Dear OpenBSD team,
I'm using the new "pfsync defer" feature to have firewalls active-active.
problem description:
In short the defer feature works as intended for all ipv4 packets.
there is no noticeable delay for the first packet. but the initial
ipv6 packet is delayed by 1-3 seconds (icmp6 about 1 sec and tcp about
2-3 sec).
pfsync defer is a great feature which is quite a big advantage
compared to all comercial and opensource firewalls available. as far
as I know no other vendors or opensource projects support a real
active-active firewall scenario.
please see also my post on misc@: "pfsync defer, ipv6 delay problem"
how to repeat:
1. set up a pair of OpenBSD 4.8 release (tested on intel, joe HP
Prolaint DL320 G3).
2. connect one interface to a LAN (e.g. bge0), dhcp or static ipv4,
ipv6 link-local
3. crosslink the boxes via the 2nd interface (e.g. bge1), use private
ipv4 address /24 or /30 and ipv5 link-local
4. set up pfsync0 on bge1 (defer off), multicast mode
you don't need carp enabled to repeat the problem
5. set up a simple pf ruleset, just to create in and outbound states (
on both boxes ):
block log all
pass in quick inet proto { udp tcp icmp }
pass in quick inet6 proto { udp tcp icmp6 }
pass quick on bge1 proto pfsync
pass out quick
test:
1. ping from one box to the other (over LAN interface)
ping is answered instantly
2. ping6 (link-local) from one box to the other (over LAN interface)
ping is answered instantly
3. turn on defer on pfsync0 ( on both boxes )
1. ping from one box to the other (over LAN interface)
ping is answered instantly
2. ping6 (link-local) from one box to the other (over LAN interface)
>> ping answer is delayed by about 1 sec
3. this behavior can also be reproduced with tcp traffic. you can use
thttp on one box and connect to port 80 from the other box
>> tcp connections are delayed by about 2-3 sec.
you can also see that packet is passed by pf (tcpdump on pflog0)
instantly, both for ipv4 and ipv6 packets even if defer is on and on
firewalls with do actually route you can see that packet is not
leaving the box outbound on 2nd interface in this delay time (1-2
seconds) after packet is passed by pf.
please find dmesg below
thanks in advance for heaving a look at this problem.
best regards
marco
OpenBSD 4.8 (GENERIC.MP) #359: Mon Aug 16 09:16:26 MDT 2010
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Pentium(R) 4 CPU 3.06GHz ("GenuineIntel" 686-class) 3.07 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem = 1207500800 (1151MB)
avail mem = 1177763840 (1123MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @
0xf0000, SMBIOS rev. 2.3 @ 0xec000 (39 entries)
bios0: vendor HP version "D13" date 10/14/2003
bios0: HP ProLiant DL320 G2
acpi0 at bios0: rev 0
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC SPCR
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 133MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Pentium(R) 4 CPU 3.06GHz ("GenuineIntel" 686-class) 3.07 GHz
cpu1:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 11, 16 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
ioapic1 at mainbus0: apid 3 pa 0xfec01000, version 11, 16 pins
ioapic1: misconfigured as apic 0, remapped to apid 3
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C2
acpicpu1 at acpi0
acpitz0 at acpi0: critical temperature 31 degC
acpibtn0 at acpi0: PBTN
bios0: ROM list: 0xc0000/0x8000 0xc8000/0x2a00 0xcaa00/0x1800 0xee000/0x2000!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "ServerWorks GCNB-LE Host" rev 0x32
pchb1 at pci0 dev 0 function 1 "ServerWorks GCNB-LE Host" rev 0x00
pciide0 at pci0 dev 2 function 0 "CMD Technology PCI0649" rev 0x02:
DMA, channel 0 configured to native-PCI, channel 1 configured to
native-PCI
pciide0: using apic 3 int 1 (irq 3) for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: <ST380011A>
wd0: 16-sector PIO, LBA, 76319MB, 156301488 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1 at pciide0 channel 1 drive 0: <Maxtor 6Y080L0>
wd1: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
vga1 at pci0 dev 3 function 0 "ATI Rage XL" rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
"Compaq Netelligent ASMC" rev 0x00 at pci0 dev 4 function 0 not configured
bge0 at pci0 dev 5 function 0 "Broadcom BCM5702X" rev 0x02,
BCM5702/5703 A2 (0x1002): apic 3 int 3 (irq 7), address
00:0f:20:98:bc:66
brgphy0 at bge0 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
bge1 at pci0 dev 6 function 0 "Broadcom BCM5702X" rev 0x02,
BCM5702/5703 A2 (0x1002): apic 3 int 4 (irq 10), address
00:0f:20:98:ac:b3
brgphy1 at bge1 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
piixpm0 at pci0 dev 15 function 0 "ServerWorks CSB6" rev 0xa0: polling
iic0 at piixpm0
spdmem0 at iic0 addr 0x51: 512MB DDR SDRAM registered ECC PC2100CL2.5
spdmem1 at iic0 addr 0x52: 512MB DDR SDRAM registered ECC PC2100CL2.5
spdmem2 at iic0 addr 0x53: 128MB DDR SDRAM registered ECC PC2300CL2.5
pciide1 at pci0 dev 15 function 1 "ServerWorks CSB6 RAID/IDE" rev 0xa0: DMA
atapiscsi0 at pciide1 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <TEAC, CD-224E, 9.9A> ATAPI 5/cdrom removable
cd0(pciide1:0:0): using PIO mode 4, DMA mode 2
ohci0 at pci0 dev 15 function 2 "ServerWorks CSB6 USB" rev 0x05: apic
2 int 11 (irq 11), version 1.0, legacy support
pchb2 at pci0 dev 15 function 3 "ServerWorks GCLE-2 Host" rev 0x00
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 "ServerWorks OHCI root hub" rev 1.00/1.00 addr 1
isa0 at mainbus0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
mtrr: Pentium Pro MTRR support
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
pfsync: failed to receive bulk update
pfsync: failed to receive bulk update
