PF slows

Hello!

I am running a web and mail server on FreeBSD 9.1. The system is installed on a KVM vServer. Everything works fine - until I enable pf(4). My weblog becomes unconscionably slow. So does all the other traffic, but this is not that annoying.

So it would be great if someone could tell me what the problem is!


A test with benchmarks/iperf returns the following results:

Disabled pf:
Code:
Client connecting to 109.193.XXX.XXX, TCP port 5001
TCP window size: 32.5 KByte (default)
------------------------------------------------------------
[  3] local 46.38.XXX.XXX port 31302 connected with 109.193.XXX.XXX port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  15.1 MBytes  12.6 Mbits/sec

Enabled pf:
Code:
------------------------------------------------------------
Client connecting to 109.193.XXX.XXX, TCP port 5001
TCP window size: 32.5 KByte (default)
------------------------------------------------------------
[  3] local 46.38.XXX.XXX port 61377 connected with 109.193.XXX.XXX port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-18.1 sec   128 KBytes  58.1 Kbits/sec

This is my pf.conf:
Code:
### INTERFACES ###
if = "{ em0 }"

### SETTINGS ###
set block-policy drop

### PORTS ###
tcp_pass = "{ 25 80 465 993}"
udp_pass = "{ 25 80 465 993}"
icmp_types = "echoreq"

### NORMALISATION ###
scrub in all
antispoof for $if

### RULES ###
block all
pass in on $if proto tcp from any to any port $tcp_pass flags S/SA keep state
pass in on $if proto udp to any port $udp_pass keep state
pass out quick all keep state

# PING #
pass in on $if inet proto icmp all icmp-type $icmp_types keep state

# TRACEROUTE #
pass in on $if inet proto udp from any to any port 33433 >< 33626 keep state


This is rc.conf:
Code:
...
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
...
 
I had the same problem. The trick is to turn off TSO on the interface.

# ifconfig em0 -tso

Or in /etc/rc.conf:
Code:
ifconfig_em0="inet 1.2.3.4 netmask 255.255.255.0 -tso"
 
It seems the combination of PF and VirtIO needs this in order to work properly. Not really sure why but I found the solution some time ago when I was dealing with the same problem.
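To verify that the TSO workaround from the reply above has actually taken effect, here is an added helper script (not from the thread) that parses `ifconfig` output for the TSO4/TSO6 option flags and disables TSO only if it is still on. The two sample outputs are constructed to resemble FreeBSD `ifconfig em0` output; the interface name em0 and address 1.2.3.4 are taken from the thread.

```shell
#!/bin/sh
# tso_state IFCONFIG_OUTPUT
# Prints "on" if the options=<...> line carries TSO4 or TSO6, else "off".
# VLAN_HWTSO is a different flag and is deliberately not matched.
tso_state() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*options=/ {
            # e.g. options=4219b<RXCSUM,TXCSUM,VLAN_MTU,TSO4,WOL_MAGIC,VLAN_HWTSO>
            if ($0 ~ /[<,]TSO[46][,>]/) found = 1
        }
        END { print (found ? "on" : "off") }'
}

# Constructed sample: TSO4 still enabled (the state that slows pf on VirtIO).
SAMPLE_TSO_ON='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
    ether 00:00:00:00:00:01
    inet 1.2.3.4 netmask 0xffffff00 broadcast 1.2.3.255'

# Constructed sample: after "ifconfig em0 -tso" (VLAN_HWTSO remains, TSO4 is gone).
SAMPLE_TSO_OFF='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4218b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
    ether 00:00:00:00:00:01
    inet 1.2.3.4 netmask 0xffffff00 broadcast 1.2.3.255'

# check_live IFACE: run as root on the FreeBSD host itself.
# Reads the real ifconfig output and applies the fix only when needed.
check_live() {
    iface=$1
    if [ "$(tso_state "$(ifconfig "$iface")")" = "on" ]; then
        echo "TSO is enabled on $iface; disabling with: ifconfig $iface -tso"
        ifconfig "$iface" -tso
    else
        echo "TSO is already off on $iface"
    fi
}

# Usage: sh tso_check.sh em0   (no argument: only the functions are defined)
if [ -n "${1:-}" ]; then
    check_live "$1"
fi
```

Remember that `ifconfig em0 -tso` does not survive a reboot; the rc.conf line in the reply is what makes it persistent.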
 