVM amap,
>           USB, USB device, NDP, temp
>      256  devbuf, routetbl, ifaddr, ioctlops, vnodes, shm, VM map, dirhash,
>           file desc, NFS daemon, exec, newblk, UVM amap, USB, temp
>      512  devbuf, pcb, ifaddr, ioctlops, UFS mount, shm, dirhash, file desc,
>           proc, ttys, exec, UVM amap, USB device, crypto data, temp
>     1024  devbuf, ioctlops, mount, file desc, ttys, exec, UVM amap, UVM aobj,
>           crypto data, temp
>     2048  devbuf, sysctl, ioctlops, UFS mount, file desc, proc, VM swap,
>           UVM amap, temp
>     4096  devbuf, ifaddr, ioctlops, file desc, pagedep, UVM amap, USB, temp
>     8192  devbuf, MSDOSFS mount, temp
>    16384  UFS quota, UFS mount, ISOFS mount, xform_data, inodedep, VM swap
>    32768  devbuf, VM swap
>
> Memory statistics by type                          Type  Kern
>           Type InUse MemUse HighUse  Limit Requests Limit Limit Size(s)
>         devbuf  1115   386K    393K 39260K     1492    0     0  16,32,64,128,256,512,1024,2048,4096,8192,32768
>            pcb    45     7K      7K 39260K      153    0     0  16,32,64,512
>       routetbl   130     9K     11K 39260K     1591    0     0  16,32,64,128,256
>         ifaddr    71    16K     16K 39260K       71    0     0  32,128,256,512,4096
>         sysctl     3     3K      3K 39260K        3    0     0  16,128,2048
>       ioctlops     0     0K      4K 39260K     4633    0     0  256,512,1024,2048,4096
>          mount     1     1K      1K 39260K        1    0     0  1024
>         vnodes  1471    97K     97K 39260K     1475    0     0  64,128,256
>      UFS quota     1    16K     16K 39260K        1    0     0  16384
>      UFS mount     5    21K     21K 39260K        5    0     0  64,512,2048,16384
>            shm     2     1K      1K 39260K        2    0     0  256,512
>         VM map     2     1K      1K 39260K        2    0     0  256
>            sem     2     1K      1K 39260K        2    0     0  32,64
>        dirhash    39     8K      8K 39260K       39    0     0  16,32,64,128,256,512
>      file desc     2     5K      7K 39260K        6    0     0  256,512,1024,2048,4096
>           proc    15     5K      5K 39260K       15    0     0  32,512,2048
>    VFS cluster     0     0K      1K 39260K        1    0     0  32
>    NFS srvsock     1     1K      1K 39260K        1    0     0  64
>     NFS daemon     1     1K      1K 39260K        1    0     0  256
>       in_multi    44     2K      2K 39260K       44    0     0  16,32,64
>    ether_multi    12     1K      1K 39260K       12    0     0  32
>    ISOFS mount     1    16K     16K 39260K        1    0     0  16384
>  MSDOSFS mount     1     8K      8K 39260K        1    0     0  8192
>           ttys   384   240K    240K 39260K      384    0     0  128,512,1024
>           exec     0     0K      2K 39260K      350    0     0  16,256,512,1024
>     pfkey data     1     1K      1K 39260K        2    0     0  64
>     xform_data     0     0K     13K 39260K       96    0     0  16,32,16384
>        pagedep     1     4K      4K 39260K        1    0     0  4096
>       inodedep     1    16K     16K 39260K        1    0     0  16384
>         newblk     1     1K      1K 39260K        1    0     0  256
>        VM swap     7    39K     39K 39260K        7    0     0  16,32,2048,16384,32768
>       UVM amap  1233   154K    256K 39260K    16499    0     0  16,32,64,128,256,512,1024,2048,4096
>       UVM aobj     2     2K      2K 39260K        2    0     0  16,1024
>            USB    30     7K      7K 39260K       30    0     0  16,32,64,128,256,4096
>     USB device    11     4K      4K 39260K       11    0     0  16,64,128,512
>        memdesc     1     1K      1K 39260K        1    0     0  64
>    crypto data     1     1K      2K 39260K       33    0     0  32,512,1024
>    packet tags     0     0K      1K 39260K   196736    0     0  16
>            NDP    11     1K      2K 39260K       14    0     0  64,128
>           temp    68    11K     16K 39260K    40489    0     0  16,32,64,128,256,512,1024,2048,4096,8192
>
> Memory Totals:  In Use    Free    Requests
>                  1072K    138K      264209
> Memory resource pool statistics
> Name           Size Requests Fail InUse Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
> extentpl         20       47    0    37     1     0     1     1     0     8    0
> phpool           48     1341    0  1313    16     0    16    16     0     8    0
> pmappl           76      382    0    28     1     0     1     1     0     8    0
> vmsppl          188      382    0    28     2     0     2     2     0     8    0
> vmmpepl          88    31121    0  1644    58     0    58    58     0   179   12
> vmmpekpl         88     2082    0    24     1     0     1     1     0     8    0
> aobjpl           48        1    0     1     1     0     1     1     0     8    0
> amappl           44    16216    0  1213    21     0    21    21     0    45    1
> anonpl           16    28284    0  5370    33     0    33    33     0    16    2
> bufpl           152     1890    0  1423    55     0    55    55     0     8    0
> mbpl            256  2800484    0  3775   238     0   238   238     1  8000    1
> mcl2k          2048  1105200    0  1896   954     0   954   954     4 64000    5
> sockpl          212   101068    0    79     8     0     8     8     0     8    3
> procpl          348      395    0    41     5     0     5     5     0     8    0
> processpl        28      395    0    41     1     0     1     1     0     8    0
> zombiepl         72      354    0     0     1     0     1     1     0     8    1
> ucredpl          80      141    0    22     1     0     1     1     0     8    0
> pgrppl           24      247    0    24     1     0     1     1     0     8    0
> sessionpl        48       49    0    23     1     0     1     1     0     8    0
> pcredpl          24      395    0    41     1     0     1     1     0     8    0
> lockfpl          56       32    0     2     1     0     1     1     0     8    0
> filepl           88   105899    0   138     5     0     5     5     0     8    1
> fdescpl         300      383    0    29     4     0     4     4     0     8    1
> pipepl           72      162    0     6     1     0     1     1     0     8    0
> kqueuepl        192        3    0     3     1     0     1     1     0     8    0
> knotepl          64       15    0    15     1     0     1     1     0     8    0
> sigapl          324      382    0    28     4     0     4     4     0     8    1
> pfiaddrpl       100       10    0     2     1     0     1     1     0     8    0
> wdcspl           96     2340    0     0     1     0     1     1     0     8    1
> namei          1024    11149    0     0     1     0     1     1     0     8    1
> vnodes          160     1868    0  1868    75     0    75    75     0     8    0
> nchpl            88     3066    0  2997    66     0    66    66     0     8    0
> ffsino          184     1861    0  1808    83     0    83    83     0     8    0
> dino1pl         128     1861    0  1808    59     0    59    59     0     8    0
> dirhash        1024       93    0    93    24     0    24    24     0   128    0
> pfrulepl       1148      301    0    58    55    28    27    42     0     8    0
> pfstatepl       212    27110    0   400    56     0    56    56     0   527   22
> pfstatekeypl     72    27843    0   432    35    18    17    19     0     8    2
> pfstateitempl    12    27843    0   432     4     0     4     4     0     8    1
> pfruleitempl     12      733    0    32     1     0     1     1     0     8    0
> pfaltqpl        224       24    0     0     1     0     1     1     0     8    1
> pfrktable      1240       34    0     7     5     0     5     5     0   667    2
> pfrke_plain      92    51456    2    10   715     0   715   715     0  9091  714
> pfosfpen        108     4176    0   696    74    55    19    19     0     8    0
> pfosfp           28     2442    0   407     3     0     3     3     0     8    0
> pffrent          16       46    0     0     1     0     1     1     0    20    1
> pffrag           48       23    0     0     1     0     1     1     0    12    1
> rtentpl         116       72    0    55     2     0     2     2     0     8    0
> rttmrpl          32        1    0     0     1     0     1     1     0     8    1
> tcpcbpl         400       53    0    22     3     0     3     3     0     8    0
> tcpqepl          16        5    0     0     1     0     1     1     0    13    1
> synpl           188        7    0     0     1     0     1     1     0     8    1
> plimitpl        152       33    0     7     1     0     1     1     0     8    0
> inpcbpl         224   100928    0    47     7     0     7     7     0     8    4
>
> In use 6860K, total allocated 11600K; utilization 59.1%
> # uptime
> 11:34PM  up  3:51, 2 users, load averages: 0.11, 0.10, 0.08
>
> # ps auxwww
> USER       PID %CPU %MEM   VSZ   RSS TT  STAT  STARTED    TIME COMMAND
> root         1  0.0  0.1   356   300 ??  Is     7:43PM 0:00.01 /sbin/init
> _dhcp     2388  0.0  0.1   536   228 ??  Is     7:43PM 0:00.13 dhclient: vr2 (dhclient)
> root     28055  0.0  0.2   572   624 ??  Is     7:43PM 0:00.01 syslogd: [priv] (syslogd)
> _syslogd 23429  0.0  0.3   600   664 ??  I      7:43PM 0:00.05 syslogd -a /var/www/dev/log -a /var/named/dev/log -a /var/empty/dev/log
> root        35  0.0  0.2   432   388 ??  Is     7:43PM 0:00.00 pflogd: [priv] (pflogd)
> _pflogd  26009  0.0  0.1   496   296 ??  S      7:43PM 0:00.38 pflogd: [running] -s 116 -i pflog0 -f /var/log/pflog (pflogd)
> root     15844  0.0  0.3  2096   736 ??  Is     7:43PM 0:00.00 named: [priv] (named)
> named    26456  0.0  6.3 16072 16568 ??  I      7:43PM 0:17.08 named -4
> _ntp     19799  0.0  0.3   716   872 ??  Is     7:43PM 0:00.17 ntpd: ntp engine (ntpd)
> _ntp     26954  0.0  0.3   840   804 ??  Is     7:43PM 0:00.00 ntpd: dns engine (ntpd)
> root     20352  0.0  0.3   664   736 ??  Is     7:43PM 0:00.00 ntpd: [priv] (ntpd)
> root     29221  0.0  0.5   544  1184 ??  Is     7:43PM 0:00.01 /usr/sbin/sshd
> root     14386  0.0  0.3   532   820 ??  Is     7:43PM 0:00.00 snmpd: parent (snmpd)
> _snmpd   25621  0.0  0.4   564   976 ??  I      7:43PM 0:00.57 snmpd: snmp engine (snmpd)
> _dhcp    21615  0.0  0.4   712  1072 ??  Is     7:43PM 0:00.02 /usr/sbin/dhcpd vr0
> proxy    14138  0.0  0.3   392   752 ??  Is     7:43PM 0:00.00 /usr/sbin/ftp-proxy
> root     18704  0.0  0.3   476   724 ??  Is     7:43PM 0:00.01 inetd
> _spamd   16685  0.0  0.3   480   696 ??  Ss     7:43PM 0:00.34 /usr/libexec/spamlogd
> root     26064  0.0  0.4   632  1152 ??  Is     7:43PM 0:00.00 /usr/sbin/sshd -p 222
> root     32526  0.0  0.3   504   796 ??  Is     7:43PM 0:00.04 cron
> root     18346  0.0  0.6  1204  1468 ??  Ss     7:43PM 0:00.58 sendmail: accepting connections (sendmail)
> root      6227  0.0  1.0  3568  2480 ??  Is     7:44PM 0:00.46 sshd: r...@ttyp1 (sshd)
> root      4962  0.0  1.0  3484  2492 ??  Ss    10:27PM 0:00.56 sshd: r...@ttyp3 (sshd)
> root      2873  0.0  0.2   500   440 p1  Is+    7:44PM 0:00.06 -ksh (ksh)
> root      3855  0.0  0.2   556   444 p3  Ss    10:27PM 0:00.07 -ksh (ksh)
> root     20880  0.0  0.1   272   284 p3  R+    11:39PM 0:00.00 ps -auxwww
> root      5266  0.0  0.1   484   304 00- I      7:43PM 0:00.00 dhclient: vr2 [priv] (dhclient)
> root      3213  0.0  0.3   436   732 00  Is+    7:43PM 0:00.01 /usr/libexec/getty std.38400 tty00
>
> # cat /etc/sysctl.conf | egrep -v '^#'
> net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
>                                 # required by some ports
> kern.maxclusters=128000         # Absurdly high number
>
>
> ### PF
> # pf.conf
> # Macros: define common values, so they can be referenced and changed easily.
> ##
> ext_if="vr2"    # connection to cable modem
> dmz_if="vr1"    # myserver and external machines
> nat_if="vr0"    # the "inside" machines behind a nat
>
> ## Our friends.
> myserver="174.a.b.c"
> fwoutside="174.d.e.f"
> remotefriend="68.g.h.i"
>
> ## Who are the trusted hosts?
> trhost1="208.j.k.l"
> trhost2="208.m.n.p"
> trhost3="67.q.r.s"
>
> # Tables: similar to macros, but more flexible for many addresses.
> ## Us
> table <mynet> { $myserver, $fwoutside }
>
> ## IP's trusted (outside of our network)
> table <trusted> { $trhost1, $trhost2, $remotefriend, $trhost3}
>
> # PF Settings
> set loginterface vr2
> set skip on lo0
>
> #Translation (NAT, redirects)
> ## Nat myserver into the internal network?
> match out on $dmz_if from 10.0.20.10/32 to any nat-to ($nat_if)
>
> ## NAT the 'inside' machines
> match out on $ext_if from $nat_if/24 to any nat-to ($ext_if)
> match in on $nat_if proto tcp from 192.168.2.0/24 to any port 21 rdr-to 127.0.0.1 port 8021
>
> # Filtering: We block everything not explicitly allowed
> block in all
> block out all
>
> block in inet6
>
> ## Start by passing out any packet we create ourselves
> pass out on $ext_if from <mynet> to any
> pass out on $ext_if from any to <mynet>
> pass in on $dmz_if from <mynet> to any
> pass out on $dmz_if from any to <mynet>
>
> ## Allow traffic on the nat_if
> pass in on $nat_if from any to any
> pass out on $nat_if from any to any
>
> ## allow traffic myserver <-> bridge (not required with real IP on bridge)
> pass in on $dmz_if from 10.0.20.0/24 to 10.0.20.1
> pass out on $dmz_if from 10.0.20.1 to 10.0.20.0/24
> pass in on $dmz_if from 10.0.20.0/24 to 192.168.2.0/24
> pass out on $dmz_if from 192.168.2.0/24 to 10.0.20.0/24
>
> ## Need to pass ports for DHCP to ourselves (since we DHCP), and DMZ (for non-static hosts)
> pass in on {$dmz_if,$ext_if} proto {tcp, udp} from any to any port 67:68
> pass out on {$dmz_if,$ext_if} proto {tcp, udp} from any to any port 67:68
>
> ## Ftp proxy
> anchor "ftp-proxy/*"
> pass out proto tcp from $ext_if to any port 21
>
> ## Allow ONLY people we know to SSH in (stops annoying SSH scans if nothing else)
> pass in on $ext_if proto tcp from <trusted> to <mynet> port 22
> pass out on $ext_if proto tcp from <mynet> to any port 22
> ## Temporarily let in anyone on port 222 ...
> pass in on $ext_if proto tcp from any to <mynet> port 222
> pass out on $ext_if proto tcp from <mynet> to any port 222
>
> pass in on $ext_if proto icmp from any to <mynet>
> pass out on $ext_if proto icmp from <mynet> to any
>
> ## IMAPS open to the world in the hopes that it's more secure than IMAP (ha!)
> pass in on $ext_if proto tcp from any to <mynet> port 993
> pass out on $ext_if proto tcp from <mynet> to any port 993
>
> ## Pass & Queue web/mail traffic
> pass in on $ext_if proto tcp from any to any port {80,443}
> pass out on $ext_if proto tcp from <mynet> to any port {80,443}
> pass in quick on $ext_if proto tcp from any to any port {25,465}
> pass out quick on $ext_if proto tcp from <mynet> to any port {25,465}
>
>
> >How-To-Repeat:
>         Boot alix 3d3 with above configuration. Haven't seen the same leak
>         with a VIA M10000 mobo also running vr driver ethernet.
> >Fix:
>         Disabling PF appears to slow down the leak (and make the firewall
>         less useful! :), but not stop the leak.
>
>
> dmesg:
> OpenBSD 4.7 (GENERIC) #556: Tue Mar 9 09:46:59 MST 2010
>     [email protected]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 499 MHz
> cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
> real mem  = 268009472 (255MB)
> avail mem = 250978304 (239MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 11/05/08, BIOS32 rev. 0 @ 0xfd088
> pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
> pcibios0: pcibios_get_intr_routing - function not supported
> pcibios0: PCI IRQ Routing information unavailable.
> pcibios0: PCI bus #0 is the last bus
> bios0: ROM list: 0xe0000/0xa800
> cpu0 at mainbus0: (uniprocessor)
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
> glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
> vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address 00:0d:b9:1a:a3:e8
> ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
> vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:0d:b9:1a:a3:e9
> ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
> vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 15, address 00:0d:b9:1a:a3:ea
> ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
> glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 3579545Hz timer, watchdog, gpio
> gpio0 at glxpcib0: 32 pins
> pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
> wd0 at pciide0 channel 0 drive 0: <SMI MODEL>
> wd0: 1-sector PIO, LBA, 7647MB, 15662304 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> pciide0: channel 1 ignored (disabled)
> ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 12, version 1.0, legacy support
> ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 12
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
> isa0 at glxpcib0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com0: console
> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> pcppi0 at isa0 port 0x61
> midi0 at pcppi0: <PC speaker>
> spkr0 at pcppi0
> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> usb1 at ohci0: USB revision 1.0
> uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
> biomask 73e7 netmask ffe7 ttymask ffff
> mtrr: K6-family MTRR support (2 registers)
> nvram: invalid checksum
> vscsi0 at root
> scsibus0 at vscsi0: 256 targets
> softraid0 at root
> root on wd0a swap on wd0b dump on wd0b
> clock: unknown CMOS layout
>
> pcidump:
> Domain /dev/pci0:
>  0:1:0: AMD Geode LX
>         0x0000: Vendor ID: 1022 Product ID: 2080
>         0x0004: Command: 0005 Status ID: 0220
>         0x0008: Class: 06 Subclass: 00 Interface: 00 Revision: 33
>         0x000c: BIST: 00 Header Type: 80 Latency Timer: f8 Cache Line Size: 08
>         0x0010: BAR io addr: 0x0000ac1c
>         0x0014: BAR empty (00000000)
>         0x0018: BAR empty (00000000)
>         0x001c: BAR empty (00000000)
>         0x0020: BAR empty (00000000)
>         0x0024: BAR empty (00000000)
>         0x0028: Cardbus CIS: 00000000
>         0x002c: Subsystem Vendor ID: 1022 Product ID: 2080
>         0x0030: Expansion ROM Base Address: 00000000
>         0x0038: 00000000
>         0x003c: Interrupt Pin: 00 Line: 00 Min Gnt: 00 Max Lat: 00
>         0x0000: 20801022 02200005 06000033 0080f808
>         0x0010: 0000ac1d 00000000 00000000 00000000
>         0x0020: 00000000 00000000 00000000 20801022
>         0x0030: 00000000 00000000 00000000 00000000
>         0x0040: 00000000 00000000 00000000 00000000
>         0x0050: 00000000 00000000 00000000 00000000
>         0x0060: 00000000 00000000 00000000 00000000
>         0x0070: 00000000 00000000 00000000 00000000
>         0x0080: 00000000 00000000 00000000 00000000
>         0x0090: 00000000 00000000 00000000 00000000
>         0x00a0: 00000000 00000000 00000000 00000000
>         0x00b0: 00000000 00000000 00000000 00000000
>         0x00c0: 00000000 00000000 00000000 00000000
>         0x00d0: 00000000 00000000 00000000 00000000
>         0x00e0: 00000000 00000000 00000000 00000000
>         0x00f0: 00000000 00000000 00000000 00000000
>  0:1:2: AMD Geode LX Crypto
>         0x0000: Vendor ID: 1022 Product ID: 2082
>         0x0004: Command: 0006 Status ID: 02a0
>         0x0008: Class: 10 Subclass: 10 Interface: 00 Revision: 00
>         0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 08
>         0x0010: BAR mem 32bit addr: 0xefff4000
>         0x0014: BAR empty (00000000)
>         0x0018: BAR empty (00000000)
>         0x001c: BAR empty (00000000)
>         0x0020: BAR empty (00000000)
>         0x0024: BAR empty (00000000)
>         0x0028: Cardbus CIS: 00000000
>         0x002c: Subsystem Vendor ID: 1022 Product ID: 2082
>         0x0030: Expansion ROM Base Address: 00000000
>         0x0038: 00000000
>         0x003c: Interrupt Pin: 01 Line: 09 Min Gnt: 00 Max Lat: 00
>         0x0000: 20821022 02a00006 10100000 00000008
>         0x0010: efff4000 00000000 00000000 00000000
>         0x0020: 00000000 00000000 00000000 20821022
>         0x0030: 00000000 00000000 00000000 00000109
>         0x0040: 00000000 00000000 00000000 00000000
>         0x0050: 00000000 00000000 00000000 00000000
>         0x0060: 00000000 00000000 00000000 00000000
>         0x0070: 00000000 00000000 00000000 00000000
>         0x0080: 00000000 00000000 00000000 00000000
>         0x0090: 00000000 00000000 00000000 00000000
>         0x00a0: 00000000 00000000 00000000 00000000
>         0x00b0: 00000000 00000000 00000000 00000000
>         0x00c0: 00000000 00000000 00000000 00000000
>         0x00d0: 00000000 00000000 00000000 00000000
>         0x00e0: 00000000 00000000 00000000 00000000
>         0x00f0: 00000000 00000000 00000000 00000000
>  0:9:0: VIA VT6105M RhineIII
>         0x0000: Vendor ID: 1106 Product ID: 3053
>         0x0004: Command: 0097 Status ID: 0210
>         0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 96
>         0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 08
>         0x0010: BAR io addr: 0x00001000
>         0x0014: BAR mem 32bit addr: 0xe0000000
>         0x0018: BAR empty (00000000)
>         0x001c: BAR empty (00000000)
>         0x0020: BAR empty (00000000)
>         0x0024: BAR empty (00000000)
>         0x0028: Cardbus CIS: 00000000
>         0x002c: Subsystem Vendor ID: 1106 Product ID: 0106
>         0x0030: Expansion ROM Base Address: 00000000
>         0x0038: 00000000
>         0x003c: Interrupt Pin: 01 Line: 0a Min Gnt: 03 Max Lat: 08
>         0x0040: Capability 0x01: Power Management
>         0x0000: 30531106 02100097 02000096 00000008
>         0x0010: 00001001 e0000000 00000000 00000000
>         0x0020: 00000000 00000000 00000000 01061106
>         0x0030: 00000000 00000040 00000000 0803010a
>         0x0040: fe020001 00000000 00000000 00000000
>         0x0050: 04000000 00000000 00000000 00000000
>         0x0060: 00000000 00000000 00000000 00000000
>         0x0070: 00000000 00000000 00000000 00000000
>         0x0080: 00000000 00000000 00000000 00000000
>         0x0090: 00000000 00000000 00000000 00000000
>         0x00a0: 00000000 00000000 00000000 00000000
>         0x00b0: 00000000 00000000 00000000 00000000
>         0x00c0: 00000000 00000000 00000000 00000000
>         0x00d0: 00000000 00000000 00000000 00000000
>         0x00e0: 00000000 00000000 00000000 00000000
>         0x00f0: 00000000 00000000 00000000 00000000
>  0:10:0: VIA VT6105M RhineIII
>         0x0000: Vendor ID: 1106 Product ID: 3053
>         0x0004: Command: 0097 Status ID: 0210
>         0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 96
>         0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 08
>         0x0010: BAR io addr: 0x00001400
>         0x0014: BAR mem 32bit addr: 0xe0040000
>         0x0018: BAR empty (00000000)
>         0x001c: BAR empty (00000000)
>         0x0020: BAR empty (00000000)
>         0x0024: BAR empty (00000000)
>         0x0028: Cardbus CIS: 00000000
>         0x002c: Subsystem Vendor ID: 1106 Product ID: 0106
>         0x0030: Expansion ROM Base Address: 00000000
>         0x0038: 00000000
>         0x003c: Interrupt Pin: 01 Line: 0b Min Gnt: 03 Max Lat: 08
>         0x0040: Capability 0x01: Power Management
>         0x0000: 30531106 02100097 02000096 00000008
>         0x0010: 00001401 e0040000 00000000 00000000
>         0x0020: 00000000 00000000 00000000 01061106
>         0x0030: 00000000 00000040 00000000 0803010b
>         0x0040: fe020001 00000000 00000000 00000000
>         0x0050: 04000000 00000000 00000000 00000000
>         0x0060: 00000000 00000000 00000000 00000000
>         0x0070: 00000000 00000000 00000000 00000000
>         0x0080: 00000000 00000000 00000000 00000000
>         0x0090: 00000000 00000000 00000000 00000000
>         0x00a0: 00000000 00000000 00000000 00000000
>         0x00b0: 00000000 00000000 00000000 00000000
>         0x00c0: 00000000 00000000 00000000 00000000
>         0x00d0: 00000000 00000000 00000000 00000000
>         0x00e0: 00000000 00000000 00000000 00000000
>         0x00f0: 00000000 00000000 00000000 00000000
>  0:11:0: VIA VT6105M RhineIII
>         0x0000: Vendor ID: 1106 Product ID: 3053
>         0x0004: Command: 0097 Status ID: 0210
>         0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 96
>         0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 08
>         0x0010: BAR io addr: 0x00001800
>         0x0014: BAR mem 32bit addr: 0xe0080000
>         0x0018: BAR empty (00000000)
>         0x001c: BAR empty (00000000)
>         0x0020: BAR empty (00000000)
>         0x0024: BAR empty (00000000)
>         0x0028: Cardbus CIS: 00000000
>         0x002c: Subsystem Vendor ID: 1106 Product ID: 0106
>         0x0030: Expansion ROM Base Address: 00000000
>         0x0038: 00000000
>         0x003c: Interrupt Pin: 01 Line: 0f Min Gnt: 03 Max Lat: 08
>         0x0040: Capability 0x01: Power Management
>         0x0000: 30531106 02100097 02000096 00000008
>         0x0010: 00001801 e0080000 00000000 00000000
>         0x0020: 00000000 00000000 00000000 01061106
>         0x0030: 00000000 00000040 00000000 0803010f
>         0x0040: fe020001 00000000 00000000 00000000
>         0x0050: 04000000 00000000 00000000 00000000
>         0x0060: 00000000 00000000 00000000 00000000
>         0x0070: 00000000 00000000 00000000 00000000
>         0x0080: 00000000 00000000 00000000 00000000
>         0x0090: 00000000 00000000 00000000 00000000
>         0x00a0: 00000000 00000000 00000000 00000000
>         0x00b0: 00000000 00000000 00000000 00000000
>         0x00c0: 00000000 00000000 00000000 00000000
>         0x00d0: 00000000 00000000 00000000 00000000
>         0x00e0: 00000000 00000000 00000000 00000000
>         0x00f0: 00000000 00000000 00000000 00000000
>  0:15:0: AMD CS5536 ISA
>         0x0000: Vendor ID: 1022 Product ID: 2090
>         0x0004: Command: 0009 Status ID: 02a0
>         0x0008: Class: 06 Subclass: 01 Interface: 00 Revision: 03
>         0x000c: BIST: 00 Header Type: 80 Latency Timer: 40 Cache Line Size: 08
>         0x0010: BAR io addr: 0x00006000
>         0x0014: BAR io addr: 0x00006100
>         0x0018: BAR io addr: 0x00006200
>         0x001c: BAR io addr: 0x00000000
>         0x0020: BAR io addr: 0x00009d00
>         0x0024: BAR io addr: 0x00009c00
>         0x0028: Cardbus CIS: 00000000
>         0x002c: Subsystem Vendor ID: 1022 Product ID: 2090
>         0x0030: Expansion ROM Base Address: 00000000
>         0x0038: 00000000
>         0x003c: Interrupt Pin: 00 Line: 00 Min Gnt: 00 Max Lat: 00
>         0x0000: 20901022 02a00009 06010003 00804008
>         0x0010: 00006001 00006101 00006201 00000001
>         0x0020: 00009d01 00009c01 00000000 20901022
>         0x0030: 00000000 00000000 00000000 00000000
>         0x0040: 00000000 00000000 00000000 00000000
>         0x0050: 00000000 00000000 00000000 00000000
>         0x0060: 00000000 00000000 00000000 00000000
>         0x0070: 00000000 00000000 00000000 00000000
>         0x0080: 00000000 00000000 00000000 00000000
>         0x0090: 00000000 00000000 00000000 00000000
>         0x00a0: 00000000 00000000 00000000 00000000
>         0x00b0: 00000000 00000000 00000000 00000000
>         0x00c0: 00000000 00000000 00000000 00000000
>         0x00d0: 00000000 00000000 00000000 00000000
>         0x00e0: 00000000 00000000 00000000 00000000
>         0x00f0: 00000000 00000000 00000000 00000000
>  0:15:2: AMD CS5536 IDE
>         0x0000: Vendor ID: 1022 Product ID: 209a
>         0x0004: Command: 0005 Status ID: 02a0
>         0x0008: Class: 01 Subclass: 01 Interface: 80 Revision: 01
>         0x000c: BIST: 00 Header Type: 00 Latency Timer: f8 Cache Line Size: 08
>         0x0010: BAR empty (00000000)
>         0x0014: BAR empty (00000000)
>         0x0018: BAR empty (00000000)
>         0x001c: BAR empty (00000000)
>         0x0020: BAR io addr: 0x0000ff00
>         0x0024: BAR empty (00000000)
>         0x0028: Cardbus CIS: 00000000
>         0x002c: Subsystem Vendor ID: 1022 Product ID: 209a
>         0x0030: Expansion ROM Base Address: 00000000
>         0x0038: 00000000
>         0x003c: Interrupt Pin: 00 Line: 00 Min Gnt: 00 Max Lat: 00
>         0x0000: 209a1022 02a00005 01018001 0000f808
>         0x0010: 00000000 00000000 00000000 00000000
>         0x0020: 0000ff01 00000000 00000000 209a1022
>         0x0030: 00000000 00000000 00000000 00000000
>         0x0040: 00000002 00000000 20000000 20000000
>         0x0050: c0000000 00000000 00000000 00000000
>         0x0060: 00000000 00000000 00000000 00000000
>         0x0070: 00000000 00000000 00000000 00000000
>         0x0080: 00000000 00000000 00000000 00000000
>         0x0090: 00000000 00000000 00000000 00000000
>         0x00a0: 00000000 00000000 00000000 00000000
>         0x00b0: 00000000 00000000 00000000 00000000
>         0x00c0: 00000000 00000000 00000000 00000000
>         0x00d0: 00000000 00000000 00000000 00000000
>         0x00e0: 00000000 00000000 00000000 00000000
>         0x00f0: 00000000 00000000 00000000 00000000
>  0:15:4: AMD CS5536 USB
>         0x0000: Vendor ID: 1022 Product ID: 2094
>         0x0004: Command: 0006 Status ID: 0230
>         0x0008: Class: 0c Subclass: 03 Interface: 10 Revision: 02
>         0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 08
>         0x0010: BAR mem 32bit addr: 0xefffe000
>         0x0014: BAR empty (00000000)
>         0x0018: BAR empty (00000000)
>         0x001c: BAR empty (00000000)
>         0x0020: BAR empty (00000000)
>         0x0024: BAR empty (00000000)
>         0x0028: Cardbus CIS: 00000000
>         0x002c: Subsystem Vendor ID: 1022 Product ID: 2094
>         0x0030: Expansion ROM Base Address: 00000000
>         0x0038: 00000000
>         0x003c: Interrupt Pin: 04 Line: 0c Min Gnt: 00 Max Lat: 00
>         0x0040: Capability 0x01: Power Management
>         0x0000: 20941022 02300006 0c031002 00000008
>         0x0010: efffe000 00000000 00000000 00000000
>         0x0020: 00000000 00000000 00000000 20941022
>         0x0030: 00000000 00000040 00000000 0000040c
>         0x0040: c8020001 00000000 00000000 00000000
>         0x0050: 00000000 00000000 00000000 00000000
>         0x0060: 00000000 00000000 00000000 00000000
>         0x0070: 00000000 00000000 00000000 00000000
>         0x0080: 00000000 00000000 00000000 00000000
>         0x0090: 00000000 00000000 00000000 00000000
>         0x00a0: 00000000 00000000 00000000 00000000
>         0x00b0: 00000000 00000000 00000000 00000000
>         0x00c0: 00000000 00000000 00000000 00000000
>         0x00d0: 00000000 00000000 00000000 00000000
>         0x00e0: 00000000 00000000 00000000 00000000
>         0x00f0: 00000000 00000000 00000000 00000000
>  0:15:5: AMD CS5536 USB
>         0x0000: Vendor ID: 1022 Product ID: 2095
>         0x0004: Command: 0006 Status ID: 0230
>         0x0008: Class: 0c Subclass: 03 Interface: 20 Revision: 02
>         0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 08
>         0x0010: BAR mem 32bit addr: 0xefffd000
>         0x0014: BAR empty (00000000)
>         0x0018: BAR empty (00000000)
>         0x001c: BAR empty (00000000)
>         0x0020: BAR empty (00000000)
>         0x0024: BAR empty (00000000)
>         0x0028: Cardbus CIS: 00000000
>         0x002c: Subsystem Vendor ID: 1022 Product ID: 2095
>         0x0030: Expansion ROM Base Address: 00000000
>         0x0038: 00000000
>         0x003c: Interrupt Pin: 04 Line: 0c Min Gnt: 00 Max Lat: 00
>         0x0040: Capability 0x01: Power Management
>         0x0000: 20951022 02300006 0c032002 00000008
>         0x0010: efffd000 00000000 00000000 00000000
>         0x0020: 00000000 00000000 00000000 20951022
>         0x0030: 00000000 00000040 00000000 0000040c
>         0x0040: c8020001 00000000 00000000 00000000
>         0x0050: 00000001 00000000 00000000 00000000
>         0x0060: 00002020 00000000 00000000 00000000
>         0x0070: 00000000 00000000 00000000 00000000
>         0x0080: 00000000 00000000 00000000 00000000
>         0x0090: 00000000 00000000 00000000 00000000
>         0x00a0: 00000000 00000000 00000000 00000000
>         0x00b0: 00000000 00000000 00000000 00000000
>         0x00c0: 00000000 00000000 00000000 00000000
>         0x00d0: 00000000 00000000 00000000 00000000
>         0x00e0: 00000000 00000000 00000000 00000000
>         0x00f0: 00000000 00000000 00000000 00000000
>
> acpidump:
>
>
> >Release-Note:
> >Audit-Trail:
> >Unformatted:
> From: [email protected]
> Cc: [email protected]
> Reply-To: [email protected]
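The PR above tracks the leak by watching the 2048-byte cluster line of "netstat -m" climb over time, and the reply asks whether livelocks correlate with it. As an added example (not part of this thread, and not OpenBSD's own tooling), the script below parses that exact netstat -m format, reports how much of the kern.maxclusters ceiling is in use, and flags a cluster size whose current usage only ever rises between samples, which is the signature that separates a leak from ordinary bursty usage. The first sample is the netstat -m block quoted in the PR; the two later samples are constructed with made-up, rising counts to exercise the trend check.

```python
import re

# Constructed sample: the "netstat -m" block quoted in the PR (t0), plus two
# hypothetical later samples with made-up, rising 2048-byte cluster counts
# (t1, t2). Only t0 comes from the thread.
SAMPLE_T0 = """\
3771 mbufs in use:
        3761 mbufs allocated to data
        2 mbufs allocated to packet headers
        8 mbufs allocated to socket names and addresses
1894/1906/128000 mbuf 2048 byte clusters in use (current/peak/max)
0/8/128000 mbuf 4096 byte clusters in use (current/peak/max)
4956 Kbytes allocated to network (95% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
"""
SAMPLE_T1 = SAMPLE_T0.replace("1894/1906/128000", "1951/1960/128000")
SAMPLE_T2 = SAMPLE_T0.replace("1894/1906/128000", "2010/2015/128000")

MBUF_RE = re.compile(r"^(\d+) mbufs in use:$")
CLUSTER_RE = re.compile(
    r"^(\d+)/(\d+)/(\d+) mbuf (\d+) byte clusters in use \(current/peak/max\)$")
DENIED_RE = re.compile(r"^(\d+) requests for memory denied$")


def parse_netstat_m(text):
    """Parse netstat -m output into a dict:
       mbufs    -> total mbufs in use
       clusters -> {cluster_size: (current, peak, max)}
       denied   -> allocation requests denied (non-zero means exhaustion)
    """
    out = {"mbufs": None, "clusters": {}, "denied": None}
    for raw in text.splitlines():
        line = raw.strip()  # the per-type mbuf lines are indented
        m = MBUF_RE.match(line)
        if m:
            out["mbufs"] = int(m.group(1))
            continue
        m = CLUSTER_RE.match(line)
        if m:
            cur, peak, mx, size = (int(g) for g in m.groups())
            out["clusters"][size] = (cur, peak, mx)
            continue
        m = DENIED_RE.match(line)
        if m:
            out["denied"] = int(m.group(1))
    return out


def cluster_headroom(sample, size=2048):
    """Percentage of the kern.maxclusters ceiling used by one cluster size.
    Raising the ceiling (as the PR did) only moves the point of failure."""
    cur, peak, mx = sample["clusters"][size]
    return {"current_pct": 100.0 * cur / mx, "peak_pct": 100.0 * peak / mx}


def leak_trend(samples, size=2048):
    """Given parsed samples in time order, report whether 'current' usage of
    one cluster size rises between every pair of consecutive samples.
    A leak climbs monotonically and never returns to baseline once traffic
    quiets; normal usage rises and falls with load."""
    curs = [s["clusters"][size][0] for s in samples]
    deltas = [b - a for a, b in zip(curs, curs[1:])]
    return {
        "current": curs,
        "deltas": deltas,
        "monotonic_growth": bool(deltas) and all(d > 0 for d in deltas),
        "total_growth": curs[-1] - curs[0] if curs else 0,
    }


if __name__ == "__main__":
    parsed = [parse_netstat_m(s) for s in (SAMPLE_T0, SAMPLE_T1, SAMPLE_T2)]
    print(cluster_headroom(parsed[0]))
    print(leak_trend(parsed))
```

In practice the samples would come from running "netstat -m" on a fixed interval (for example from cron) and keeping the output; a cluster size whose current count climbs across every interval, while traffic is steady or idle, is the one to chase, and a non-zero "requests for memory denied" count is the point at which the box starts dropping packets.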
